It was recently discovered that he was using our production website as a testing ground for his ASP projects. He has left a page unprotected with a list of over 2000 of our registrants' full contact details.
His FTP access has since been revoked, and he has sent the following mail to my supervisor:
--------------------------------------------
As I am currently working on creating the web pages to be used for viewing xxxxxxxx, I need complete FTP access to the xxxxxxxxx virtual directory and read access to the xxxxxxxx virtual directory. I plan to finish the requirements given to me at this point in a few days' time, and I will inform you when this work is completed so you may review the access to the site from that point onward.
Also, I want to put forth a clarification regarding the recent security issue on our website. First, I do take total responsibility for not securing the list of webcast registrants by using a password-protected page. But it is highly incorrect to say that the page was totally insecure or was freely accessible to the public. We had put one level of security on that page by not including a link to that page from anywhere in the site. So people who are browsing the site will not accidentally come to the list, nor can they guess the link. The page was accessible only to xxxxxxx who knew the complete link which directly takes them to that page. The other way is to access the page using FTP, linking directly to the server in the US, which is password protected. So in effect, if you do not know the link you cannot access the page in any way.
The chances that a person would stumble upon the page through a Google search are one in a million. After coming to know that such a thing has indeed happened, I have tried doing it myself several times and could not reach that page. Of course, having been exposed to this vulnerability, I have plugged the gap and made the page secure by password protection. Also, we should continue this approach in future as well.
Finally, I totally appreciate your proactive action in resetting the server password to address the security issue. But in the future, if you could send me a mail regarding this in advance, it would be greatly appreciated, as I spent two days trying to figure out why I was not able to work, checked all my code, and finally deduced that the password had been changed. Also, I would like to bring to your kind attention that this is the second time that such a thing has happened. I sincerely hope that this issue need not be brought to your notice in the future.
---------------------------------------------
My supervisor is now facing heat and has asked me for a rebuttal. The problem is, we only work on facts here, so I can't tell him how badly web-development best practices have been violated without providing some kind of proof.
Can anyone help me out?
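One source of the kind of proof the post asks for is the web server's own access log: if the unlinked page was served with a 200 to a search-engine crawler, or to a visitor whose referer was a search results page, the "nobody can guess the link" argument is refuted by the server itself. The following is an added example (not code from the original post) that checks an IIS W3C-format log for exactly that; the log lines, the path /webcast/registrants.asp and the host www.example.com are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed IIS W3C log sample (not real data). "/webcast/registrants.asp"
# and "www.example.com" are hypothetical stand-ins for the unlinked page and site.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
2004-03-01 09:12:03 10.0.0.5 GET /webcast/registrants.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0) http://www.example.com/admin/
2004-03-02 02:41:17 66.249.66.1 GET /webcast/registrants.asp 200 Googlebot/2.1+(+http://www.google.com/bot.html) -
2004-03-03 14:05:44 198.51.100.7 GET /webcast/registrants.asp 200 Mozilla/5.0 http://www.google.com/search?q=webcast+registrants
2004-03-04 11:00:00 198.51.100.9 GET /webcast/registrants.asp 401 Mozilla/5.0 -
2004-03-04 11:00:01 198.51.100.9 GET /index.asp 200 Mozilla/5.0 -
"""

CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp|msnbot", re.IGNORECASE)
SEARCH_RE = re.compile(r"https?://[^/]*(google|bing|yahoo)\.[^/]+/search", re.IGNORECASE)


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # column names for following lines
        elif raw.startswith("#") or not raw.strip():
            continue                          # other directives / blank lines
        else:
            parts = raw.split()               # IIS encodes spaces in fields as '+'
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def exposure_evidence(log_text: str, sensitive_path: str,
                      own_hosts: Tuple[str, ...]) -> List[Dict[str, object]]:
    """Requests where the sensitive page was served (200) without arriving via our own site."""
    evidence: List[Dict[str, object]] = []
    for row in parse_w3c(log_text):
        if row["cs-uri-stem"].lower() != sensitive_path.lower() or row["sc-status"] != "200":
            continue                          # different page, or the server refused it
        referer = row["cs(Referer)"]
        if any(h in referer for h in own_hosts):
            continue                          # followed an internal link; not outside reach
        evidence.append({**row,
                         "crawler": bool(CRAWLER_RE.search(row["cs(User-Agent)"])),
                         "from_search": bool(SEARCH_RE.search(referer))})
    return evidence


def summarize(evidence: List[Dict[str, object]]) -> Dict[str, int]:
    """Counts a supervisor can quote: served to outsiders, to crawlers, and via search results."""
    return {"served": len(evidence),
            "crawler_hits": sum(bool(e["crawler"]) for e in evidence),
            "search_referred": sum(bool(e["from_search"]) for e in evidence)}
```

Run it against the real log with the real path and host list; a single crawler hit with status 200 is the fact the rebuttal needs.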