Slashdot Mirror
Desktop Linux Sliding in Under the Radar?
Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs.
If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"
"This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications,..."
This could make the case for desktop Linux look worse, if people are not securing their dektops and/or keeping up with security updates.
One datapoint does not a trend make.
If you told me the guy who runs General Electric's desktops found that 50% were running Linux, then you might be onto something.
But Jr. Sysadmin flunky at tiny company in bumfuck Iowa means nothing. Nothing.
Lets apply those critical reasoning skills, people.
Mostly with "unused" computers.
...
Since they cut the training budget, we obviously had to learn new skills somehow
> --- All Of The Above --- >
I run Win2000 'officially', by Knoppix Debian on the sly - the only thing stopping me migrating completely is the lack of a working Novel client.
i don't deal much with desktops (i'm a server guy), but if i did "stumble across" unauthorized linux desktops, they'd be formatted with extreme prejudice. they almost certainly would have no antivirus software, no agents for our desktop license management, and almost certainly wouldn't be keeping up with security updates.
the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.
I have a hard time getting my company to purchase anything beyond the minimum tools I need (NuMega and similar were out of my pocket, since I didn't mind owning them myself). VMWare's been on the wish list - but only as a wish.
I write code.
In truth beyond the server farms ive worked with at said companies the only person possessing any *nix varient has been myself (including mac os X...) While i can see this as being an occasional happening in dorkier companies... even then i find it not very likely.
mainly because buisness use predominataly revolves around outlook exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerialy) network administration of an all windows environment.
I would NEVER support a linux desktop distro amongst my users.... MAC OS X ... yes.... but not Linux for any reason on gods green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as windows or macintosh... especialy from a support stance.
My personal feelings are *nix for network devices.... Windows server/client for data sharing email and so on.... and Mac os X for end users who are more inclined towards media production (basicly people who arent finance/sales).
This setup puts the *nix boxes in my realm... and id be greatfull that no unwitting user *accidently* installs another DHCP, DNS, SMTP, etc... server on my network. Id also be thankfull not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use.... or how to fix their freakin window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.
Of course this poster assumes that the people who do so, do so knowing people like myself wont support them... and more than likely will be highly un-happy with their network being potentialy compromised...
not trying to spread FUD.... but ill wait for a tighter distro before i promote *nix on the desktop.... only one so far (with flying colors) is OSX.
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
And "we all know" that if he gets fired, he'll be marched straight from being told, empty his desk under supervision, and be escorted off the premises.
Any company that lets him near a pc, networked or not, after he's been told that he's going to pursue opportunities elsewhere is being run by dolts.
T&K.
Political language
I'll bite, you forkin' moron.
Never supported tens of thousands of users, have you? If you had, you would realize the only way to do it with a high rate of success requires uniformity on the desktop.
Now go back to your dorm room, and try to convince your English Lit roommate you know what the hell you're talking about.
-- search the web
We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.
Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.
Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users, rather than prevent users from doing those things. Want to stop shared folders, file sharing, worms?, set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.
--That's the point of being root, you can do anything you want, even if it's stupid.
Installing Linux on their own is a bit much. My dreams are really simple - like I just have this button that shocks people and they just magicly get a clue - like why sending a 5 meg bitmap to a guy who accesses his email through a 28.8 modem is a dumb idea.
Actually in all honesty I wouldn't want people installing Linux on their own anyway. All users with admin priveleges? I don't know what kind of heaven you're going to, but count me out! =P
As a developer, this is why I hate IT departments. They are very often stupid, irrational people who follow "policy" insteading of *thinking*. Fact is, the only time I need their "help" is when they have something locked up and I don't have the password or the access rights, or know the IP address of the proxy server, etc. I just had a run in with some dolt who first accused me of using a personal laptop on the company network (its a company laptop) and who then tells me that I can't have the laptop on the network at all because it is not allowed. Why? Its a Macintosh PowerBook running OS 10.2. My job here: write software for the Macintosh. Yet, I'm not supposed to have a Mac on the network. (It has to be on the network to get to the source repository at the bare minimum.) (My solution was to lie to her and tell her it wasn't attached to the network and I was "doing tests" with the Mac. She left me alone.) Why was this dolt at my desk? Some glitch in their system caused my Windows machine to be removed from the domain and I didn't have the admin password to re-add it. I've dealt with lots of IT people - some are better than others. Generally in small companies you get people who are okay. They will at least think and respond realistically to a situation. In larger companies, I've mostly dealt with power tripping dolts. I would really prefer these folks keep their shit working and leave the responsibility of keeping my machine running correctly to me.
Avoid Missing Ball for High Score
I killed my ISP access at home, so I need ways of moving new version of applications to my home machine without needing a network connection. While I'm at work, I download the latest .rpm's or tar files (or even Windows .exe's for my Win desktop). The problem them becomes, how to get them home? Well, I have a USB keychain device (128 megs, more than enough to hold stuff that I download, like blender (a hefty 2 megs)). The problem is, our IT "image" disables the use of removable storage devices, such as USB keychains. So, I just boot up my Knoppix CD, it automagically mounts all my drives, pop in the USB keychain and copy the files over, reboot back into Windows, done! :)
We also have several Linux servers, but no desktops as of yet.
If you were me, you'd be good lookin'. - six string samurai
After we began shipping a linux version of our main server product, I began to notice more and more linux desktop ( and cygwin ) installation on our staff systems. Now, even my project manager and the company owner have seperate or dual boot linux desktops that see significant use. All it took to get all this going was a few internal howto documents that walked them through a simple secure installation.
This obviously couldn't happen in a more regulated atmosphere, but at small companies like mine you can often get away with anything you want so long as you continue to be productive and do not cut into the IT budget.
BLH
If users will install random spyware and games on work machines, why wouldn't they do the same for an entire operating system?
Ummm... because they can't "click" to install Linux. Sure, some of the bootable installers are pretty easy and click-able but it generally requires removing the Windows partition.
Users are dumb.
Create a Windows-installable Linux distro that will coexist/dual-boot on NTFS and you will have tens of MILLIONS of Linux installations. Hell... if you could make it install itself with a pop-up active-x applet, you could pull a Gator and install it without most users even knowing.
Now *that* would be cool...
Life is the leading cause of death in America.
god forbid they have a bootable CD of morphix or some shit... Elitists are dumb.(sic)
Carpe Canem - Seize the Dog
If there's a box on his network that he doesn't know about then either he needs a new network analyzer or new networking people that know what they're doing. Not trying to be a jerk but you should know what is on your network and if you don't, then you're not paying attention and/or trying hard enough.
Carpe Canem - Seize the Dog
Actually, in almost any corporate environment ...
" The number of end-users with the skills, permission and motivation to install" WINDOWS or any other OS "on their work desktop is extremely low."
I really can't stand it when people proclaim that Linux is some how more complicated than Windows. It most certainly is NOT. Its simply different.
There is something fundamentally wrong with the world when something like a Linux desktop is rejected not for its own faults, but because its "different" than what we are used to... and what we are used to... it sucks.
I doubt very seriously that any corporate environment, excluding a place that actually DOES computer support or development of some kind, has more than a handful of people that could install anything on any system.
I think what MS needs to really worry about is the world waking to the fact that there are other options beside MS's proprietary document formats. In the meantime... CrossOver office anyone?
-K.
If you were actually any good at your jobs you should be asking why these people (who may or may not be risking their jobs) feel the need to install linux? What is it that the current policy doesn't provide? Why has sysadmin become so unapproachable that they did it without asking (this should be an easy one)?
Actually do something useful rather than wandering around the network marking your territory.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Management!
I don't really care about support either. Most of the time I don't use it and when I'm forced to I'm often way out of there league already.
The main reason why you pay for support that you don't need is for managemnet. Support is like insurance you don't really want to use it but if something goes wrong you want it to be fixed. If you died tommorow they want someone that can fix it if it breaks.
So while it doesn't make sence at first in the end it does.
" People who hold the above attitude are very BAD admins.... our role in general is to make people happy as best we can without going over-board."
... your not a very good sysadmin. While you most certainly shouldn't encourage or offer active support for non-approved SW... Users are users, and simply want their shit to work. The more you can facilitate that with ease the better the admin you are. thats "support".
and my setting a "No" policy on unsupported software is different from a policy of "acceptable" software how ? someone is still saying no, i am not a hard ass, but i also have no reason to get some half shit mail client to work when evolution already does so.
My entire post was based on the thought of "rather than being a flaming asshole perhaps you should work WITH the users to make linux work." because if they are installing linux their is obviously a reason for it. your job as a sys-admin is to make shit work, what if linux works better for XYZ marketing crap than windows ? then what ?
you install a specific set of programs, same as on windows. thereby limiting the "variables" involved. you seem to think that Linux must have 3G worth of unused crap installed. you know what "NEEDS" to be installed in most cases is rather simple: X, gnome, evolution, mozilla, gaim, vim, ssh. thats it, if they need openoffice then stick that on there. just because kde is included as an install OPTION doesnt mean its needed. The job of the sysadmin is to get shit to work, but no sysadmin can support everything, and as such the realm of what is supported must be limited. simple as that.
As to your "no" policy... i seriously laugh at you. If your in the buisness of shooting down your users
you just completely missed the boat. my job is to make the shit that is neccasary work. sorry they by and large dont need to see the latest homestar cartoon. go away. some half shit un-needed third party crap is not my job, and them even trying to install it when their is already a working alternative is a waste of company time.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Because they're doing it behind his back maybe? Methinks you should look up the word spy in the dictionary.
If I ever found out my employers were spying on me, they would probably have my resignation by the end of the day.
I think we are forgetting something fundamental here... the whole idea of policies and security with respect to installing rogue applications stems from the fact that Windows and Windows networks are so damn easy to completely break.
If I install a program as a user on my Linux box, or even in my user space on the departmental server... it has no effect WHATSOEVER on the rest of the server or the other users. Thats what a multi-user OS "is". You can't even TOUCH that with ANY Windows implementation.
This discussion is not about "Oh, I can break into any box and install Linux". Sure you can. There is no way to stop. Lock it up? pick the lock. Remove the floppy and cdrom? install one or do a network install via crossover cable and another box. Blah blah blah.
The idea is that Linux IS in far more places than people know. And it will only grow in the future. Will it supplant MS as the "King of the desktop"? Who the hell cares... but people have a choice now.. and they ARE choosing it.
-K.
While many here may think its cute, its a bad bad bad thing to have users running around installing an OS on your network with out your prior approval.
Not cool.
---- Booth was a patriot ----
I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk siezed the machine and re-imaged it with Windows 2000" routine.
I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to keep into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.
Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days.. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.
Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the ice berg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.
Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an enviroment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.
My stories are actual events portrayed by actors.
The company makes volume licensing agreements which means we HAVE to use certain software. Since software licensing can be a liability, ALL machines are required to have audit software, including *nix boxes! In fact, Linux is explicitly prohibited except where VP approval is obtained, so as SA for my site, I definitely would show extreme prejudice if I found a Linux installation. Moreover, we even tell users that we reserve the right to reimage their PCs at any time. They keep things on their local drives at their own risk. Again, it's not about the way *I* think things should be (because I definitely hate administering Windows boxes), it's about what I'm paid to do (and when I'm ready to find another job because I don't like these software policies, I'll do that).
The point is, if it's against the rules, prepare to face the consequences, whatever they may be (be happy if your workplace doesn't care). If you get approval to run a box, good for you, but your local IT damn well should know about.
My bet is that in this case had developers asked for Linux boxes they would have got them. Holy hell was raised because of the sloppy and insecure user installs, not out of some vocational personality defect.
I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
And aren't the chances actually better of getting some form of backdoor greater for windows? Picking them up via email, bad downloads, even browser security flaws.
I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.
Stop the Slashdot effect! Don't read the articles!
In my case (I'm a scientist) I would be seriously inconvenienced if some pointy-headed bureaucratic fool came along and overwrote my Linux partitions with Windows, and my immediate reaction would be to take it up with his boss.
You seem to be operating on the premise that all staff are luddites, vandals or criminals and not to be trusted. I would have thought that, far from losing sleep over this, you should be pleased that this is one person who is not going to be passing out viruses via Lookout Express. In any base, as long as you implement sensible policies (firewalling, quotas or whatever you need to do) there is no reason why your network should not operate transparently without applying unnecessary restrictions.
" The point is, a sysadmin can patch and update winders machines remotely and en masse."
Really? How?
War is necrophilia.
That is; key distinction is not the OS, but whether the person in question is INSIDE or OUTSIDE your secure network. If they are inside, it's much more difficutl to secure anything in the intranet. Not impossible but difficult; need to make sure users have no admin/root access to their own systems, can not boot from CD or floppy; all the things one would do for publicly accessible terminals. Easiest way to do this would be to use, say, x-terminals (SunRays or such).
I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 seperate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter enviornments. this view is typical of the MCSE type IT person who eats, sleeps, sh!t's and breathe's micro$oft and ZDnet. I personally have noticed alot more personal freedom to run whatever OS you choose, as long as your firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see my self doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extreemly exploitable by nature. in trying to put up a protection point you expose your self to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control alot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALLWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in it's sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if your a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".
1) You have to be kidding. You can use attack software on *any* OS. Linux is no weaker (and actually a bit stronger in that it has some semblance of local security) than Windows here.
2) If you sieze machine and reimage them to fit with some policy you're following, your ass would be heading out of town from mass user complaints at any company I've been at. You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done. I simply am amazed at the total lack of regard for the employee, and lack of perspective you've displayed. You could disconnect the thing from the network. You could ask the user to move his files to another machine so that you can reformat it, though I think you're already pushing the limits. But when you simply grab a machine and reformat it, you're in a position where you are a liability to your company. When the developer tells his boss that IT wiped out his work, his boss tells his boss, and his boss tells his VP, I guarantee that your boss will not cover for you.
You want him having direct access to the 'net without a proxy?
WTF does this have to do with what OS you're running?
I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits.
This is ridiculously paranoid. I've seen the occasional IT type who considers the users he is supporting his enemies, but this is beyond belief.
What if he's okay but his box ended up getting owned because he downloaded bad BitchX source?
What if the same damn thing happened because he downloaded a Word file to his Windows box? Which of the two happens in far greater numbers?
That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical.
You've worked in an 8,000 unit shop and you honestly believe you have zero penetrations? And your setup is such that you need to spend three days and nights mirroring HD images *after* an attack?
This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again
And again, WTF does the OS have to do with this?
Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share.
Ridiculous. This is a theoretically possible but completely impractical story of what might happen in an attack.
Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax.
Amazing. God, I'm glad the IT people that support me have different views.
(All those workstations came with an OS you paid for anyway).
The infamous sunk cost fallacy. Which they teach you to avoid in Business 101.
I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.
It's not. That kind of behavior from IT would generate serious user complaints where I work. Matter of fact, IT is trying to quickly adapt to support people that want to use Linux here, and has compiled resources for them. That's what I consider doing a good, solid job. Helping the users instead of attacking them.
May we never see th
No FUD, sir. Information Security groups have got to view the employees of a large company as untrusted, unproven people as a whole. Our capitalist and litigation happy society requires this. It's not like when you go through any other form of security it's loving and trusting. Look at airport security, the police, anything to do with protection usually starts off with the attitude of not being too terribly trusting.
Also, I was not trying to give a full IS proceedure, just a quick run of some thoughts of what I have experienced in the past decade.
For starters:
Linux, MacOS, etc is not 'sub-optimal', if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.
Your situation is what would be considered a special case by an IT staff. You are a scientist. Silly goose, you will probably need all kinds of things a typical employee will not need. Think about the percentage of scientists versus customer service reps and support people in call centers. Think of the costs associated with each one of these people anually versus what you cost. It's a big difference.
You speak at the end about trust and the suggestion that a network operate transparently without many restrictions. You have to understand that most companies are not in the ISP business for their employees. If you sit down in front of a computer in an office, it's their network, their assets, their butt on the line, their bandwidth costs, etc.
For example, I have worked in a group who's new office was suffering terribly. About a 1400 user network, but the bandwidth leaving the building was always pegged. Upon watching traffic for a few days, it appeared that a major portion was porn and streaming media traffic. We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization. This sort of thing is very cost effective and saves people from themselves (female employee walks up on porn mongering male, female complains, male goes unpunished, female cooks up discrimination suit, etc -- just preventative medicine, not a cure for a likely issue in the future).
I guess those who are knocking my tales have never been exposed to a real IT group before. Either that, or they are prepared to lose their jobs someday due to a lack of enforcement or policy that matches your typical fortune 500 company. The suits will not have much pitty for your balls to give excess freedom to employees with their investor-purchased resources.
The downfall of your average geek is the inability to ever see things from an executive, bean counter, or investor's point of view. Threats are real, liability is real, the end result of your investments are real. The joy of an office behind a very trusting packet filter is short lived and a flagerant disregard for company assets, especially if the company is publically held. Your investors are well within their power to take you to court and sue you for every dime you have if there is big enough loss associated with an act that was easily prevented. We never know the limitations of these types of suits because they are civil and not criminal. In a civil suit, you never know if you are going to be made an example. For instance, the massive settlements on people burning themselves with McDonalds coffee. You just don't know what's going to happen. At least with a criminal case, there are boundries clearly defined by law.
You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy. I promise I won't pick apart or call FUD when you speak of something technical regarding your line of work... That is, if you don't tell me ficticous realities about how e
You are scaring me... :-)
:)
First a minor quibble--you say:
if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.
If a worker is more productive in a differennt OS or Office Suite or whatever, then the monetary cost of that unused software is insignificant. Not to mention that the company shoulnd't be buying software unless it will be used.
The bigger problem with your entire post and attitude toward users is best seen here:
People need to quit thinking they have rights to anything in an office. You do what they say or find work elsewhere. There's a big job market out there right now, lots of options, right?
I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for it's employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use.
Or which OS.
Send lawyers, guns, and money. Dad, get me out of this.
"I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for it's employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use."
I'm not saying it's the way things should be. It's just the way things have evolved in larger companies. The reality of a 'right to work' state is basically what I said. It's just like office dress codes, codes of conduct, etc in the workplace.
I would quit dribbling over worries about what OS is used and that sort of thing. Just think about all the poor saps in this world who are stuck having their hair cut a certain way, wearing uniforms, being forced to address any slime-ball customer as 'sir' or 'maam', codes against visible tatoos, etc. These are far more intrusive control measures employers inflict on their employees, not to mention far more widespread than, say, a tight IT policy where Jill can access all the databases required to do her work, but not her favorite manporn site.
Notice though, how I never said that any of these companies do not allow various OS's in particular circumstances. It's just another of 1000 rules in any corporation. To get around the problem, simply fill out a helpdesk request for permisson/reasons for the need of a 'non-standard' OS to be installed and they can get with your technical lead and make sure the request is valid and you are in the clear if there is a job need for it.
Anyway, always assume my thoughts in these posts are incomplete. I just type and hit submit. My goal is to generate thoughts more than to give factual details with all my points well covered.
I'm the IT guy at my (small) company (I also wear many other hats around here). Anyway, my job is to do the following: support everyone else in what they are doing.
When people buy machines, they don't go through me. They have to justify it through the accounting guy. I only get involved if they don't know how to set it up on the network. In fact, I usually don't know about computer purchases until _after_ they've arrived.
The reason? People use what they need to get the job done. That's not my business. My business is to help all the computers talk to each other so that we are more productive.
The threat facing companies is not someone installing their own OS on the computer. The threat is every person who doesn't know about computers running Outlook.
We run Windows 9x, 2000, XP, Mac OS 9, Mac OS X, and RHL here, and I just keep Appletalk, NFS, and SMB running on the server, as well as DHCP.
I have never seen a company with a truly secure intranet - most of them are just appearances of security. To have a truly secure intranet it requires that you implement security policies that waste time and productivity. When severe security policies are implemented, the users just go around them, making it even more secure than if there were lax protocols.
Case in point - the _big_ company I used to work for kept all of their root passwords for their UNIX machines in an access database that was available on the intranet, and on several desktops. I'm sure they had access restrictions on the file, but really, trusting SMB for every server's root password? Putting them all in the same file, in an Access database, where many users copied it locally to their own hard drive?
If you don't believe me, email me and I'll tell you which company I'm referring to.
Engineering and the Ultimate
I think you've completely missed the point that the replies are trying to make.
You have a very concisely worded, coherent, almost literary post on how the IT department views themselves as the enemy of all computer users in their charge. Nicely done. You've pretty much displayed the epitome of the IT head that every script kiddie in the world is trying to rape.
There is nothing invalid in your statements on the whole. You've expressed exactly the concerns of upper management and how both people and capital investment are just systems... all can be liquidated and easily replaced. All need to be visciously chained to corporate regulations in an effort to protect yourself from the shadowy unknown of civil liability lawsuits. Thus giving upper management a constant reason to whine, flex their muscles and justify their otherwise palsy existance... and enabling the lawyers to stay on retainer for yet another year.
Lighten up.
Most people here are simply trying to tell you that it doesn't matter how the IT runs their department... your going to have to deal with internal damage. It's part of life. Some one is going to use that only open port to connect to the outside world and do what they want to do. Whether that's an ftp connection for exporting intellectual property... or downloading porn. In the end the IT department can only make it more difficult, but can not stop it.
In reality, if you treat you users like the enemy... you will get your pants torn off and butt F*@# hard, all because you treat your employees like any one else on the streets... and not as part of a team. If they themselves don't know how to do it, I guarantee there's a friend of their's who does. And since you've been so kind as to homognize the system so that all diversity is removed, your vulnerabilities are MUCH more exposed.
Treat people as if they're jews on the way to Aushwitz, and you're just the engineer... and see what happens.
Point 1:
No one is willing to pay for security any more! No
one gives a damn! So your Information Security claim is irrevelant. Why is Windows on the desktop? Because it's quick and it's easy and when it gets hacked you just reinstall. It's cheaper to ignore the security problem.
Point 2:
Yes threats are real (see point 1), but you have products to ship, contracts to uphold, and work to get done. If Linux allows you to do that faster, it makes good business sense. If you don't want to pay the tech support people $3 more because they have to know Linux as well... It makes good business sense to have Linux be hush, hush.
-Tom