g0ne Ownin

My random thoughts and experiences with stuff…

Where to start…

Posted by g0ne on April 24, 2009

First, I want to apologize for not posting much.  I was asked to stop and I complied because I truly felt I was going to be able to make a difference, and since they asked me to stop blogging it would be a good gesture to do so.  I figured that if I cooperated with them they would do what they needed to do in order to get stuff fixed.  WOW was I wrong…  asking me to stop was their way of hiding their incompetence even if I NEVER disclosed any identifying information.  So now that I have gotten my final check from my previous employer and it has cleared the bank I feel it is time to speak some truth about the wasteful spending of man hours to unqualified, unmotivated, ignorant, shady and downright incompetent personnel.  When I took the position I genuinely felt like I had the opportunity to take my previous experiences and make a huge difference in a place that needed a major overhaul from a security perspective.  Initial meetings/conferences seemed to also point in that direction.  Leadership seemed like they really understood the problem and really wanted to make a difference.  Re-orgs were happening to place the right people in decision making positions, budgets were being announced, contracts were being awarded….  it all seemed to make for a situation ripe for success.  Boy was I wrong……..

It seems the good old boy system was way more at play than anyone could have imagined.  In order to protect the innocent “A” will be used as a Chief Executive level officer, “B” for the security lead, “C” for contract lead, and x, y,z for the incompetent underlings.  So…  A and C had a long past that made for what seemed to be a good relationship at first and turned out to be a good way to backdoor the system and processes.  A and C talked about how they could just move the prime out of the way if it didn’t work out.  C couldn’t do the work alone because they didn’t exactly qualify as a company for the award but C was surely in on the $$ with a little help from a friend.  A appointed B in what seemed like a good move but later turned out to be something somewhat forced and although it was pointed out many times that B was more incompetent than a paraplegic playing professional football and in way over his head, A could do nothing about it.  A told C that he agreed B was incompetent and knew he was unqualified, but couldn’t do anything about it.  xyz wanted to do more complaining about things than actually working on fixing the issues.  They talked about bastion hosts like they were the newest thing in the world and the end all to security problems, ummmm…. yeah.  xyz also decided to do some internet stalking when I first started….  have fun reading mullet man ( m!m )!!!  B at one point decided to report something as a CAT3 to the CERT that was unequivocally a CAT1….  malware being executed as a domain admin and pushed out across the network as a domain admin with psexec, O and that domain admin just happened to be “B”.  Hmmm, anyone else smell ethical issues here?!?!  B also was quick to change dates and names on official deliverables in order to hide his incompetence.  CERT:  If you would like more information, aka CSA logs, I’d be happy to provide that to you.
I would normally never do such a thing but since this wasn’t the only unethical thing that was done I feel it is my duty to provide the information you should have legally been given up front.

C had a team hired to help fix things but as it turns out C really only wanted to make it seem like we were there to make a difference, the real reason was to fill seats.  We were even asked to go 24/7 at which point it was noted there wasn’t enough “other” support and it was really just wasting money.  Well, as it turns out again A and C were there to fill seats, build resumes, make money, and A didn’t care if the money would be well spent as long as the total number of positions was increased, making A and C look good in the end.  As long as C was able to meet A’s requirements all is well and both are made to look like the heroes.  Official audit??  IG are you out there?

There are a few good people to work with there but there is also an overwhelming number of people who really aren’t worth their weight in trash.  It’s obvious to see exactly why some agencies end up getting pwn3d over and over again.  Anybody that believes things will just magically get better by TALKING about things and not actually DOING things is sorely mistaken.  I’ve seen places in the past that are in poor shape from a security standpoint but take the recommendations of security professionals and actually get better.  Crazy concept I know!!

In the end, I guess you could say they won.  The smartest people there left, the A, B, C and xyz get to do business without someone like me pointing out problems, the CERT has no idea what is really going on.  Congrats to them, now they can get owned and be completely oblivious to it but they will certainly have the man power to sit and do nothing.

6 Responses to “Where to start…”

  1. This sounds like my experience in the corporate realm. There was no official security function until SOX, HIPAA, etc, etc. hit. Those at the top were buds, as were the network admins…I was the outsider. I had less rights and access than the network admins until the top guy finally left. I was totally handicapped in doing an effective job. As in your case, the smart people bailed, the company is now going bankrupt after a myriad of failed IT initiatives. Keep on postin’

  2. IG said

    Every .gov entity has an IG, and an anonymous tipline. I could point you in a better direction if I knew more specifics. This sounds like it needs to be investigated.

  3. IG said

    If you are actually interested, let me know.

  4. cktricky said

    AMEN

  5. g0ne said

    that is up to you as an IG member…

  6. DK said

    Sounds pretty typical to me.. Enjoy the greener pastures bro! Party soon…I’ll let you know the details.
