
Comment: Business Use (Score 1) 417

by kjs3 (#38442838) Attached to: How To Thwart the High Priests In IT
Oh, yes. It's all about helping the users get their job done. Let's take a trip through my midsized company's summary of just this month's "this phrase 'business need' does not mean what you think it means", edited for clarity of intent. Thank the gods our management knows the difference between "facilitating business" and "feckless idiots who are endangering the company".

U: "I need iTunes on my work PC"
IT: "Why would you even *want* to do this? Bring in your iPod."

U: "Full disk encryption is a pain in the ass, what with the second password. Please turn it off on my laptop."
IT: "You carry vast amounts of sensitive employee data on your laptop. And there's no second password. It's just that the screen where you enter your single password looks different."
U: "So?"
IT: "You've lost your laptop twice in the last 3 years. You leave it in your back seat. Even though we've told you not to."
U: "So?"

U: "I don't like X (the very expensive, very capable software package the whole rest of the team agreed to use, and be trained on at additional great cost). I used Y at my last job and I want to use that. I want you to buy it. And I'll probably need some additional training."
IT: (Checking records... user missed most of the training on X.)

U: "I want to use KTBICS (known to be insecure cloud service) to share files amongst my team"
IT: "You're a finance group. Handling SOX related data. And we already have a corporate approved, secure service that does exactly the same thing."
U: "Well, we're already using the non-commercial free version of KTBICS to share the same data, so we don't see what the problem is."

U: "I want you to install IIS, SQLserver and .NET on my desktop PC for testing."
IT: "We've built a sophisticated, secure dev/test environment to do exactly this."
U: "I forgot about that. But since I have to deliver this week I won't have time to finish the project if I have to learn how to use the approved platform. So just install everything on my machine. And I'll need the Internet to have access."
IT: (check records...user blew off training on the dev platform, which would have allowed them to spin up everything they needed in about 5 minutes).
IT: "Ummm....When is your due date, and what IP addresses need access?"
U: "It's due this Friday. I don't know what IP addresses need access, so just let everyone in."

U: "I don't want to use X. X is made by Microsoft, and I have moral objections to using Microsoft products. I want to use open source package Y."
IT: "If you have a moral objection to using Microsoft, why did you take a job on a team developing .NET applications on Windows Server 2008R2 in C# using Visual Studio with a SQLServer backend? Something made clear as far back as the job ad you responded to?"

Comment: Re:Wrong summary (Score 2) 239

by kjs3 (#34568320) Attached to: BSD Coder Denies Adding FBI Backdoor
Not my point. This is probably going to come as quite a surprise to you, and you probably don't much care, but there's more at stake here than the backdoor. Jason Wright, FBI plant or no, will never be able to fully clear his name, and for some will always be "the guy who might be a FBI plant". God help the guy if someone finds some sort of bug; no matter how innocuous, it will be cited as "proof". I clearly don't know how "douche" is defined in your world, but in mine throwing someone under the bus with no hard evidence and precisely zero concern for them qualifies as grade-A douche. But then, I actually give a shit about other people and consider the consequences of my actions. YMMV.

The adult, professional, dare I say "non-douche" way to handle this would have been to say "I have credible reason to believe that there is a deliberately introduced back door in the IPSec code in OpenBSD. It would have been introduced around $DATE and/or in $FILES. Please drop what you are doing and start auditing." while trying to confirm the details. Obviously, that didn't happen. Obviously, far too many people couldn't care less.

Comment: Re:Wrong summary (Score 1, Troll) 239

by kjs3 (#34565084) Attached to: BSD Coder Denies Adding FBI Backdoor
Lesse...I'll publish a wildly sensational accusation by a third party without attempting to verify any of it and excuse myself with "prove you didn't do it". Of course, since everyone on the Internet will take a reasoned step back, verify all the facts before reacting, and will never launch a mass electronic lynch mob, the folk accused will be just fine. Does that cover how big a douche DeRaadt is here?

Comment: You're doing it wrong... (Score 1) 606

by kjs3 (#33928274) Attached to: Generic PCs For Corporate Use?
You purchasing people are idiots. My brother's small biz routinely orders well appointed Dell machines (mid-tier Core processors, 4-8GB RAM, nice monitors) for around $700. That's for one or two at a time. It sounds like your folks negotiated some "standard" buys which are crappy deals. This is not Dell's problem, and it's unlikely white-boxing will fix a broken procurement system.

Comment: Re:Value? (Score 1) 217

by kjs3 (#30265170) Attached to: G-WAN, Another Free Web Server

> Where's the value/point in releasing another limited-utility webserver?

Well...that depends I suppose. I don't think G-WAN is worth paying attention to, but Marcus Ranum semi-famously wrote a "limited utility" web server for a porn site that was both very fast and very secure in 1996, and still was a decade later. I agree with his point that not everything requires Apache-level functionality, and all those bells and whistles come at a cost. Right tool for the job and all that.

http://www.ranum.com/security/computer_security/editorials/master-tzu/

I truly believe that the patching fad in which we are currently living is not going to last much longer. It can't. In another couple years, we'll have one full-time patcher to each system administrator. What's odd is that if companies simply exercised a bit of discipline, it wouldn't be necessary at all. Back in 1996 a buddy of mine and I set up a web server for a high-traffic significant target. It was not the Whitehouse; it was a porn site. We invested 8 hours (of our customer's money) writing a small web server daemon that knew how to serve up files, cache them, and virtualize filenames behind hashes. It ran chrooted on a version of UNIX that was very minimized and had code hacked right into the IP stack to toss traffic that was not TCP aimed at port 80. 10 years later, it's still working, has never been hacked, and has never been patched. If you compute the Return On Investment (Or ROI in the language of Prince Ciao) it's gigantic.
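To make the design Ranum describes above concrete (a fixed set of files read into memory once, real filenames hidden behind hashes, a parser that understands exactly one request shape, chroot and privilege drop), here is an added example in Python. It is not Ranum's 1996 daemon and not part of the comment; the function names (`index_files`, `index_docroot`, `public_url`, `handle`, `confine`), the choice of SHA-1 as the hash, the uid 65534 used when dropping privileges, and the sample content in `SAMPLE_FILES` are all my assumptions, constructed for illustration. The security point it shows is that there is no path-handling code to attack: the URL is an opaque key looked up in a table built before the server ever accepts a connection, so `..`, percent-escapes, query strings and unknown methods never reach anything that interprets them.

```python
import hashlib
import os
import re
import socketserver

# The only request shape the daemon understands: GET /<sha1 hex> HTTP/1.0|1.1.
# Anything else (other methods, query strings, '..', percent-escapes, long
# lines) fails this match before any path logic exists to be abused.
REQUEST_RE = re.compile(rb"\AGET /([0-9a-f]{40}) HTTP/1\.[01]\r\n")

# Constructed sample content standing in for a docroot (not real files).
SAMPLE_FILES = {
    "index.html": b"<h1>hello</h1>",
    "img/cat.jpg": b"\xff\xd8\xff\xe0fake-jpeg-bytes",
}


def index_files(files):
    """Map sha1(relative filename) -> content. Built once at startup, so the
    request handler never touches the filesystem or interprets a path."""
    return {hashlib.sha1(rel.encode()).hexdigest(): data
            for rel, data in files.items()}


def index_docroot(docroot):
    """Same thing for a real directory: read every file into memory (the cache)."""
    files = {}
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, docroot)] = fh.read()
    return index_files(files)


def public_url(rel_path):
    """The opaque URL to publish in place of the real filename."""
    return "/" + hashlib.sha1(rel_path.encode()).hexdigest()


def handle(raw, index):
    """One raw request in, one complete HTTP/1.0 response out. The connection
    is always closed afterwards; headers after the request line are ignored."""
    m = REQUEST_RE.match(raw)
    if m is None:
        return b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n"
    body = index.get(m.group(1).decode("ascii"))
    if body is None:
        return b"HTTP/1.0 404 Not Found\r\nConnection: close\r\n\r\n"
    head = (b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(body))
    return head + body


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        # Read one small buffer only: a request that does not fit is not one we serve.
        self.request.sendall(handle(self.request.recv(4096), self.server.index))


def confine(docroot):
    """chroot into the docroot and drop root. Only effective when started as
    root; uid/gid 65534 (nobody) is an assumption about the host."""
    if os.geteuid() == 0:
        os.chroot(docroot)
        os.chdir("/")
        os.setgid(65534)
        os.setuid(65534)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    idx = index_docroot(root)   # read everything before chroot; files never reopened
    confine(root)
    with socketserver.TCPServer(("0.0.0.0", 8080), Handler) as srv:
        srv.index = idx
        srv.serve_forever()
```

The "toss everything that is not TCP to port 80" part of Ranum's setup lived in the IP stack and is not reproduced here; a host firewall rule gives the same effect today. Note the ordering in the entry point: the index is built from the real filesystem first, then the process chroots and drops privileges, so after startup the daemon needs no file access at all.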
