Ok, I'll bite. If you are an admin generally you have God powers over everything within your umbrella. If things are going south with you and your employer and you're a giant asshole you can most certainly use your God powers to quietly open firewall ports, install software in dusty "corners" of networks, etc. We can all armchair quarterback this but in the end humans make mistakes and beyond that the presence of actual malicious intent by someone with keys to the whole kingdom makes the detection and/or mitigation difficulty factor go up significantly. It's real easy to make righteous proclamations about other people's misfortune when it's not you.
I'll admit, my tone might have been tad overly poisonous (too much internet for me..).
I'd agree that defending against malicious admins is really difficult. We have really little context to go by here, but I think there is important distinction to be made if the malicious actions (planting backdoors or whatnot) were done while the malicious actor was still employed or after their employment was terminated. Proper exit procedures protect against the latter, but generally are not that effective against the former.
> but in the end humans make mistakes
And it is useful for us outsiders to highlight the real mistakes so that we can learn from them, because that is really the biggest value of stories like this for the majority of people who are not directly impacted.
Exactly. Happened to my shop on my watch. Fired a contract admin... about a week later the network went to hell. Unfortunately I couldn't nail the bastard, but at least we found and closed the back door.
