Why have just one firewall when you can fire all the walls?
'Support monkey' turned network isolation job into a banana skin
Who, Me? To quote the ancient philosophers: "Monday Monday, dah dah dah, can't trust that day."
And so it is, dear reader, that we find ourselves yet again betrayed by the beginning of the working week and its requirement to spend the next five days exchanging your labor for currency (except of course for our American readers – Happy Thanksgiving). Fear not, though, for we can rely on The Reg to soften the blow with a dose of Who, Me? in which readers share their own tales of the treachery of tech.
For example, meet a reader we'll Regomize as "Charles" who once worked as a "support monkey" in a university Biology department. Fear not – Charles's role may have had a simian name, but he was there to fix tech, not to have it tested on him.
Fixing things was challenging, as Charles told us this team had a very broad remit indeed. "We did everything computer related – managed the servers and desktops, produced bespoke hardware and software packages for experiments, data recovery, software support, and generally acted like the computer concierge for the department's employees," Charles told Who, Me?, adding "If it had a CPU it was our responsibility."
One particularly challenging assignment followed the installation of an electron microscope. The microscope was controlled by a PC, and that PC in turn had to communicate with one other workstation, which was to be the "staging location" for data from the microscope. From there, data would be doled out as needed to whichever boffin needed it.
The PCs and workstations in the department were all networked, and it was vital that the PC controlling the microscope was not accessible from any other machine on the network. It was very new and very fancy, you see, so its usage had to be tightly controlled.
As it happened, the support monkeys had recently rolled out an antivirus/security package that included a firewall, and as Charles had helped with that project he was deemed a natural selection to set up the 'scope.
He sensibly began by studying the relevant documentation and scripting some firewall rules to achieve the required outcome.
Charles noted that the documentation was not exactly helpful: "Basically it was a list of the available variables and functions without any explanations or examples."
No problem, though – Charles was sure he was fit to survive this particular environmental change.
Having drafted a first pass at the firewall rules, he assigned them to a test group using the remote policy management server. Then he began testing the rules and found that, indeed, he could not connect to the microscope PC. Success.
Then, he found that he could not in fact connect to anything. At all. Suddenly Charles felt small. Very small. So small the availability of an electron microscope felt apt.
Then the phones started ringing and Charles realized with horror what had happened. In defining the test group via the management server he had accidentally applied his draft rules to every PC on the network.
Nobody could connect to anything.
Thankfully one of Charles's ancestors in the monkey colony had anticipated just such an undesirable mutation, and had permanently and irrevocably white-listed the policy management server – so it alone still had access to the rest of the network. Charles revoked his draft rules and the network came back to life before too many users went bananas.
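Two things went wrong in that rollout, and one thing went right: the draft ruleset denied everything with no exception for the management server, the deployment ended up scoped to every PC rather than the test group, and the hard-wired allow for the management server was what let the policy be pulled back. The Python sketch below is an added example, not code from the article or from whatever security package Charles's department ran; the hosts, addresses and rule names are made up, and the product is modelled as a first-match rule list to which a non-removable allow for the management server is prepended, with a deployment step that refuses to target every host unless told so explicitly.

```python
"""Added example, not from the article: a toy host-firewall policy model that
reproduces Charles's mistake and the safeguard that undid it. Hosts, addresses
and rule names are invented for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed hosts (assumed addresses; not from the article).
MGMT_SERVER = "10.0.0.5"      # policy management server
STAGING_WS = "10.0.1.20"      # the one workstation allowed to reach the 'scope PC
MICROSCOPE_PC = "10.0.1.10"
ALL_HOSTS = [MICROSCOPE_PC, STAGING_WS, "10.0.2.30", "10.0.2.31"]


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR the rule matches
    note: str = ""


def decide(rules, src):
    """First-match evaluation of inbound rules on one host; default deny."""
    addr = ip_address(src)
    for rule in rules:
        if addr in ip_network(rule.src):
            return rule.action
    return "deny"


# The safeguard Charles's predecessor left behind: every policy pushed by the
# management server gets this rule prepended, so the server keeps its access.
MGMT_ALWAYS_ALLOW = Rule("allow", f"{MGMT_SERVER}/32", "management server, non-removable")


def with_mgmt_guard(rules):
    return [MGMT_ALWAYS_ALLOW, *rules]


# Charles's first draft as described: block everything, no exceptions.
DRAFT_RULES = [Rule("deny", "0.0.0.0/0", "draft: block all inbound")]

# A ruleset that meets the stated requirement for the microscope PC:
# only the staging workstation may connect, everything else is refused.
MICROSCOPE_RULES = [
    Rule("allow", f"{STAGING_WS}/32", "staging workstation"),
    Rule("deny", "0.0.0.0/0", "everyone else"),
]


def deploy(policy, scope, all_hosts, confirm_all=False):
    """Return {host: effective ruleset} for the hosts in scope.

    Refuses to apply a policy to every known host unless the caller says so
    explicitly, which is the check that would have caught a test group that
    silently expanded to the whole network.
    """
    targets = set(all_hosts) if scope == "all" else set(scope)
    unknown = targets - set(all_hosts)
    if unknown:
        raise ValueError(f"scope names unknown hosts: {sorted(unknown)}")
    if targets == set(all_hosts) and not confirm_all:
        raise ValueError("policy would apply to every host; pass confirm_all=True")
    return {host: with_mgmt_guard(policy) for host in targets}


def reachable_from(deployment, src):
    """Hosts in the deployment that still accept connections from src."""
    return sorted(h for h, rules in deployment.items() if decide(rules, src) == "allow")


if __name__ == "__main__":
    # Without the guard the draft locks out even the management server.
    print("draft, no guard, mgmt ->", decide(DRAFT_RULES, MGMT_SERVER))
    # With the guard the server can still reach hosts and revoke the policy.
    print("draft, guarded, mgmt ->", decide(with_mgmt_guard(DRAFT_RULES), MGMT_SERVER))
    try:
        deploy(DRAFT_RULES, "all", ALL_HOSTS)
    except ValueError as err:
        print("refused:", err)
    rollout = deploy(MICROSCOPE_RULES, [MICROSCOPE_PC], ALL_HOSTS)
    print("staging can reach:", reachable_from(rollout, STAGING_WS))
    print("other PC can reach:", reachable_from(rollout, "10.0.2.30"))
```

The two checks worth copying into any real policy tool are the ones in `deploy`: a scope that resolves to the whole estate should need an explicit confirmation, and a scope that names hosts the tool does not know about should fail rather than silently apply to nothing or to everything.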
Of course Charles did not go on to complete the project – it was handed to someone more suited to the task. (He thinks that ultimately a hardware solution was found rather than a firewall rule.)
If you have an anecdote like this – a time when your tech skills were not quite so brilliant as you might have hoped – we'd love to hear about it and turn it into a yarn to brighten some future Monday morn. Let us know in an email to Who, Me? and we'll make you anonymously famous. ®