Documentation for Documentation's Sake



  • So, I had to rant a bit. I had a customer call in earlier and said their their Vulnerability Manager needed to scan some Linux boxes. Ok, no big deal.. Well, the guy said his IT Manager? wanted documentation that you needed to use the root account, or a root account, for the credentials for the scan. It was said it was a manager, and I had to confirm it was someone in IT, because this manager had no f***ing clue how file systems worked.

    Now, I couldn't find any documentation in the Best Practice guide or the Product guide that actually specifically said that you should use an admin or root user for a Windows or Linux system, when scanning. However, I explained to him that MVM does not have any credentials itself on the box, and that it scans using the account you provide to it. If you use a user-level account, you're not going to see all the vulnerabilities, as there are files and directories that are not accessible unless you have root privileges.

    The guy felt the need to explain to me how they had scanned their Windows machines with user accounts, power users, and domain admins, and how domain admin scans found a ton of vulnerabilities not found under the other users. Umm, yeah, exactly. So you understand how this works.

    However, he kept reiterating how he wanted a document to show his manager, as his manager was "cautious". WTF?! Do you not understand how the basics of file systems and privileges work?! Obviously you do because you saw it at work in Windows! In the end, I sent an email explaining this very basic concept and that was enough to satisfy the tech on the phone. Whether that will be enough for the manager, who knows. But damn! Some people...



  • Welcome to IT. No, chances are neither he nor his manager has any idea of what a filesystem is.



  • Sometimes people want what they want, and even they don't understand why they want it.



  • Ah, yes... IT: where the manager who did the hiring knows nothing about the skill set needed for the job, and the employee knows only slightly more than that (or maybe just knows enough buzzwords to impress the manager). I keep my sanity by remembering that 90% of all "professionals" are incompetent in their jobs... and I think the stats may be worse for non-professionals. (and that 87.3% of all statistics are made up on the spot)



  • @art_of_shred seems like non-professionals would be better. How often do you find an incompetent plumber or electrician? You find them, but is it that high of a percentage? I think incompetency increases as the job becomes more complicated since it is harder and harder to find people capable of being competent and harder and harder for outsiders to identify competence so the tendency to weed out the bad ones drops rapidly.



  • You obviously don't know very many plumbers and electricians.



  • Also, you may have picked a bad example to pin you case on. Plumbers and electricians are skilled tradesmen, needing to be licensed and typically have apprenticeships. They don't just get hired off the street. However, I believe that most retail workers are not competent at their jobs. You be the judge.



  • @art_of_shred said:

    Also, you may have picked a bad example to pin you case on. Plumbers and electricians are skilled tradesmen, needing to be licensed and typically have apprenticeships. They don't just get hired off the street. However, I believe that most retail workers are not competent at their jobs. You be the judge.

    They might be the most likely to be competent of any trained ranks. lol



  • @scottalanmiller said:

    @art_of_shred said:

    Also, you may have picked a bad example to pin you case on. Plumbers and electricians are skilled tradesmen, needing to be licensed and typically have apprenticeships. They don't just get hired off the street. However, I believe that most retail workers are not competent at their jobs. You be the judge.

    They might be the most likely to be competent of any trained ranks. lol

    Agreed.


Log in to reply