Coding and programming are two different things (they are related, but they are different). Coding is learning the syntax of a language and the mechanics of implementing a solution to a problem. Programming is analyzing a problem and determining what computational steps are needed to arrive at a solution.
In the mid 70's, my high school offered a FORTRAN programming class out of the math department. It was a full school year class that met daily. For the coding aspect of the class, we had one shot a week on the computer. On Friday we would hand in our punched cards and on Monday the teacher would return the cards and the compile/run printouts (the computer we used was the school district's main system). The time we spent actually coding was done outside the classroom.
The majority of the class however was learning how to program. Coding was a secondary aspect of the class (typically one day a week was going over specific FORTRAN concepts). Our first assignment was to break down the steps one used to make a phone call (step 1, walk over to the phone, step 2 pick up receiver, step 3 listen for a dial tone, step 4 if no dial done
In the parent article, it sounds almost the same. They are being introduced on how to program.
In today's environment, there are a lot of coding frameworks that have pre-canned solutions that address many typical programming requirements. So it's easy to approach solving a problem by learning the frameworks and connecting the pieces together. The real programming has already been done within the framework. This is both a blessing and a curse. The blessing is that a lot of people can code a solution to many real-life problems without needing to really understand the programming aspect. The curse is that the solution will more than likely be bloated, and computationally inefficient.
The internet really helps with coding; it acts as a helpful reference for finding frameworks, the syntax of languages and little coding snippets.
What you described is nothing more than a full security / disaster recovery audit. If your data center (and management) is really serious about it, the company will need to invest both time and money to protect itself.
Once you have your policies in place and everyone has "signed off" that they are in compliance, you can start with the auditing.
One additional comment, depending on the size of the organization, there may be a security group. If there is one, then it should be the responsibility of this group to perform any security monitoring or testing. Individuals outside the group should not be performing their own security or intrusion testing of systems that they are not directly responsible for. If a vulnerability is uncovered, it should be documented and reported to the security focal point and management.
James Madison (you may have remembered his name as he was one of the primary authors of the US Constitution and the Bill of Rights, fourth president of the US, etc.) wrote under the pseudonym Publius a letter that was published in newspapers in and around this new group of states. A whole series of these letters and essays, which are now collectively known as the Federalist Papers, were written to help explain to the people why they should ratify this new document and accept this new form of government. The people at that time were a little on the leery side and really didn't have a lot of trust in governments (having just fought a war with England and such).
In the Federalist Paper #46 Madison wrote:
The only refuge left for those who prophesy the downfall of the State governments is the visionary supposition that the federal government may previously accumulate a military force for the projects of ambition. The reasonings contained in these papers must have been employed to little purpose indeed, if it could be necessary now to disprove the reality of this danger. That the people and the States should, for a sufficient period of time, elect an uninterrupted succession of men ready to betray both; that the traitors should, throughout this period, uniformly and systematically pursue some fixed plan for the extension of the military establishment; that the governments and the people of the States should silently and patiently behold the gathering storm, and continue to supply the materials, until it should be prepared to burst on their own heads, must appear to every one more like the incoherent dreams of a delirious jealousy, or the misjudged exaggerations of a counterfeit zeal, than like the sober apprehensions of genuine patriotism.
Extravagant as the supposition is, let it however be made. Let a regular army, fully equal to the resources of the country, be formed; and let it be entirely at the devotion of the federal government; still it would not be going too far to say, that the State governments, with the people on their side, would be able to repel the danger. The highest number to which, according to the best computation, a standing army can be carried in any country, does not exceed one hundredth part of the whole number of souls; or one twenty-fifth part of the number able to bear arms. This proportion would not yield, in the United States, an army of more than twenty-five or thirty thousand men. To these would be opposed a militia amounting to near half a million of citizens with arms in their hands, officered by men chosen from among themselves, fighting for their common liberties, and united and conducted by governments possessing their affections and confidence. It may well be doubted, whether a militia thus circumstanced could ever be conquered by such a proportion of regular troops. Those who are best acquainted with the last successful resistance of this country against the British arms, will be most inclined to deny the possibility of it. Besides the advantage of being armed, which the Americans possess over the people of almost every other nation, the existence of subordinate governments, to which the people are attached, and by which the militia officers are appointed, forms a barrier against the enterprises of ambition, more insurmountable than any which a simple government of any form can admit of. Notwithstanding the military establishments in the several kingdoms of Europe, which are carried as far as the public resources will bear, the governments are afraid to trust the people with arms. And it is not certain, that with this aid alone they would not be able to shake off their yokes. 
But were the people to possess the additional advantages of local governments chosen by themselves, who could collect the national will and direct the national force, and of officers appointed out of the militia, by these governments, and attached both to them and to the militia, it may be affirmed with the greatest assurance, that the throne of every tyranny in Europe would be speedily overturned in spite of the legions which surround it.
Federalist Papers #46, James Madison as Publius, writing to the People of New York, January 29, 1788. The Federalist Papers: No. 46, from the Avalon Project at Yale.
Something to think about when trying to frame the wording of the 2nd amendment
If I called a towing company, claimed that the car you had parked in your driveway was mine and that I wanted it towed to my house, that would be theft.
If I add in my phone... stock android -> Cyanogenmod
No one is expecting management to come in and fight the fire at 2 AM. What is expected of management however is for them to understand what is happening within their organization (and not at the bits and bytes level) because they are directly responsible for the actual organization. What management should be able to do is to be able to bring in another competent person to fix the fire at 11 AM because you were killed on the highway while you were driving into the office at 2. And that competent person should be able to get a start fixing that problem because management was able to give them the proper "keys" and there is proper documentation for them to get a gist of the layout of the system.
Yes -- you are a sysop, and not management. You are an employee hired to perform what management wants. If management screws up and something happens to the organization, they can be legally held responsible -- think Sarbanes-Oxley. If you are following their orders then you are off the hook (one of the reasons why executives are paid the salaries that they are). If you go off and do something on your own without their approval, or try to hide things from them under the guise of "I know what's right for the business", and something happens, it will be your butt on the line.
Say that you worked in a finance group responsible for transferring company assets into different external funds that are dictated by upper management, and you thought "hey upper management doesn't understand what they are doing and they don't listen to me, I'm going to go out and transfer some of the company's money into some of the funds that I think are doing well, and I know it can make a huge return of investment for the company". How far do you think your arguments would float?
One of the things is that sysops and admins need to stop "hiding" the incompetencies of management by "going behind management and doing the right thing". If you really believe that the organization is going to fail because of management decisions, document what those decisions are, document how you believe that they are harming the organization and report it to the organization's internal auditing or business controls folks.
The code of ethics for the ACM includes the following http://www.acm.org/about/code-of-ethics
All in all I believe that if you really read the full list of the ethics of these types of organizations you will find that if you are doing your job well, properly documenting any issues, validating problems, and responsibly reporting them, incompetency will not have a leg to stand on.
A policy should have been in place that defined who the business owner (management) of the resource was (network in this case). It is the responsibility of management to ensure that they define who has a business need for access (and have it documented), and it's the responsibility of the tech grunt to run the system (or network) for the business owner.
The key point is that as a non-manager type person, if management says jump, get it in writing and jump. Management is ultimately responsible for the system and network to the business. If management has made bad choices or decisions, it's their fault and if the request or actions leading up to the failure are documented, that admin can refer to that.
All organizations should at least have a documented policy of who can have access to resources and that the business owner of the resource can be easily determined. The business owner needs to be someone who is legally responsible to the organization (i.e. an executive, or someone high enough in management).
As a system administrator, you should insist on having this documented just to protect yourself. If you suspect that there are some management decisions that could jeopardize the operation of the system, document it, report it to the business owner and let them make the final decision (with documentation).
In the case of Terry Childs, had this been documented, he would have been able to either say that the person who was requesting the passwords did not have a business need (and would be able to back that statement with documentation), -or- if the person did have authority to have access, he could have simply documented why it was a bad decision, handed the passwords over and walked away from it.
Yes there is a pride element. You've spent years building up a system and making it shine, but unless you are running your own business, you are not the legal owner of that system.
e-credibility: the non-guaranteeable likelihood that the electronic data you're seeing is genuine rather than somebody's made-up crap. - Karl Lehenbauer