Incredulity at security auditors

A question was posted to ServerFault yesterday that raised ALL of our eyebrows.

Our security auditor is an idiot, how do I give him the information he wants?

The asker is not wrong. Really, go read the question. Any security auditor asking for a complete list of passwords, in plain-text, has got a few screws loose. The asker is understandably hiding their identity, though it has become clear that they are in the UK somewhere. The answers are high quality, and I recommend reading them.

Yes, this is something that System Administrators have to put up with from time to time.

  • I have been told to do something that goes against all good understanding of best practice, and may possibly be illegal.
  • I have complained, and been told by higher authority to put up or shut up.
  • Now what?
In the industry, if your boss is a (potentially criminal) idiot, and you can't change their mind, it is time to change the boss. Not everyone has that luxury though, especially in this economy, so sometimes you have to stick with it. That's the hard part.

The "fix" for this particular case is the same as the "fix" for being asked to troubleshoot a faulty legacy system you'd been studiously ignoring because it privately scares you. Hold your nose, get educated about the system, and start making some reasoned arguments/guesses about what may be the problem. The answers on that question provide the education and troubleshooting guidance for dealing with the "my security auditor is defective" problem.

This person is in a very sticky situation. They are being asked to do something that is very likely illegal in their area and it seems like this is a serious request rather than a subtle test of some kind. And worse, their business management has bought in (see second comment on the question, you'll have to expand the comments to see it). If they do everything they can to convince business management that this is not only stupid, but potentially criminal, and management still presses ahead, they'll get to one of the hardest decisions to make in our line of work.

  • Do I quietly go along with this, having done everything I can to dissuade them?
  • Do I report this action to the authorities and be a whistleblower?
  • Do I point management at this as-yet-unlinked-to-the-company tempest-in-an-Internet as last ditch supporting evidence of the flagrant stupidity of these actions?
  • Do I resign my position and become employed elsewhere rather than do these actions?
Each of the above has its own consequences. The first point may end up with your butt on the line if the issue ever does get brought up legally. The second one will cause your company to be quite angry with you, will probably involve extensive legal proceedings, and will be an unremovable mark on your record (for good or bad). The third will only work if management is of the right mindset to understand it, and may get you fired for talking about company policy in public. The fourth is perhaps the easiest to do, but will also involve a period of unemployment that could stretch from several to many months.

I wish them the best of luck. It's the kind of thing that we all hope only happens a very few times in any career.