[geeks] Suits, Politicians, and Windows

Jonathan C. Patschke jp at celestrion.net
Thu Aug 1 21:37:55 CDT 2002


I do IT security and connectivity consulting for $county in central Texas.
So far, it's a decent gig.  The people are nice.  They're not very clued,
but they realize that, and are always open to suggestions about what might
make things run more smoothly.  In short, they're lusers, but they're the
good kind--the kind that can learn.

$county runs a mission-critical software application (written and/or
deployed by $company) on an AIX server.  This software does all sorts of
record-keeping, and I have no idea how extensive it is or what it talks
to.  It's just a black box, and $company likes it that way.

In fact, $company is violently opposed to anyone touching "their" AIX box
or "their" network so long as $company is paid to maintain and service the
AIX box and its hundred or so attached Wyse terminals.  They have a
history of blaming any problems on anything they can find that they didn't
install.  Then, while the "offending" party is called to fix the problem,
$company dials into the AIX box and fixes the true problem.

Note that "their" network is the multisite spaghetti nightmare that I
bitched about a couple of months ago.  $company has either never read, or
has failed to comprehend, RFC 1918, and large portions of "their" network
sit on 204.204.204.0/24.  Not the real 204.204.204.0/24, mind you; the one
that exists only behind the NAT box of $county's WAN.

Sooo..... $county wants to "get into this whole Internet thing" by letting
constituents check all sorts of potentially sensitive information over an
SSL-protected web site.  Now, I'm fundamentally opposed to this sort of
thing being web-based, but I'm also rather paranoid.  I suppose that, if
implemented correctly, it could be a Good Thing.

$company has no intentions of implementing things correctly, as far as I
can tell, as their bid for the job included a 700MHz Pentium-III based
computer running Windows 2000 and IIS, 256MB of memory, 18.1 GB of
non-mirrored IDE disc, and an off-the-shelf consumer grade firewall.  All
of this comes at the low-low price of $16.5k, including the query app, but
excluding maintenance.

To me, this sounds like a lovely job for a Sun Fire 220R server and a
little bit of tight CGI code--something that I could surely do for less
than $16.5K and still consider myself handsomely paid.  Also, this
wouldn't require interfacing a mission-critical database with a Windows
``server'' connected to the Internet.

The problem is that, to present this information, it has to be queried
from the AIX server, which is hopefully running some sane database system
(not that anyone knows).  The AIX server may be considered a black box, as
the system is fully managed by $company, and I don't even think anyone at
$county has root on the box.

I want to do the right thing.  Even though I don't live in $county, if I
sit by idly, and Shit Happens, I'm going to feel bad because I can see
this looming over the horizon.  If I put in a bid, win it, and stuff
doesn't go smoothly, $company is going to point at me, and $county won't
know any better (due to the aforementioned lack of clue).  Either way, it
looks like $company is going to get away with doing a half-assed job and
taking severe monetary advantage of what is (to them) a sweet deal.

-- 
Jonathan Patschke
  "gnu: we aim to fuck up everything with the potential to not suck"
                                                   --alex j avriette
