This community is my new hero!

[klfjoat.livejournal.com]

I'm back in the archive 240 posts and only to May!  Hi, I'm new here, and thought I'd introduce myself.  I have too many tech horror stories to even list, but I'm sure that I'll get around to them.  For background, I've been playing with computers for 19 years, and been employed in the computer industry almost continuously since I turned 18.  I currently work for a security company that specializes in security assessments for banks, credit unions, etc.


My biggest pet peeve is stupidity.  Now, when I tell stupid non-tech people this, their reply is usually, "well, not everyone knows as much as you about computers."  Yes, I understand this...  my complaint is not about IGNORANCE, but rather STUPIDITY. I am ignorant of a great many things...  economics, plumbing, programming, etc.  But I am not stupid. 


I have the greatest patience in the world for people ignorant of computers.  I once spent 45 minutes on the phone with the CEO of credit union consisting of 6 employees, explaining to her how to find the IP address information we needed to successfully scan her network and test her outsourced IT company. 


In contrast, I went on-site for a client credit union where the head of IT was an idiot.  This was the credit union for a company so large, I guarantee you've seen their commercials and know their name.  i.e., deep pockets for their credit union.  She had displayed some slowness before my visit, so instead of the usual 45-minute wrap-up (review, training, tools), I blocked out a full 1.5 hours.  The first step: reviewing the results of our testing.

I mentioned finding SomeDevice (I use Ruby, not $Perl ;-) on SomeIPAddress.  She asked how I found it.  I explained that when I scanned it using nmap, it told me what it was.  She said no, she wanted to know how I got the IP address.  I told her I ennumerated it.  She asked how.  I told her that I based it off my own IP address.  She again asked how I got SomeDevice's IP address using mine.  It took me a while, but I was finally able to explain to her that, given 192.168.1.20, I could just start trying 192.168.1.1,2,3,4,5... 254. 

She then asked if there was a way for her to prevent her users from doing that.  I explained that locking down software, as they had done, was the best way to go.  She said no, she wanted to know how to prevent her users from getting THAT (pointing to my IP address in the command window on my laptop screen).  I ask, "you want to keep your users from getting to the command line?"  No, she wants to prevent them from learning the IP address of their own machines, to keep it secret.  Again, I had to explain that knowing IP addresses was the cost of doing business on a TCP/IP network, and that there was no real way to keep them secret.

Flash forward 60 minutes, and we're still on the review.  I'm explaining that I grabbed a password using Cain & Abel to do ARP Poision Routing (APR). 

Me: APR is a little complicated, so we'll just skip it, but suffice it to say it means that...
Idiot: Do you mean to imply that *I* wouldn't understand it?
My thoughts: Considering you couldn't grasp the concept of counting 1 - 254, and want to keep IP addresses secret, no...  I doubt you'd understand the concept of Layer2/Layer3 resolution, and how to subvert it.
Me: ... (uncharacteristicly quick reply) No, it's just pretty complicated, and while I can use it, I still have a tough time explaining it.  *jumps right into an explanation before she can think I was blowing her off*
*intentionally flubs the explanation* Uhhh, yeah, this is where I get lost.  But you get the idea.
Idiot: *blank look, drool*
Me: *moves on to next issue*


The review was like this the whole way through, explaining Network 101, Server 101, and Desktop 101 concepts to someone who supposedly knew this stuff.  We got through that, and were halfway through the training when she had to go catch a plane.  She had told me she had *all day* for me, and had *nothing* else to do this day.  Apparently she forgot her plane ride out of one of the nation's busiest and most security-conscious airports, flying through some of the most secure airspace in the world.  Nah, not something I would remember about, either.


I've been in tech shops before where the name of one particular user/customer elicits a groan from every tech.  But this client's name elicits a groan from three different tech groups, along with management. 

Comments

[sethb.livejournal.com]

I once spent 45 minutes on the phone with the CEO of credit union consisting of 6 employees, explaining to her how to find the IP address information we needed to successfully scan her network and test her outsourced IT company.

If you want the IP of her externally-visible network, ask her for the URL and get the IP yourself. If you want the IP of the machine sitting in front of her (or at least the public IP it maps to), have her go to http://whatsmyip.org and read you the top line. What took 45 minutes?

[ptomblin-lj.livejournal.com]

have her go to http://whatsmyip.org and read you the top line

Ever heard of web proxies?

[klfjoat.livejournal.com]

I did not want the IP of her externally visible network (outsourced, not in scope of work), nor the external IP of her computers (already got her to read it off the network topology diagram she had in the first 5 mins).

The 40 mins was trying to have a non-techie read me every IP address and range on the network topology diagram and supporting documentation; then having her run ipconfig, ping, and tracert to figure out which IP's were actually hers and which were her outsourced vendors. We're not allowed to scan THEM, we can only scan HER network. But in these small credit unions, their networks will often be tied in with the same IP scheme as the private interfaces for the vendors.

For example: her IP might have been 192.168.5.37. But in addition to that, she sees 192.168.1.x, 192.168.3.x, and 192.168.100.x on her topology diagram. 1.x and 3.x are 1 hop away, 100.x is 3+ hops, therefore 100 isn't hers. Are 1 and 3? How do you check? At the time, I think I had almost a half dozen reasons why 1 and 3 might be hers (now I can probably come up with an even dozen), so I needed to check and exclude if possible to make sure we didn't run on someone else's network.

Finally, I needed to find and steal an IP address from her network to put into our remote machine, again telling her all of the static IP information I gathered about her network to put in it.

[knirirr.livejournal.com]

I use Ruby, not $Perl

Huzzah! A man of taste. ;-)

[superbus.livejournal.com]

Depends on if it's her own IP he needs, or failing that, if she's on a router with a consistent NAT. My entire workplace routes through the same IP, so if someone wanted to connect to us, for example, either we'd have to initiate a GoToMeeting, or we'd have to NAT an internal computer.

[canray.livejournal.com]

I had to explain that knowing IP addresses was the cost of doing business on a TCP/IP network, and that there was no real way to keep them secret.

Why, oh *WHY* are people so paranoid about IP Addresses?

Corporations I can understand, but INTERNAL IP Addresses are like OFFICE ROOM NUMBERS for frigs sake.

[wherdafux-d-cat.livejournal.com]

And that's why this person has taped over the numbers on all of the office doors. She's also, no doubt, marked out the phone numbers on all office phones. Just to be secure, you know.

[argonel.livejournal.com]

There is but one solution to idiot customers. Raise prices. Eventually either they will find someone cheaper to annoy, or you will be charging such ridiculous amounts that the idiocy won't bother you. Also make sure you charge an hourly rate, not a fixed fee.

[forever-damned.livejournal.com]

Some people, seriously, think that other people in the organisation can track what they are doing if they know their IP. Besides the fact that the sysadmin can, and in some cases probably is ;p

[forever-damned.livejournal.com]

The problem is, the company likes stupid customers, because they need help more often then the other customers thus making them cash cows.

That said, I can think of a few clients I wouldn't miss...

[klfjoat.livejournal.com]

Actually, I've found that there are as many rich idiots as poor ones... so raising prices would only help the company, but wouldn't help the tech.

[superbus.livejournal.com]

When I was brought into my company, it was to smooth over the transition period of us purchasing a large security provider based in the Northeast.

Now, some background about my company: We do what is called "Security in the Clouds", mostly for banks and credit unions (trust me, when the OP talks about idiotic heads of IT, I BELIEVE HIM; the head of IT at one company I deal with is really a receptionist!). This basically means our company maintains external firewalls for these companies, anti-virus and email scanning for multiple items (spam, viruses, content filtering in case some luser tries to send an SSN over unsecured lines), and other various services. I don't even agree with it - I think a bank should have their own IT department specialized for their bank, to be safe, because I simply cannot take care of hundreds of banks as well as they need to be taken care of - but that's how we work. And we bought a company based up in Massachusetts that did the same thing.

But for the most part, the people in Mass did things better. The firewall wasn't a convoluted mess, email was more streamlined, they had a much better staff-per-customer ratio, URL filtering for banks was done by Squid (my company uses Websense; Websense doesn't work well for ONE company, but when you try to run it for an enterprise, HOLY SHIT does it crap the bed; I hold together Websense with scotch tape, essentially), most of what the people in Mass did was a better way.

But one thing they did - and I wonder if it was a marketing ploy - was that IPs were NEVER to go over unsecured lines. Even some luser's internal IP of 10.10.10.whatever, that was either to have the first two subnets removed, or it had to go over secure email. And trust me, when these customers started to deal more with the new parent company, they were in for a rude awakening; you should have heard one tech arguing with some MCSE saying "no, there really is no danger with this...".

To be fair, I learned coming up that you NEVER EVER EVER gave away internals, because if some hacker HAPPENED to penetrate your external IP address, then the PIX, and happened to know where he was going, and the PC HAPPENED to allow remote connections, and he HAPPENED to have the authentication for this PC, and the Earth alligned with the Moon, why, that hacker could run that PC asunder! Now, I know better, but this is how a lot of people are trained, even by people inside the industry that should know better.

[klfjoat.livejournal.com]

a) since we work on opposite sides in the same industry, we probably know each other's company names, if not have clients in common. The bitch is that we can't talk about it. :-)

b) We've got one client contact... Title? "IT Manager/Teller". This doesn't count the disturbingly large number of places where there IS no IT personnel at all... everything's outsourced, and the VP of Operations (a banking position that runs day-to-day operations) is the main point-of-contact for IT issues.

c) Defense in depth... There's no reason to give out IP addresses to the external network. And we find that often. For example, Content-Location headers on webservers, SNMP on border routers, etc. But to try to keep internal IP addresses secret on the client's own internal network? Impossible.

[the-s-guy.livejournal.com]

It would if the tech was paid commission on top of salary.

[zastrazzi.livejournal.com]

Check out BlueCoat to replace WebSense. You'll thank yourself over and over, and management will bloody love you.

Having transparency for ssl communications is sweet *grin* Push company cert to hosts, bang. No more hidden encrypted traffic. We of course exclude banking/financial sites from scrutiny. Noone wants responsibility or visibility for *that* data.

That and their filtering is stellar. We have ~10,000 hosts behind a set of these. We just wccp 21,80,443 to the Bluecoats and the world is a happy happy place.

Cheers

[superbus.livejournal.com]

I'm personally a Squid man. You can configure it to do just about anything and everything you want to do, and best of all, it's free. That's what I've been recommending since I got to the company, but I'll definitely check out BlueCoat on my own time. Thanks.

[zastrazzi.livejournal.com]

Fair 'nuff ;) I'm a huge fan of OSS myself, and will generally lean in that direction first. I'm fortunate to work with a large company that is actually open to it.

We actually abandoned Websense a few years ago, as well as the NetCache products recently, in favour of Bluecoat.

Cheers!