Oh EBCDIC…


April 10th, 2006

How do I hate thee? Let me count the ways…

On second thought, you’ve taken up enough of my time today. You’re old, and IBM should burn in blackest hell for not switching to ASCII with the rest of the civilized world. Good day sir.

By the way, we’re changing web servers


March 8th, 2006

Pedro has a blog entry on this topic as well. I have a Dilbert comic which is similar in nature to the one he has posted, but I cannot find an electronic version at this time. A paper version has been hanging in my cubicle for months, and the text of it is as follows:

Dilbert: “The project was moving along well until management changed our coding language and methodology. Now our timeline is represented by this M.C. Escher print of an endless stairway. This deep-sea submarine is looking for our morale.”

PHB: “Would this be a bad time to add a few features?”

Yesterday, this became reality. You see, I have been working the last couple of weeks on development of a new ASP.NET application with a C# codebehind that has been going slicker than bird poop. Yesterday, I found out that our IIS intranet server is being replaced with an IBM WebSphere J2EE platform. Apparently the project is already in the works as part of a larger effort to “standardize” our web servers, and has a project manager assigned to it and everything.

As far as I’ve been able to ascertain, the reason this project has come about is because the previous “web developers” the company had hired (both of whom have since moved on to greener pastures) decided in their infinite wisdom that rather than using common web programming technologies, such as PHP or ASP.NET, they would use Java to build an external website. My personal dislike of Java aside, the really bad decision was to have this (a) hosted by an external company, and (b) running on Apache Tomcat on Windows 2000. The reason this is such a problem is because apparently neither anyone in our IT department, nor the company hosting the server, has a clue how to administer Apache Tomcat, and there have been “problems” (occasional loss of service) with “it” (the website/server/software, it’s all the same to these people). So apparently someone, somewhere in the upper echelon of the company decided that if we dump Tomcat in favor of WebSphere, these “problems” would somehow magically disappear, and that “it” would run better.

That doesn’t explain how the intranet server got dragged into this, however. When I started here, the intranet server was an old NT4 box. This worked fine for the company because the intranet is mainly used to house local sites for each department, and the people in each department at that time weren’t programmers, and just slapped up some HTML pages with FrontPage. Of course, I wouldn’t be content with that, so I did the only thing I could do at the time, which was to develop old ASP pages in VBScript (which is of course how I met the #asp crowd).

About a year and a half later, long after I had finished most of the development of the Records website, they upgraded the intranet server to a Windows 2000 system. So when I took a new position in Customer Service and was tasked with maintaining and improving the website for this department, naturally I began down the path of ASP.NET.

I am still the only person in the company doing ANY server side programming on the intranet server, yet I was not even notified formally, let alone consulted, about this upgrade–just a passing comment during a meeting for this application I’m developing, which was something like “the WebSphere upgrade will probably impact this, but we’ll work something out.” Yes, we’ll work something out with my C# ASP.NET code on a J2EE server. Excuse me, I’m going to go stab my eyes out with a rusty fork.

Since when is IRC a security risk?


March 3rd, 2006

I recently had a negative experience with the IT staff at the company I work for. Our security administrator, who has only been here a few months, took it upon himself to remove three programs I have been using regularly for the past three years: Firefox, WinAmp, and mIRC. He also stripped my admin privileges to my workstation, so I cannot install any programs, nor can I write data to my hard drive in any directory other than c:\documents and settings\username\.

After complaining and getting my supervisor to sign a System Security Request (a.k.a. TPS Report) for me, we managed to get Firefox back, but they vetoed the request to reinstall WinAmp and mIRC. WinAmp I can almost understand, since it’s not really work related (though keeping employee morale up should be considered as such), and I have since managed to get WMP10 to be almost adequate as a replacement. IRC, however, I use on a daily basis for entirely legitimate communications that directly relate to my job duties and impact my performance. Specifically, it provides me with immediate access to a large number of colleagues who can assist me with any problems I have in all aspects of programming and web application development.

The following is a copy of the reason the admin gave for not approving my request to restore mIRC:

“IRC, along with other chat clients, is an insecure point of entry into our network. These clients have a continuing history of providing a vehicle for spreading worms and other malware. At this time, we do not have any way to filter or scan the data at the perimeter via the ports that these clients use for potential malware or vulnerabilities, which leaves an unnecessary risk through our firewall to our internal network.”

Now I won’t deny that it is a point of entry, but I would hardly consider it an insecure one. For one thing, it is a client, not a server, so inbound IRC connections are not allowed (I’m not going to go into DCC, which is and always has been disabled). The only data the client receives are plain text ASCII messages conforming to the IRC protocol, and it only receives that from the servers I have explicitly chosen to connect to.

The only potentially vulnerable point in the system is the IRC client itself. And to the best of my knowledge, in the 6+ years I have been using mIRC, there has only been one exploitable vulnerability in the client, which occurred in the fall of 2003, and was fixed in an updated client the day after the exploit started being used. This single exploit cannot even be accurately called an IRC insecurity, since it was a DCC exploit.

In contrast, our company uses Internet Explorer as its officially supported browser. How many vulnerabilities, and exploits thereof, have been discovered in that little program in the last 6 years?

In a closely related struggle, after two weeks I was finally able to get the IT department to set up an FTP account for me to be able to transfer files to and from the externally-hosted web server. I am now on the third day of waiting for my request for an FTP client to be approved. With security policies like this, it’s amazing I can get any work done at all.

Am I hip now?


October 2nd, 2005

I finally caved in to peer pressure and the desire to be cool. Will this blog be updated regularly? Or will it be quickly forgotten, never to be seen again, until long in the future when it is uncovered during an archeological excavation; a perfectly preserved and unspoiled time capsule that humanity never bothered to record the existence of? Visit often and find out for yourself what wonders may be revealed herein!