Forgot your password?
typodupeerror
Linux Business Technology

Replaced by Outsourcing -- What's a Geek to Do? 1166

Posted by Cliff
from the disturbing-trends-in-the-market dept.
SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

  1. Perform Network Vulnerability Assessment
  2. ?
  3. Profit! (Sell Outsourced product)
Looks like they came up with an actual step 2:
Label anyone who is responsible for network security as the risk, and get them fired.
I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"
This discussion has been archived. No new comments can be posted.

Replaced by Outsourcing -- What's a Geek to Do?

Comments Filter:
  • by Anonymous Coward on Friday December 19, 2003 @12:14PM (#7764834)
    The managers and CEOs of this country have no idea about how to make router connection or how to correct a line of code in their payroll systems.

    I'm on call 24x7x365 while the CEO sleeps.

    The none technical types need to understand where info power resides.
  • Easy solution (Score:5, Interesting)

    by IGnatius T Foobar (4328) on Friday December 19, 2003 @12:16PM (#7764859) Homepage Journal
    Easy solution:

    Get a job working with an outsourcer. Duh.

    "Services" is where the IT business is going. And yes, there are outsourcing companies in the USA and various other non-India, non-China nations. Skilled, flexible talent is very valuable to a services company. And it's satisfying work because you're not stuck with one environment all the time -- you get to play with lots of different customer environments, picking up new skills along the way.

    Basically, what I'm saying here is, quit whining. Make yourself a valuable person and you will find employment. And don't rest on your laurels, either: you have to constantly adapt and pick up new skills.

    Now I shall sit back and wait to get modded down by the unemployed, disgruntled Slashdot hive mind, but my position on this issue stands.
  • by sphealey (2855) on Friday December 19, 2003 @12:19PM (#7764899)
    That really sucks, but I doubt there is anything you can do. Except learn. Next time you need to be the bigger bastard [slashdot.org] than they are
    He might have a libel/slander case against the outsourcer. Worth talking to a lawyer about anyway.

    sPh

  • by QuackQuack (550293) on Friday December 19, 2003 @12:20PM (#7764926) Journal
    I work for a software company. After many months of people having a hard time getting interviews, and very few leaving for other jobs. In the past three weeks, suddenly we had seven people announce they are leaving for new jobs. I have a friend who was recently laid off from another tech company a couple of weeks ago. He's had quite a few interviews already.

    Things seem to be looking better out there. New jobs will replace the old ones lost.
  • by PureFiction (10256) on Friday December 19, 2003 @12:21PM (#7764949)
    You didn't mention any specific vulnerabilities that were directed against you in this audit. Were there any legitimate holes that you overlooked or was most of the report fabricated?

    Security is a complex task in any environment (from physical threats, unknown vulnerabilities, social engineering, misconfiguration, etc) and the increased size and complexity of networks and systems means this problem will only get worse.

    Having what sounds like a single security / administrator handling a financial computer network does sound risky to me personally (but maybe you were just singled out among you coworkers?)

    Your comment about telecommuting is a good one though. No longer requiring physical presence to do a contract or work some other position could free you up for additional tasks at other companies bringing your overall salary to a decent level.

    Both parties get what they want in the deal; businesses with inexpensive, on demand services; engineers working an efficient schedule for multiple clients (thus good wage despite lower prices on individual jobs)

    I'm not sure what kind of reputable engineer you would need to be to pull this off. Liability is going to be the major sticking point on any contract or work-for-hire (until you get a proven track record of completed, functional projects)
  • by Broadcatch (100226) on Friday December 19, 2003 @12:24PM (#7764978) Homepage
    I was "outsourced" two years ago and after 25 years of seamlessly moving between companies with never once even writing a resume, I haven't been able to get back into the market.
    • the good : I've had lots of time to play with my 2 year old son
    • the bad : I've got a family to feed
    • the ugly : I'm learning that experience in the industry hurts ones chances te land a job, as we're considered "too expensive"
    I've found a few consulting gigs to help, but now I'm moving out of the Bay Area - can't afford to live here anymore.
  • Re:I don't trust you (Score:3, Interesting)

    by bmj (230572) on Friday December 19, 2003 @12:29PM (#7765058) Homepage

    I don't trust you to work from home. You will just watch Scooby Doo.

    'Tis true, but a company in India has tons of programmers in cube farms (at least that's what they tell you), so the PHBs feel more secure knowing their new programming staff is being directly managed.

  • by Anonymous Coward on Friday December 19, 2003 @12:29PM (#7765065)
    I'd say he should contact his former employer and offer to perform testing of the outsourced security system as a consultant -- after all, he knows those systems as well as anybody else. Then he should try to hack the system -- since he's working as a consultant, it would be legal to do so.

    Then when he's able to hack in through the outsourced security system, he should state that the outsourced company's report was right -- a disgruntled former IT person is a big threat, but since he knows the tricks he'll know how to counteract that threat.
  • by Cragen (697038) on Friday December 19, 2003 @12:30PM (#7765086)
    On what grounds were you labeled a major security risk? Publish them here, please. Verbatim. We don't know a thing about you, your company, vendor, etc. It is possible you WERE a major security risk. I do not think we should assume innocence or guilt until we have seen something in "writing". We have not seen any of that, yet. I think everyone should hold off any assumptions either way until more info is brought to the table.

    *cragen

  • by Anonymous Coward on Friday December 19, 2003 @12:31PM (#7765104)
    The outsourcing company's argument is fairly simple...

    If inhouse IT causes a security failure (or worse actively compromises something), you have no recourse but to fire them. One can take them to court, but it will be difficult to get any signifigant damages out of an individual. Switch to outsourced security analysts and you get a big corporation to sue should things go wrong.

    This has nothing to do with the quality of service, rather it's the ability to do damage control in situations potentially damaging to the company.
  • Re:You were set up (Score:3, Interesting)

    by kevlar (13509) on Friday December 19, 2003 @12:32PM (#7765115)
    Yes, Name the names. Inquiring minds want to know. Post anonymously if necessary.
  • Auditing... (Score:3, Interesting)

    by softspokenrevolution (644206) on Friday December 19, 2003 @12:34PM (#7765151) Journal
    Now, here's something interesting. A little bit back, if you recall, there was this big scandal with a large energy corporation called Enron. Now, it seemed that they were cooking their books like there was no tomorrow (which in fact there wasn't). A big part of the problem is that they were using their auditing company as their general financial friend too. What does this have to do with your problem?

    Simply put, the idea of a third party review of anything is to get a clear and objective review of whatever is being audited, whether it is a company's financial dealings or it's network security. Now, was your company's third party review objective, no.

    I don't know the details, but from your post I do know that the company doing the auditing had a financial interest in giving your network security team a bad grade.

    On the bright side of it, the people you worked for seem to be missing the point of auditing (which probably means that they missed that day in Business school or that they are stupid). I mean, a 'financial institution', you would think that they would have learned the lesson of the past few years.
  • Re:Easy solution (Score:5, Interesting)

    by haystor (102186) on Friday December 19, 2003 @12:34PM (#7765155)
    Yea, become a consultant. You've already got one business in your rolodex that will buy a product from the same person inspecting whether they need that product.

    What I'd do is file for unemployment immediately. This would be good to find out if they claim they fired you for cause. In Texas at least, if they want to make that claim, it has to be done in writing which means they would have to commit to those statements. If you wanted to pursue it, you could eventually find out why they say you were fired. Likely they will just take the hit on their unemployment insurance and not contest your unemployment.

    If you think that something was a little bit shady, like a manager getting a kickback from the consultants you might try to use your current contacts to feel that out. Unlikely you'll find out anything there but if you do you could be a real bastard about it.

    I ran into a situation where I was hired by a business consulting group to do some work they normally didn't do. I had contract signed and everything when they never called back with a start date. After two weeks of expecting a firm date, I called them and they said it was a no go. I suspect they filled the position internally after using me to land the contract. They had accidentally let me know the company they were pitching and it turns out the President of that company is a family friend. All I had to do was ask an uncle to ask this guy over lunch if they had someone doing this job from company xxx. After weighing the possibilities of what I would/could do if I was right, I decided I just didn't want to know and time would be best spent concentrating on a job/career instead of money and time lost. When lawyers get involved the only sure thing is that the lawyers make money.
  • by CatGrep (707480) on Friday December 19, 2003 @12:35PM (#7765168)
    Sure, we're not living in our cars (yet) and we're not getting beat up just for talking about organizing (we're ignored), but there seem to be a lot of parallels between what was happening to Okies in the '30s and programmers today. It's amazing how the same kinds of corporate greed issues are still happening just the same as they were then. Essentially, offshoring puts downward pressure on our income just as bringing in too many workers did to farm labor back then. The main difference is that it will do us absolutely no good to unionize since the corporations have a huge supply of workers willing to work for nothing (at least from our perspective).

    Just like in the book where the price paid for a picked box of peaches went from 5cents then 2.5 cents (for a ton, as I recall), the same is happening to us programmers. A year and a half ago I had a C++ contract working at $40/hr which was easily $10 to $15/hr less than the year before that. Last week I accepted (after not having paying work for over a year) a C++ contract at $35/hr. What will the going rate be in another year?

    Global free trade/capitalism is a race to the bottom.
  • by Amiga Lover (708890) on Friday December 19, 2003 @12:35PM (#7765171)
    I was removed from my job where the majority of my team's time was spent monitoring our data centre, and calling in whoever we needed, when we needed, to fix glitches. I was proud of our work, and it's one of the times I truly felt a true "team player" that so many employers are after.

    In the space of 3 months, two separate consulting firms recommended our tasks be outsourced. We all lost our jobs, and what comes out in the wash? The outsourced monitoring company is a subsidiary of one of the consulting firms. No surprises there.

    Now, my employers have gone from having a small dedicated team who treated their equipment as their very own, to having a useless 'monitoring' company who not only can't detect an outage to save themselves (when the most clueless of managers has needed to contact them to ASK if a server is down when it's been out all night, things are bad) but don't actually do fixes themselves, but re-outsource those also

    Last I heard email went out for 4 days. Our worst was a 3 hour fix, which was a combination of intermittent server problems and a backup clean slate machine that failed right after install, so we needed to source and rebuild a box from scratch. The new firm's best time is over a day.

    The only thing I like about the whole situation is they're getting what they deserved, and are locked into it for another 18 months. Morals be damned, schadenfreude is fun.
  • by saudadelinux (574392) on Friday December 19, 2003 @12:36PM (#7765177)

    SafariShane needs to get onboard with a company that does this kind of work. A buddy of mine ran a one-guy development/network admin company for several years, and got into security as well, picking up a cert or two.

    Due to the economic downturn (and his bread and butter client not falling under the Prompt Payment Act), he had to get a job with The Man.

    He got a job with these people [ncircle.com], as the tech half of a two-guy sales team, by leveraging his knowledge of Windows and *nix networking and security.

    He's working like a sled dog, can't say anything about what clients he's seeing, or much about the product. But he's a very, very well paid sled dog in terms of base salary, benefits and commission; he went out and got a 32" TV and laser-corrected his eyes.

  • by Lord_Dweomer (648696) on Friday December 19, 2003 @12:36PM (#7765180) Homepage
    I'm starting to notice a trend. I work in advertising/marketing (yeah yeah, don't kill me, we're not all evil and incompetent). Advertising used to be handled by the companies directly. Then they realized it was cheaper to hire an agency who did nothing BUT advertising, and thus provided better skills for less money.

    This sounds like where IT is heading. And keep in mind that companies still have marketing departments that interact with the agencies to make sure things work right.

    Why not embrace this model and start up your own outsourcing firm? It's obviously profitable, and with the growing number of extremely skilled IT workers out there that are unemployed, I'm sure you won't have a problem finding talent.

  • by Tyb (715616) on Friday December 19, 2003 @12:36PM (#7765181) Homepage
    In fact, I received a 12.5% raise only two months ago for job performance.

    If your story is right on accurate, then this is truly a travesty. Sitting on the other side of the desk, though, it may have made financial sense to outsource your responsibilities. If you fail, the company has no recourse. If they fail, it's a civil court problem that brings money back to the company. On another thought, they may have underbid your salary.

    Although an important thing to have, the responsibility of network security is basically insurance for the company. The fact that they only had one intrusion in 12 months may have made outsourcing that insurance at a cheaper rate a good idea...after all, historically there hasn't been much threat.

  • 2 questions (Score:3, Interesting)

    by jrexilius (520067) on Friday December 19, 2003 @12:40PM (#7765237) Homepage
    1) what is the name of the company? This is for my own dealings. To be honest, I will take your story with a grain of salt but a little research might help me understand if I would want to do business with them or add them to my blacklist.

    2) what is your question, "how do I build stable relationships with PHBs so that free lunches and golf outings from vendors dont get me outsourced again" or "how do I prepare for 3rd party assesments/sales pitches to ensure that both they and I can be objectively analyzed"?

    Sadly, in corp IT, the answer to both questions is the answer to the first. Face time, "expectations management", proactive education, whispering sweet nothings in the ear, and many other social engineering tactics are how you build relationships with the morons in charge. This is how you will also be better prepared to deal with vendor incursions into your domain.

    Technically the way to prepare for this is to do an assesment yourself, early and often, document it, summarize it, broadcast it, and ask for money. You will get ignored and turned down but you will have paper trail and they will remember, vaguely, that you said something about security when the sales pitch comes and they wont be surprised.

    In corp IT and much of the world, when dealing with non-engineers, technical merit does not speak for itself but appearance and posturing go a long way. So, in the future, over-communicate and advertise. Remember that most non-technical people get their educations from advertisements and sales pitches so fight fire with fire.
  • by Colossus (9063) on Friday December 19, 2003 @12:40PM (#7765239)
    ...went along the same lines.

    I was working for a development firm, we had long term client who had made use of many other development firms.

    We landed a big project, the client had us work with another development firm, this one out of India to supplement our skill set, throw more bodies on the project, and so they had a clear understanding of the architecture when they took it over later.

    We came to find out that the head programmer working with us would go directly to the client and tell them how poorly we performed, that we didn't know what we were doing and other such niceties.

    The PM from the client bought it, and we were removed from the project (an action that within 6 month caused 130 people to loose jobs.)

    The other firm left with our architecture, our code, and our self esteem, we left the company with 2 weeks severance.

    The most ironic part was that these guys came in with no knowledge of the platform! We taught them to Java as we went! That was the biggest slap in the face that I have ever received.

    What are you going to do, hopefully this kind of stuff will run rampant and leave a nasty taste in everyones mouth.

  • by lythander (21981) on Friday December 19, 2003 @12:41PM (#7765257)
    Talk to a lawyer. If you can prove even remotely that they were negligent, wrong, or malicious, try suing them. What the hell, you have time, right? They'll settle. Think of it as extending your severeance a bit.
  • by Anonymous Coward on Friday December 19, 2003 @12:42PM (#7765290)
    Right - business does drive technology - I agree.

    Labor wars have been around for a long time and still management hasn't learned the lession. Now that people are pushing keys, not turning screws, and the workers (geeks) live their jobs, managers find it only simpler to push the employees around.

    Do the terms "work stoppage" or "stike" come to mind? Computer don't run them selfs.

  • by cravey (414235) on Friday December 19, 2003 @12:50PM (#7765382)
    I knew someone who worked for a company years ago (maybe he still does) whee the bosses were similarly stupid. He was THE unix guy at a company involved with transoceanic shipping. His bosses were so paranoid that he might do something maliciously (servers on the ships too) that they made him WRITE CODE that would track what he did in the event he decided to do something unauthorized. All kinds of shades of stupid.

    The flip side of this is that most of the major IT disasters I've seen have been caused by idiot1 getting hired by idiot2 to do a job that neither idiot1 nor idiot2 knew the first thing about.
  • Re:One word: (Score:4, Interesting)

    by IWorkForMorons (679120) on Friday December 19, 2003 @12:53PM (#7765421) Journal
    Can you tell your boss to sod off and never show up to work again? Yes.

    Sure, if you don't mind not earning money.

    Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes.

    Not if you sign a non-complete contract. Otherwise, they can, and probably will, sue your ass until there's nothing left.

    If a company lets you go, are you entitled to unemployment compenstation of some sort? Yes.

    Not always. If the company makes it look as if you are the cause of your unemployment status, as this guy was because "he let the company security slide, as was found by the vulerability assessment", then you have fewer chances of seeing anything more then the standard 2 weeks. But there's little chance that government U.I. would kick in. Could you survive 3 months with only 2 weeks pay?

    Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No.

    A company can legally tell another company of the reason that you were let go. And since this guy was accused of letting network security lapse, that's not going to sound good when another company calls up.

    I wouldn't trust anything else coming from this company if I were him. I would try to minimize any contact with this company by future potential employers. He really is in as bad a position as he thinks. What's worse is that probably none of it is deserved. Good luck buddy, because you're going to need it...
  • Re:One word: (Score:3, Interesting)

    by Master Bait (115103) on Friday December 19, 2003 @12:56PM (#7765460) Homepage Journal
    Libel. Got any paperwork from the outsourcing company? Did the company make you sign a non-sue contract before they 'let' you claim unemployment benefits? Sue them, too!

  • by Anonymous Coward on Friday December 19, 2003 @01:00PM (#7765526)
    Through 401K's and other programs, a larger portion of the populace owns stock than ever before, and they want strong growth just as much as the next guy.

    The number of Americans who owns stocks, directly or indirectly, is indeed impressive. The number of Americans who owns a significant amount of stocks (say 10% of their annual revenue), on the other hand, is extremely small.

  • Not just in IT (Score:5, Interesting)

    by The Tyro (247333) on Friday December 19, 2003 @01:00PM (#7765529)
    medicine has become the same way.

    Many hospitals are contracting with large national companies to provide physicians services that were traditionally provided "in house." This is most easily done for things like Radiology, where films can be digitized and shipped anywhere in the world to be read by a room full of radiologists. It's also being done (and has been for years) with Pathology services... send your slides and tissue specimens to a big lab to be examined rather than the employing a bunch of local pathologists. Admittedly, there are some economies of scale that enter into the picture... "sending out" can be more efficient.

    This is also a big deal in my own specialty (emergency medicine); competition is brutal. There are large national "contract management" ER groups that are constantly approaching hospital administrators with sales people, brochures, and a pitch about their high-quality, lower-cost emergency medicine care. Contracts change hands in ER all the time, which is why a lot of ER docs live like gypsies... if your hospital outsources their ER services, you get fired, and have to find another job (if you live in a smaller area with only one or two hospitals, you can be SOL... time to uproot the family and move.)

    How do I/we fight it? Relationships and service. We make ourselves available to the administration to address concerns and problems. We build relationships with the community physicians, so that they KNOW who's taking care of their patients in the ER, and KNOW they can trust us to take care of the critically-ill. We integrate ourselves into hospital committees, and get involved in the community. We implement Quality Assurance and Peer Review to ensure that we're practicing up to the standard of care. It can be a lot of work trying to keep your job (never thought you'd hear a doctor say that, did you?).

    In ER, losing your contract/job or not usually has nothing to do with bad medicine... it's failure to "play the game" that sinks you. There may be a parallel here for the infosec geek that was fired... If there's one area where the prototypical "geek" personality probably hurts the most, it's in the eschewing of those critical relationships. It's great to have m4d 5ki11z in the server room... but a little face time with the powers that be could make the difference between paycheck and pink slip...

    There's no guarantees, however... even with all my efforts, I can still get sold out if my hospital administrator gets a wild hair, or just plain doesn't like me.

    It's business reality for lots of folks, not just IT.

  • Re:Easy solution (Score:2, Interesting)

    by toganet (176363) <gwhodgson&gmail,com> on Friday December 19, 2003 @01:08PM (#7765669) Homepage
    I'll add my own -1 Redundant to this, but I concur with the parent on this.

    I recently relocated, and took a job for a consulting agency, for about 10% less than I was making in my previous job (but COL is lower here).

    I've been at the same client for 6 months now, and I do a little of everything (coding, admin, PM, sales) so they like having me around. To me, it's beginning to get boring, so I may look elsewhere.

    But the nice thing is, if the client decides they can't afford me any more, my employer will find me a new placement (hopefully) -- so there's less risk of being suddenly unemployed.
  • Re:Company names (Score:2, Interesting)

    by SafariShane (560870) on Friday December 19, 2003 @01:12PM (#7765725)
    Before I post any names, I'd need a couple IANAL comments telling me it's okay. :-)
  • Workers Rights (Score:5, Interesting)

    by Aron S-T (3012) on Friday December 19, 2003 @01:15PM (#7765765) Homepage
    Whenever an issue like this comes up the inevitable /. knee-jerk libetarians come out of the wood-work: "capitalism good protection bad" Well maybe some of these libetarians should find out what Adam Smith was really about. His model of capitalism is based in an agrarian society with independent artisans and traders. His idea of a free market is exactly that - where everyone has equal access to market and equal information.

    Corporate America has as much to do with the Adam Smith model as the Bolshevist U.S.S.R. It's not even related to Marx' model of capitalism, for in Corporate America, capital is as alientated from controlling the means of production as labor is. Instead, what you have is a management class which calls the shots and enriches itself at the expense of both workers and owners - can you say Enron, Adelphi, Worldcom etc etc.

    Sure a worker has the "freedom" to say "fuck you" to his boss and look for another job. In theory. In practice, as the job market shrinks despite the "improving" economy (i.e. the management class being further enriched) those jobs are very hard to come by. So the worker has to bite his tongue as his workload is doubled, as her boss wittles away more and more of her "perks," as the threat of outsourcing is used to bludgeon him into obedience.

    Saying to someone "go out and upgrade your skills" is also BS. A friend of mine is in his mid-40s, extremely talented, engineer/MBA out of work for a year and a half. Who's going to hire people in their 40s and 50s, no matter how much talent and experience they have, no matter how upgraded their skills are? And you young 'uns are going to get there faster than you think.

    Corporate America demands obedience, makes people work like slaves, uses them, chews them up and throws them out when they no longer are useful. Maybe we should just kill off laid of workers so we don't have to worry about unemployment insurance and welfare?

    And no I am not speaking out of personal bitterness. I have a successful consultancy business and work for myself. But even if you believe in ultra-selfishness, a society with many poor, disaffected people is a very scary and dangerous place to live in. This is an issue that effects all of us, not just the laid off.

  • Re:I don't trust you (Score:5, Interesting)

    by Anonymous Coward on Friday December 19, 2003 @01:16PM (#7765783)
    My own experience relating to this:

    1) Medium to large size business do not trust individuals: only other businesses are trusted. A local Goodwill (yeah, really, Goodwill) used to outsource work to me on a very regular basis. I'd give them plenty of freebies (again, it's Goodwill) along with the outsourced work. Eventually they hired someone to take care of internal matters and the outsourced work finally stopped (he had a gripe with me apparently). The CEO didn't question his judgment because he was moving to Microsoft products and outsourcing to larger companies. It didn't matter that they were paying six times (I kid you not) as much for the same work, their firewall had been removed (the new guy didn't understand how to manage it), and they removed a perfectly stable Linux box in favor of Exchange (easier to maintain for him, but DID go down frequently). None of this mattered. The CEO and kin felt more comfortable with larger businesses despite the problems. They care about feeling better, not about how much they're paying or how often something goes down. They will excuse ANYTHING if they're happy.

    2) This (security assessment) is a new tactic from a small group of companies/individuals that have been around for a while. Years ago I handled support for a local ISP. The ISP had (shame on them) sold bandwidth to an adjacent office which was plopped right on the main network (no bridge/firewall/etc). This office had a MUD server which was compromised and made a really great packet sniffer. Account info was snagged and used....by a **network security firm** working out of Canada. They changed a few passwords to get attention, then e-mailed the owner of the ISP with a 'Hey, we didn't do anything but we wanted you to know your setup is easily corrupted. We can supply you with services to prevent this in the future.'. It's like, some kind of dorky geek mafia.

    The original submitter could be a dick or a great employee. Either way, it doesn't matter because these security goons are out there and using a much better tactic to get business. It's pathetic, but it's real and there are enough ignorant businesses out there to make it profitable. All the education in the world won't help some employers, they're just too fucking stupid. Maybe the submitter's best bet is to hook up with one of these shitty security firms....join 'em before they beat you out of the market (re: multiple bad security profiles).

    Sorry for the long rant...too much coffee ;-)
  • by Anonymous Coward on Friday December 19, 2003 @01:17PM (#7765803)
    Recently I was fired for something I wrote online under a nickname on my own time and on my own server. Basically it was a diary site a few of my friends knew about and it was my place to vent. The company I worked for was never mentioned by name and neither was anyone I worked with. Only a handful of friends even knew the site existed in the first place.

    Anyway, somehow someone (rather curious about these two points...) at work found the site and they found one little sentence that they didn't like. They hauled me into the presidents office and fired me. It was over in maybe 15 minutes. The thing was, they had no proof that that nickname was me. They wouldn't tell me how the site was found. And they even went so far as to call my opinions illegal.

    What can I do about this? Has anyone had this happen to them or know someone maybe? What can be done? Anything? They even mailed me a letter that suggested rather rudely and directly that I should seek a professional councilor to discuss some of the things I had written in my diary!
  • by SafariShane (560870) on Friday December 19, 2003 @01:24PM (#7765888)
    I'd also like to thank all the folks who have emailed me asking for information so that they could hack the network for me. Come to think of it, I shouldn't provide the names of the parties involved. I will mention though, all reside in the state of Florida.
  • by Anonymous Coward on Friday December 19, 2003 @01:26PM (#7765914)
    Foremost, I sympathize with your situation. I also work for a financial company and we recently had a 3rd party perform security assessment. I believe the reason why nothing has changed in favor of the 3rd party assessment company because we worked hard to be better. As we found out, that was the case with this company as we felt they were merely following some premade script, using readily available open source tools, skipped some parts of their assessment that we thought they didn't grasp and dodged many of our inquiries. During the whole assessment it was important to keep management informed of our impression of them, our findings, their weaknesses and flaws so that management isn't falsely influenced.

    Wishing you great success with your future endevours!
  • by t0qer (230538) on Friday December 19, 2003 @01:32PM (#7765991) Homepage Journal
    He should sue the outsourcing company for slander and libel (since they probably handed his employer a report stating he was a security risk)

    Of course it all depends on what context he was fired for. Are we getting the whole story here? Did you do any activities that could be considered a security risk?
  • by Anonymous Coward on Friday December 19, 2003 @01:33PM (#7766000)
    I was the IS manager (and pretty much the only network guy at a county Behavioral Health (Mental Health) agency. They decided to go with a "complete mental health solution"(CMHC) that hadn't been written to work in our state when mangement bought it.

    This was done shortly before I arrived and the previous two IS managers quit 1. when it looked like the county was about to purchase this package 2. once the system was purchased and she saw the daunting task of maling the thing work. (Oh, did I say the fiscal officer was a real good friend of the consultant for this company)

    I, while working out an annual budget, informally (warning, nothing is ever informal) noted that over the next year or two we needed to be phaseing out these expensive consulting services. Next, the consultant is salled to do a review of my work performance. No supprise, I was doing every single thing wrong. Even my backups were wrong, I was doing full backups every night while she noted that relative (full, differential, incremental... relative isn't on that lest girl) backups should be done instead because they are significantly easer to restore from. The whole review was like that. Bull from a vendor who had a interest (kickbacks almost) interest in getting rid of me.

    Well, I am back to repiring copiers, faxes and printers for about $10 an hour and hating every minute of it (oh, and I still "get" to do network installs of devices and troubleshooting for that same $10/hr). All I can say is what a waste.
  • Unions (Score:4, Interesting)

    by Alan Cox (27532) on Friday December 19, 2003 @01:33PM (#7766005) Homepage
    If the IT world had better organisation it wouldn't consist of people being trodden underfoot because they think they are "elite" "indespensible" and "able to stand alone". As a rule of thumb your CEO is smarter than your average 21 year old programmer, and believe me *his* interests don't match yours, however much he swears they do.

    India has much much stronger labour laws than the USA on most issues (although enforcement has problems sometimes). Indian IT workers sometimes do belong to unions or labour groups. Interestingly some of them chose not to use the word "union" because they wanted a labour group but didn't want the conflict the word union implies in some parts of the world, but to imply constructive working together

    The jobs that went from the USA and EU have something much more important in common. They are low skilled, highly manpower intensive and not subsidized. It has a lot to do with wage costs and very little to do with unions.
    Software is manpower intensive, not subsidized and the skills are being developed rapidly to a high level in other countries. The rest follows logically enough.

    Welcome to globalization of production. Unfortunately globalisation of buying is a different matter (eg DVD prices in europe , US text book costs, US v Canadian medicine prices).

  • by Anonymous Coward on Friday December 19, 2003 @01:34PM (#7766019)
    The scum at Data Networks out of Maryland did the same thing. I had worked for this company for 21 years, and they gave a report to our board that was about 300 pages long of all the security things I was doing "wrong." Most of the pages were wild claims about Linux's and Solaris's lack of security and about the risks of *not* using a cisco PIX firewall. There was pages of silly stuff like the demarc point being too far from equipment room. Well, the board was the ones that decided on which room to install a raised floor and extra cooling. Of course, I got called to the carpet on that one. It wasn't even a problem in the first place since you can extend T1's for 100's of feet without problems, but they claimed the 50' we had was too much. I was accused of "malfeasance" for buying Sun servers rather than buying cheaper Dell's. Most of our Sun's are 5+ years-old and a few are even 10 years-old and chugging along without problem. An old IPC running Debian makes a perfect backup name server. So, Data Networks has convinced them to get involved with the Windows/Dell upgrade from hell cycle and to pay them to rewrite all of the software we use. They also sold them a $40k cisco router they don't need and a $30k (or so) cisco PIX firewalls. Data Networks has also convinced them to sue me over the price difference between the Sun's and an "equivalent" (not that you can buy a Dell that's equivalent to a Sun) Dell server. They're supposed to serve papers sometime early next year. Oh well. It was a great job working with great people for 21 years. It was also the only job I've had since I graduated from Ga Tech.
  • Re:You were set up (Score:3, Interesting)

    by horvathcom (629683) on Friday December 19, 2003 @01:40PM (#7766091)
    I was wondering if it was them. If you read Bruce Schneir's Secrets and Lies, you reach the end and figure out the whole book is a way for them to sell their services.

    1. Security is tough.
    2. It is best left to professionals.
    3. You are better off hiring those professionals rather than trying to develop it yourself.
    4. You should hire us.
  • by bstadil (7110) on Friday December 19, 2003 @01:43PM (#7766135) Homepage
    FYI read this assessment [alternet.org] on Alternet,

    It makes the point you are making and points to how Democrats and notably Dean could seize this winnable Issue

  • by ToasterTester (95180) on Friday December 19, 2003 @01:44PM (#7766148)
    Pointed Haired Bosses don't think that way. At my last job (one of the big 3 ISP's) one of the NT admin's screwed up and opened our one internal systems to the whole world. One of our techs studing security discovered the hole and reported it our PHB. Who came to our SA team to check and confirm. They were more concerned about the tech finding the hole, than the idiot NT admin who screw up an NT securtiy setting. They were insisting on firing the tech. They said opening up our system to world was less of and issue, than a employee sniffing our network, even if he reported it.

    I've worked for too many large corporations don't ever think management is going to think logicly.
  • by Florian Weimer (88405) <fw@deneb.enyo.de> on Friday December 19, 2003 @01:53PM (#7766244) Homepage
    If all you did there was security, then you were in a bad position to begin with. Security should be a part of everything that is done, not handled simply by one person somewhere.

    Do you think that somewhat indepedent review is unnecessary, especially in the area of security? And who decides where required security features are implemented? Just to give an example: Sometimes, it's not cost-effective to provide the required protection level entirely on the network layer, but it can be implemented on the application layer (or by using operating system features) in a straightforward way.
  • If you're on call 24/7 while they're home sleeping, it sounds to me like they've got a lot better handle on where power resides than you do...

    Until the people that provide that support decide they don't want to do it anymore and go off to another career, leaving a shortage of people to do the job. Not saying that this will happen anytime soon, it's mostly to make the point that people in power must derive their power from somewhere. Things don't happen in a vaccuum.

  • Re:Security risk? (Score:2, Interesting)

    by deepvoid (175028) on Friday December 19, 2003 @02:00PM (#7766353) Journal
    If those engineers who either changed careers, retired, or are unemployed due to outsourcing refused to vote for any candidate who encouraged the practice, they may actually stem the tide.

    And don't think a management job will be safe. As soon as the foreign company realises that they have all of the workers, what effort will it take to "fire" the parent company and hire their own managers? Not much. American companies are merely feeding their replacements and will find themselves outsourced with their employees. There is no way for American companies to avoid this outcome. It is one thing to sell an invention, and another to sell the inventor.

    He who feeds a dragon, does not love his children, for the beast will quickly tire of his master's fare, and soon turn on his master.
  • by Smallpond (221300) on Friday December 19, 2003 @02:18PM (#7766573) Homepage Journal

    A company I used to work for had 2 IT guys: the manager and the worker, and laid off the worker. Before leaving, he fired off an abusive companywide email, messed up the servers, and changed the root passwords. When management found out that the manager couldn't fix the problems, they fired him and rehired the worker, who made less money anyway. No charges, no retaliation, just business.

    I always thought it was a good decision.
  • by theglassishalf (216497) on Friday December 19, 2003 @02:18PM (#7766575) Homepage
    Well, he could sue them. It's called "slander." If they wrote it down as well, it's called "libel." As a bonus, as part of the trial he could subpoena all the documents related to the case, and find out what they really had to say about him.
    Courts tend to look at libel related to employment very favorably. He should contact a lawyer.
  • Get a lawyer! (Score:3, Interesting)

    by MadKook (734191) on Friday December 19, 2003 @02:26PM (#7766672)
    Not being a lawyer, but knowing a few, plus having a few who swear by having employment lawyers, I would say that you should definitely talk to one!!

    A company who chooses to terminate your employment because of research or inquiries, the results of which are not told to you, sounds quite... well illegal. Were you a regular fulltime employee? Did you sign some sort of disclaimer because you were in "security" that they coudl at any time terminate you because you could be terminated as a "security risk" ???

    Get a lawyer now!
  • Re:What to do? (Score:2, Interesting)

    by sgt_getraer (448034) on Friday December 19, 2003 @02:35PM (#7766806) Homepage
    It's been trendy for the exec types to read The Art of War as of late. If you want to fight sleeze with sleeze, The Prince [constitution.org] will give you a few ideas next time around.
  • by kpost (594219) on Friday December 19, 2003 @02:45PM (#7766916)
    I used to work with PriceWaterhouseCoopers where I performed network security auditing. While I worked there, we NEVER did anything like what's reported in the article. We reported things like unpatched systems, firewall holes and often showed how our clients' networks were vulnerable to various threats, but never did we label our clients' network operators as primary risks. -Kevin
  • by Greedo (304385) on Friday December 19, 2003 @03:04PM (#7767132) Homepage Journal
    Exactly what I was thinking.

    Here in Canada, you also can't get fired on the spot (well, not for this). You have to receive at least a verbal warning and/or a written warning first, outlining what it is you are doing wrong.

    I don't know what the laws in the US are (or even if you are in the US), but you might want to check with a lawyer. A quick consult shouldn't cost you much, if anything.
  • by voss (52565) on Friday December 19, 2003 @03:04PM (#7767135)
    This assumes hes being on the level

    While geeks are smart they dont know the law. If this new company wrongly accused him of incompetence or negligence he has have every right to sue them. The sooner the better..... He doesnt sue his employer thats bad for future employment. He sues this third party and then subpoenas exactly what they told his employer about him.

    In addition to libel, and defmation there is also tortious interference with business relation(ie your employment with this company)

    Id say he needs to consult with a lawyer
  • Re:One word: (Score:2, Interesting)

    by mschuyler (197441) on Friday December 19, 2003 @03:09PM (#7767185) Homepage Journal
    It's still the same world with the same economic realities. This is not a US vs the rest of the world issue. Turning anything anyone says here into that is just bullshit (and it happens all the time). When "workers' rights" affects efficiency, it's just a matter of time before an 'adjustment' happens. In the US unions have often bid up workers' wages to the point that companies can't compete efficiently and jobs are lost. Witness US steel companies trying to hide behind tariffs. Didn't work. Faced with EU retaliation, they were dismissed. That is entirely proper and the EU was right in insisting the US play by the new rules. Get efficient or die. If you need to learn how to make steel, visit a EU factory. Steel can whine all they want, blame government for their troubles, or whatever. (IMHO Bush correographed that whole issue. He placated steel for a few months knowing full well what would happen. When the EU called him on it he could say, "Hey, guys, I'm really sorry. I tried to help, but we just can't go there any more.")

    But it works both ways. Witness recent strikes in France over pension plans. Citizens feel it is "their right!" to retire at 55 and get a full salary for the rest of their unproductive lives. That's not going to work either and there will be consequences down the road as this 'entitlement generation' is forced to get a life. The rest of the citizens of France simply cannot afford to keep the boomer generation in the style to which they have become accustomed.

    The only time this doesn't work is when there is not good communication/transportation between high and low pressure areas. In the comm area there are few barriers left. If there IS a flow, wind is created, and the high pressure flows to the low pressure until they equal out. In other words, it sucks. If there IS NOT a flow because of barriers (like oceans, for example), then artifically high pressure areas remain. Witness the lock the US West Coast longshoreman have on shipping. There a data entry clerk makes $120K per year. Is that efficient? Hell No. It can't last, but there will be hell to pay to make it go away. And it's the exact same hell the EU faces with artifically high pensions. It's the same dynamic at work.

    One commonality between the US and the EU is the rights of workers in government, and the resulting inefficiencies and bureaucracy. Both suffer enormously from it and as a result government not only has a hard time being productive, it becomes a drag on the economy of the respective countries.

    It matters not whit what country you're from or what philosophy you espouse. The equation is this: More coddling of workers leads to less accountability, efficiency, and productivity. Compare the civil service of ANY country to the self-employed and figure out just who is more motivated.
  • by tonyray (215820) on Friday December 19, 2003 @03:19PM (#7767297)
    I'm an employer, not a lawyer, so check with a lawyer to see if what I say is correct, but I believe it is.

    If your employer told you (or better yet, put it in writing) that you were fired because you were a security risk, then you may be able to sue. Here is why:

    You can be fired for making false statements on an employment application. No matter why you were fired, if you lie on your application your case is lost. So, when filling out future employment applications for the position of security admin you must say you were fired from your last job because they thought you were a security risk. Of course no one will hire you. Get any of them (but perferably four or more) to put in writing you were not hired because your application says you were fired for being a security risk.

    Now sue your previous employer and the security company for $10,000,000. Even if your employment was "at will" you can still sue in this instance because they have effected your future employability by claiming your were a security risk. If you are lucky, the security company put in writing (very stupid) that you were a security risk but it isn't necessary that they did so. People frequently win this type of case. Lesson to employers - "NEVER TELL SOMEONE WHY THEY ARE BEING FIRED".

    There is only one catch. If you have bad credit then that is proof you are a security risk. You could still win (think jury trial), but it would be harder.

    Have fun, be American ;)
  • by h4rm0ny (722443) * on Friday December 19, 2003 @03:33PM (#7767477) Journal

    If that's possible then yes, he should sue. It might be extremely difficult however.

    I have some experience in this as I was fired as a security risk. The cause? I installed a firewall on my PC. The formal letter stated that this could interfere with their network firewall (a Cisco box that was very over-the-top for a small development company of twenty people).

    Of course that wasn't the real reason. It was the refusal to work unpaid overtime and perhaps a tendancy to correct my boss that got me out. However, how do I go about getting this fixed in court? No matter how expert I am in IT (and I am quite expert), they can through an 'expert' back at me in court, and how will a judge know the difference.

    And aside from that, what would be the charge? I'd already resigned and was working out my notice. The sole result is that any reference from my former employer now states that I was fired for 'Gross Misconduct.' The burden is on me to convince people that it wasn't fair.

    A very nasty situation all round.

    I wish the poster good luck if he finds a way to sue, but beware of getting into a credentials battle with various "experts," because most courts wont be able to assess your case on the basis of technical details.
  • by Anne Thwacks (531696) on Friday December 19, 2003 @03:50PM (#7767721)
    I had the same experience - recommended a fix for a major problem, and got fired for pointing out there WAS a problem. With hindsight, I'd say it was the company with the lowest employee morale I ever worked for.

    and the lesson is ... If employee morale is rock bottom, there's generally a damn good reason at the top. Look for a job elsewhere before its too late.

    As for offering to work from home in place of outsourcing? Are you nutz You would just be proving that womeone could do the job remotely ... ie in some place that is beyond even the third world. Lets face it, India and China are now complaning about jobs being ousoureced. Obviously the work is being done by krrgs from the planet Zog.

  • by zabieru (622547) on Friday December 19, 2003 @03:55PM (#7767792)
    Eh, on the other hand, a company engaged in this sort of practice is likely to go over their stuff with a fine-toothed legal comb. It's probably all couched in terms of '54% of senior network security personnel at some point blah blah, and therefore hiring outside consultants from such firms as blah, blah, or oh, yeah, us, is safer, and blah, blah' rather than 'How could you possibly trust a commie pinko faggot like X? Fire him immediately so you can hire us!' Unfortunately, libel laws are fairly specific, so although he can clearly prove damages (usually the hard part) next he's going to have to show that they said something deliberately and provably false about him, which it's not likely they did.
  • by djunia (525560) on Friday December 19, 2003 @05:16PM (#7768711)
    This is a very bad business model. In order to sell themselves to the clients, they generally need to have GIAC or CISSP certifications. Those certifying bodies have codes of ethics. What you have described does not fit into those general codes of ethics. If anyone representing the outsource firm is a CPA, CISA, or CIA (the accounting world certifications for this sort of work), they have broken a really basic ethical requirement. This is followed more in the breech, but accounting firms that audit for security are not supposed to advise clients on how to fix the problems. The idea is that you cannot honestly audit a company for which you have provided or will provide other services. If they represented the work they did as a SAS70 or other public assurance audit and then took over the jobs of people they assessed, they can be censured by any number of regulatory bodies. The biggest problem today is that there are flocks of us security folks out of work. I have 10 yrs experience, but no CISSP or CISA, and am considered "too senior" for the jobs that don't require certs. Charitably, I assume that they are referring to me having opinions about process and procedures. Privately, I am less naive.
  • by SafariShane (560870) on Friday December 19, 2003 @05:35PM (#7768889)
    Lawyers I've called (labor lawyers) are saying this isn't a labor dispute, but a libel/slander thing. Those lawyers tell me it's a labor dispute. Hello chicken vs. egg paradox. Ugh.
  • Why business's exist (Score:3, Interesting)

    by corinath (30865) on Friday December 19, 2003 @05:54PM (#7769049)
    COntrary to the belief by many people, business's do not exist to provide a job to any particular person, excepting perhaps, the owner. A business exists for the sole purpose of making money for the people who own it. The fact that they provide jobs to other people is mearly incidental. As such, the owners or management can choose who they want working for them.

    Anybody who doesn't see it this way should try to put themselves into the position of the owners. Try to imagine owning a company. If you are the boss and you don't want a particular person working there any longer, you would fire them, right?

    If you don't like people having that sort of power over you, start your own business.

    Now, don't get me wrong, I do feel that what the company did was most likely a bad move, and certainly was not a good way to repay a person who seems to have been a good employee.

    Any way you look at it, the management is responsible to the owners, be it private parties or stockholders. Their job is to make money for them. It is not to provide the employees with work.

    Sorry for the rant, but I get irritated when people think the their employer OWES them a job, they don't.
  • by ScottSpeaks! (707844) on Friday December 19, 2003 @06:05PM (#7769164) Homepage Journal
    Revenge? you want revenge? Just sit back and watch as the security for that company gets pummeled.

    That's what I did. My former employer of five years spent several times my salary-to-date on consultants from Gartner, who convinced management that everything I'd built was wrong and they should spend my salary for the next five years on Microsoft products. I helped them roll it all out, they showed me the door... and now (from what I hear from a few friends there) they are hurting. {shrug}

  • by Lodragandraoidh (639696) on Friday December 19, 2003 @06:22PM (#7769327) Journal
    I am not a security geek - so can not comment on the issue of having a security audit cost me my job.

    On the other hand, I do have some thoughts on increasing your likelyhood of finding or keeping a job in this tough IT marketplace, that can be found here... [slashdot.org]

    The executive summary: diversify your skill base, and become a jack of all trades; coupled with that, look at other means to increase your ability to satisfy your user community better and faster than the competition.
  • by Anonymous Coward on Friday December 19, 2003 @06:48PM (#7769550)
    While my real job title is QA Manager, I also manage the security plan at my company (located in Canada), who makes export control restricted products (products restricted by either or both the Canadian govt and/or the US Govt). When doing security assessments on this side of the border, the citizenship requirements of the Controlled Goods Program (CGP) are far more lenient than those of the US International Traffic in Arms Regulations (ITAR). Still, because we export our products to the US, I have to take citizenship into account (i.e.: I have to in some specific cases meet the US requirements). That means in the case of specific individuals, they must be removed from projects and found alternate work. If alternate work cannot be found, then they must be let go. There's nothing the company can do about it - it's a federal requirement of employment to work for a company that designs these specific kinds of products. I will assume you are in the US, in which case a third party, such as the government or someone waving wads of cash around, has set some specific requirements for personnel working on their products. For some reason you didn't meet them. You do have a reasonable "right" to find out what specifically was the issue - was it citizenship? was it political affiliation? was it all those nights you've been downloading pr0n? Your employer should have made an effort to find you alternate work within the organization. If they didn't even try, then you might be able to make a case for wrongful dismissal. However, if they did try, or such an option simply is not feasible (and this is what it sounds like, how can you be an effective SysAdm when you can't access huge chunks of the network?), then they are within their legal bounds to let you go.
  • by xeno (2667) on Friday December 19, 2003 @06:50PM (#7769565)
    .
    IANAL (but I've paid for their kids' dental work and sailboat), but there are two issues here: I think you have excellent grounds for proving damages to your reputation in the industry (from both the consultancy and your employer), in addition to wrongful termination if you were let go with prejudice (fired for false or misrepresented cause and denied unemployment). However, the real money is in the first part, so go for a libel/slander lawyer with knowledge of labor, not a labor lawyer who's heard of slander and will sue to get your job back. What you really should want from this is to (a) clear your name, (b) collect monetary damages, and (c) walk away. Dunno about FL law, but you should get all your lawyer fees back as well if you file the suit properly...

    I have (unfortunately) some experience in picking a lawyer for similarly hostile and unpleasant situations. In a recent situation that involved an insurance company, I turned to my own insurance carrier (home, personal liability, auto etc) and asked to be put in touch with a couple of senior examiner/adjusters. When I reached them (no easy task), I asked them the following question:

    "Who is the meanest son-of-a-bitch you never want to be across a table from?"

    Both people gave me the same name, and I hired that person as my lawyer. Yeah, the hourly rate was kinda frightening, but when your lawyer scares the piss out of the other party simply by name, the proceedings tend to be much shorter, and more to your advantage.

    How does that apply to your case? Call a libel/slander *defense* lawyer, and ask him/her the question above. Two votes for one name, and voila, you have your counsel.

    My personal advice is not to be shy about this. There's a time to shrug and walk away from an employer who lays you off for stupid reasons (I did a few months ago), and there's a time to fight like hell against something that could drown your career. This seems to me like the latter. What will you say in a few years, when a potential employer asks "If you weren't a security risk, why didn't you fight it?"

    Jon Espenschied
  • by gobbo (567674) <wrewrite@gmail . c om> on Friday December 19, 2003 @07:46PM (#7770030) Journal
    My spouse once had a job with a small political newsmagazine. She was the typesetter on an old obscure setup. Every word went through that machine. Since it was such a rare system, they needed her pretty badly to meet publication deadlines, and that meant that she had an editorial veto. She exercised it directly once: simply over the capitalization of an artist's name--who generally insisted that it be lowercase--and she demanded they respect his wishes. There was a standoff--editors backed down when they realized the stakes--they approached her to sound out controversial decisions after that. It helped that she was good at her job. The whole deal was a revelation for me.

    This is gonna sound syndicalist (though it isn't, really, just basic strategy): the wielders of tools can exercise final power over those tools, even if they don't officially own them--because posession is more powerful than abstract ownership. Of course, being a social species, working in concert makes us far more powerful.
  • I did assessments (Score:3, Interesting)

    by nakeddeath (734277) on Friday December 19, 2003 @08:11PM (#7770207)
    I used to do assessments for a company that wanted to do them to discredit the existing IT and replace them. After awhile it really bothered me because we went after some good, hard working, dedicated people.

    I decided to get some certs and marketability and find a job less 'stressful'. In studying the Code of Ethics for the CISSP, I realized that it should be my job to help dedicated people hang on to their job with instruction, training, learning, awareness.

    I now work at companies with the idea that I will locate 'vulnerabilities' and correct them with the resources they currently have. I know its a stretch for some to adopt that line of thinking but in the long run, this attitude is paying off.
  • by SafariShane (560870) on Friday December 19, 2003 @08:58PM (#7770562)
    "untested, untrusted, unproven consultants"

    During the "audit" they took down the network 3 times, even though their sales people promised they wouldn't. How much you wanna bet that they blamed that on me too? Two word folks... "ARP Poisioning" Sounds good, until you attempt to send 100+mbs thru a 10 meg nic. Not only did this firm use a shady tatic to win a contract, they don't even do what they do well.
  • Redundant not sacked (Score:2, Interesting)

    by oo_waratah (699830) * on Friday December 19, 2003 @10:44PM (#7771095)
    I have read that there is a security issue with having a single person as the abministrator. thiss would imply redundancy not sacking. Is Australia there are extra payments for redundance like 1 week per year of service. It also is better than "sacked' (but still not great).

    From the point of view of the sacking the company is legally obliged to tell you in detail what you did wrong so that you can study and correct those faults and not be doomed to repeat them. Ask for an "exit interview", this interview should discuss in detail the technical reasons why you failed to provide the service. You could ask for a copy of the security report under a non-disclosure agreement to supplement your knowledge of what went wrong. The company may (rightly) refuse to provide a copy of the report but you should ask.

    Discuss with management that you were "outsourced" not fired and discuss with them that they should correctly reflect this to potential employers. Advise them that if you caan you are willing to assist them with problems or provide independant audits of their security at a reasonable consultant rate. It is better to leave them in a friendly frame of mind:

    a) It will be reflected in your reference.

    b) It gives you a slim chance of picking some extra consulting work.

    c) Asking for details of security problems is a positive and should be reflected by you to your potential employers.

    Don't under estimate the fact that you may have been a problem. You have given us no indication whether you followed security alerts, whether you configured your boundaries properly, etc. This may not be the case but we cannot judge your performance.
  • by busysteve (466550) on Saturday December 20, 2003 @11:16AM (#7773038)
    This seems to be a wise thread. I was laid off a few years ago for "cost cutting" reasons. I was very nice to my managers afterwords(days later). I told them where recent code was that they didn't know they needed and how to (and why) to make use of it. In the mean time I got a cool contract working on a StrongARM embedded Linux job(for less money). As luck would have it, when the contract was almost complete they asked me to come back for the same pay. I asked why they wanted me back and they mentioned my kindness(and their sorrow).

    A(nother) suggestion for your problem would be to watch for up coming security matters that might effect them such as an exploit or virus and warn them of it right away. Just be careful how you warn them, some warnings can be taken as threats. You might even add how to combat the threat.

    Just a thought... it worked for me.

The number of arguments is unimportant unless some of them are correct. -- Ralph Hartley

Working...