Post Mortem of GunnAllen IT Meltdown
CowboyRobot writes "The story begins when GunnAllen, a financial company, outsourced all of its IT to The Revere Group. Before long, it was discovered that 'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.' In addition to the obvious security concerns of sending information such as bank routing information and driver's license numbers, the act violated SEC rules because the routed information was not being logged. Regardless of whether the cause was negligence, incompetence, or sabotage, the matter was swept under the rug for a time until unpaid SQL Server licenses meant threatening calls from Microsoft as well. The rest of the story is one of greed, mismanagement, and neglect, and ends with the SEC's first-ever fine for failure to protect customer data."
Wow, according to The Revere Group website:
WHEN TRANSFORMING THEIR BUSINESS, TOP PERFORMERS TURN TO A TRUSTED ADVISOR
Guess that's not The Revere! Group
If you want news from today, you have to come back tomorrow.
I agree. This is the funniest thing I've heard today. Through his home cable modem! HAHAHAHAHAHA!
Yeah keep outsourcing the responsibility of something so crucial that IT people hold the keys to the kingdom.
This is nothing new in the world of IT. Save a dime to lose a million dollars.
I am in a company right now where they hired IT consultants for well over 3 years and come to find out so called "Experts" were just patching the system but never really fixing the real issues. It's amazing to see what these contractors were selling to a company who had the money to buy great gear only to discover pure incompetence at implementing it. I am no expert by any means but I can smell bullshit when I see a network in need of a lot of TLC.
A financial company outsourcing its IT ought to be considered criminal negligence.
(Though an own employee could do the same thing, in this case.)
Sheesh, evil *and* a jerk. -- Jade
Here's the printer friendly page. The whole article on one page; http://www.informationweek.com/security/attacks/exclusive-anatomy-of-a-brokerage-it-melt/240008569?printer_friendly=this-page
Well, you know, he had RoadRunner... In 2005, that was pretty wicked! If he had set up two or three accounts and load balanced them...
If you want news from today, you have to come back tomorrow.
What a clusterfuck!
GunnAllen, a financial company, outsourced all of its IT
I think I've found the first problem.
'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.
That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.
Are you trying to tell me that the SEC has rules? That they enforce? I don't believe this. This does not reflect the US that I live in; are you perhaps talking about some other country with more reasonable laws about this kind of thing - maybe you meant to say it happened in Armenia, not America?
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The writing is so bad I can barely follow the story.
Woe is me, shame and scandal in the family
Woe is me, shame and scandal in the family.
It's not mentioned in the summary, but the first sign of the rerouting was, as you'd expect, their network slowing to a crawl. That earned the IT guy responsible for it a reprimand. A reprimand, for routing an entire company's trading data through his home modem for a week!
There's other gold in there too, like the time the guy pulled the cable on a production rack in order to create a catastrophe so he wouldn't have to travel to a business meeting, or his habit of remoting into IT infrastructure (Blackberry and Exchange servers were mentioned) on the weekends to fuck up their configuration, just so he could "magically" fix it on Monday morning.
He was, apparently, eventually fired.
There's no place I could be, since I've found Serenity...
The network engineer was sabotaging the system by logging in during the middle of the night and breaking servers such as the Blackberry server, etc., so that he could come in during the morning and be the hero by fixing everything as quickly as he wanted.
"The network would get screwy over the weekend ... then [he] would show up, and five minutes in on a Monday, he'd fix the problem," Saccavino said.
He got caught when they sent a different level of IT person to investigate the network slowdowns and who used a keylogger to catch the shenanigans.
The saboteur network engineer was also plain ol' lazy, he's also accused of
"purposely pulling a cable out of a production environment in order that you would not have to travel to Jacksonville to attend an HP event at the request of the CIO." As a bonus, Microsoft also threatened to revoke their licenses for their version of SQL because, get this, the CIO had not gotten around to paying the license fees. That part seems to be a management problem, and not the network engineer's fault. But obviously, if this is the first time for a stand-alone SEC fine, then there were very crazy things going on at this company.
I worked at a place where the Exchange admin - every so often - would have to heroically work 72 hours or whatever to rescue the mail servers and we only have 2 days of downtime, etc etc, and the CIO would praise him for his hard work.
I asked my boss if I should also reboot the firewalls every now and then - just to heroically bring them back up again, and get thanked for my hard work. He gave me a nasty look...
Or not... it seems from the small investment firm to the core of our financial systems are manned by corrupt, lazy, money-comes-through-grift-not-work types.
If not given the resources to have Exchange load balanced, and if it happens to crash and requires a 200GB Store restored...72 hours sounds about right. The 2 days downtime should have been 4 hours (time to investigate and bring a backup VM online). Without a backup VM, it should have been down 1 day.
I say Sabotage. I'm presently a NOC engineer at an IT managed services provider. Before, I worked for a well-known financial market data provider. The most demanding client we have is a financial company. Every once in a while, they get unhappy with our service for whatever reason and decide to blast the blame-thrower. During the most recent hissy-fit episode, they threatened to not renew the service contract. Moreover, their CIO dropped in on the conference call and said not only are they not gonna renew the contract but he was gonna have us blacklisted with other financial companies that we were looking to grow business with. It's been my general impression that financial clients tend to be some of the most high maintenance, demanding, and nasty assholes. I've a hunch that a similar reason could be a factor in explaining this network engineer's actions.
Go to http://www.reveregroup.com/ and search for anything in the top right search box. You'll get a licensing error. These guys are on the ball...
FTFA:
"He'd purposefully break things, then come in in the morning and be the hero,"
"purposely pulling a cable out of a production environment in order that you would not have to travel to Jacksonville to attend an HP event at the request of the CIO."
I'm in a decent position at my company. My particular skillset is luckily in decent demand, so I'm not worried if I do get outsourced.
However, I like my company. It has good benefits and the working conditions are not bad. We are looking at co-location of our data center and outsourcing some of our support.
The biggest problem I see is that the outsourcing company really sucks. Their engineers are crappy, have little skills, and know little about regulatory or other compliance requirements.
We have already begun to outsource some web development efforts to another company. Our internal IT had to bid against the external company. Apparently internal IT's costs and delivery date were not 'aggressive' enough. Long story short, the external company won the bid but are now at least two months behind and 50% over budget. That 50% translates to over $1M US. Not only that, the external company has pretty much ignored any compliance requirements (PCI, internal baseline standards, change control processes, etc.). Why can they get away with it when internal IT cannot? Simply because this is a critical project and normal controls are being relaxed. Yes, it makes absolutely no sense that the more critical a project is, the less it has to adhere to standards, but welcome to my company.
As I said, I like my company, but some idiots got sold on a vendor promise and we will end up paying for it in lost revenue and jobs.
I mean it's disappointing that a title like that wasn't a story about someone from IT going completely berserk apeshit. It's bound to happen, lol.
Why would a senior network engineer need to send traffic home to verify his routing patterns? Yeah right, he scammed millions and they covered it up to avoid more fines. Now, he and his red stapler are at some beach resort complaining about the Mai Tais.
'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.
That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.
He probably cooked lobsters in his dishwasher, too.
A feeling of having made the same mistake before: Deja Foobar
Well, here we go! The CIO of the company outsourced the IT department to..... his own personal company. No conflict of interest there!
I meant to find a real example of another lazy network tech., sabotaging for the sake of self-aggrandization or for getting out of work, but I couldn't find an example easily, or think of the search-terms that would do it. ("Self-aggrandization" didn't lead to much..., though there are some good reads like http://www.metafilter.com/88359/Not-enough-women-have-what-it-takes-to-behave-like-arrogant-selfaggrandizing-jerks
http://www.shirky.com/weblog/2010/01/a-rant-about-women/
http://www.computerworld.com/s/article/9034438/Former_network_engineer_faces_jail_time_for_sabotaging_patient_data ) but that last one is more of a criminal sociopath.
And there was the San Francisco City Network administrator who refused to hand over his password, even to his boss or the mayor until he was taken to court on a criminal charge.
If you know any other good tech example, I'd love to know about it.
Unions can be a big help in stopping BS like this from happening.
When you have people purposefully break things just to look good for the bosses, that's bad; even worse is sweeping security and other issues under the rug.
Fuck Exchange for stuff like this, the worst part is that it probably did it on its "own". Granted, it shouldn't take 72 hours, but a good 8 can occur if you have an entire RAID array failing or something, coupled with a bad MS update and someone who tried to install Office 2007 on the CAS.
Sounds like this guy: http://www.bash.org/?500338
Apparently Scott Adams can retire, even the pointy haired boss couldn't top this.
Are you kidding? If he was union labor, they wouldn't have been able to fire him.
DATABASE WOW WOW
It's hard reading IT train wreck stories, especially when the damage is self-inflicted. And yet I saw that same attitude, on both sides of the transaction, acted out over and over.
A long time ago a CIO I worked for said he wasn't worried as long as he had a throat he could choke if things went sideways. The only thing he cared about was having somewhere to cast blame.
Those were the days I naively cared about doing a good job.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
So, this brokerage was set up as a flag of convenience fifteen years ago and, to all appearances, operates as a loose federation of unchecked agents. One broker is charged with defrauding his clients, assigning all profitable trades to his wife, and all losses to the client. Another gets busted in a massive Ponzi scheme involving retirees and refinancing. Only when they're on the ropes does the SEC come looking at their IT operation, outsourced, from what I can see in the article, via an obvious conflict of interest to a "see-no-evil" boss and a pathological engineer. And the SEC only finds the very tip of the problem.
And that's the only time the SEC fined anyone for IT breaches of customer confidence.
Sleep well, America.
You should never ascribe to malice that which is adequately explained by stupidity.
Are you kidding? Unions are the first to resort to such underhanded behavior. Just look at what happened at American Airlines. Some maintenance worker loosened up a bunch of seats, and bingo within a week the Pilot's union has a new contract after over a year of negotiating. Some coincidence!
Yeah yeah we know it does work, mostly, and is probably written in VBscript or cobol.
But damn, you can afford a EX licence, but cannot afford a high end intel 512G SSD x 2.
Restore in 5mins.
Hard drives, puhhhh.... so 90s, like C64 tapes. Get with the future dude.
Liberty freedom are no1, not dicks in suits.
However no jail time. Refusing to disclose a password in case it's used by such an incompetent carries jail time, but being deliberately criminally incompetent does not. It's a pretty nasty lesson we are teaching the next generation.
MS Exchange is difficult to care for from what I've seen and the competence or otherwise of the people that look after it doesn't seem to spare such dramas from what I've seen. The experienced seem to run several MS Exchange servers (even in small places of 100 users where a 300MHz machine with Sendmail would do the job) that way the blowups and disasters may happen on one server but the mail still gets through on another.
It's a shambolic pile of services and applications loosely stuck together with gum, and there was no reliable way to get usable backup without stopping it (ie. the entire fucking thing to put on a new server and not just a portion of the mailboxes), until volume shadow copy came around - the MS Exchange programmers never supplied what every other MTA provided on first release!
You probably do need to be a hero to keep a single instance of it running.
There's other gold in there too, like the time the guy pulled the cable on a production rack in order to create a catastrophe so he wouldn't have to travel to a business meeting, or his habit of remoting into IT infrastructure (Blackberry and Exchange servers were mentioned) on the weekends to fuck up their configuration, just so he could "magically" fix it on Monday morning.
He was, apparently, eventually fired.
Wha!??
What was this guy? The Harold Shipman of IT?
'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.
That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.
The thing I'm really struggling with is why on Earth would anyone do such a thing
What about when the mafia who controls the unions comes around looking to get paid? What about when politicians looking for paybacks for favors granted to the union demand you employ 50 people who will collect paychecks and yet never show up for work?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
OOHHH GOD!!
WHY, but WHY people still use that exchange garbage!! With so many exchange replacements, so many webmails, so many SAAS alternatives... WHY!?
At least they pay the (heavy) price for it! (money, work hours, never ending troubles)
Higuita
Come to Chicago sometime and you can see how helpful the unions are when it comes to running a business ... right out of Illinois.
Gonna, nothin... okay;
Madder, intensive porpoises, pwned... lame.
the summary says:
the act violated SEC rules because the routed information was not being logged.
are they sure he wasn't logging the data?
I know it's hard for you to understand, but Exchange is a little bit more than an MTA.
As well as email and calendaring and resource sharing and telephony integration, Exchange also allows other functions. How about OTA smart phone synchronization and management. How about user management and seamless integration across domains, subdomains, continents...? There's also journaling and regulatory compliance, continuous replication, load balancing, redundancy and offsite automatic fail over. There's a lot more too that I can be bothered with right now.
The point is that anyone that compares Exchange with Sendmail or any other MTA obviously doesn't have an effing clue what Exchange is and is completely unqualified to have the discussion in the first place.
No the NON unions american airlines el salvador maintenance works did it.
He did it as a test to make sure that he understood his routing tables, and then forgot to go back and fix it. For a week.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
I bet every one of them that messed up here never wore suits and ties. I bet they wore polos and regular khaki pants, maybe even tee shirts and jeans. Remember, this is the business world we are talking about here, you can't trust people not wearing a suit and tie.
Protip: the world is full of people who do stupid shit for apparently no rational reason at all. There.
A successful API design takes a mixture of software design and pedagogy.
Perhaps one of the greatest comments ever seen regarding I.T. projects...
Just look at what happened at American Airlines. Some maintenance worker loosened up a bunch of seats, and bingo within a week the Pilot's union has a new contract after over a year of negotiating. Some coincidence!
No the NON unions american airlines el salvador maintenance works did it.
Exactly. It was only after it happened *twice* that they sent everything to the union shop (right here in Tulsa) to get it fixed right. Then they settled with the union (and *still* shipped some more of their jobs to El Salvador, just not as many as they'd been trying to).
I'd really like to see the AC's story about the union NFL referees. The non-union refs are comically bad for weeks, then blow a game-changing call on Monday Night football, and bingo within a week the Referee's union has a new contract after over a year of negotiating. Some coincidence!
Seriously, this is the most insightful thing I've read on slashdot.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
As per TFA:
But given the rest of the story, I'm not sure if that's the only reason.
Never worked in a Union shop, have you? The difference is that in a Union shop you will get fired 'For Cause', rather than just because your boss doesn't like redheads or Asians. And in this case there was abundant cause.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
I, too, love that they outsourced their IT - they got what they apparently deserved.
But then there's the part in the article where it doesn't appear that before things came down that they'd *never* been audited.
Oh, that's right, most of this happened between '01 and '08, when Bush & Cheney were in charge, and All Republicans Love Deregulation, and if you can't deregulate, strangle the budget of the regulating agency so they can't do their job.
And before you libertarians here jump on me, tell me what you would have done if *you* had invested with them.
mark "that's right, you *ain't* rich, or you wouldn't be spending time reading comments on slashdot"
Not as big of a coincidence as you might think.
I live in Green Bay, and let me tell you, that night things went a little crazy. People on the radio were openly talking about Boycotts.
Nothing changes the mind of a group like the NFL faster than the concept of lost profits.
On the contrary, union workers can be fired easily for what this guy is accused of.
Free Martian Whores!
What about when the mafia who controls the unions comes around looking to get paid?
The Teamsters aren't the only union in the US. They are, afaik, the only ones run by the mafia.
Free Martian Whores!
Actually with our backup solution you can get the Backup VM online in about an hour.
It's taxes that run businesses out of Illinois, not unions. Most businesses here are nonunion and have no problem... until they start fucking over their workers and the workers organize.
Free Martian Whores!
'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.
That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.
The thing I'm really struggling with is why on Earth would anyone do such a thing
It sounds like a case of Munchausen syndrome ...
[ puts on sunglasses ]
by proxy!
YEEEAAAAAAHHHHHHHH!!!!
John
Amusing - some clown that didn't bother to read a short post trying to bury me in megabytes of text about service level agreements that mean little if they allow week long outages to occur due to quick to correct typos.
Maybe you should stop turning me into a strawman by pretending it was my problem instead of one that I became aware of when I couldn't get a job offer by email out to one of the students who had lost their email access for a week. Please have the decency to read short posts before making incorrect assumptions that you would not have made if you'd read a few short sentences.
You've mischaracterized the situation in San Francisco. Terry Childs, the contract network engineer, never sabotaged anything. He just refused to reveal sensitive Cisco switch admin passwords to a cadre of incompetent bureaucrats on a telephone conference call with several unknown participants who were calling into the meeting from a remote office. He was completely correct, and was even willing to go to jail before compromising the security of the city's new fiber optic network that he had designed and configured. He did give the passwords to mayor Gavin Newsom, after explaining to the mayor how poorly the city's IT infrastructure was being managed. The mayor was the only person he felt he could trust, and he was correct. Even his former supervisor stood by him in this dispute, claiming that the city's management was too incompetent to be trusted with such sensitive information.
That supervisor resigned in disgust several months before Childs was arrested. This was during a widespread IT staff revolt that occurred after the city hired a new Chief Information Security Officer who was completely unqualified for the position and landed the job only because she was the girlfriend of another powerful city administrator. Indeed, even when the managers had the admin passwords in hand, they still managed to screw things up royally, proving beyond a doubt that Childs was correct.
As slick as Mayor Gavin Newsom was, he still couldn't fix stupid.
I work in a union shop (state government), and nobody ever gets fired, no matter how poorly they perform. The shop steward always grieves any personnel action taken "for cause" and it ends up going nowhere. The only staff turnover we ever see is among the few contractors we have on board, who are hired for their skills in areas that the union jobs don't cover (e.g., datacenter virtualization, audio-visual support, high-level .NET programming, database administration, BizTalk support, PeopleSoft support, etc.). There aren't many of those folks left, but there is a revolving door kept open for them. The union jobs are secure until the employee dies or retires, whichever comes first. There aren't many young folks on our staff except for the contractors, who can keep their skills up to date by training and studying. There's no incentive for union employees to do that, since they are comfortable in their zone and don't welcome any new challenges.
The CIO as the source of the problem definitely parallels the Gunn-Allen problem, though, and that is the point I was trying to make, though it did not come across clearly as I had wished. Do you have a pointer for the political problems and the girlfriend of the administrator thing? (or are you very in the know and that's why you had to post anonymously?) (by the way, if you'd responded to my comment, I would've been messaged and I would have replied earlier. I think your response is at the same parallel level as my statement. Anyway, thanks for the comment. And in SF, a politically connected boyfriend could be as likely a problem as a politically connected girlfriend, eh? (sez I as a member of the girl gender) )
'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.
That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.
The thing I'm really struggling with is why on Earth would anyone do such a thing
It sounds like a case of Munchausen syndrome ...
[ puts on sunglasses ]
by proxy!
YEEEAAAAAAHHHHHHHH!!!!
That joke was bad and you should feel bad