Firewall Wizards mailing list archives

Re: RE: present day admin skills


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 10 Jan 2002 08:52:15 -0500 (EST)


For those that have contacted me off-list, in private, well, Bcc: is a
wonderful thing, and it's been used here for that purpose, to retain
anonymity of you people.

I've been stating these issues about poorly skilled folks ending up in
jobs requiring some level of competence for a few years, and replies like
this have been common in the past (I'm surprised only one has filtered
out of the present discussion this time). But, I have to say honestly,
while I can relate and understand this, to a degree, I have to say quite
plainly, and do not mean to sound too harsh, though it will come off as
harsh and biting;  I have little sympathy for these situations folks talk
themselves into being hired for.  It boils down to a point of passing the
buck and not taking responsibility.  Specifics inline:


  I think I can tell you why people act that way. I do a lot of similar
things during the day (doing things the hard way) because I don't have the
time to stop and learn something new, no matter how trivial, otherwise I
could never keep up with the workload. So I go with what I know works, even
if I know there is another possible way to do something (like using cron; I
don't know how to use it but do know that a scheduling command is
available). In addition to performing lite-weight audits (exams) of credit
unions (which is my real job), I am also in charge of all the systems at my
state agency where I work. True, only 9 people and 3 servers in the office.


Ouch!  First, not being able to read and comprehend is a serious issue to
have to contend with, for you and the state agency.  I worked just
recently for a company doing serious system audits, 800 servers and four
of us in the unix systems security department.  None of the others in the
group had any serious security experience, beyond some of the
administration chores they'd been doing for some time.  So, I learned to
mentor, a lot.  But that is beside the point here.

Ahh, yes, mentoring, passing on what I've learned to others.  It has only
served to further ingrain those skills and that knowledge deeper into my own
grey matter.  And is similar to raising a daughter, and finding how much
I've become my parents over the years...sometimes it's like trying to herd
cats, it depends upon the commitment of those I'm tasked to 'assist'...


      However, I know nothing about the Raptor firewall and yet I have a
Universal-Universal rule I need to fix since outside people are using our
licenses. Every once in a while, I have to start/stop the raptor service to
free up licenses. I wish I knew how to fix this problem permanently, but I
don't have time to read the Raptor manual, understand it, and then fix the
problem (and believe me, I have tried!). I can't convince the boss that it
is in his best interest to send me to Raptor training. You know how state
agencies are about spending money, even though it is only $120 for Symantec
training for 3 days. They can spare me the time, they can't spare the money.


First, I worked 3 jobs in a past life to put myself through what college I
did <250 credits with a major (developmental psych[0]) and two minors
<philosophy/religious studies and photography[1], talk about a workload>.
While doing that I learned that all my time was extremely valuable, and so
learned to use all of it and still retain those habits to this day:


manuals in the bathroom.  Yep, I even take them with me when on a jobsite,
or one of the industry rags I get to keep myself up to date.  I haven't
read a manual in a setting whence I've read only a paragraph or chapter at
a time in a lifetime or two...and I've yet had an occasion that I've had to
use the pages to finish up the task on the pottery under me...

I also tend to get so stressed with being overloaded and doing the work
of others at times that I need a bit of time to relax before my mind will
let me sleep, so, I got into a habit of trying to do a bit of reading just
before turning off the lights, for those few short hours of sleep.

I've been forced to learn new stuff, with a desk full of things still to
do and no worktime to learn in, so I had to keep those bathrooms stocked
with manuals and industry rags.  I actually like <love? my wife claims
she's got second place in my life and has learned to deal with my *real*
mistress> IT work, it has allowed me to maintain that college thing
about learning and experiencing new and different, as everything changes so
dramatically from month to month and year to year and one can never really
stay on top of it all.  Isn't it a shame some folks have to do a job
they hate?  Of course, I've learned to think a bit more before
volunteering, but, still take them steps forward, hand raised, while my
co-workers head off to the coffee room to gossip...

Secondly, if matters are this bad, $120 is a small price to put out of
your own pocket to save some face!  Damn, you must spend more than that on
a weekend at the golf course.  I know, I know, I'm being glib here and
taking advantage of your typo, having a clue, I'm sure you meant something
more on the order of $1200.  Yep, these training courses do cost a good
buck these days!  I remember when  folks like M$ and Novell were first
test driving their instruction sessions and certification processes and
begged folks to take them for free.  Now they tend to charge an arm and a
leg for these things.  And I guess taking a full Summer from the golf
course is too much to ask of anyone in management.  And the kids certainly
do need that trip to Disney World I guess.  I'm hoping to get there, if I
can ever afford to retire in 30 years <even at 44, it's 72 when they let
me take that route>, but, well social security is still not solvent, and
the feds are dipping into that again to pay for last year's tax
blunder....Well, at least it's not a SANS certification, damn
those prices went up faster than the national debt!

I've never had any formal training with computers.  I've taught myself
what I know, reading, and trial and error, and gleaned as much as I could
from those I have worked with and/or met and places like these mailing
lists and Usenet newsgroups.  I made it a commitment to try and be a
professional in the industry I work in, after all, it is my responsibility
to do so.  I learned to try and type as fast as I think and sometimes fail
to take the time to ispell my e-mails and such, often relying upon my
wife, when she has the time, to proof my documents.  And some have at
times tried to prick at me that this is a sign of a lack of education or
knowledge, it's really just typos, and I will admit, because I do not take
the time to ispell it all, *my* excuse for being a bit lazy, but, we all
are human after all and prone to such excesses <smile>.

I still have to work on the acre and a half here, and do them chores and
the daughter's school functions.  The family tells me life is *not* a
vacuum of work for sure...


      I also deal with "How do I do.....?". I am also the designated
Information Resource Mgr. I file the Computer Incident Reports monthly with
another state agency. I make final decision on spec'd hardware, deal with
the vendors, get the quotes, and everything else involving computer stuff. I
deal with the webserver.  Basically, they want a jack-of-all-trades but they
don't really understand why I don't know all the answers (they kind of do,
but they don't). And that means I have to go dig up answers for stuff that I
really don't have in-depth training for, so it takes me longer to find the
solution.



Vendors are fun, first rule of vendors, especially if something is broked
and more than one vendor's product might have the slightest possible impact
upon the problem;  it's the other vendor's product that is at fault, and it
goes down the line and round the circle till you get so dizzy...  I've
learned to keep them in separate corners and ignorant of one another's
existence till we can actually discover a point of failure, and focus upon
the real product/culprit<s>.  You know, -the usual suspects- kinda
perspective...




I've installed Linux of various distro's on personal machines at least 20
times over the last 6 years. I still can't fix a problem resulting from the
last install (startx during boot and get an error from kppp-Mandrake v8)
because I don't know how and I don't have the time to work on it while
trying to keep up with everything else. It's pretty much last on my list of
priorities right now.

I've read Unix in a Nutshell, didn't understand it.



Again, OUCH!  See above.  Unix in a Nutshell is a reference companion for
the most part, an addition to the man pages, which can be more terse, yet
the nutshell book supplies many examples, comprehension sure is an issue
here.  I'm surprised that any work is accomplished at this state agency,
in this department, being gov jobs tend to be tied to lots and lots of
documents and regulations and such (i.e. requires reading of them, and
comprehension of often that political/legal mumbo-jumbo doesn't it?  The 
rainbow series, I recall those discussions here, Marcus even had some
'kind(?)' words about them a time or two). I'm seriously wondering how a
job was obtained with these *issues*.  And really, I'm not trying to sound
harsh or like an asshole-SOB, but, I'm so shocked to be reading this.

Dang, Linux has so many documents for people to learn from and gain a
clue or further confuse, they try to cover so much with such old
documentation and change the format so often from the info stuffs to html,
/usr/doc/ can, if one does not watch themselves, allow you to get
lost for at least two to three months gaining clues and/or headaches.  And
after all, Linux does not require that X-gui, I'm seldom in it once a month
maybe, I know I've gone for six sometimes without having to touch it here,
depends upon what I need to do.  But, do keep the Linux box on the shelf
for now, you've really got other issues to *not* deal with adeptly...


I'm starting to work towards a CISSP and have scheduled myself to take the
test in about 2 years. Why so far out? Because I know that in order to get
thru the study material, feel that I understand it, and _have_the_time_ to
prepare myself, there is no other way I will make it.


Due to the issues you have outlined here, I'm wondering if two years is
enough time or if the task can ever be completed.  The dyslexia there will
require tutoring I fear.  I take it you planned on self study, being the
costs of the classes are not any cheaper than the raptor courses you could
not afford above.  By the way, who's footing the bill for the test?
That's at least a month on the golf course isn't it?



As has been mentioned before, IT departments are understaffed (especially in
government). I'd like to be able to do a good job but the workload and the
constant need to keep up with everything else is what holds me back.
Unfortunately, I do my best learning hands-on, but, as you can see, my days
and nights are not exactly free. And let's not even go into my personal life
demands. If you're married, you'll know what I mean. ("You never spend time
with me...")


Yes, I understand having a life, as does the wife and kid here, who often
have to go to family get-togethers without me, due to the fact I'm home
accomplishing the work that co-workers have not been qualified to
complete, similar to your examples in this posting, or I'm doing up
extensive spoonfeeding documents to explain things these people should
have known to get hired for the job in the first place, but, for some
reason, good-looks or something, it was not picked up by HR, the
preliminary technical interviews or the mgr's personal interview<s>, that
this is a person lacking skills required of the position.  This surely
explains statements that surprise me from various gov agencies like this
recent mention of the SANS weekly:

SANS NewsBites Vol. 4 Num. 02 Jan 9 2002;

 --8 January 2002  National Research Council Report: US Firms at Risk
Summary: "From an operational standpoint, cybersecurity today is far
worse than what known best practices can provide."
http://www.cnn.com/2002/TECH/industry/01/08/security.reut/index.html

News that has well been known and documented by most folks in this and the
various other security related lists for quite a few years, yet, only
comes to be acknowledged by gov agencies years after others have been
sounding alarms loudly for quite some time.  It certainly leaves one with a
*shudder* up the spine to know that the government can even function under
these circumstances, though, I'm sure many besides myself have plenty of
hands on knowledge of the ineptitude that often messes up our lives.  I
gained some of mine directly, while condemned for a period to supporting
the EPA for Lockheed Martin, they have a whole building of folks here in
my area, of way underpaid folks, similar to the level of skill-lessness
you document, who have just as much a lack of inclination to learn to be
functional.  What was interesting was that the EPA had a list of
requirements and qualifications so demanding, that if anyone actually had
those skills, abilities and experience, they'd make well over a hundred
grand or two a year!  Certainly not the 30-50k being offered.  So folks
learned it seems to pad resumes with fictitious skills so they could sit
in astonishment in the security staff meetings after the Yahoo and Amazon
DDOS events and the GAO's audit and compromise of their inside to home X
sessions wondering how it was accomplished.  Imagine their surprise when I
mentioned in those staff meetings how Mitnick used many of the same
exploits 15 or more years ago when he took over another gov employee's X
windows sessions to his household, while that employee was away skiing...

Of course the EPA had been considering a firewall for more than 5 years,
but, since it could not function in a secure manner to allow their X and
rsh connections to their home machines, it was shelved until something
'useful' could be put together.  Well, the GAO audit <publicly
presented in congressional meetings> twisted heads quickly and totally
forced the shutdown of any work for the EPA and its external clients for
a month or more, I'm not sure how long, I got a better offer and moved on
as fast as my legs would let me run!  I think they finally settled for a
gauntlet device and a few fw-1 systems, internally, to segment people
without clearances from data and information requiring them, but had not
yet thought of how to proxy e-mail and or http, and so had gaping holes in
what traffic they had to open up to function again...

Of course, when a Lockheed support person, like me, went to deal with EPA
folks needing a clue, they DEMANDED that EPA policy be sidestepped to
allow them to revert to the dreaded r* commands they knew, adapting to
encrypted connections was too much, it would require people to learn
something new!  

Ahh, yes, the government in inaction!  BTDT, never again without a ton of
gold to compensate for the frustration levels their regulations and BS
puts on a person...

Of course, I'm probably babbling here, from your perspective, please
forgive me and let me get back to the issues you document.



I feel like an old-time mainframe; "a timeslice (1sec) for this job, and
another timeslice (1sec) for this one, and another (1sec) for this....". And
for humans, that's not really an efficient way to get things done.

the reason 12 yr olds know the commands? they don't have anything else to
do. they don't work under a deadline for a living. they get to do it for the
sheer joy of learning. I'd love to go back to that way of life but who will
pay the bills, do the laundry, feed the cats, cook the meals, do the dishes,
keep up the maintenance on the house and mortgage?


And they have the gumption to actually go out and seek knowledge!  It's
amazing, but these kids have a willingness to learn, and will use all the
resources at their disposal to accomplish the chore, though, I do know
many adults that retained that ability to seek knowledge, in its various
forms and can even retain some of it, or at least take notes for when our
minds drift into the abyss of dementia...



I would gladly forgo a payraise just to be able to squeeze in extra time to
learn stuff. That learning will benefit me more down the road and keep the
stress level down.


Have you actually done that?  Asked that your raises over the years be
applied to educating you to actually become functional in your job?  Have
you taken on any of those two to four week yearly vacations, any of the
manuals that confuse you and either learn to read them or have someone
read them and explain to you what they are reading so that you can
actually do some of the work you have been tasked to do?

Another person replied to me on this posting off list and will remain
anonymous for that reason (even the Taliban can't beat his name and e-mail
address out of me.  Well, I'm sure anonymous would understand that
tempting me with one of those new fangled systems sporting Intel's new 2.2
gigahertz chip, able to play with the super duper DDRAM would be cruel and
unusual punishment and forgive me) with these words:

        Problem is that 'corporate culture' rewards stupidness:
        - the person in example one will get a 'great show award' for finishing
        task two within 5 minutes, and thus exceeding the users
        expectation.
        - the person in example two will get a 'great show award' for showing more
        than required dedication to the job

        Since [most!] management is so unbelievably stupid [or uneducated?]
        nowadays, they don't even know of options like scheduling, scripts and the
        like. They like to see their people 'busy' and that is what they get: busy
        looking people.

        What's wrong with this? Nothing I am afraid. This is the way corporate
        wheels turn.


I sadly nodded my head upon reading this, knowing full well the depth of
this observation.  And sadly read the words here you presented, knowing
our governments, state and federal, are surely in a poorer state.


geez, my simple response turned into a 2-1/2 page rant!



I know!  I'm wondering whom you got to take time out of *their* day to
type this up for you!  I hope it did not take too much of your hard earned
paycheck to compensate them.  I'm sorry to be so harsh here, but, I can
not offer sympathy to someone that does not even try.  It's this kind of
"commitment" to professionalism that makes my nights after work go onto
the wee hours of 4-5am before I can lay down for 2-3 hours of sleep before
heading back into the office to do my own work I'm paid to do.  That is if
the pager does not go off and I have to drop what little life I'm allowed
and rush in to deal with a manager, that did not read the screen updates
upon each login and the broadcast in his mailbox that the mail servers
were going down for a patch, and has called in an ***all points emergency
broadcast*** that he's unable to send his daughter an e-mail, telling her
that he's sending her that check so she can get her hair done for the next
frat dance coming up...

I guess it's time I buy a suit (have not had one for more than ten years)
and become a Mgr so I can take a break.  I love making those pretty
little graphs in Excel too!  I heard that if you stare at one long
enough though, or someone slaps you on the back for the great job, it 
will make you cross-eyed...Damn, and these blue-jeans were just starting
to fit nicely after 5 years of washing...


Thanks,


Ron DuFresne
<poor me!  removing tongue from cheekie now...>

[0] Had I not needed to go out and make a living, retrained myself for
this present lifetime, and gone on for a masters or higher (is one
really allowed to violate their own .sig?), I was all prepared to do a
thesis on duct-tape and a firm wall being the basis of raising a teenager,
in the later years one tapes them upside down so the blood flows to the
proper organs <seriously, the daughter here is a fantastic kid!>

[1] baptized catholic, confirmed Lutheran, annoying teenage jesus-people
<it was 'in' then>, Baha'i, and finally an agnostic human-being, you
should see the great pics I have of the crays of past and the co-workers
over the years, everyone needs a hobby.

P.S.  on a totally related cross-thread, circulating on and off-list
dealing with secure software and such <trying to save Marcus some time in
validating postings to the list, after-all, I have been partially guilty
of keeping his so darned busy lately> :  Has anyone heard the story about
the 'published' CISSP that decided cross-vendor ftpd's were less secure
than wu-ftpd and decided we should replace them with it?  No?  Well, let
me tell you a story about a man named umm, ahh, Jed, yes, we'll call him
Jed for this little ditty.  Anyways, while auditing those 800 systems
mentioned above, we discovered that vendors' ftpd's of various platforms
were not being maintained in any sort of secure fashion and violated
corporate policies all over the place.  So Jed, who had the ear of a
biggie in upper mgt. decided that wu-ftpd was the way to go, never mind
its history (anyone recall the Bugtraq thread two years back "WuFTPD:
Providing *remote* root since at least 1994"?), 2.6.1 had to finally cover
all the bases and be 'stable'.  I do have to admit, the one good point
would have been a standard implementation and single configuration across
platforms.  I know, I know, but, no one would listen to me, and scp would
have created those issues of having to learn something different, and
getting sshd1 on servers took like forever, no one wanted to hear about
sshd1 issues and sshd2, well, it required those learning issues for admins
to relearn configurations they had not yet fully understood with sshd1.
Well, I spent the last two weeks there, before the economy went kaput
(prior to 9/11 which only served to accelerate the decline, certainly was
*NOT* the cause of its current condition), trying to inform folks that
most of the vendor implementations had the same configuration capabilities
as wu-ftpd, but the problem was no one had read any documentation nor had
a clue about the capabilities, 'cause open access ftp was, well, just
easier.  <we don't need no sinking configuration> Never mind that since
then there have been problems found in wu-ftpd 2.6.1.  I do not know if I
ever made a point or if anyone ever did or will get a clue, but,
certifications really are great eh?

P.P.S.S.  Having broached the topic of economics a few times here, I think
I'm entitled to enter it into further evidence.  So, if anyone knows of an
opening in the RTP area down here, and does not mind a cynical-BOFH that
doesn't mind cat-herding.  Hell, I don't mind travel <even up to 75% if
required>, as long as I can get home weekly or bi-weekly, well, it's not
going to be as sweet as it was a few years back when I did the Sunday to
Friday thing between mpls and boston <RTP now, I've relocated>.  Let me
know, I really could use a new paycheck and promise to do my best to earn
it!  And if you really wanna force me, I'll even go buy a suit.  Marcus
needs the break (please, keep me too busy to post to the sec lists) almost
as much as I could use the paycheck...the P.S.'s demonstrate the ability
to consolidate, yes?

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

