A question was posted to ServerFault yesterday that raised ALL of our eyebrows.
Our security auditor is an idiot, how do I give him the information he wants?
The asker is not wrong. Really, go read the question. Any security auditor asking for a complete list of passwords, in plain-text, has got a few screws loose. The asker is understandably hiding their identity, though it has become clear that they are in the UK somewhere. The answers are high quality, and I recommend reading them.
Yes, this is something that System Administrators have to put up with from time to time.
- I have been told to do something that goes against all good understanding of best practice, and may possibly be illegal.
- I have complained, and been told by higher authority to put up or shut up.
- Now what?
The "fix" for this particular case is the same as the "fix" for being asked to troubleshoot a faulting legacy system you'd been studiously ignoring because it privately scares you. Hold your nose, get educated about the system, and start making some reasoned arguments/guesses about what may be the problem. The answers on that question provide the education and troubleshooting guidance for dealing with the "my security auditor is defective" problem.
This person is in a very sticky situation. They are being asked to do something that is very likely illegal in their area and it seems like this is a serious request rather than a subtle test of some kind. And worse, their business management has bought in (see second comment on the question, you'll have to expand the comments to see it). If they do everything they can to convince business management that this is not only stupid, but potentially criminal, and management still presses ahead, they'll get to one of the hardest decisions to make in our line of work.
- Do I quietly go along with this, having done everything I can to dissuade them?
- Do I report this action to the authorities and be a whistleblower?
- Do I point management at this as-yet-unlinked-to-the-company tempest-in-an-Internet as last-ditch supporting evidence of the flagrant stupidity of these actions?
- Do I resign my position and become employed elsewhere rather than do these actions?
I wish them the best of luck. It's the kind of thing that we all hope only happens a very few times in any career.