Archive for the ‘Rants’ Category

Advanced Persistent Threat – risk management by a new name

I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state sponsored intelligence gathering, are no different to the age old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the world, and moaning about whatever APT is called this week is not going to change that. If your CFO wants to leak information to a competitor, there is NO information security system ever built that has or can prevent that level of misconduct.

Look behind who is promoting APT this time around. Companies that have IT security services and products to sell. I have worked in that industry for over 12 years now. We have enough work without ambulance chasing as part of our marketing plan.

Remember SOX? Lots of FUD then, just like APT today. Lots of “security” (and even non-security) programs designed to bring in so-called SOX compliance – and for what? There were more breaches and losses post SOX compliance than before, and it’s getting worse! Lots of money was wasted on useless programs, and hundreds of millions if not billions of dollars went down the drain for no business return.

If you ever wondered why business folks are rebelling against PCI DSS (which is actually fairly good), the fear factor is to blame. We lose respect every time we yell “fire!” when there’s not even a match’s worth of smoke, and when asked for a solution, we want to bring in a DC-10 water bomber. It’s even worse when we come up with a reasonable, cost effective, and long term solution and we can’t do it because of the reasonable expectation that it’s just another false alarm.

Stop doing it! We have plenty of good reasons to do security (properly), and APT is simply not one of them. If you’re going to yell “APT APT APT!” have the courage to talk about solutions and make them workable, effective, financially responsible, and not to just rabbit on about security theatre solutions to sophomoric movie plot threats. I am not diminishing those organizations like the oil and steel industry who are responding properly where they have a real expectation that industrial or state based espionage will occur or has occurred in the past, but responding to APT for 99% of organizations is just a complete WAFTAM.

I hate APT and all the FUD surrounding it. Scaring the punters is chicken little or crying wolf. Get with the “do something” program. If you’re a news org, instead of talking about folks who got pwned, let’s talk about folks who through good management and effective IT Security programs have survived such “advanced persistent threats”.

What would I suggest we do about APT? Let’s take it back a step – what would I suggest EVERY firm of more than about 10-20 employees should do. Let’s start at the beginning with:

IT Security Management 101

AS/NZS 4360 Standard for Risk Management (1999) and ISO 17799 (now the 27000 family) are a great starting point. This stuff is simply not rocket science. Any organization, no matter what business (charity, big oil, health, military, government, financial, etc), can and should look at what they have today, and start implementing these if they have nothing.

  1. ISMS – Create an Information Security Management System. This requires an effective CSO or CIO who is a force for change with a mandate to take the opportunity cost out of the equation. Spending money on IT security seems a cost for most orgs, but if you see it as an opportunity to do better, you will succeed. Security is a business enabler and an indicator of growth. CIOs / CSOs that choose the negative “no” speed hump path simply don’t get it and should be replaced. However, in all cases, it’s important that the CSO or CIO can force business owners to do the right thing or make the business owners accept the responsibilities and risks of poor security decisions. Most orgs do not have an ISMS, and rarely do CIOs / CSOs sit on the board or are effective in any fashion. If the CIO / CSO has responsibility and accountability, but no budget and no power to improve things, resign. There’s no way you can effect substantial change when all software is insecure.
  2. Create and maintain IT security policies and procedures, and allocate (and enforce) responsibilities. Someone has to have the power to say “turn that off”. Someone has to know when it’s time to “turn that off”. Someone should have known beforehand that certain systems are more likely to end up in the “turn that off” category and have the power and responsibility to do something about it. The best IT security policy I ever saw* was 10 pages long, had less than 500 words (none of which were “don’t”) and 20+ images in it. Staff knew what they had to do and they did it, as it worked with human nature rather than just saying “no” or “don’t do this” or “you’ll get the sack”. If your IT Security policies would make Stalin proud, occupy three massive binders, and are gathering dust in a cupboard, you’re doing it wrong.
  3. Create and maintain a global risk register. Start with an Excel spreadsheet if you have to, but most of you should probably go out and acquire one of the many excellent products out there that satisfy the ITIL marketplace.
  4. Create a catalog of all your assets (particularly DATA and the systems that handle that data!) and make sure it’s kept up to date. ITIL related products are your friend here – there’s heaps of asset register products out there, but make sure you register data assets as most are all about physical boxes. Assign all assets a classification and make sure folks know how things with that classification are to be dealt with. I prefer a simple three tiered classification system (public, internal, restricted), but whatever floats your boat. 90%+ of all orgs I deal with do not have any idea of what they are running nor the value of their assets or how they should treat them. I know of one org whose HR system was running on a desktop in a cupboard. Unacceptable. But if you don’t know it, you’re negligent, pure and simple.
  5. Perform a risk assessment of all assets, particularly critical ones. Risk assessments used to be popular, but I haven’t seen any done for a while now. This is a huge mistake. Put the risk assessments and any findings from reviews in there. Track, assign responsibilities and dates, and …
  6. Fix – Assign – Accept. Remediate what you can where it makes sense to do so. This doesn’t mean fix everything, just the things that matter. Insure (risk assign) the truly catastrophic outcomes. Accept what’s left.
  7. Security is an enabler! Be treated how you’d like to be treated! Train the business folks and developers in secure requirements and coding. Adopt an SDLC and do it. Get and use a defect tracker. Get and use code control. If you’re doing agile, make sure security is a key deliverable of every single user story / sprint / milestone. Make sure your testers test for abuse cases as well as business cases. Think outside the box and think about your customers when you do your security. Security that doesn’t work is wrong. Security theatre is wrong. A multitude of security features doesn’t mean you’re secure. Do security well, and you’ll win because your customers / clients / users will love you and appreciate the efforts you made to make security transparent, easy and effective.
  8. Expect to keep up with the Joneses. You don’t need to be bleeding edge, but anyone running Lotus Notes from 2001 or IE 6 should put money aside to deal with the cleanup of any lame attack from the last X years. Just because you’re not paying out on cap ex this year doesn’t make you a good manager. Long term, you’re gonna pay. Even out the expenses and roll out new stuff all the time and retire old stuff all the time. Don’t be afraid to run XP, Vista, Linux, Windows 7, and Macs all side by side. You shouldn’t require everyone to use the same XP image from 2003 on modern hardware – that’s just stupid. Keeping up is the cost of using IT and those who update regularly pay less than those who wait. And wait. And then get attacked. Plant and equipment is tax deductible in most tax regimes, so there’s no excuse not to depreciate and retire old crap. It does mean you’ll need to cope with patching and scalable roll outs of new hardware and software. You need this anyway for those zero days.
  9. Get rid of crap that costs a lot to operate. Systems that need patching all the time are doing it wrong. Systems that are attacked all the time because they are insecure should be retired. These systems are not worth supporting. Make the ISVs realize that you only pay for secure software that requires little maintenance. Wean off any supplier who refuses to understand this most basic of requirements. They’ll go out of business, and you’ll save money. Ensure when you buy customized software or have it developed for you that the contract states that the ISV has to fix all security bugs for free and they are responsible for paying for the code reviews and penetration tests to prove that they are secure. That’ll keep the ISVs in line.
  10. Monitor and escalate. No system is perfect. Put in procedures to cope with the horse bolting, but try not to have your entire herd and all their tackle gallop out the stables.
  11. Don’t be a cowboy – do it all the time. A good ISMS is not a “fire once and you’re done”. You can’t buy a product that does it for you. This is a commitment like GAAP is a commitment to financial standards to use the same systems year in year out. Those that forgot this lesson are now paying for APT. I’m not going to justify why you need to do this stuff, it should be obvious.

This stuff is simply not rocket science. It’s not new. Most well governed orgs already have this in place and have been doing it for a decade or more. The problem is that few orgs are well governed or have any particular driver to do IT Security well. Most CIOs are untrained in security as they’re often accountants who are brought in to rein in costs – which is a mistake. Most CSOs lack board presence and have no authority other than to be a speed hump. This has to change. Orgs who grew up overnight (like Google) will get hit – and hard – by APT.

I don’t want to hear about APT unless you have a solution to whatever you’re bleating about. If you’re going on about how the script kiddies have all grown up and now do exactly what they did before, but are now bankrolled by intelligence agencies, my question to you is “so what?” If you’re doing IT security and governance right, APT is just so much hot air.

Black Day For Australia

Today, the Labor Government, pandering to a tiny minority of voters who will NEVER vote for them, will proceed with censoring our Internet.

Many of these hard right wing “Christian” (who obviously missed the entire point of the New Testament) “voters” (Exclusive Brethren, etc) do not have computers, let alone TVs or newspapers, to be offended by the Internet. Worse still, the Brethren are some of the only people in Australia who are allowed not to vote. And for their vital electoral “support”, we all get censored. WTF!?!

FUCK NO!

Today, I start censoring the Internet for Australian Government departments. If your DNS name ends in “.gov.au”, there’s a pretty good chance you’ll not be able to see this site and the other sites I run. E-Mail from .gov.au sites will be delivered to /dev/null. In future works I create, I will make an explicit disallowance preventing Australian Government public servants and contractors from using my materials until the censorship mechanism comes down. I will encourage everyone I know to put up mandatory “.gov.au” filtering. See how you like it when the Internet is useless to you and you have to use personal Internet connections to get anything done.

I will fight this censorship scheme in every way I can. I will publish mechanisms on how to bypass it. I will encourage people to defeat it, even if they don’t have to. I will campaign against my local ALP member. You’ve made a political activist out of someone who used to just rant about politics around the water cooler. I am not the only one. Labor is doomed for a generation or more by this one heinous act.

Labor – shame shame shame. I’ve voted for you – stupidly it turns out – for my entire adult life. I’m sorry, but I’ll vote for Donald Duck before I grace your lice ridden corpse with the “1” mark ever again.

Conroy – he who shall not be named from here on – you are the Internet’s Public Enemy #1. You have cost Labor the next election, even with the Liberals in complete disarray. Labor cannot ever be trusted to govern again.

Be careful what you wish for

Well, the Emissions Trading Scheme is dead – for now. Yay! I do a little dance on its grave. We’ll have to fight it when the double dissolution election comes up sooner than later.

However, I wasn’t expecting the mad monk, Tony Abbott, to gain the Liberal leadership. That was a surprise, as I bet it was to the majority of the Liberal party MPs.

With such a right wing, homophobic, anti-abortion, anti-pretty much anything we’ve achieved over the last forty years to several centuries, and on top of that a truly hard core Catholic, elected leader by the thinnest of margins (1 vote – a donkey vote *), the Libs will be in the electoral wasteland for at least one and probably two more elections. Either the Libs will have to split into the electable bit and the unelectables, or they will have to try again in a few years after they get rid of Abbott.

Abbott is simply unelectable – even my wife, who leans in the Libs’ direction, doesn’t like him. Sure, Abbott will make the hard core religious and climate deniers happy, but they’re a tiny minority here – and they already vote Liberal. All the moderate swinging voters – they who elect our governments – will abandon ship once they realize just how backward Abbott is on so many things.

With Abbott being the mental giant that he is, he’s going to oppose pretty much all Government bills. I bet he opposes a really stupid little bill and that’ll be the trigger. KRudd could phone it in and win.

Bring it on – maybe enough of the disaffected voters will move to the Greens and we can get some real carbon reduction instead of the reward-the-polluters ETS.

* I bet the idiot ^H^H^H^H^H Member of Parliament who cast the deciding donkey vote (‘no’) is regretting their ineptitude tonight. The silly thing is that the vote was almost certainly cast by a moderate Liberal. That moron has ensured they stay unelected for at least another four and most likely seven years.

Emissions trading scheme – epic fail

Unlike the deniers in the Liberal party, I understand climate science well enough to know that we should give our only planet the benefit of the (very little) doubt. It’s time to act. But not with an ETS. I hope that the Liberals (== conservatives, for my US readers) defeat the ETS, a.k.a. the Carbon Pollution Reduction Scheme (CPRS).

The heart of the problem is that the Emissions Trading Scheme doesn’t help to reduce pollution. Why? ETS traders have no skin in the game – you don’t have to be a polluter or seller to participate. Why would those traders be interested in carbon reduction? Over time, the value of the market will go up due to speculation and moves by the traders, making it more expensive for the Australian Government to buy back emissions credits to reduce the total emissions pool, or even worse, short-changing the folks who need to acquire those credits. The folks who buy these credits on the open market will need to pay more, and we pay double through increased taxation and higher bills for pretty much everything, even if you’re doing the right thing.

The Coalition have introduced a bunch of get out of jail free cards for the heaviest polluters to provide their denying colleagues some carrots.

  • Coal fired power plants are largely exempt, despite emitting about 50% of Australia’s total CO2 emissions
  • Heavy users of power have tax credits to help pay for their credits, often up to 90% of the value of them or even free in the case of aluminium producers. Where’s my 90% reduction in my electricity bill? This is corporate welfare at its worst
  • Agriculture has a wide range of exemptions, despite many inefficient processes that could benefit from better alternatives. They also get money for carbon offsetting, so in reality, they can be paid for sequestration activities, but have no economic harm from releasing that captured carbon. Way to go to buy the rural vote, Rudd.

So no matter what I do to reduce my carbon footprint, it will have little impact, as the largest polluters can simply keep on doing exactly what they’re doing today. I – and all Australians, even if you’re off the grid, grow your own food and don’t drive or fly – will end up paying for this dumb scheme.

The Government should not distort an entirely new unproven market. Let it distort the current market:

  • Announce the Government will only buy electricity from renewable sources as of 2015 or so
  • Announce no more coal fired power stations will be built and approve nuclear power stations
  • Set power consumption targets for the heaviest power users in the average business and house (computers, lights, fridges, ovens, aircons, etc)
  • Require standby to be < 0.1 W (or it’s off), and prohibit clocks on things that don’t need them (like microwaves, fridges, ovens and toasters) so they can turn off when not used
  • Ban crappy computer PSUs and require 80-Plus only PSUs. Make rackable servers like Google’s – no PSU in the device, and the power supply is > 90% efficient.
  • Ban non-LED downlights (also have a positive impact on # of house fires from cheap iron core transformers setting fire to insulation)
  • Fund or provide serious rebates for solar hot water for everyone with an electric water heater.
  • Fund or provide serious rebates for passive solar cooling for every home, rented or owned.
  • Continue the serious rebates for solar panels, and extend them to rented and owned properties.
  • Require states to tax the hell out of cars that chew more than 7.5 l/100km
  • Only buy cars with average fuel consumption of less than 7.5 l/100km from now on – there’s hundreds of thousands of cars in the government car fleet
  • Mandate employers allow telecommuting where possible. This would eliminate hundreds of thousands of wasteful trips every day, and free up freeways for freight and necessary journeys. I enjoy my ten second commute and I don’t have to start the car most days.
  • Provide incentives to get road freight back onto rail
  • … anything other than an ETS

Trading schemes (like NEMMCO) have a proven history of epic failure. In California, traders caused widespread blackouts and damage, not to mention sky high electricity bills. There is no incentive for an ETS to reduce carbon pollution. The market relies upon carbon being emitted. It will fail, not reduce CO2 emissions as the largest polluters don’t have to participate properly, and cost us billions.

ETS == Epic fail with our future. Bring on a double dissolution election.

“Protect the Data” Idiot! Redux

Richard Bejtlich at his TaoSecurity Blog makes a very strong assertion that we’re all idiots for wanting to protect data, rather than the container.

I’m not going to play a semantic game about protecting data versus the thing the data is in at the moment, but honestly, I think he misses a really strong point as to why we’re moving away from the failed network-centric strong border / soft center protection racket to a more secure data-centric protection scheme.

I will not disagree with Richard that we secure the containers, not the data, but we secure the containers BECAUSE of the data, not the other way around. For far too long, we’ve thought about the enemy outside the gates, when it’s actually the folks inside that cause many breaches.

The weakest link in any protection scheme is the humans.

  • They have weak passwords
  • They (rightfully) share information about themselves with their friends and (not so rightfully) with the Internet at large, making password resets untenable.
  • Folks accidentally disclose data assets all the time. Laptops, backup tapes, USB sticks, brief cases containing the data.

Should we care if I lose my phone? It contains my address book, which I can sync again to the next phone, and little else. But to a CEO, the phone holds e-mails, internal VPN access, browse history, contacts, calendars and more. What differentiates my container (my iPhone) from the CEO of Apple’s container (Steve Jobs’ iPhone)? In a Richard world, nothing – they should be protected equally. But it’s really about the data the container holds and what data the container has access to.

Data in and of itself is intangible, and generally cannot be secured if it wants to get out (see WikiLeaks for an incontrovertible example). I think Richard and I agree on this bit. Where I stray from Richard is that to ignore the data is to miss the point of information security entirely, which is why I take umbrage at his ad hominem attack.

  • If you have backups, you’re changing the data’s container, but you’re protecting the asset (the data) and not the container by doing backups. We’re planning for a complete loss of the container.
  • If you have a DR site, protecting the container is secondary to protecting the data
  • If you have a distributed cloud, protecting the container is nigh on impossible as you don’t control them.
  • If you’ve printed previously encrypted data, the container and its protection controls have changed. The need for protection hasn’t changed, just how those controls work.

Lastly, it comes down to classification. If we ignored the data, we would protect the most expensive containers, rather than the business critical data.

  • The CEO’s high-end home desktop would get more protection than a USB stick containing next quarter’s results. I bet I know which the company would fret about more.
  • The WAF would get more protection and monitoring than the HR server as the WAF costs 10x as much as any one commodity server
  • The SAP system would probably gain some attention as it would consume a chunk of change from the IT budget, but would you put it in a data center or in a closet?

We’re not idiots for promoting protection of the data. The containers and pipes BECOME valuable and we protect them because of the data sitting in or passing through those containers and pipes. We only protect those tangible assets because we pay enough attention to the data’s classification and its various requirements for the data’s protection.

Really, we don’t need to call each other names to try and bring us back to the failed border centric fold. We can disagree with each other as gentlefolks and not call each other names. I’m amazed that Richard has gone down the attack path as I normally agree with 99% of all his blog posts.

Google: Don’t be evil

I work on an open source project, ESAPI for PHP. Well, “work” might be too strong a word for it, but I try to prod its lifeless carcass from time to time. That’s not the reason I write today. I write because of stupidity, and evil being conducted in the name of a “law”.

I have a fellow open sourcer who wants to contribute to ESAPI for PHP. He’s actually completed an MVC framework for PHP (jFramework). Due to Google blocking Iran, this gentleman can’t easily contribute to our project, which hosts its repository on code.google.com. ESAPI for PHP will not help build a nuke. It does no crypto of its own. It will make PHP applications safer and more secure – but you can do that anyway if you read half a dozen pages on PHP’s website.

This is madness. ITAR is about blocking the EXPORT of sensitive MUNITIONS (i.e. weapons) TO Iran and other “hostile” countries. ITAR is NOT about blocking the GIFT of intellectual property and valuable developer cycles FROM Iran, helping everyone all over the world, including those folks in Iran (as well as Australia and the USA). This is stupidity on a scale I’ve not seen in a while.

Google: you are doing evil.

Stop this madness, now! Call in your tame congress critters and tell them how stupid and harmful this particular nonsense is and get it repealed. Grow a spine and take a chance. Unless someone open sources a command and control system for a warship, a missile guidance program, or puts Nuclear Reactors For Dummies up as a project, all of the projects should be available for download worldwide. Those one or two mythical and nonsensical projects should not block an entire library of human knowledge to the entire Iranian people just because some imaginary evil open source project might help Iran’s nuclear program or military. The stuff we do is not rocket science.

Stupid and outdated laws / treaties like ITAR make us disrespectful of all the other laws and treaties, and make us lose all respect for those who abuse their positions of power in the name of “security”. The way to improve relations between countries is not to block them (how’s that Cuba policy going, anyway?) but to engage with them and stop the evil ignoramuses on both sides from stopping everyone being happy and free, or just contributing to an open source project.

Nielsen on password security vs usability

I read Jakob Nielsen’s post on password security, and although he has a point, there are several issues as to why this is a monumentally bad idea.

First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them?

Second, exposing folks’ passwords in a shared environment will expose them in more ways than one. For example, most folks use the same password everywhere. I used to do this when I was 16. Then I migrated in 1989 to having low, medium and high security passwords. Then about five years ago, I migrated to using long random passwords for nearly everything. I do not know my password for my blog. I cut n paste my passwords from a password manager. I’m ashamed to say that I still use the low security password from 1989 from time to time – mostly to recover access to long lost internet sites. So if you run a social networking site – where you’ve evaluated YOUR risk to be low – well… that user uses the same password EVERYWHERE, including high risk sites such as Internet Banking, for tax, for their insurance login, etc.

Third, malware that currently snaps screens when used with visual keyboards (security theater!) will have a bonus time with this scheme, or any scheme like it (think iPhone where the last character typed remains on the screen for a second or so and then becomes a bullet). However, if you have malware, you have more interesting problems than just clear text passwords.

I am all for killing passwords. They are crap. They are insecure. They are hard to remember. IT Security folks with NO UNDERSTANDING of human nature or how this terrible usability costs the business ask us to change them every 30 days and you can’t have the same password for the last five years and the password must not be a dictionary word and must contain punctuation and numbers and upper and lower case characters. The only people who can do that without ringing the help desk are the tin foil hat people like me who use password managers with long random passwords. I love going to sites with those sort of rules – the passwords are nearly universally on post it notes or written on the cubicle wall or dry erase board. Dumb!

So how do we improve the situation? I strongly believe that for the average user, the browser should take over the credential for the user. A nice auto-generated certificate login managed basically transparently by the browser’s credential manager makes the most sense. This should be able to export to a standard file format that all the browsers agree upon so that users can upgrade their machines, and move amongst them. Obviously, Apple already has MobileMe to help sync those credentials around, and this will help folks like me with more than one computer. If you’re out and about and need to log in remotely, you log in to MobileMe (or similar), and approve the site you want to log on to for (say) 10 minutes from the computer you’re currently on. Then you go to the site you want to go to, like Wikipedia or Travelocity, with your full strength credential… which will not stay on that machine and will not work after a few minutes.

For value transactions, the use of SMS transaction signing and two factor transaction signing should be mandated where PII, financial or health data is concerned.

Then we can put passwords out of their misery, and folks never need to remember their passwords ever again. Jakob is right – passwords suck. It’s time for them to die.

Stupid libel laws

This is disgusting.

http://www.newscientist.com/article/mg20227086.200-comment-dont-criticise-or-well-sue.html

If you’re in the UK, stand up to the legal bullies. Ask your MP to change the libel laws to reverse the burden of proof, and only allow actual UK citizens (and not companies or associations – foreign or not) the ability to sue.

I was once sued for defamation and had to settle as I had zero resources to fight it, and so had to apologize. I know how hard it is to state something you believe (or know) to be true and win in such cases.

Reputation is hard won, and I know how damaging hurtful or factually incorrect statements are, but the UK libel laws are legal censorship instruments, abused by anyone with enough money to sue.

In this particular case, it looks like observable facts, peer reviewed studies and a valid opinion based upon those observable facts and studies will lose. It’s a sad day for the UK when facts are not a valid defense.

Pretty is not necessarily secure

I feel sorry for folks trying their hardest to be something they’re not.

It’s time for me to put something down I’ve been saying at conferences for years. If you’re not a programmer or developer by trade, please don’t write software or web apps. Dreamweaver does not maketh you a programmer. Ajax is not a magic path to studly geekiness.

You’re simply unqualified. Get someone who can do it right, the first time. Sadly of course, lots of developers are in the same boat, but at least they know what the tools of our trade look like.

I wouldn’t dream of doing marketing, cooking a meal for 300 Z-listers, ripping out a squidgy bit from inside someone else, arguing a case in front of a judge (although I do play a lawyer in the lunchroom), or doing a corporation’s taxes in a zillion years.

Why does the opposite seemingly rarely apply?

Texas School Board of Education ^W Dumbasses

SHAME! SHAME! SHAME!

Texas’ Board of Education will be ridiculed by pretty much everyone (including me in this post). I would make more fun of them if the consequence of their gross incompetence didn’t lead directly to irreparable harm to the next ten years’ worth of students, who will be unemployable in any medical, bio medical, biology, DNA testing, stem cell research, drug research, geology, paleontology, farming, animal husbandry, crop research, or pretty much any field which requires them to understand the basics – or indeed, fine detail – of evolution.

Modern medicine, to name but just one field, doesn’t make ANY sense except if evolution is true. It’s as simple as that. There’s about as much doubt regarding evolution as there is doubt the planet is round and is orbiting our sun.

In my view (and IANAL), these students have due cause to sue the asses off the Board of Education for future earnings loss. What does a specialist medical doctor make per year? Half a million? A million per year? Multiply by the number of students in each of these fields… whoa, that’s a lot of moolah.

I call on all biology text book authors to refuse to allow “updated” editions to be issued with the forthcoming Texas changes. If the schools can’t buy any books, so be it. They can use the ones they have today that have the facts, instead of sowing doubt. Scientists everywhere should make it incredibly clear to their congress critters and senators, as well as their local Boards of Education, that this decision is about as dumb as they come.

I’m actually struggling to understand how “educated” folks, charged with the incredible responsibility of educating their state’s children, could be so abusive. They should be sacked immediately and this terrible position struck down for all time.

Say no to censorship - No Clean Feed!

This page is now black to protest the Australian Government's decision to censor the Internet. Censorship is possibly the most un-Australian act of all. Please write or call your local member and senators immediately to express your displeasure. Go to rallies. Twitter #nocleanfeed regularly. Blog. Facebook. Support the EFA. Vote for anyone but Labor. We must defeat this evil bill for our children's sake. Most of all - mass civil disobedience is vital.