• (cs)

    Secure development environments are frustrating as hell. One of the biggest problems is that on a project where everyone has a TS clearance, they don't segment properly... they put everything in the TS category because it doesn't matter. Everyone has it.

    Then you hire someone, and they can't access anything.

    If the existing people would just stop and think long enough to keep some work items unclassified, new hires would at the very least be able to do SOME work. I never could get much accomplished at that point in my career, though... it took about ten years in the field before I could start throwing my weight around and expecting to effect change rather than just get fired.

  • my name is missing (unregistered)

    Your best bet is to not work at any place that doesn't allow you to work. Unless of course it's at $100/hr and access to the web.

  • pfarrell (unregistered)

    How does one go about getting security clearance? Do you always have to have a sponsor agency? Anyone here gotten clearance?

  • Timothy Baldridge (unregistered)

    My only consolation in this situation would be knowing that the next batch of contractors wouldn't do much better.

  • (cs) in reply to pfarrell

    If someone does, they couldn't tell you, or they'd have to kill you.

  • (cs) in reply to Tukaro
    Tukaro:
    If someone does, they couldn't tell you, or they'd have to kill you.

    Shit! I forgot about the "if I tell you" part, and went ahead and killed him for asking.

  • Hyuga (unregistered) in reply to pfarrell

    I'm in the process of getting clearance. First, somebody in the company has to rise up and say, "This guy needs clearance!" Then they go to the agency that's sponsoring the clearance, and that does make a big difference because different agencies have different requirements. Mine just so happens to be a bitch.

    For example, they require a polygraph. I'm not even going to go into the particulars of that--but basically they know it's not accurate for detecting lies. It's more of a form of psychological torture that they put you through.

    But anyways, I failed my first polygraph, which is common. They scheduled a new one for me (yes, they just schedule it, without any consultation). Unfortunately they scheduled it for a time when I already had vacation planned, so I had to ask them to reschedule it. About 3 months later I still hadn't heard anything back from them, so I finally made a few phone calls and within hours I had a new one scheduled. I guess they had just forgotten about me.

  • Working Contractor (unregistered)

    In the second story, it sounds like there was a serious communication disconnect between dev, IT & management.

    What? The dev dept couldn't say that productivity was down because IT hadn't done sh*t to install development tools?

    And what was the company doing to prepare for the contractor during that 6 week down-time before the contract actually started?

    Sheesh! I hope that company has either gone out of business or has a branch in the Seattle area. :)

  • KG2V (unregistered) in reply to pfarrell

    Yeah - used to have a secret clearance - oh, 20+ years ago. Yes, you have to be sponsored for it - and when you leave the job where you got the clearance, unless you move directly to another job requiring clearance, your clearance is terminated. If you are then hired by someone that needs you to have clearance, you have to go back through the process - the GOOD news is that it's faster, as they only have to investigate back to the date your last clearance was granted

    Joke? Only had to use it once, and I got the official notice that what I worked on was declassified 2 weeks later...

  • Anon (unregistered)

    Why not just put a clause in your contract that states:

    If the required development tools listed below are not delivered within the first week of employment then Agency XYZ will release the contractor and will compensate him $XXXX.XX.

    Can you not do this with government agencies? What happens if the government breaches its contract? You can't sue them as far as I know...

  • whicker (unregistered)

    security clearance agency background investigation roadblocks administrative security purposes

    blah blah blah

    The real WTF is that Rubik's Pentacube. That and the fact that it's actually a real product.

  • Working Contractor (unregistered) in reply to Anon
    Anon:
    Why not just put a clause in your contract that states:

    If the required development tools listed below are not delivered within the first week of employment then Agency XYZ will release the contractor and will compensate him $XXXX.XX.

    Can you not do this with government agencies? What happens if the government breaches its contract? You can't sue them as far as I know...

    That's not exactly true. The government decides if you're allowed to sue them or not. Many people sue the government and win, but first they have to have "clearance" to sue. :)

    Captcha: riaa - NICE!

  • Ubersoldat (unregistered)

    The Real WTF is that he's using Visual Studio. Grab a pendrive and install some Linux on it. At least you could have been playing Tuxracer XD

    SMILE is what I do every time I get paid for developing in Linux

  • Language feature abuse is cool (unregistered)

    I suspect that if I were placed in that position, I would spend that last day creating an invoice for the 6 weeks of unpaid lead time, itemize it under "Wasted Time and Lost Opportunities", possibly tack on a bit more for a "Termination in breach of contract terms" fee, and plonk it ceremoniously on the CTO's desk on the way out with a polite goodbye... after all, there's no reason to go burning bridges over things like that ;)

  • Kozz (unregistered) in reply to Ubersoldat

    Removable media? In a high-security environment? Not likely.

  • (cs)

    On my first job when I first turned on my computer I found it was password-protected. But it was an Ubuntu machine and on the desk lay a bunch of LiveCDs. I could have called the admin to tell me the password (after calling the previous owner and asking for it) but the easier solution for me was booting from the LiveCD and manually adding a new superuser. The guy who used that computer before me arrived to collect his personal belongings and at first thought I'd reformatted the machine! He knew that he never told anyone his password and had a really puzzled look on his face.

  • nobody (unregistered) in reply to Language feature abuse is cool
    Language feature abuse is cool:
    I suspect that if I were placed in that position, I would spend that last day creating an invoice for the 6 weeks of unpaid lead time,

    Where did it say he was unpaid? It would be a WTF if he spent time looking at non-sensitive docs and didn't get a paycheck.

  • Franz Kafka (unregistered) in reply to KG2V
    KG2V:
    Yeah - used to have a secret clearance - oh, 20+ years ago. Yes, you have to be sponsored for it - and when you leave the job where you got the clearance, unless you move directly to another job requiring clearance, your clearance is terminated. If you are then hired by someone that needs you to have clearance, you have to go back through the process - the GOOD news is that it's faster, as they only have to investigate back to the date your last clearance was granted

    Joke? Only had to use it once, and I got the official notice that what I worked on was declassified 2 weeks later...

    My understanding was that the clearance had a 2 year expiration date - if you jump into another cleared position within 2 years, you're still cleared.

  • (cs) in reply to Kozz
    Kozz:
    Removable media? In a high-security environment? Not likely.
    At my place, we have two dedicated rooms for secure private transactions. Each room requires a card swipe for entry to the main "common" area. Beyond that, there are individual walled-off sections with locking doors for privacy when performing highly secure private transactions.

    Um, wait a minute, those are the men's/ladies' rooms...

    The level of security and the type of environment are all relative.

    When in college, I used to work at Banker's Trust. Specifically, I worked in the room where they kept all the stock certificates. Everything had to be physically locked in the safe at night, but during the day, the stock certificates were all over the place; we used to use them as placemats when we ate at our desks, and nothing could have prevented us from accidentally folding one up with the garbage from lunch, and tossing it (it happened more than you'd want to know).

  • (cs)

    Alex's and Steven's experiences are very common. One reason is that IT departments seem to be incredibly good at dragging their feet. Another is that some overzealous twit, either in IT or management, thinks contractors are evil morlocks who do nothing but steal company assets and drain office coffeemakers, therefore they must not be given access to anything ever. (Actually, considering how sloppy and indiscriminate contract pool companies have become with making placements in the last five to ten years, such company paranoia is starting to make a little more sense.)

    I have noticed that people who choose to be contractors rather than seeking salaried employment are in the habit of taking their laptops to work. It doesn't get them access to the code base or database, but at least they don't have to wait for IT to give them basic development tools.

    As for clearances... that's entirely in the government's hands, and it's treated like a force of nature: you can't make it faster, and you can't really make it move except how it wants to move. Some take years.

    Alex is right that if a project requires clearance, they were unwise for hiring people who aren't cleared. Except, as Alex also pointed out, it's damn near impossible to find cleared people who aren't already employed. And we all know that competent programmers, cleared or uncleared, are a small percentage of the total offering, and considering cleared programmers are a small pool already, that leaves few to no choices. So companies have come to accept that the only way to find cleared people is to create cleared people. Even though it takes years.

    So the clearance thing is a pain but unavoidable. Steve's neglect by IT was fully avoidable, is disgustingly common, and is a true WTF.

  • (cs)

    WOW. Two stories in one!

  • SteveyDevey (unregistered)

    A Regional dialect of Esperanto! That made my day.

    Tamen, mi dubas ke vi faris ĝin. [Esperanto: "However, I doubt that you did it."] :D

  • Judge Mentok the Mindtaker (unregistered)

    I don't understand why you didn't just:

    Download standalone executables (like nmap and putty) and start figuring out how to actually do your job.

    When I get to a place the first thing I usually do is make sure I can break all their security measures.

    Even in something as low-pri as financial or media licensing there is usually a TON of 'security' that has to be busted through.

    Think of it this way: People lock their doors because they expect it to keep people from kicking their doors in.

    Diebold doesn't say anything about bazookas, does it?

  • Judge Mentok the Mindtaker (unregistered) in reply to Ubersoldat

    YESSSSSSSSSSSS

  • (cs) in reply to snoofle
    snoofle:
    Kozz:
    Removable media? In a high-security environment? Not likely.
    At my place, we have two dedicated rooms for secure private transactions. Each room requires a card swipe for entry to the main "common" area. Beyond that, there are individual walled-off sections with locking doors for privacy when performing highly secure private transactions.

    Um, wait a minute, those are the men's/ladies' rooms...

    The level of security and the type of environment are all relative.

    When in college, I used to work at Banker's Trust. Specifically, I worked in the room where they kept all the stock certificates. Everything had to be physically locked in the safe at night, but during the day, the stock certificates were all over the place; we used to use them as placemats when we ate at our desks, and nothing could have prevented us from accidentally folding one up with the garbage from lunch, and tossing it (it happened more than you'd want to know).

    That is only in 'private industry'. In the US Federal Government environment there are VERY SPECIFIC classifications with explicit rules. When you are granted a security clearance you, essentially, sign a contract with Uncle Sam and can be jailed for violating that contract. It is true that in any Classified area (beyond FOUO, maybe) (i.e. Secret or TS) no portable media leaves. You can bring a thumbdrive or cellphone in, but it then becomes a part of the facility.

  • (cs)

    I have a friend who set up and maintains one such system. ANY use of a media drive or any transfer of files to a computer sets off multiple pagers, locks the account and alerts security (armed security, not rent-a-cops). Everything has to be done over the network on secured lines and it's completely separate from the rest of the systems at the company. Even set up with their own isolated firewalls and servers and different passwords within the company so none of the equipment is accessible to the regular IT department.

    I just can't imagine working in that type of environment, although the paycheck probably makes up for the inconvenience.

  • (cs) in reply to Ubersoldat
    Ubersoldat:
    SMILE is what I do every time I get paid for developing in Linux

    You'll get over it. It's the rarity of the experience that delights.

  • Cabinet Sanchez (unregistered) in reply to Shial

    You'd think that people in high security jobs would make good money but the pay in government tends to lag behind what they'd get as a contractor (except in those rare "realignment" years). I used to work at such a facility and thought that I was making good money until I realized that I could leave, become a contractor, do work that I actually was interested in, earn a lot more money, and actually make a difference.

  • Corporate Cog (unregistered) in reply to pfarrell
    pfarrell:
    How does one go about getting security clearance? Do you always have to have a sponsor agency?

    Yes. And even then you get the lowest possible clearance. In my last job I think I had the lowest one possible. It was only necessary because I had access to live SSNs.

  • Steve (unregistered) in reply to ParkinT
    ParkinT:
    It is true that in any Classified area (beyond FOUO, maybe) (i.e. Secret or TS) no portable media leaves. You can bring a thumbdrive or cellphone in, but it then becomes a part of the facility.

    Step 1: Collect a bunch of burnt out and/or obsolete (4kb thumbdrive anyone?)

    Step 2: Cart the pile into a secure facility

    Step 3: ???

    Step 4: Profit!

    There's got to be some process for removing items from a secure facility eventually, doesn't there?

  • anonymous (unregistered) in reply to Steve
    Steve:
    ParkinT:
    It is true that in any Classified area (beyond FOUO, maybe) (i.e. Secret or TS) no portable media leaves. You can bring a thumbdrive or cellphone in, but it then becomes a part of the facility.

    Step 1: Collect a bunch of burnt out and/or obsolete (4kb thumbdrive anyone?)

    Step 2: Cart the pile into a secure facility

    Step 3: ???

    Step 4: Profit!

    There's got to be some process for removing items from a secure facility eventually, doesn't there?

    I know that there was something about melting hard-drives with a lot of thermite...sounds like a fun job

  • Loren Pechtel (unregistered)

    Suppose it was an IT division plot to get rid of contractors?

  • (cs) in reply to Steve
    Steve:
    ParkinT:
    It is true that in any Classified area (beyond FOUO, maybe) (i.e. Secret or TS) no portable media leaves. You can bring a thumbdrive or cellphone in, but it then becomes a part of the facility.

    Step 1: Collect a bunch of burnt out and/or obsolete (4kb thumbdrive anyone?)

    Step 2: Cart the pile into a secure facility

    Step 3: ???

    Step 4: Profit!

    There's got to be some process for removing items from a secure facility eventually, doesn't there?

    It's called an industrial shredder, and it makes for very quick and hassle-free removal. You might not have much use for what comes out though.
  • hexatron (unregistered)

    I had a secret clearance in the 1960s, fresh out of grad school. I got it in two weeks. Other people hired with me took months. I think it was because of the transparency of my answers:

    What were your addresses for the last 9 years? New York, Kansas, various addresses.

    List all relatives living behind the iron curtain. I have many relatives living in Poland, Romania and Russia.

    If you give them nothing to investigate, the investigation goes more rapidly.

  • verisimilidude (unregistered) in reply to Steve
    Steve:
    There's got to be some process for removing items from a secure facility eventually, doesn't there?
    Either it goes into the shredder or it waits until the whole place gets decommissioned.
  • Language feature abuse is cool (unregistered) in reply to nobody
    nobody:
    Language feature abuse is cool:
    I suspect that if I were placed in that position, I would spend that last day creating an invoice for the 6 weeks of unpaid lead time,

    Where did it say he was unpaid? It would be a WTF if he spent time looking at non-sensitive docs and didn't get a paycheck.

    The first and second paragraphs...

    Through the four-week interviewing process, they assured me that I’d be able to start immediately. This was important to both of us, as I was out of work and they had a huge developer shortage. Their offer letter, however, told a different story: my start date was a full six weeks away.

    Try as I might, they refused to push the start date closer. Apparently, they had to “prepare for my arrival” and perform “background checks” just to make sure my story checked out. I wasn’t too thrilled to have another unpaid six weeks, but agreed and stuck around.

  • Martin (unregistered)
    In the second story, it sounds like there was a serious communication disconnect between dev, IT & management.

    What? The dev dept couldn't say that productivity was down because IT hadn't done sh*t to install development tools?

    They did, but the CTO was not listening. I once had a boss who demanded a change to an application for which we did not have the source. I explained why it cannot be done. The only answer (even after further explanation): "Just do it! I do not want to hear your excuses anymore!"

    Sad thing, those people. Very unprofessional.

  • Trix (unregistered)

    The most ridiculous part of the whole scenario was the piss-poor manager. If I had a manager that didn't advocate for me, or enable me to do my job, I'd be out of there on general principles.

    What the hell was she doing while this guy was logging calls to the Helpdesk? Writing out her management procedure instructions in Notepad? 1000 lines of "I must chuck my staff in the deep end and let them drown - I must not bother the Helpdesk because of course my important project has no priority - I must not go and pound on the CIO's desk about the situation, because then we might actually get to do something"? At the very least, the workstations should have been prepared with the correct software before the contractor arrived onsite.

  • Matt (unregistered) in reply to Shial

    No. Consider that the paycheck for people in classified lines of business is usually government money (see: taxpayers) which is spent not in paying employees, but in fueling inefficiencies.

  • Kurt (unregistered)

    Many jobs of this sort are found in the military complex, especially for mil contractors. Their goal is not in fact to work on building sophisticated equipment and software, but in fact in doing the absolute minimum necessary to retain lucrative gravy train contracts. So long as the work remains to be done, they can bill on the contract, but the moment the work finishes, then so too does that revenue stream.

    I suspect that the contracting company doing the background-checks likewise has a similar contract - "hey, it took a lot of hours to find out that this guy got a speeding ticket when he was seventeen!" - and since it's a fairly minimal chance that anyone would even bother to double check (unless, of course, the applicant looked vaguely Middle Eastern and so was guaranteed to be an Iranian Al-Qaeda terrorist) it's likely that most of the investigation probably took place at a bar, a race track or a night club of one sort or another.

    Personally, it's a self-correcting problem. Eventually, such companies and agencies can only attract the very new, the very naive, or the very unimaginative, and not surprisingly, very little good code gets written as a consequence.

  • PseudoNoise (unregistered) in reply to SteveyDevey
    SteveyDevey:
    A Regional dialect of Esperanto! That made my day.

    Tamen, mi dubas ke vi faris ĝin. [Esperanto: "However, I doubt that you did it."] :D

    Dammit, I came in here to say that The Real WTF (tm) was that the whole point of Esperanto was to eliminate the need for local dialects.

  • gonchuki (unregistered) in reply to verisimilidude
    verisimilidude:
    Steve:
    There's got to be some process for removing items from a secure facility eventually, doesn't there?
    Either it goes into the shredder or it waits until the whole place gets decommissioned.
    sounds like more fun stuff for "will it blend?" ^_^
  • chaz (unregistered) in reply to whicker
    whicker:
    The real WTF is that Rubik's Pentacube. That and the fact that it's actually a real product.

    Nope, that's the Professor's Cube: http://en.wikipedia.org/wiki/Professor%27s_Cube

  • chaz (unregistered) in reply to chaz
    chaz:
    whicker:
    The real WTF is that Rubik's Pentacube. That and the fact that it's actually a real product.

    Nope, that's the Professor's Cube: http://en.wikipedia.org/wiki/Professor%27s_Cube

    Er, I uh ... totally mis-read what you wrote, whicker. Sorry...

  • The Real WTF (unregistered) in reply to CDarklock

    Just how much were you getting paid to securely do nothing for a year? Damn, man, why not renew that contract? Can you even get an easier job than that?

  • Nex (unregistered) in reply to Judge Mentok the Mindtaker

    Because at this type of place, "making sure you can break all their security measures.." could get people killed and most likely will end with your dumb ass in jail.

  • seebs (unregistered)

    Wow. I was really annoyed that it took me two weeks to get fully online at $DAYJOB. By the afternoon of my first day, I had a copy of the source tree on a spare workstation a coworker lent me so I could look at things. I still didn't get much done in that first week -- and no one gave me crap about it, because they knew that it took a while to, for instance, get a new workstation ordered, delivered to IT, configured, and then shipped to our office in another state. My access to various systems took a variable number of days to set up, but once again, I was able to hang out in internal IRC on day 1.

  • rumwrks (unregistered) in reply to CDarklock

    developing for FreeBSD is even better... but that's been a while.

  • masonReloaded (unregistered) in reply to seebs

    shit - I work at a medium/large-size company, and when I was on the helpdesk (I have since moved to another dept) if ANY user - salesperson, developer, customer service, anybody - didn't have their computer set up and ready for them to rock'n'roll first thing on their first day their manager would give us hell until it was ready - if that meant we would sit and build it while they waited we would do it. If it takes that long to get dev tools to a contract developer, then they either have a) Lazy helpdesk staff or b) Very poor methods/systems for installing software - they should have either a standard image for devs or a system like SMS to push the right applications to the right users.

  • (cs)

    That was a damned long winded post. I guess Alex was concerned that Certain Federal Agency might object to his talking about them in this manner, so he wrote a long post in the hopes that it would take them another 6 months to read all of it.
