The Nightmare Continues

For those of you who haven’t read the previous “nightmare” entry at http://sysadmin.ncphotography.com/2010/09/07/a-nightmare-before-friday/, this is a continuation of that saga.  You may be aware that a prestigious cancer researcher was recently demoted and had her salary cut by almost 50% (http://www.databreaches.net/?p=14479, http://www.databreaches.net/?p=14547) for being negligent in securing her project’s data.  This situation is arguably worse – the idiot programmer in question actively handed out the hostname, username, and password to the entire world.  His argument will be that he locked down the database to UNC-only connections, but let’s be honest here – it’s trivially easy to walk into one of the UNC libraries, find an open port, jack in, and sniff for an available IP address.  Heck, all you really need to do is find a weak machine somewhere and exploit it, then you’ve got immediate access to this database through a bounce-box.  You could even just spoof the IP you’re coming from – it really is just that easy!

Well, in light of the mammography study issues, I reiterated my concern to my boss.  The response I got back was that he has raised the issue with the programmer, and been told that it’s not an issue.  And nobody’s concerned!  Not one of them is worried at all about having hostnames, usernames, database names, and passwords out on the Internet, available anonymously from SourceForge to the entire world!  I’ve raised this issue with the departmental security person (he’s at the “dean” level of things, so fairly high up) and with my boss, and nobody wants to do anything about it.  Even after the mammography thing, they don’t get it…

I am out of options.  I can do nothing further to warn them of this disaster waiting to happen.  I feel like I’m standing alone on the borders of the Roman Empire, shortsword in hand, watching the Goths mass just beyond bowshot, listening to the banquet the rest of the legion is partaking of and telling me to stop worrying, that no group of natives could possibly breach the fort’s defensive walls.  Hearing the mangonels being built, but not able to see them, not able to make anyone believe.

Why are so many people in the computer industry (be it corporate or academic) so blindly incompetent?