[return to "IoT hacking and rickrolling my high school district"]
1. jimt12+1C 2021-10-12 23:40:06
>>revico+(OP)
Working in IT/tech for a school district is the worst. My experience from many years ago - around 2002, I think:

1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."

2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."

3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)

4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"

5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.

6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"

7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )

8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.

9. About 6 months later, I quit.

2. javajo+3l3 2021-10-13 20:02:39
>>jimt12+1C
People respond to incentives, and "fast-to-react" is easier to measure than "wisely proactive" in at least two ways. First, the risk is no longer theoretical; the damage was measured. Second, the fix is easy to measure: spend $X dollars on Y firm on date Z. This is all nice, easy-to-understand evidence of a manager doing their job.

Alternatively, you have staff pointing out a possible flaw. That staff's time was already allocated; their noticing a flaw is a) taking time away from their allocation, and b) tacitly critical of decisions made above their pay grade. And even if they are right, the manager won't get credit for prevention, and in fact will get punished for "wasting" resources in an ad hoc way, rather than what they were acquired for.

It is depressing in the extreme to work for such an organization, and you were right to quit, because over time these perverse incentives will start to shape you whether you like it or not. The very idea of owning your work, of caring about real-world outcomes, becomes anathema as a matter of survival. You have to exist, along with your org, in a checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice, mode. It's safe and comfortable for the body; it is deadly to the soul.

3. ironma+ui4 2021-10-14 04:48:25
>>javajo+3l3
Just in case any onlookers need it spelled out, the phrase “easier to measure” in this case is vastly different from “better.”