Perhaps. So you prosecute your £30k low rank administrative assistant in charge of the thing. All the other unionized low-paid civil servants immediately go "we didn't sign up for this liability" and refuse to touch anything that could be deemed computer administration. Government grinds to a halt.
Something similar happened to the British Museum a couple of years ago. Almost certainly an even worse pay/qualifications employer.
They are professionals. They cannot upgrade this particular windows server, because the software they're running on it requires visual basic 6.0 support. The vendor cannot provide any upgrade for their system, because certifying anything newer than Windows 2003 for this software is prohibitively expensive for the vendor. You cannot switch vendor due to obscure clauses in contract.
since when does entry level IT “call the shots” on reviewing code that gets deployed to prod?
Sure a junior programmer or devops may do something dumb. That’s not the problem - at all. The problem is pretending they are a professional. They are not. They are juniors that need mentorship and should be _expected_ to mess up frequently.
To use a different analogy. If I bring my car to the mechanic, i’m OK with the new guy working on my car, assuming that the senior mechanic, you know, double checks their work. Is that not a reasonable assumption?
You have an incomplete understanding of the situation. The services that have been affected are 3rd party systems, built by the private sector on a government contract. The service was built by people who were not going to support it. It is not possible to upgrade and patch these services. The civil servant developers working on them do what they can, but they have been warming management, who have warned government, that they systems are insecure, but govt won't spend money on updating them.
There are services built by civil servant developers, that are built with security in mind, and they are not affected by this breach.
So it's nothing to do with being paid peanuts, or not wanting to do the best job possible.
It's very easy to backseat drive and offer opinions but your opinion is based on a fallacy.
If someone puts a low rank admin assistant in charge then the boss needs prosecuting. It would be the public sector version of getting the boss's nephew to do it.
But that's not what happened. It wasn't left unpatched because of incompetence of the developers. It's because it cannot be upgraded to a secure version of the software and to replace the entire system would cost a lot of money. Money that the Tory govt didnt want to spend. There are ongoing efforts to reduce reliance on this legacy tech but it's not an overnight solution.
Me personally I would like to set on fire the very people who begin to consider an upgrade to a major Windows version not earlier than it goes out of extended support.
Could you rephrase this with fewer negations? I cannot parse what you are trying to hate and therefore what point you are trying to make -- "those who begin to consider not earlier than it is not fully supported"
Can't edit anymore, so I have to bear the responsibility of that comment for life.
What I was trying to say is that some orgs upgrade their Windows OS installations after a ridiculous amount of time. Like I have legit seen a company thinking to upgrade to Windows Server 2008. And knowing them I'm sure it will take years to implement.
Gotcha. I couldn't tell because the other extreme drives me crazy too. Hey let's roll out 24H2 to everyone on Windows 11 in December, just in time for the holidays. Why, just why?
1) Someone left an unpatched server exposed to the Internet for months with a known critical vulnerability.
2) Someone uploaded the data to a world-readable S3 bucket or similar, or left it in an Internet-accessible database server with no authentication.
3) Someone with administrative credentials was using the password "password1!" or similar with no two-factor authentication.
In an ideal world (not the world we live in), in these cases, that someone would be prosecuted for gross negligence.