
You prosecute whoever set the system up. The same way you’d prosecute a surgeon for malpractice.

These are professionals. It’s their responsibility to build a solid, secure system. If they can’t or don’t want to then they should find another job.



They are professionals. They cannot upgrade this particular windows server, because the software they're running on it requires visual basic 6.0 support. The vendor cannot provide any upgrade for their system, because certifying anything newer than Windows 2003 for this software is prohibitively expensive for the vendor. You cannot switch vendor due to obscure clauses in contract.

Real situation btw.


Then you're going to have to start paying entry level IT like surgeons. Nobody is going to take that kind of risk for $30K.


More likely, they'd just start carrying errors and omissions insurance for a bit extra.


Or this becomes another profession where everyone gets (and needs) liability insurance.

That might not be a bad thing, if the insurance comes with some kind of way to get lower premiums for being less risky.


Since when does entry level IT “call the shots” on reviewing code that gets deployed to prod?

Sure a junior programmer or devops may do something dumb. That’s not the problem - at all. The problem is pretending they are a professional. They are not. They are juniors that need mentorship and should be _expected_ to mess up frequently.

To use a different analogy. If I bring my car to the mechanic, I’m OK with the new guy working on my car, assuming that the senior mechanic, you know, double checks their work. Is that not a reasonable assumption?

None of this makes ANY sense to me. To be blunt.


If the pay difference doesn't reflect that additional responsibility, it probably is not expected.


I am not convinced by this attitude of “I am being paid peanuts so I’m not going to do my job”. If you don’t like the salary then find some other job.


You have an incomplete understanding of the situation. The services that have been affected are 3rd party systems, built by the private sector on a government contract. The service was built by people who were not going to support it. It is not possible to upgrade and patch these services. The civil servant developers working on them do what they can, but they have been warning management, who have warned government, that their systems are insecure, but govt won't spend money on updating them.

There are services built by civil servant developers, that are built with security in mind, and they are not affected by this breach.

So it's nothing to do with being paid peanuts, or not wanting to do the best job possible.

It's very easy to backseat drive and offer opinions but your opinion is based on a fallacy.


> The civil servant developers working on them do what they can, but they have been warning management, who have warned government, that their systems are insecure, but govt won't spend money on updating them.

Makes sense. So if I’m understanding this right, the fault basically lies with the decision maker(s) in government who said “nope, not worth paying $x to secure/maintain our systems”.

Sounds to me like they shouldn’t be allowed to create these public facing systems in the first place if they can’t afford (or don’t want to) maintain them. No?

That would be like paying someone to build a bridge for you and then deciding to purposely ignore maintenance on the bridge when the experts warn you it needs maintenance.


> Sounds to me like they shouldn’t be allowed to create these public facing systems in the first place if they can’t afford (or don’t want to) maintain them. No?

Have you ever worked in a government job? This is a common reality in those kinds of roles. Reality doesn't neatly fit into: "I have enough money to build this thing I desperately need" and "I have enough money to maintain this properly" and "I have enough budget to run the country well enough not to get kicked out of the job".


I have not worked a government job. My father did, in civil engineering in NYC.

In his discipline at least, the government _certainly_ found the money to maintain critical infrastructure. Bridges were routinely painted. Inspected for cracks. The works.

When NYC’s aging water tunnels (providing tap water from upstate NY) were in major disrepair and engineers warned of the damage, guess what happened? They got the funding to build a replacement bypass tunnel to ensure NYC was not impacted. A multi-decade project scheduled to be completed very shortly. They planned ahead. They didn’t ignore the issue and then pretend they couldn’t have predicted this would happen (lol).

From what I can tell, the ONLY reason the same care isn’t given to our IT systems is because the decision makers in charge don’t care. Am I wrong?

I agree that reality is not simple. It’s unfortunate. :(
