The borough had finally embraced 'The Internet' and wanted a website. The IT dept had meetings, established protocols and promptly rammed up against politics. The web was to be run from the comms department, by a web team, overseen by comms and IT had to be happy to support. No way was IT going to be allowed to run the council website... Not that this IT dept had any vision, or possibly even any desire. I'm not even sure they were convinced 'The Web' had any future. Reactionary is putting it mildly. But possibly in revenge, the tools they provided us with were Microsoft Front Page and Microsoft Visual Interdev. VB Script and Internet Explorer were the limits of their vision. For a corporate website. God help you if you looked at the site in Netscape, then a rising star, or Cello or any other of the myriad browsers available then (VB Script would only work in Internet Explorer, so you were fucked if you looked at the scripted pages in another browser). Open standards? Forget it. Microsoft was 'The Future', Internet Explorer was The Browser.
The web server, if I recall was a 486 box, maybe even an early Pentium running NT Server and IIS. One Friday evening, out of interest, from home, I port-scanned it with nmap looking for vulnerabilities. I had a few drinks that evening and completely forgot I'd left nmap running... On my old 286 with a V22 modem, nmap took its time anyway. Next day I shut it down, idly noting the number of ports left open and thought nothing more of it. I checked the council website and noticed that it was serving a 404 page not found. Didn't think anything about it, thinking maintenance was probably in progress.
Monday morning, whooah! IT were screaming about a serious hacking attempt and involving the police. They had the IP of the perpetrator and they were after blood. The web server had been knocked offline on Friday evening, probably by l33t H4x0rs and God only knows what damage had been done. Shit, I then remembered who the perp was and sweated slightly. I think I had used a proxy server but wasn't entirely sure. Could they trace it to me?
Soooo, Be positive. I went to see the Director and told him straight up that I had undertaken a security scan of the web server, as any sysadmin should (I'm not a sysadmin, I was busy deflecting, because IT obviously hadn't a clue about security). I told him I wasn't happy with the number of vulnerable ports left open and questioned the firewall policies of IT. The Director had always been supportive, and was partly responsible for the political decision to locate the web team in Comms rather than IT. As I left he held his head in his hands and moaned “What have you done...”.
What he did with that information I don't know, but it was the beginning of a rise in tension between the web team and IT that led to some hilarious confrontations and consequences.