by Spooky23 1611 days ago
It’s pretty much impossible to validate that you are meeting the terms of your contract re: security policy if you’re doing that. You almost certainly were if you were providing SOC services to a big telco.

I have terminated contracts for cause and in one case got a vendor suspended from a big centralized procurement contract for pulling bullshit like what you described.

Folks do all sorts of naughty things with SSH. Back when we used to work in an office, one guy would tunnel out and proxy all his web connections through an SSH SOCKS proxy so the employer's IT would not monitor his web traffic. Another guy would do reverse tunnels from his work PC to home, so he could connect to work without using the VPN.

The telco was providing the managed services in this case. That is interesting, so it sounds like this was a complete breakdown in the process somewhere. We weren’t doing it for fun or sport, we were doing it because it was the only way to effectively do our job.

I've been there, but nowadays my policy is to let my employer/customer get hit with downtime if they don't provide me with ways to effectively do my work.

Absolutely — that’s nuts! I was in the managed services biz for some time; I can’t imagine facing our auditors having allowed third-party contractors to do stuff like that.
>You almost certainly were if

Don't you mean they almost certainly weren't? It's hard to understand the rest otherwise.

No, gp is speaking from the point of view of those who set up the security measure.

Once you start poking holes into the security it's hard to assure you only did it for a good cause or with good intentions (whatever that means).

I still don't get it:

The original:

"It’s pretty much impossible to validate that you are meeting the terms of your contract re: security policy if you’re doing that. You almost certainly were if you were providing SOC services to a big telco."

That second sentence seems to be only interpretable as:

You almost certainly were meeting the terms of your contract re: security policy if you were providing SOC services to a big telco.

However, it also says it's impossible to validate, so if it is impossible to validate that you were meeting the terms of your contract re: security policy, it must mean you weren't meeting the terms of your contract, because such a contract will require validation.

But I guess I should let it go.