• Dotnetzch (unregistered)

    Good ol' Monty. Always trust designers with server access!

  • CigarDoug (unregistered)

    The an article doesn't make clear the an difference between the an admin and the an manager. Was it the an Jim's manager who deployed his module, or the an super-admin? And what did this have to do with the an Customization Panel?

    Also, the an first.

  • (cs)

    I guess TRWTF is believing that Wordpress offers any real form of security.

  • CigarDoug (unregistered)
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

  • Black Bart (unregistered)

    So, had Jim actually changed something about the test order that prevented Jim's manager from deleting it?

  • (cs)

    Oh this manager sounds like a real treat. I tried something and it didn't work, so the developer must have screwed something up! I know, let's remove their permissions so they can't screw things up, but also can't do their job!

  • Pista (unregistered) in reply to CigarDoug
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    Yeah man, the grammar is like hell in this article. WTF???

  • Geoff (unregistered)
    As an aside, it's rarely good to argue that you should be given a security exemption by suggesting that if you wanted to screw the company, it was already within your power to do so. Just keep that in the back of your mind as you move through your career. Now, back to our story.

    It's all about perceptions. Yes, if you say, "hey man, I can totally screw this place already," yeah, that isn't the message you want to send. It's not necessarily a bad idea to point out weaknesses in policy and controls, however. You should say something like

    "Oh, I did not realize we did not want development staff to have permissions to deploy modules on the production server; I had guessed we had those so that we could assist operations if the need arose. I can see how that is a sensible control though. The problem is that in the current configuration it's not effective because X, Y, Z. We should get that fixed so there can be proper accountability."

    And in truth you do want that. I have worked in places where I have ASKED for my own permissions to be reduced. Mostly because I did not fully trust the admin staff, and wanted to be sure I would be blameless when things did go wrong. It's a good thing when the finger pointing starts to be able to say "wasn't me, I am not normally allowed to even log in, but if you want to throw me in the wheel group for the evening I'll help troubleshoot; you all can figure out who broke it later."

  • RFox (unregistered)

    One more option: Send out resumes now and run as quickly as possible from that dysfunctional company.

    Captcha: bene - good good.

  • Smug Unix User (unregistered)

    "Proper user permissions are hard. Let's take away access until people can't do their jobs and complain." - every company everywhere.

  • ZoomST (unregistered) in reply to Smug Unix User
    Smug Unix User:
    "Proper user permissions are hard. Let's take away access until people can't do their jobs and complain." - every company everywhere.
    "Too many complaints are coming in... wait! There is a complaint from the company's CEO/boss/guru, so a very important somebody ordered that access be granted to everyone" - same company, several minutes later. Note: yes, a very important somebody could be Bob from Accounting, or Mitch from Sales. No, not you, engineer! You are not important in this engineering company! Now, go back to your dungeon!

  • (cs)

    "The administrator had only restricted Jim without actually increasing the manager's capability."

    One WTF perhaps, but many more prevented...

  • (cs)

    I am failing to understand who "Sophie" is in this story?

  • (cs) in reply to Dotnetzch
    Dotnetzch:
    Good ol' Monty. Always trust designers with server access!

    That is the only way they can NOT do any harm.

  • (cs) in reply to CigarDoug
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    you are being silly if you are focused on spice and not the meat of the story.

  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    Oh this manager sounds like a real treat. I tried something and it didn't work, so the developer must have screwed something up! I know, let's remove their permissions so they can't screw things up, but also can't do their job!

    Plus 1.

    If the manager can't delete a test order, then there is a bug in the system. Probably, users can't delete their orders either. This should have resulted in a ticket being issued, and someone (Jim?) fixing the problem.

    If the manager can't simply ask Jim -- Hey Jim, did you deploy something yesterday? I can't delete a test order -- then there is something even more fundamentally wrong in this company than access permissions.

  • (cs)

    I always ask for read-only access to production databases; that way I can't accidentally modify data. Sometimes it's frustrating; but it's much better for my career.

    Being able to directly modify production environments is a recipe for having your name appear in a front-page article on TDWTF.

  • caecus (unregistered) in reply to Nagesh
    Nagesh:
    I am failing to understand who "Sophie" is in this story?
    Paula Bean's sister.
  • (cs) in reply to caecus
    caecus:
    Nagesh:
    I am failing to understand who "Sophie" is in this story?
    Paula Bean's sister.

    Thanks for that ex-plantation.

  • (cs) in reply to DrPepper
    DrPepper:
    I always ask for read-only access to production databases; that way I can't accidentally modify data. Sometimes it's frustrating; but it's much better for my career.

    Years ago, I knew a woman who worked on payroll systems for a rather large company. Everything she did was supposed to be on a test payroll system but somehow she apparently had full access to the live payroll system as well.

    After a year or so, she was fired for hacking into the live payroll system. My guess is that she logged into the live system when she should have logged into the test system.

  • Jeff Grigg (unregistered)

    I was working at an international firm...

    And someone became concerned that developer read-only access to server production log files could be a security problem and, for reasons they could not describe, revoked access to the web interface that let us list and download the log files.

    It wasn't long before we pointed out that we couldn't help them resolve their production problems without being able to see log file contents.

    So they granted us FTP access to the servers.

    Read-write FTP access. To the Unix root directories. Of all the production servers. Oh, and plain text database passwords were stored in configuration files... So all the production database passwords were exposed too.

    As far as I know, it's still that way, to this day.

  • (cs) in reply to DrPepper
    DrPepper:
    If the manager can't delete a test order, then there is a bug in the system. Probably, users can't delete their orders either. This should have resulted in a ticket being issued, and someone (Jim?) fixing the problem.

    My preference is for users not to be able to delete anything important but to leave an auditable trail by marking it as to be ignored. I would be more likely to cancel the order along with the date, who, and the reason for the cancellation.
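    The two design points raised in this thread, read-only production access for developers (DrPepper's comment above) and cancelling a record with who/when/why instead of deleting it (this comment), shown together as an added example. This is not code from any commenter or from the article; it uses Python's standard sqlite3 module, and the table layout, column names, the hypothetical "test order" row and the actor name are constructed for illustration.

```python
"""Cancel-instead-of-delete with an audit trail, plus a read-only
connection for troubleshooting. Added example using Python's sqlite3;
the schema, names and the single test order are constructed, not taken
from the article or the thread."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE orders (
    id            INTEGER PRIMARY KEY,
    customer      TEXT    NOT NULL,
    total_cents   INTEGER NOT NULL,
    status        TEXT    NOT NULL DEFAULT 'open'
                  CHECK (status IN ('open', 'cancelled')),
    cancelled_at  TEXT,   -- who / when / why form the audit trail
    cancelled_by  TEXT,
    cancel_reason TEXT
);
-- Hard deletes are refused by the database itself, not just by app code,
-- so a "test order" cannot quietly vanish from the history.
CREATE TRIGGER orders_no_delete BEFORE DELETE ON orders
BEGIN
    SELECT RAISE(ABORT, 'orders are cancelled, never deleted');
END;
"""


def new_db(path):
    """Create the schema and one constructed test order (id 1)."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO orders (id, customer, total_cents) "
                 "VALUES (1, 'test-order', 0)")
    conn.commit()
    conn.close()


def open_read_only(path):
    """Troubleshooting connection: the file is opened read-only, so a
    mistyped UPDATE fails instead of changing production data."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def cancel_order(conn, order_id, actor, reason):
    """Mark an open order cancelled, recording actor, time and reason.
    Returns True if exactly one open order was cancelled."""
    if not reason.strip():
        raise ValueError("a cancellation reason is required")
    cur = conn.execute(
        "UPDATE orders SET status='cancelled', cancelled_at=?, "
        "cancelled_by=?, cancel_reason=? WHERE id=? AND status='open'",
        (datetime.now(timezone.utc).isoformat(), actor, reason, order_id))
    conn.commit()
    return cur.rowcount == 1


def try_hard_delete(conn, order_id):
    """Attempt a DELETE; the trigger should refuse it. Returns True only
    if the row was actually deleted."""
    try:
        conn.execute("DELETE FROM orders WHERE id=?", (order_id,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


def try_write(conn, order_id):
    """Attempt an UPDATE over the given connection. Returns True only if
    the write succeeded (it should not on a read-only connection)."""
    try:
        conn.execute("UPDATE orders SET total_cents = 1 WHERE id=?",
                     (order_id,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


def demo():
    """Run the scenario end to end and return the observable results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shop.db")
        new_db(path)
        rw = sqlite3.connect(path)      # the manager's read-write access
        ro = open_read_only(path)       # the developer's read-only access
        results = {
            "ro_write_blocked": not try_write(ro, 1),
            "hard_delete_blocked": not try_hard_delete(rw, 1),
            "cancelled": cancel_order(rw, 1, "manager",
                                      "test order, not a real sale"),
            "cancel_twice": cancel_order(rw, 1, "manager", "again"),
        }
        results["audit"] = rw.execute(
            "SELECT status, cancelled_by, cancel_reason FROM orders "
            "WHERE id=1").fetchone()
        results["still_present"] = rw.execute(
            "SELECT COUNT(*) FROM orders").fetchone()[0]
        ro.close()
        rw.close()
        return results


if __name__ == "__main__":
    print(demo())
```

    The trigger is the part that matters for the story: with it in place, "I can't delete the test order" is the expected behaviour for everyone, manager included, and the cancellation columns answer the question the manager actually had (who touched this order, when, and why) without anyone needing deploy rights to find out.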

  • (cs)

    Off topic, but am I the only one who thinks Weird Al should have called the new album "Mandatory Fun Day"?

  • Xaser (unregistered)

    The amount of incomplete sentence fragments. Is driving me. Absolutely. Cr. Az. Y.

  • C-Derb (unregistered)

    A few years ago, I worked for a company that had an Admin interface to manage users, clients and configuration settings of a large healthcare portal. Almost every developer, including several Indian contractors, had access to the production admin site that exposed names, addresses, date of birth, SS# and more of over 5 million people.

    At least 8 months after being downsized in favor of more offshore contractors, I could still log in to the Admin site. I may or may not have changed the answer to one of the FAQs:

    Q: Is my private health information secure? A: No, not at all.

  • C-Derb (unregistered) in reply to Xaser
    Xaser:
    The amount of incomplete sentence fragments. Is driving me. Absolutely. Cr. Az. Y.
    I wholeheartedly.

    Agree.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to Pista
    Pista:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    Yeah man, the grammar is like hell in this article. WTF???
    Why do you say that? It has an completely grammar!

  • laoreet (unregistered) in reply to C-Derb
    C-Derb:
    Xaser:
    The amount of incomplete sentence fragments. Is driving me. Absolutely. Cr. Az. Y.
    I wholeheartedly.

    Agree.

    Maybe. The Author. Was. Trying. For that. WILLIAM! SHATNER! Dramatic. Delay. Effect.

  • (cs)

    Dear Bruce Johnson,

    The word for un-fired clay is "clay". Once you fire it, it's ceramic.

  • (cs) in reply to RFox
    RFox:
    One more option: Send out resumes now and run as quickly as possible from that dysfunctional company.

    Uh-huh. And good luck finding a company with a less dysfunctional security ruleset.

  • (cs) in reply to Xaser
    Xaser:
    The amount of incomplete sentence fragments. Is driving me. Absolutely. Cr. Az. Y.

    In which case, do NOT take a job on the bridge of NCC-1701.

  • CigarDoug (unregistered) in reply to Nagesh
    Nagesh:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    you are being silly if you are focused on spice and not the meat of the story.

    I addressed the meat in my first (not first) comment. For example, was it the manager or the admin who lost access, was it the manager or the admin who took away Jim's permissions, what caused the management console to disappear, etc., etc.

    I added the spice later.

  • cyborg (unregistered) in reply to ¯\(°_o)/¯ I DUNNO LOL
    ¯\(°_o)/¯ I DUNNO LOL:
    Pista:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    Yeah man, the grammar is like hell in this article. WTF???
    Why do you say that? It has an completely grammar!

    I cannot BNF :(

  • (cs)

    Release management seems to be an afterthought at most companies, if even considered at all.

  • Ann Onymous (unregistered)

    Besides the typos already noted, there's a small WTF with the sequence of tenses in some sentences.

    Proofreading much?

  • Insane in the Mainframe (unregistered) in reply to chubertdev
    chubertdev:
    Release management seems to be an afterthought at most companies, if even considered at all.

    I wish I could release my management.

  • (cs) in reply to Nagesh
    Nagesh:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    you are being silly if you are focused on spice and not the meat of the story.

    You are being silly if you are focused on the meat and not the dahl.

  • (cs) in reply to tharpa
    tharpa:
    Nagesh:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    you are being silly if you are focused on spice and not the meat of the story.

    You are being silly if you are focused on the meat and not the dahl.

    Dahl = branch of tree! Dal = lentil in food!

    Now who is being silly? Only time to focus on dhal is to check strength before attempting to pluck raw mangoes.

  • Valued Service (unregistered)

    Almost all of these security things have to do with one of two problems.

    1. Management not trusting its employees and thinking somehow it can understand and assess the issues regarding security with as much accuracy as a seasoned professional.
    2. Seasoned professionals turning out to be untrustworthy idiots who don't know their material, leading to #1.

    The problem is that managers can't tell that #1 and #2 have the same results.

  • (cs) in reply to Nagesh
    Nagesh:
    tharpa:
    Nagesh:
    CigarDoug:
    Maybe it was the fact that requirements had the malleability of the an un-fired lump of clay.
    The an grammatical error I was making the an fun of.

    Also, drat, too slow and not the an first.

    you are being silly if you are focused on spice and not the meat of the story.

    You are being silly if you are focused on the meat and not the dahl.

    Dahl = branch of tree! Dal = lentil in food!

    Now who is being silly? Only time to focus on dhal is to check strength before attempting to pluck raw mangoes.

    http://en.wikipedia.org/wiki/Dahl

    If I am wrong, I am in good company. Wikipedia says that both spellings are correct for lentils in food.

  • (cs)

    TRW(an)TF is using Wordpress for anything business-critical.

  • Jeff Grigg (unregistered)

    Years ago, one of our minicomputer customers was PARANOID about security. He had the only admin account. We worked mostly offsite on separate machines. He'd enable our accounts when we showed up to install software, and disable them when we left. There were no dial-in lines or internet, so it did seem that to augment physical security with account security was a bit much. But that was his "thing." ;->

    But... There was one terminal port, which we trained them to use weekly -- to back up the system. It had admin access, without requiring any login process at all. We often used it, when there, to bypass all security protections.

    To the best of my knowledge, Mr. Paranoid Customer never did "put two and two together" about the backup process having access to everything, with no security, and, well... No Security. Well, we were a bit too "busy" to explain it to him in detail. >;->

  • Boeis Galakot (unregistered)
    So, to help troubleshoot the problem, Jim was temporarily given full access to the system.
    ...and that's your cue to make it a permanent, hidden full access that only you know about.
  • DWalker (unregistered) in reply to Valued Service
    Valued Service:
    Almost all of these security things has to do with one of two problems.
    1. Management not trusting its employees and thinking somehow it can understand and assess the issues regarding security with as much accuracy as a seasoned professional.
    2. Seasoned professionals turning out to be untrustworthy idiots who don't know their material, leading to #1.

    The problem is that managers can't tell that #1 and #2 have the same results.

    Seasoned professionals? Meat and spice? What is really going on here?

  • Ross Presser (unregistered) in reply to Nagesh
    Nagesh:
    I am failing to understand who "Sophie" is in this story?
    Assuming this is a cultural misfire: "Sophie's Choice" and "The Full Monty" are both American movies. "Sophie's Choice" was about the impossible choice a woman had to make during World War II. "The Full Monty" was about a group of men stripping to make money after losing their jobs.
  • Andrew (unregistered)

    Shouldn't sysadmins be doing the deployment?

  • deleted (unregistered)

    I had the Jim recently completely permissions reduced. I assure you, it was an laughing matter.

  • yeahso (unregistered) in reply to deleted
    deleted:
    I had the Jim recently completely permissions reduced. I assure you, it was an laughing matter.

    Clearly.

  • Norman Diamond (unregistered) in reply to Zylon
    Zylon:
    Dear Bruce Johnson,

    The word for un-fired clay is "clay". Once you fire it, it's ceramic.

    What is it if it resigns before getting fired?

  • Norman Diamond (unregistered) in reply to Ross Presser
    Ross Presser:
    Nagesh:
    I am failing to understand who "Sophie" is in this story?
    Assuming this is a cultural misfire: "Sophie's Choice" and "The Full Monty" are both American movies. "Sophie's Choice" was about the impossible choice a woman had to make during World War II. "The Full Monty" was about a group of men stripping to make money after losing their jobs.
    Yes that's a cultural misfire: "Sophie's Choice" and "The Full Monty" are both British movies.[*] The question is what does either of them have to do with the story? Sophie seems to be Jim, but who are the children? Also if the Full Monty means to look at all three doors, what difference does it make which goat you sacrifice? The seasoning works equally well on all of them. I'm thoroughly confused.

    [* Intentionally half true and half sarcastic, to fight cultural misfire with cultural misfire.]

Leave a comment on “Limited Options”
