BOFH 2001: Episode 14
I'm stuck in an office with a couple of glorified beancounters who want to know how we do things here, and why.
The Boss was no help in the matter, displaying all the spine you'd expect from an invertebrate when the idea was passed to him.
"But they're Financial and Technical Security Auditors! - You can't REFUSE to see auditors!" he blurts.
"Of course you can!"
"You can't - it wouldn't pay for us to get a bad Rep in their report."
"At least we'd have consistency across reports," I respond, pointing out the silver lining.
. . .
Half an hour later I'm sitting across a table at mission control from a beancounter/geek who works for some large multinational beancounter outfit with a padful of questions and stacks of time (at a huge hourly rate) to kill.
I don't like it.
"OK, we'd just like to kick this off with an overview of your current topology and systems. Now, what was your name again?"
"I'm afraid that's commercially sensitive information," I respond cheerily.
"It's commercially sensitive. If I tell you and it gets into the wrong hands, who's to know what slave-trading agency would be on the phone the next day trying to headhunt me."
"We COULD find that information out from your Phonebook."
"I'm not in the phone book. No-one in Systems Admin is."
"From the nameplate on the outside of the door then!"
"There isn't one."
"FROM YOUR PAY DETAILS!!"
"I'm a contractor - A company in other words."
"OK, From your Boss!"
"He's new and doesn't know."
"From your Co-Workers then!"
"They wouldn't tell you. Even if they DID know my real name, which they don't."
"We take security seriously here," The PFY adds, wandering in.
"Well we have to call you something!"
"Yes. I prefer 'The Systems Administrator formerly known as Roger'"
"So your name's Roger then?"
"Your name WAS Roger?"
"So why are you calling yourself the Systems Administrator.. etc"
"Oh, so I can identify myself with a single character from the Symbol font."
"I don't know its name. Do you have a laptop on you?"
"Then I'll have to draw it."
..ten minutes later...
"Now, what operating systems do you run?"
"Oh, I'm afraid that's commercially sensitive information...."
. . . Two hours later . . .
"So let's see, you can't tell me anything about you, your company, your work, the specifics of your computing resources, where they're located, your disaster recovery plans nor even where the nearest fire exit is - because it's all commercially sensitive information?"
"Why is the fire exit commercially sensitive again?"
"Because a headhunter might be waiting outside it to make me an offer I can't refuse. See, they set the fire alarms off knowing which way I might leave the building. And get me. Happens all the time in big companies."
"So why is there a Fire Exit sign over the door to that fireproof safe over there?"
"Throw off industrial spies," The PFY chimes in, nodding knowingly.
"Yyyessss," the geek finally says, reaching for the phone.
Ten minutes later The Boss arrives, having been sent by a Royal command from somewhere on high.
"Now what's this about 'Commercially Sensitive Information?'" he asks.
"He won't tell us his name," the geek narks up. "He says it's commercially sensitive."
"And personal information as well," I respond. "My contract states that you can't actually force me to reveal personal information."
"He won't tell me what Operating Systems you run either, nor what types of server you have."
"Why not?" The Boss asks, testily.
"He says it's commercially sensitive information."
The Boss' eyes narrow at this statement, so I head him off at the pass.
"It's simple," I blurt. "I tell them what OS and machines we're running, then they'll ask me about security and what external access methods we have and how they're penetrated. Before you know it, they'll be wanting to know about who routinely penetrates the firewall from within, how they do it, and where they go when they do. I'd then be forced to reveal details of non-web-cached browsing that management believes isn't logged. Which could be, uh, COMMERCIALLY, sensitive."
"Ah! Yes, yes, I'd have to agree! Because if people knew our browsing histories they might be able to, uh.."
"..leave messages on the websites concerned encouraging key members of management to defect to a rival company," I complete.
"Oh Yes, that's it!" The Boss gasps.
Once more, geek two reaches for the phone...
"..leave messages on the websites concerned encouraging key members of management to defect to a rival company.."
"Oh Yes!" the Head of IT gasps.
. . . Five minutes after that. . .
"..leave messages on the websites concerned encouraging key members of the Executive to defect to a rival company.."
"Ah Yes!" the Assistant CEO gasps unhappily.
. . .
"This'll all be reflected in my report to the board!" the beangeek blurts threateningly, hoping to sway someone in the chain of command. "You can't hide things just by saying they're commercially sensitive."
"Funnily enough, that's what the guy who did the audit last year said."
"Did he? I don't remember seeing it."
"Well you wouldn't. It was commercially sensitive. So we locked it in the safe over there."
"He only had ONE copy!?"
"So to speak. Course, it was in his head at the time."
The PFY adds to the overall threat by shutting the door and pulling the roller blind down over the viewing window..
. . .
"Ah.. Well perhaps I was a little hasty.." the beangeek cries, mid-moment-of-clarity. "Perhaps you DO take systems security seriously."
. . .
"You didn't really shut someone in the firesafe last year did you?" The Boss asks.
"Of course not! But it's the same story I used for last year's guy!"
"So what - or who - is in the Fire safe then?" the Head of IT asks suspiciously.
"Oh, I'm afraid that's commercially sensitive information."
It really is easy when you know how. I should be a politician... ®