Slashdot Mirror
What To Do If Linux Sneaks Onto Your Network
BrentN writes: "Network World is running an article on how IT managers should deal with Linux "sneaking in" to their networks, or more precisely, being surreptitiously installed on workstations on their network. Opinions of the IT managers they interview range from 'Reformat the hard drive and fire the person who installed that renegade operating system' to 'Don't ask, don't tell.' The article's author (rightly) points out that this is probably an unstoppable phenomenon."
What many people don't realize is the troubles that most IT staff have to go through to maintain sanity in a typical company network. Many sysadmins I've met are responsible for keeping hundreds or thousands of machines on speaking terms with each other and the rest of the internet, within corporate policies, and ready to do work at all times. To do this, he uses scripts and other automated tools, and makes assumptions about how each machine is set up - it has the Company's OS, applications, network settings and security measures installed. Unauthorized OS's and applications break these scripts and tools, cause mayhem in the networks and drive sysadmins completely insane.
When some schmuck decides to install something unauthorized on his machine for gits and shiggles, he risks not only his own time and money, but he may be putting the entire network at risk. A misconfigured machine could break entire networks and cost the company thousands of dollars before it is fixed. When this happens, don't be surprised when the BOFH sysadmin rises up in righteous anger and takes his furious vengence upon the luser.
Some sysadmins do make allowances for staffers such as programmers to install Linux and other software on "sandbox systems". Presumably, there is a business need for this software, and it won't fight with present software. They always make it clear that if the software breaks, it is the user's problem to solve, not IT's, and if it causes problems for others, the user is expected to pull the plug and find a solution immediately.
Meldroc, Waster of Electrons
Fade in on IT Department..
A computer starts beeping and the operator looks at it with shock. He stands up and runs over to his supervisor to whisper a few words.
The supervisor runs toward the middle of the room and gets everyone attention..
"Break out the NT CDs! Bring our Exchange server online! Get those Bill Borgs out here in five minutes!"
There is a dramatic pause as the supervisor mutters in a low, gravelly voice.
"Someone's installing Linux on the network."
Something you are not likely to hear anytime soon:
"I worked at a place that gave me a company car. I didn't like that it used gasoline, so I spent the money and time and had it converted to use propane. Propane is not only cheaper, but is also better for the environment."
The problem isn't Linux, the problem is people who are overstepping their authority and possibly creating more work for someone else.
What has slashdot come to when the post stories who sources are freaking net-admins for publics schools. ""Destroy their servers and fire them," says Jeff Shapiro, director of technology for the Kingsport, Tenn., public schools." You've got to be kidding me. What power does this guy have. Just because he controls 50 Windows boxes in some lame Novell network in Bumsville, Idaho doesn't mean his opinion has any crediblity or is slashdot worthy.
int func(int a);
func((b += 3, b));
If Windows Sneaks Onto Your Network
| Ceci n'est pas une pipe.
I'd also address why they hadn't felt comfortable talking to me about it. Communication problems can bite you in the ass later on. Mostly, though, I'd be proud, and a little bit scared, to have a fellow geek on board.
The scene: an office, filled with cubicles. An IT worker walks down one of the rows, takes a look down a perpendicular line of cubicles, and then, satisifed, turns around, and wlaks in the opposite direction.
A lone penguin comes out of a nearby pool of water (connected directly, of course, to the Alaskan sea). THe annonymous bird leans up against a cubicle, and checks down the corridor. Seeing an IT worker, he ducks back behind cover, and quickly runs up behind when his back is turned, and then ducks down another way. he eventually makes it to the elevator, and presses 'up'.
The penguin removes his infiltration gear, and the words blare across the screen:
METAL GEAR LINUX
Tactical Operating System Installation Action!
----
ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
Write a gratuitously inflammatory story about Linux and submit it to Slashdot. Make sure your servers can take the load, though.
That said, there's no reason to actually take steps to see if Linux can be installed on a box. Write your IT department or supervisior, explain what benefits you *and* the company will get from installing Linux on that one machine. Make sure you explain you'll be completely responsible for that box from technical support to making sure it works with any priopritary protocols on the current network to making sure that it's secure. The latter point is probably most important; your job will be riding on the security of that box, so *you* need to be willing to take the risk and responsibilty to lock it down to the best of your ability. (This brings up the point how much more secure a well-maintained linux box is even compared to a expert NT person -- but you need to define how secure is secure.)
If they don't agree, then there's probably no reason to stay at that company, if they don't understand why different people need different tools to work. Particually if they are in the IT business.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
I've put linux at a lot of workplaces, and found that IS is very scared of it at first, but tend to forget about it until they *don't* have to worry about it - i.e. when the latest virus, os update, etc. comes through.
However, there are times when linux has presented valid problems - having samba set up and declare itself the master browser in such a way as to disrupt windows systems from connecting to shares on the domain, etc. (this may no longer be a problem, but it has happened). However this just points to the need to document how new elements must behave, and make it clear that new things must be tried in an environment that is not critical to production. This can teach real lessons and improve networks a lot.*
IMO an IT department that resists change above all else is one that will resist itself out of existance. It's the users that try new things for themselves, and from these evaluations learn new things, that make systems and networks useable.
-Peter
* Anyone else remember when doom first hit big novell networks? Networks were being crashed by the flood of ipx broadcast traffic. Even though this killed business in many places, in the end it fixed configs across the world to keep private networks private. Disruptive events like that, and like linux have to be evaluated and lessons learned. They can't be squashed.
== Just my opinion(s)
I respectfully disagree. I happen to believe that the VAST majority of today's Linux users are indeed less than skillful at administering Unix. Inept, if I may say so.
I see it everyday. People who claim to be Linux masters because they've been using this lesser-known distro for so many months/years.
And then I watch them login to their home machine (using telnet no less).
And this is one of the brighter ones who knew to disable remote logins by root. It scares the hell out of me thinking that these people consider themselves knowledgeable. The problem is that these are the people who will go around installing Linux overtop of Windows machines at work without asking because they presume that the sysadmin doesn't know how or (even worse) they believe that they don't need to ask permission.
An intelligent, well-informed Linux user will understand that control over what is deployed on a network is not just a luxury for a sysadmin. He will understand that he's treading on somebody else's toes by installing another OS where it shouldn't be.
For one thing, it's called common courtesy. For another, it's common sense. Unless your job is to maintain the workstation you're given, what the hell right do you have to mess with it? It's a tool, supplied to you by your employer in order for you to perform your work, not a God-given right.
I feel bad ranting like this, because I know there are some very knowledgeable people out there who are locked in by some short-sighted contract signed by even more short-sighted managers. But the reality is that it's not your call. Installing Linux without permission isn't going to help the cause 99% of the time.
--
Really though, this is just one more piece of software that people are bringing in from home because of a personal preference. In my last company we had people bring in copies of Corel Office suite because they were sick of Word crashing on them so much. We install Netscape on all of the computers we deploy so people can make a choice, and generally make it so that the employees can be the most productive.
Besides, at least Linux is free... How many rogue copies of Quake do you have running around in your company? Most places have at least one guy who has the quake cd sitting in their desk, to be passed around when new people come in or computers get moved around ;)
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
I'm speaking here with my IT manager hat on, not my Linux geek hat in order to provide a little perspective. We don't hate Linux - in fact, probably the majority of us have a favorable opinion of Linux, too. Some of us even use it in our home/hobby lives, like I do (and have been since '94).
.exe files that people e-mail to each other? We block them at the SMTP gateway. Yes, we're pains in the ass about it, but we have a stable network with very little downtime - and when the latest .VBS virus goes sweeping the Net we're safely locked away with no downtime. On the other hand, we don't filter or monitor e-mail content or web sites. We don't care about speech at my company (which a lot of companies restrict), just reliability and safety.
The problem we have is with unauthorized anything on our networks, not just Linux. You see, planning and running the corporate network is what we're paid to do. In most structured environments, nothing gets installed without IT's thumbs-up. Period. The business (and our jobs) depends on the network's being as stable and predictable as possible, and even though Linux is wonderful stuff, workers are required to use what the company provides because we know it. It's not just Linux that can get a worker fired at my shop. It's any software that didn't come in through our department's OK. And all those cute little
That's an important distinction. Some IT folks just reflexively hate that which they do not know. That's the wrong way to go about their job, but it covers the butt well. My attitude (and our policies are derived from it) is that the company provides the PC, so we get to decide what it runs, based on what you need to do your work. You don't get to decide unilaterally what runs on it - we do.
However, we're not entirely closed off to running "other" things or operating systems. If someone came to us and had a reason they needed Linux to do their job instead of NT, I'd test to make sure it didn't interfere with anything else on the LAN (like a misconfigured Samba could), and they'd get their Linux after we tested it. But the important point here is that we are flexible, provided you follow the "right way" of making sure your software is OK. When people do that, and give us the chance to test things, we approve things unless we find a specific technical reason not to.
But if someday Linux became our standard desktop OS at my company, you know what? We'd fire people who used Windows without authorization. Wouldn't that be an interesting turnabout?
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
In fact, at several companies I worked for, where Linux was definitely disapproved and IT was pissed off that I was running it, if the IT manager had pulled the stunt suggested by that quote (reformatting my hard drive), I likely could have gotten the IT manager fired, since I could have easily shown that such an act resulted in the destruction of valuable company property.
A good IT manager does not view the users as the enemy. If an employee is running an unapproved operating system (or any unapproved software), but does not cause a disruption for anyone else, a good IT manager will let that employee (and perhaps his or her manager) know that he can't expect any support out of IT, but that as long as he doesn't cause problems he can keep running it. If the employee's use of unapproved software does cause problems, or prevents that employee or other employees from doing their jobs effectively, then IT can get the employee's manager to intervene.
At one company I've worked for, every time anything went wrong on the network, IT tried to blame it on my machine, but in every case it was in fact determined to be a configuration error on their NT servers. For instance, at one point my machine was getting the same IP address as someone else's, so neither of us could use the network. IT claimed that the DHCP client in Red Hat Linux was broken, and assigned me a static IP address (becase they knew my manager wouldn't let them force me to run Windows). Afterwards, however, the same problem occurred with other people who were only running Windows. It turns out that in the interest of redundancy they were running two DHCP servers, but they were serving up overlapping ranges of IP addresses.
Then, months later, another IP address conflict occurred between my machine and a Windows machine. They were all set to blame Linux again, when I found out that they had expanded the DHCP pool to include several previously assigned static IP addresses.
After that they seemed to realize that I knew what I was doing, and that rather than trying to blame me for network problems, they should have me help out.
There once was a man from IT
Linux sneak'd to his desktop PC
The OS, not supported
His boss so purported:
"You're fired, we run FreeBSD!"
When a sysadmin installs an OS such as Linux, Solaris, or even NT usually administrative privileges are withheld from the workstation user - with good reason.
However, if someone comes along and installs their own Linux distro suddenly you've got someone other than the admins with root privileges on at least one machine in the network. Hello, nmap. Hello, packet sniffers. Yes, you can encrypt everything to death, but it's better to keep prying eyes from ever seeing the sensitive data in the first place.
If I'm the sysadmin and you go and replace the OS you were given, you're damn right I'll be pissed. There goes all my planning. You are using the company's equipment and messing with something that it's not your business to mess with.
If Windows is handicapping you so much, tell me. If your sysadmin is so ass-backwards that he doesn't recognize a good explanation of the benefits you'll get from using Linux, then he's an idiot and what are you doing working in an IT department with this guy managing your systems? Chances are he's missed the boat on more than just this one issue.
If you work for a company with very, very strict rules in place about changes to the network, there's probably a reason for that. You should know better than to mess with stuff that 1) is not your responsibility and 2) others probably know more about than you do.
Why is it assumed that if the person is running Linux they must be some Unix god incapable of messing up their system (and possibly the services provided for others) quite royally?
--
Additional systems are ANNOYING to support. I am responsible for IT and Development at my company, (i.e. a very small technical team), and we use Linux exclusively for development. We are developing PHP and Java code for web deployment, so Linux is the natural environment, the user has his own web server, etc.
Our network infrastructure is NT 4 w/ Exchange, so everyone has a Windows box. The developers have two boxes, NT and Linux, and they are responsible for their own Linux boxes.
However, that didn't stop a bad Samba configuration from causing nightmares. Samba is getting close to being banned.
It decided to claim to be the Master Browser, but the PDC was and knew it was right. Faulty election code, and the Samba box forced enough elections to crash my PDC.
Is this buggy code on MS's part? Absolutely. Was I annoyed? Absolutely.
Linux creates new headaches if SAMBA is installed. Without SAMBA, there really isn't much of a reason to worry about it. Let it do its own thing.
It is likely being used as a workstation, and you are not going to have licensing issues (normally), so there isn't a problem.
If someone is setting up an unauthorized server... well that person may need to be fired.
Now, a tolerant IT staff will have a policy on unsupported systems. They should allow them without support, but if they disrupt others, they need to be decommissioned. Rediculous overreactions are stupid, but having no policy and allowing a free-for-all is asking for spending Friday nights at the office debugging...
Alex
as a programmer i have to say - that HAS got to be the worst and most draconian policy ever.
Did you actually read the post you're now slamming? His comments were, imho, quite reasonable. If you consider them Draconian, I wish you luck finding an employer that meets your requirements of an IT department.
its the people who USE those workstations that make money for your company - not you or that IT department.
This narrow minded view is about enough to invalidate your entire post. Does the concept of a team effort mean anything to you? The presence of programmers, marketers, customer service reps, etc. wouldn't be worth five cents without a solid IT department keeping it all running. Don't think for a moment a qualified group of network admins doesn't help a company make money.
Indeed, one of the biggest concerns when a company is being considered for a contract is the quality of their network. Speaking as a programmer for a company that's been scrutinized and approved by more than a few large corporations, I assure you that one of the key factors of our getting contracts is the quality of our network and the reliability of the systems.
by definition people who use workstations should be allowed to do whatever they like assuming that they dont interfere with the network in any way.
By definiton? Oh, please. The definition of a workstation is not "You can do whatever you want with it, as long as it doesn't hurt the network". Your workstation is not your responsibility when it breaks, or when it acquires a virus. It's IT's responsiblity. They're the people who will be held accountable for your workstation's functionality, not you. Therefore, it is most certainly not yours to do with as you please.
'd be really horrified to work at a company which didnt let me install the OS i liked on the machine i have for my exclusive use.
Again, I wish you luck finding an employer that meets your somewhat skewed outlook on reality. I'll also assume you didn't read his entire post, because he explicitly stated that if somebody presented a good reason to install an alternate OS, it would be considered, tested, and approved or disapproved. It's not Draconian as you'd like to scream and wail, it's the protection of their time and their responsibilities.
Another point. It's not your box, it's not yours for exclusive use, and it's certainly not your property. If you're home sick one day, the company has every right to let somebody other than you use the system, or log into it to look up something in your mail. It's a reality check: The computer isn't yours.
if i want to be my own admin what rights does the IT department have to fiddle with my personal workstation or fire me ?
This should be obvious by now, from what I've covered above, but I'll say it again. It's not yours. You didn't pay for it, you didn't install it, you don't maintain it. The computer belongs to the company, and the company can do with it whatever it wants. How is it you don't understand this?
you must be at some really brain dead firm to be considering policies like that.
Well, the rest of your post isn't worth responding to, so I'll just leave it at that.
What all this comes down to is that IS in some organizations (like "Mr. 'Destroy their servers and fire them'," a top flight CIO from a Tennessee school district) is on a power trip.
As someone here pointed out, the glass house saw PC's as a threat to their power base, and IT created policies against them. They're doing the same thing with Linux--it's something they don't understand, don't want to learn, that cuts into their power base.
The article chronicles Netware sneaking in when mainframes dominated. Then NT slithering in when Novell dominated. Now Linux is permeating (currently) NT dominated shops.
Anyone else see a pattern here? Ultimately, Linux, FreeBSD, or other open source tools will come to dominate because they meet the needs of the organization.
Just like computing managers saying things like "PC's are just a fad, big iron and dumb terminals are where it's at" adapted or left, those saying "Linux is non-standard, unauthorized, and a fireable offense" won't be able to stay in denial forever.
This really bothers me, but I try to keep mum because it's been addressed before. This is supposed to be "News for Nerds" not "News for Linux users".
You may not use Windows 2000. I use it all the time. I like it. I like Linux as well, but Linux has a LONG way to go before it even touches the usability in the GUI department for me.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.