
Comment: Re:One possible way forward... (Score 2) 116

by BVis (#49784187) Attached to: Insurer Won't Pay Out For Security Breach Because of Lax Security

if the IT contractor got the systems hacked through negligence, that's their fault; and if they secured the systems, but a hack was still pulled off, that's where the insurance policy comes in.

The IT contractor can't stay on-site 24/7 and monitor all the employees. The biggest security problems come from inside the organization; from idiots writing down their passwords to double-clicking on every single attachment that they get, users will never stop creating new and interesting ways to be complete fucking idiots.

If I'm an IT consultant and suddenly have to take on the responsibility for all security breaches, I'm going to find another line of work. I'd spend all my time defending lawsuits from my clients who had a security breach due to nothing that I've done (or didn't do), but instead due to some moron ignoring the written AUP that I left with the client. Since as an IT consultant everything that happens on that network is my fault, I get either dragged into court by my client or my insurer refuses to pay and drops me, leaving me holding the bag for something that wasn't my fault. By the time I get done proving that what happened was not my responsibility, I've spent so much time getting the legal system to understand what happened and why it wasn't my fault that I haven't been able to create billable work for my other clients (if I have any after one of my clients gets broken into).

The only way to avoid that would be to have a voluminous contract that covered as many "if your worker does X I'm not responsible" cases as could be described, and to have a network so locked down that people would barely be able to log into their computers. No client is going to put up with that, despite the fact that that's what they desperately need: to be protected from themselves. (And no client is going to sign that contract, because then it looks like you're trying to avoid responsibility for your work.) Plus you have the problem of your client refusing to implement a security precaution they desperately need because they refuse to change any of their processes, since "we've always done it that way". (Case in point: I used to work somewhere where we were storing complete CC information, including CVV codes, which is a BIG TIME PCI no-no. I put a stop to the CVV storage, but our back-office accounting system would not accept anything other than a complete CC number and expiration date for reconciliation later. I pointed out that we had no compelling business case to store that information, and got back "we've always done it this way". They refused to believe that we could have avoided storage and handled back-orders and refunds through tokenization supported by most major credit card vendors. So then they had a breach that cost them $200,000. They didn't change any of their processes.)

No, the clients are the ones who need to be held responsible for data breaches. Make them expensive enough and they'll start paying attention, hopefully. Make them prove that they followed all the best practices required by the insurer AND all instructions given by the consultant, or don't pay. Only when companies start going out of business because their security was shit will people finally wake up. (Maybe the CEO goes to jail, too. A man can dream...)

Comment: Re: Humans (Score 2) 150

by BVis (#49736219) Attached to: Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach

I suspect the two-thirds figure is coming from the fact that the person creating the gap in security is above a given person on the org chart. Pissing off your superiors is a great example of a Career Limiting Event. Rank has its privileges. I have not yet seen an organization of any appreciable size, public or private, where those at the top do not consider themselves above security policy. That's for the plebs, kind of like how taxes are for little people. While your typical rank and file worker may have to change his/her password every 90 days with one of a given complexity that has not been used before, the CEO says he wants to use a simple password (no joke, I've seen them use the name of the company all lower case) that does not expire. That's a clear breach of written security policy. But, who's going to call him on it? Nobody, if they want to keep their jobs.

Ironically, the employees for whom following security policy is most important (not only due to company policy, but frequently due to external regulations like SOX, HIPAA, PCI, etc.) are the ones who are most likely to be able to bully IT staff into making exceptions.

Comment: Re:Too old (Score 1) 125

by BVis (#49698321) Attached to: Ask Slashdot: Security Certification For an Old Grad?

You are proceeding from the assumption that it matters how good a case you have. The legal system is not about justice, it's about who has the best lawyers. And it's not just limited to legal costs; there would be PI harassment, character assassination, and other dirty tricks. I don't think you fully understand the depths to which some employers are prepared to descend in order to win cases like this, even if it ends up being a Pyrrhic victory.

And good luck getting ANY member of the bar to take on your case unless you have high-res video of someone describing how they're going to fire you illegally. Representing yourself has its attractions, of course, but without courtroom experience or being able to formulate a counter for some insane legal technicality that opposing counsel will pull because they can and fuck you, you're done. You've wasted all that time, lost, and made yourself unemployable. Even if you DO manage to find a lawyer that will take your case, that lawyer will also suffer the consequences of fighting his corporate masters. There are companies that will put an attorney out of business, even try to get them disbarred, if they cross them.

Even if by some miracle you DO win your case, or get a favorable settlement, you are forever associated with not putting up with your employer's shit. Once that gets around, you will not be hired elsewhere, and if you are currently employed, you'll be mysteriously laid off in a "reorganization" or because you're "no longer a good fit for the corporate culture" (which isn't a lie, the corporate culture could very well include "firing people who dare to not take all our abuse like a little bitch".) You'll be a "troublemaker" and "malcontent", and employers don't like to hire people like that, especially in a soft job market where there are probably 400 other applicants willing to eat the shit sandwich they're given and smile.

You sound like you think you live in an ideal culture, where the truth matters, and justice is more than a platitude. The courts can be bought.

Comment: Re:Too old (Score 1) 125

by BVis (#49689587) Attached to: Ask Slashdot: Security Certification For an Old Grad?

Clearly that wasn't meant to be taken literally. What I meant by that was that the chances of your ex-employer having access to better (read: more expensive) legal counsel than you are quite high. They'll run up your legal fees to the point of making you bankrupt and unable to pursue the matter further.

You're probably thinking that'd be more expensive than settling with the plaintiff. You're probably right. But it could be worth it to the employer in terms of employee relations. After all, you kill one hostage, the others cooperate.

Comment: Re: Privacy? (Score 1) 776

by BVis (#49689231) Attached to: Worker Fired For Disabling GPS App That Tracked Her 24 Hours a Day

Yeah, but you still live in MS. Being the most expensive place in MS is kind of like being the fastest swimmer in a class full of amputees.

Lots of people hear about how much stuff costs up here and tell me "if you worked in [flyover state] you'd have a much bigger house, lower taxes, etc etc." The problem is that if I did that, I'd have to live there. Nope, I'll pay extra to live in a state where it doesn't matter if I go to church or not.

Comment: Re:Too old (Score 1) 125

by BVis (#49688823) Attached to: Ask Slashdot: Security Certification For an Old Grad?

Your comment proceeds from the assumption that the company gives a flip about what's illegal and what's not. It is illegal to retaliate against someone for exercising a protected right, but it's not illegal to fire someone for being 30 seconds late or for "no longer being a good fit for our corporate culture" (said culture being that employees should do as they are told and shut up). Both are perfectly legal.

And even if what they do IS illegal, their lawyers can most likely beat up your lawyers.

Comment: Re:Here's the thing (Score 1) 84

by BVis (#49688621) Attached to: Apple, A123 To Settle Lawsuit Over Poached Battery Engineers

This. When the job market is soft and people are hard up for work, then you can pay them less. When the job market for these employees is super duper tight, to the point that one or two key people can make or break a company, wages SHOULD go up. That's supply and demand. Employers can't have it both ways. They TRY to through overt and covert collusion (this goes on a hell of a lot more than is generally known, people DO play golf together, after all) and simply refusing to pay more. As long as every company refuses to increase salaries, people will get paid less.

If A123 was worried about their people being poached away by a company that pays more, they should have given them raises to keep them happy and working there. For some reason, the suits don't understand that the workers are, in fact, NOT chained to their desks, and have the right to leave whenever they choose, and they frequently do so when someone offers them more money. Yes, it's inconvenient and annoying, but that's the situation. Something about slavery being illegal. Damn hippie socialist fascist homosexual liberals, wanting workers to have rights.

Comment: Re:I don't understand you (Score 1) 125

by BVis (#49688505) Attached to: Ask Slashdot: Security Certification For an Old Grad?

Statistics. If enough businesses open, a few of them will be lucky enough to not fold within 6 months. The rest don't fail for lack of trying or some bullshit Pollyanna "If I visualize success and drink the Kool-Aid, then I will prosper" mindset.

The OP believes his business will fail because it's the most likely outcome. This does not prevent him from succeeding, it just prepares him for the reality of the situation, which is that starting a business is extremely risky.

Comment: Re: Forget the GPA (Score 1) 125

by BVis (#49688497) Attached to: Ask Slashdot: Security Certification For an Old Grad?

A recruiter is most likely some C-student fuckwit who wouldn't know a qualified candidate if they bit them on the ass.

FTFY.

Example: If you're going to post a JD that requires HIPAA experience, you should probably figure out how to spell HIPAA. (Hint: It's not spelled "HIPPA".) I'd write that off as a typo, except they did it four times in the JD.

Another example: The JD requires J2EE, Spring, all this other Java-specific stuff. Hey! Let's send it off to someone who doesn't even list Java on his resume! (Actually happened a couple weeks ago. I gave the recruiter the benefit of the doubt, maybe they were new to the industry, etc. Nope, she'd been doing it for 5 years. How do you do that for 5 years and not know the difference between a Java role and a PHP role?)

I still list my GPA because it was good and I worked hard to earn it, but it's at the end of my resume because I am not working in the field I have a degree in.

Comment: Re:Certification for programmers (Score 1) 125

by BVis (#49688455) Attached to: Ask Slashdot: Security Certification For an Old Grad?

If you're going to get past the drones in HR, the more certifications you have, the better the chance that your resume will land in front of someone who has actual skills instead of the C-student debris in HR.

The easier it is to set DUMMY_MODE="On" on HR, the better your chances of getting through their completely non-arbitrary and totally relevant filters.

Comment: Re:Too old (Score 2) 125

by BVis (#49688411) Attached to: Ask Slashdot: Security Certification For an Old Grad?

The lawsuit itself is a matter of public record. The allegations and parties involved will be on the record. The final resolution of the suit is much less important than the fact that it was filed in the first place. Filing the suit means that you are capable of questioning the wisdom of your ruling-class masters, and therefore are not to be trusted.

Comment: Re:Too old (Score 1) 125

by BVis (#49688403) Attached to: Ask Slashdot: Security Certification For an Old Grad?

You can make life a pain for your previous employer after being hired by the next one

That changes the situation from "not getting the job at all" to "getting fired as soon as your current employer finds out about your whistleblowing".

Perfectly legal to fire someone for any reason or no stated reason (outside of blatant protected-class discrimination, and even then, good luck proving it) in the USA.

People have been (legally) fired for smoking tobacco at home or having alcohol metabolites in their system from a beer they had last night. If an employer decides you need to go, you go, technically legal or not.
