Desktop Linux Sliding in Under the Radar?

Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs. If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"

Not exactly ...

[BabyDave]

If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"

I tripped over my mail server last week. Does that count?

Re:Not exactly ...

[Jeremiah+Cornelius]

This has been going on for YEARS. I was doing so at Schwab in '97 - and reading "Chips and Dips" and "Rob Malda's Window Maker Site".

I got about 4 or 5 of the Unx admins and a good number of the DBS'a doing this too.

In small shops - we had 6 Linux desktops running at the Multi-Media Developer I worked at in '94. XFree on ATI Mach32, anyone?

Re:Not exactly ...

[VPN3000]

I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk siezed the machine and re-imaged it with Windows 2000" routine.

I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to keep into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.

Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days.. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.

Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the ice berg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.

Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an enviroment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

My stories are actual events portrayed by actors.

Re:Not exactly ...

[Geek+of+Tech]

Not trying to be flaimbait, but, uh, if someone had a desire to compile a program, couldn't they just download MingW32 or DJGPP or something else?
I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
And aren't the chances actually better of getting some form of backdoor greater for windows? Picking them up via email, bad downloads, even browser security flaws.

I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.

Re:Not exactly ...

[BrokenHalo]

I'm sorry, but I believe your post is largely FUD. It really depends on what type of work your shop needs to do. If you have a large number of people using their computers for a range of operations, it is counter-productive to force staff to use any operating system that, for whatever reason, they see as sub-optimal, no matter whether it be Windows. MacOSX or BeOS.

In my case (I'm a scientist) I would be seriously inconvenienced if some pointy-headed bureaucratic fool came along and overwrote my Linux partitions with Windows, and my immediate reaction would be to take it up with his boss.

You seem to be operating on the premise that all staff are luddites, vandals or criminals and not to be trusted. I would have thought that, far from losing sleep over this, you should be pleased that this is one person who is not going to be passing out viruses via Lookout Express. In any base, as long as you implement sensible policies (firewalling, quotas or whatever you need to do) there is no reason why your network should not operate transparently without applying unnecessary restrictions.

Re:Not exactly ...

[Malcontent]

Very few large corporations have the time or the tools to patch hundreds of MS desktops. As a result in every corporation there are hundreds if not thousands of vulnarable windows desktops and cluless IE users merrily surfing the web and getting hacked by script kiddies.

Re:Not exactly ...

[tkg]

Well, my employer allows virtually any os that a given user might need to run (we're a research facility). The IT people do regular vulnerability scans of the network and the linux users that I know (myself included) have never failed to pass the scan. The same can't be said for most of the MS users, or event the Solaris users for that matter. I don't hear much from the MAC users.

I guess my point is that it is not so much what os a person runs as it is the IT policies and how well they're enforced. Keep up with security patches, don't install untrusted software, good password policy, etc. These things aren't unique to any particular desktop OS and any user could potentially violate them. However, any user that depends on their system for everyday tasks isn't going to intentionally munge it up since they lose the use of it while you may be inconvenienced with rebuilding it. There is always the danger of the 'malicious insider' and we risk it every summer with an influx of student help that always includes some idiot that will try 'bad things'. Deal with them swiftly and harshly and make sure everyone knows about it and you can keep it to a minimum, but you can never eliminate the risks completely.

Re:Not exactly ...

[hellraizr]

I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 seperate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter enviornments. this view is typical of the MCSE type IT person who eats, sleeps, sh!t's and breathe's micro$oft and ZDnet. I personally have noticed alot more personal freedom to run whatever OS you choose, as long as your firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see my self doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extreemly exploitable by nature. in trying to put up a protection point you expose your self to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control alot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALLWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in it's sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if your a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".

Re:Not exactly ...

[VPN3000]

No FUD, sir. Information Security groups have got to view the employees of a large company as untrusted, unproven people as a whole. Our capitalist and litigation happy society requires this. It's not like when you go through any other form of security it's loving and trusting. Look at airport security, the police, anything to do with protection usually starts off with the attitude of not being too terribly trusting.

Also, I was not trying to give a full IS proceedure, just a quick run of some thoughts of what I have experienced in the past decade.

For starters:

Linux, MacOS, etc is not 'sub-optimal', if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

Your situation is what would be considered a special case by an IT staff. You are a scientist. Silly goose, you will probably need all kinds of things a typical employee will not need. Think about the percentage of scientists versus customer service reps and support people in call centers. Think of the costs associated with each one of these people anually versus what you cost. It's a big difference.

You speak at the end about trust and the suggestion that a network operate transparently without many restrictions. You have to understand that most companies are not in the ISP business for their employees. If you sit down in front of a computer in an office, it's their network, their assets, their butt on the line, their bandwidth costs, etc.

For example, I have worked in a group who's new office was suffering terribly. About a 1400 user network, but the bandwidth leaving the building was always pegged. Upon watching traffic for a few days, it appeared that a major portion was porn and streaming media traffic. We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization. This sort of thing is very cost effective and saves people from themselves (female employee walks up on porn mongering male, female complains, male goes unpunished, female cooks up discrimination suit, etc -- just preventative medicine, not a cure for a likely issue in the future).

I guess those who are knocking my tales have never been exposed to a real IT group before. Either that, or they are prepared to lose their jobs someday due to a lack of enforcement or policy that matches your typical fortune 500 company. The suits will not have much pitty for your balls to give excess freedom to employees with their investor-purchased resources.

The downfall of your average geek is the inability to ever see things from an executive, bean counter, or investor's point of view. Threats are real, liability is real, the end result of your investments are real. The joy of an office behind a very trusting packet filter is short lived and a flagerant disregard for company assets, especially if the company is publically held. Your investors are well within their power to take you to court and sue you for every dime you have if there is big enough loss associated with an act that was easily prevented. We never know the limitations of these types of suits because they are civil and not criminal. In a civil suit, you never know if you are going to be made an example. For instance, the massive settlements on people burning themselves with McDonalds coffee. You just don't know what's going to happen. At least with a criminal case, there are boundries clearly defined by law.

You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy. I promise I won't pick apart or call FUD when you speak of something technical regarding your line of work... That is, if you don't tell me ficticous realities about how e

Re:Not exactly ...

[madfgurtbn]

You are scaring me... :-)

First a minor quibble--you say:
if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

If a worker is more productive in a differennt OS or Office Suite or whatever, then the monetary cost of that unused software is insignificant. Not to mention that the company shoulnd't be buying software unless it will be used.

The bigger problem with your entire post and attitude toward users is best seen here:

People need to quit thinking they have rights to anything in an office. You do what they say or find work elsewhere. There's a big job market out there right now, lots of options, right? :)

I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for it's employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use.

Or which OS.

Re:Not exactly ...

[grmoc]

Unfortuantely a lot of management/business types really DON'T understand sunk cost.

You should buy something you want to use.
Using something simply because you bought it is moronic.

The waste happens on the purchasing side, not the usage side.

This is not a 'geek' view, this is a good economist/businessperson's view, and for anyone who disagrees with it, here is a good example.

You're stuck on a desert island. You knew you would be stuck here. TO prepare for being stuck here, you bought some cyanide-based glue (i.e. superglue). Your major problem is that there is no food on the island. Do you
1) Eat the cyanide-based glue
2) Don't eat the cyanide-based glue

The "Well, it would be going to waste if I don't eat it" argument obviously doesn't work here. If you don't get the right tool for the job, you shouldn't be forced to use it-- The damage is already done, no need to exacerbate it.

I only wish!

[pjack76]

I have this fantasy where I walk into work and everyone's installed Linux on their own and I don't have to image another NT workstation ever again, and I realize I've died and gone to heaven where the bad men can no longer hurt me.

Is the sysadmin sure he wasn't dreaming?

Re:I only wish!

[archen]

Installing Linux on their own is a bit much. My dreams are really simple - like I just have this button that shocks people and they just magicly get a clue - like why sending a 5 meg bitmap to a guy who accesses his email through a 28.8 modem is a dumb idea.

Actually in all honesty I wouldn't want people installing Linux on their own anyway. All users with admin priveleges? I don't know what kind of heaven you're going to, but count me out! =P

Re:I only wish!

[toddestan]

What's so hard about installing Linux? Actually what you need to do is stay late some night, and after everyone leaves put a Knoppix disk in their workstations, and reboot. The looks on everyone's face the next day should be priceless.

IT headaches

[niko9]

"This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications,..."

This could make the case for desktop Linux look worse, if people are not securing their dektops and/or keeping up with security updates.

Re:IT headaches

[vsprintf]

I can see where there might be some security concerns, but I think the real concern for IS (IT, whatever) is being in control.

I work for a company that was heavily Unix (and X-terms) until the LAN somehow became all MS PCs. Now people and projects are insisting on replacing not only MS but Sun and SGI stuff with Linux. We are meeting heavy resistance from IS.

They are claiming that it costs more to administer a Linux box, even though we've been in meetings and showed that it wasn't true, based on recent experience. They refuse to give even knowledgeable users superuser privileges on their own machines, although Windows users can install anything or delete everything on their boxes at will.

To me it appears that some of the people in IS are afraid of being made less powerful, less needed, and less relied upon.

Re:IT headaches

>> If management at our company asked for Linux, we would have to say no.

Yeah, telling your boss no is such a great way to keep your job. The conversation would go like this.

Boss: "I hear that this Linux thing is saving other companies millions of dollars a year. Let's do a test pilot."

You: "No."

Boss: "OoooooKay... Why not?"

You: "We don't know anything about Linux in the entire IT department."

Boss: "But from everything I am reading it is the next BIG THING [TM]"

You: "We don't know anything. And even though I don't know anything, I am guessing that it costs more to install, train and hire for it."

Boss: "Isn't that what a pilot program would tell us? I tell you what. Hire someone who knows Linux and have them perform a pilot."

You: "No."

Boss: "Look, I am getting a little tired of this. Do what I say."

You: "No."

Boss: "You're fired."

You: "Booo Hoooo!"

>> None of us know Linux very well, unfortunately.

You don't know Linux? Is your head buried in the sand? Haven't you been hearing more and more and more about Linux over the past 5 years? Do you have so little motivation that you can't download a free iso image from the internet, burn it to a blank CDROM and then install Linux on an old Pentium computer you have just laying around?

>>It would cost a fortune in training and hiring as well as the labor involved changing everyone over.

Actually, the payback for switching over to Linux is immediate and begins paying back the first year, if Linux will work for you at all. Do a pilot program and see if it will work for your company. At the very least, even if you keep using windows look at switching the non power users over to open office.

>> Besides, with our Dell account we basically get the OS for free when we buy PC's.

Oh, you pay.

I'm not a sysadmin

[SquadBoy]

but rather a network guy but I have 3 Linux boxen that MIS does not know about and the dept laptop is booted with a Knoppix CD about %90 of the time.

Re:I'm not a sysadmin

[Frymaster]

at my previous job (many moons ago) we would install linux on machines in plain view of our boss whose anti-linux stance was legendary (he called it the "hippy os").

the key was to install cde and tcsh and say it was solaris x86 (which he disapproved of too.. but less). since he never actually used the machines, this was easy.

Undercover LINUX

I work at the comptuer science department of a major universtiy, we've got runaway LINUX everywhere. We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

Re:Undercover LINUX

[innosent]

We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.

Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users, rather than prevent users from doing those things. Want to stop shared folders, file sharing, worms?, set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.

Unofficial installations

[cfl]

In a previous job I've found Linux and BeOS
desktop installations. While I was pro alternatives to Microsoft, there was the concern about security - e.g. open e-mail relays, unpatched servers. The company ended up with a policy of permitting Linux on the desktop, but not supporting it. If you had an application issue - you were on your own. The only users that ran it had a clue and we didn't run into issues. Being a research environment, Linux ended up replacing SGI systems as the scientific workstation standard.

Nope, not here

[canadiangoose]

Aside from my laptop and my desktop, we have no Linux desktops. I do network scans and such monthly, and aside from a few Linux-powered embeded devices, I've seen nothing interesting. Mind you, I work at a hospital. There are not very many technically inclined folks here.

Don't reinstall - boot linux from another disk

[jgaynor]

I wouldn't dare reformat a work machine with another OS. The feasibility isn't the problem - it's the wrath of an angry sysadmin that is. I would like to keep my job in this economy.

I DO, however, frequently boot my machine with knoppix. Most corporate IT environments prevent users from installing their own software - but Knoppix has pretty much every app I need. I sacrifice local file storage and some embedded data like PIM stuff, but its just more comfortable and doesn't raise the ire of the lesser IT geeks.

Re:Don't reinstall - boot linux from another disk

[Future+Linux-Guru]

The latest version of Knoppix will now allow you to save files on offline storage.

The question is printing.

Re:Don't reinstall - boot linux from another disk

[joelgrimes]

Very true. It's the coolest thing. Get yourself a $50 keychain drive and make it your persistent storage.

Then, no matter where you go, any machine you can get your hands on your machine.

Does this count?

[AWrinkler]

In the last infrastructure upgrade we did, all 60 machines were identical:
FreeBSD 4.7, autostart XFree86,
full-screen RDesktop to central Win2k Terminal Servers.

User's still think they have a windows
box(windows splash screen on boot).

Does this count?

Re:Does this count?

[netsharc]

Well one advantage I can think of is: no need to worry about applying MS security patches to those 60 machines.. just one central server to fix, and to break itself every few hours.

Not a problem

i dont have you worry bout this. the people at my organisation aren't clever enough to send an email, let alone install Linux

Re:VMWare rules!

[Satan's+Librarian]

Everyone in your company has $400 extra to blow on their computer to run multiple OS's? wow.... What kinda company? Pretty small, right?

I have a hard time getting my company to purchase anything beyond the minimum tools I need (NuMega and similar were out of my pocket, since I didn't mind owning them myself). VMWare's been on the wish list - but only as a wish.

Re:VMWare rules!

[cK-Gunslinger]

..now how much would you pay for VMWare?

But wait! There's more! The first Karma-whore to post about VMWare on Slashdot will receive some moderation points... absolutely FREE!

Order your copy now, while there's still time!

---

Sheesh.
I *wish* I had to time to make obnoxious posts to slashdot all day.
Er.. wait a minute...

Nope Not at all

[visionsofmcskill]

Between Two semi-large internet companies and several smaller ones i have NEVER run into any non-IT unix/linux box amongst my users.... EVER.

In truth beyond the server farms ive worked with at said companies the only person possessing any *nix varient has been myself (including mac os X...) While i can see this as being an occasional happening in dorkier companies... even then i find it not very likely.

mainly because buisness use predominataly revolves around outlook exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerialy) network administration of an all windows environment.

I would NEVER support a linux desktop distro amongst my users.... MAC OS X ... yes.... but not Linux for any reason on gods green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as windows or macintosh... especialy from a support stance.

My personal feelings are *nix for network devices.... Windows server/client for data sharing email and so on.... and Mac os X for end users who are more inclined towards media production (basicly people who arent finance/sales).

This setup puts the *nix boxes in my realm... and id be greatfull that no unwitting user *accidently* installs another DHCP, DNS, SMTP, etc... server on my network. Id also be thankfull not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use.... or how to fix their freakin window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.

Of course this poster assumes that the people who do so, do so knowing people like myself wont support them... and more than likely will be highly un-happy with their network being potentialy compromised...

not trying to spread FUD.... but ill wait for a tighter distro before i promote *nix on the desktop.... only one so far (with flying colors) is OSX.

Re:Nope Not at all

[1lus10n]

actually your post is pretty much just FUD.

firstly you wouldnt have to worry about them installing a rogue DHCP server if you didnt give them root. As a matter of fact dont even install KDE if you dont need it. you really must have no experience with modern desktop linux installs, otherwise you would have known that: "Id also be thankfull not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use" is rather retarded since most apps work fine nowadays, Redhat has a unified desktop which makes the "visual" differance between kde and gnome moot, and redhat would support any other issues you have if you bought a support contract. same as with any other OS.

as for streamlined management well you could simply run a local up2date server with cronjobs as neccasary, and run ssh locally on the clients so that when (and this will be very rare) there is an issue you can just ssh into the box and fix it.

i personally work at an outsourcing company, 3500 employees and we have about a 20% linux desktop install, growing slowly. why ? ease of administration. you have a policy that states what IT supports (evolution, mozilla, gaim etc) and whenever somebody asks for help with something not supported you point and say "No". And the best part is you dont have to have someone running around constantly re-imaging all of those windows boxes....

Re:This is unexpected?

[Noumena]

not only that, but my unoffical linux install is a good way for me to know that the corp doesn't have any spyware on my boxen. That and I stopped hitting my monitor so much after I installed linux.

Re:Remember...

[grungeman]

Yes, and that is exactly why they are asking for other sysadmin's experiences. Got it?

Re:they better not

[Vicegrip]

"anti-virus software", "desktop license management agents"

Apparently you've confused Linux for a version of Windows.

This kind of sysadmin crap is why I prefer working for a small company.

"Insecure" Linux, Cygwin and RedHat

[MyHair]

I can see how security might be lax. When I was new to Linux I enabled everything whether I needed it or not. I figured I'd get around to playing with bind, sendmail and ftpd sooner or later. Everyone I know who's tried Linux has only dipped his toe in, so to speak.

Now I know more and have played enough that I disable everything except what I need, make sure it's secure and then put up a firewall just to be sure. But heck, just the other day I realized I hadn't apt-get update'd and apt-get upgrade'd in a couple of months. Oops. I also had weak passwords until about a month ago.

I'm in a non-tech company, and the Linux penetration is well below 1%. Only one desktop--a dual-boot laptop--as far as I know (except when I boot up KNOPPIX), but I have three rouge servers of my own. (Squid, Nessus, nmap and Snort are my friends.)

I also have two Cygwin installs, but they're my workstations, not user PCs. Anyone seeing those on desktops yet?

In this article the guy chose RedHat. If you don't care for commercial support, why would you choose RedHat over Debian or Slackware? Especially if security is a concern.

Re:they better not

[Chewie]

they almost certainly would have no antivirus software

Oh, for the miniscule number of Linux viruses?

no agents for our desktop license management

Since *most* software that requires license management is either Windows-only or hard for Joe User to come by, I don't see this as a huge problem either.

and almost certainly wouldn't be keeping up with security updates.

Ah, now this is a real concern. I would hope that your company has firewalls, but I can certainly understand not wanting them to be your *only* line of defense.

the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.

I can certainly understand this. When you're responsible for eleventy jillion desktops, you can't have people going rogue on you. At least not without knowing that if you have to come fix their PC, it's getting reimaged.

Now, I personally happen to run a stealth RH install, dual-booting to Win2K for when I just have to do something in Windows. My workstation, however, is well-secured, and has updates applied regularly. I have *never* had to bug the IT department, and my workstation is exceedingly well-behaved on the network. If the IT department decide to be real hard-asses about it and reimage me, I'll understand. Doesn't mean I won't be cranky, though. :)

I work for M$

[civilengineer]

and all our systems have rouge linux installs. Its true! ;)

Re:Now that's one of those Ask Slashdots even I ca

[innosent]

Well, it's redundant because it's not a troll, it's not flamebait, and it's not offtopic. I suppose it could be overrated instead, but the point of the article was to hear experiences from people who have found desktop installations at work, not hear 600,000 "No" answers from people who haven't. If there was a "-1 Pointless Comment" mod, you'd have gotten that, but there isn't.

Re:they better not

[invoke]

I used to be a manager at Dell, and I can tell you that if you had presumed to format one of my or my developers machines without first getting authorization from me, you'd be fired and "walked out of the building" the following day.

Maybe the authorization got misrouted.
Maybe you are wrong about either the authorization or the requirement for it.
Maybe it was an experiment on a dept. system.
Maybe it wasn't hooked to the network.
Maybe we were testing the system's Linux compatibility at the end of the day and left it 'till the morning to finish.

In my tenure at Dell, all these things were true at some point or another, and no one formatted our systems. We were too busy to get in the pissing matches that would have started.

Certainly you should quit abusing your very limited power and try to help rather than simply jumping to conclusions.

Re:they better not

[Usquebaugh]

This is why IT is not consulted. Extreme prejudice indeed!

If end users are not supposed to do something it's your job to configure the gear so they can't. Rules forbidding something are a failure in IT.

If the user has no agent for the desktop license management how is that a problem exactly? Either they are not using any licensed software our your management software is not to hot on the managing front.

If you're running round playing tattle tale who do you think the finger is really pointing at? Go back to your sever room and lock the door.

You Have Been Served

[FreeUser]

}
}
}
} In the matter of SCO
} vs.
} Electric Cloud
}
}
}

Said defendent is alleged to have been running an unlicensed version of Lie-nucks, violating vaguely alluded to (but impossible to produce) 'intellectual property' alleged to belong to litigant, by virtue of having been written independently to superficially resemble an unpopular operating system the litigant overpayed to acquaire the rights of (c.f. UNIX), said litigant thusly excersizing their Constitutional Rights (tm) to sue uppity upstarts who dare make use of a legally engineered and freely provided system that competes with their abysmally unsuccessful, outdated, and buggy commercial offering.

Said litigant cites as prima facia evidence of infringement "a post to slashdot that indicated a successful deployment of the demonic system."

Defendents declined to comment, but did point out to the court that the daemon was a mascott for another, competing free operating system, and that perhaps counsel for the plaintiff would be so kind as to wipe the froth from his mouth and clarify.

Extreme prejudice 101

[T3kno]

localhost / # format c:
-bash: format: command not found
localhost / # fdisk c:

Unable to open c:
localhost / # deltree *.*
-bash: deltree: command not found
localhost / # del *.*
-bash: del: command not found
localhost / # sys c:
-bash: sys: command not found
localhost / # help
GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
<snip>
</snip>
{ COMMANDS ; }
localhost / # fsda;lkjafdjl;kwfoied
-bash: fsda: command not found
-bash: lkjasdjl: command not found
-bash: kwfoied: command not found
localhost / # <insert_vcr_led>


Sobbing....I HATE LINUX....

Somewhere a penguin smiles.

Re:Green Grass.

[tarquin_fim_bim]

"If I had real work to do, then I would use XP"

But you don't because you're an unemployed has been MSCE. haha

Re: _A&T Manual ;-)

[sICE]

Quote:

If you are trained in computer sciences, you unconsciously tend to think that everything that is easy for you is easy also for the others; well, it's not! All the knowledge you have built during many years is a mystery for them. On the net, you often find expert and trained people, because it's the right place to find them. Everywhere else in the world, they are rare.

_A&T

Re:they better not

[1lus10n]

>> Last time I checked, there weren't any imminent linux virus threats.

> That attitude works up until the world gets surprised by the first real nasty one.

should i even bother explaining why it is damn near the most unlikely thing to happen in IT ? or should i just point out that _if_ a virus ever hits a unix there would be open source anti-virus software within a few days ? (few months max) or point out that the unix type of OS is about 30 years old. and to date there havent been any virus's in the "wild". (and dont give me that "not attractive target" for virus writers crap either, unix still runs mainframes, bank computers, ATM's etc .... and linux and BSD run about 50% of the mid-range servers....)

se the wonderful thing about linux is you dont have to run a damn thing as root, and the few things you do have to run as root can be chroot'd so the virus/worm can't do diddley. some linux distros come like this by default.

>> Desktop license management? I thought linux was free.

> Perhaps, if your time is worthless. But anyhow, he was refering to license management for any potential commercial software they may have
> illicitly installed.

oh please. take your gartner studies (microsoft funded BTW) and shove em'. the amount of time it takes to install and optimally config a std. linux system is in the hours worth of time. admining that same install MIGHT take 30minutes per month. windows ? yeah friggin right, pick one of their OS's if you spend less than two hours per month admining that box its vulnerable. this argument is moot. since anyone who is going to install linux by choice obviously wasnt bugging the IT guys and hence didnt need to be trained, so there is no time lost their.

Linux is FREE to any person who knows what they are doing, simply because spending the few hours it takes to install free's them of the years of misery that lies behind them, and the years that would have laid ahead of them if they had still been running windows.

Ignoring the standard MS shot...

[el-spectre]

The point is, a sysadmin can patch and update winders machines remotely and en masse. If he doesn't know about the linux machine, then he obviously has a hole in his security plan.

Re:Ignoring the standard MS shot...

[boomer_rehfield]

If there's a box on his network that he doesn't know about then either he needs a new network analyzer or new networking people that know what they're doing. Not trying to be a jerk but you should know what is on your network and if you don't, then you're not paying attention and/or trying hard enough.

Re:Remember...

I work at one mega-monolithich US international -- though we're mostly nerds here (R&D).

I'm not a sysadmin, but I'm one of the people that has installed Linux (I didn't blow away the corporate windows install, for accounting sakes) on his own at work.

How did I get the corporate mail client (MS only) and other ends to work? I downloaded custom-wrapped wine rpms created (on their spare time) by other coworkers on the other side of the country at another research facility. This was hosted on a un-official internal "Go Linux!" website, for all of the company's employees to see (we're allowed to have personal and "club" websites) and download (they have all of MS Office 2K running smoothly, along with Notes, the corporate e-mail client).

I got a couple of coworkers excited about Linux -- mind you, we're not just another corporate center, this is a hardware R&D filled with geeks (the sort of people that aren't sysadmins, but might play them on slashdot!) so I imagine we're at one end of the scale in the corporate world. But, thanks to Knoppix (try out a recent Linux distribution with zero liability on the company's computer to see if all your stuff is recognized! What a sale!) I've managed to get even some of the "old crusties" excited about Linux.

Anyways, my sneaking suspicion (and my hope! so this probably biases my "suspicion") is that there is a large number of uncounted Linux installs, and growing.

I was concerned about security, but who are we kidding? I know to not rest on laurels and all that (keep this RH73 as up to date as possible), but the alternative for my machine is Win2K, and we've been through the wringer with updates, worms, reboots and virus infected computers on *that* platform .....

Re:Green Grass.

[tarquin_fim_bim]

"And you didn't even spell MCSE right"

I can't spell dinasaur either.

Look at the sysadmins waving their wangs around

[hayden]

"It's my network and anything that I don't know about gets trashed" blah blah blah *thumps chest*

If you were actually any good at your jobs you should be asking why these people (who may or may not be risking their jobs) feel the need to install linux? What is it that the current policy doesn't provide? Why has sysadmin become so unapproachable that they did it without asking (this should be an easy one)?

Actually do something useful rather than wandering around the network marking your territory.

Re:User Installed *anything*

[KevinJoubert]

I think we are forgetting something fundamental here... the whole idea of policies and security with respect to installing rogue applications stems from the fact that Windows and Windows networks are so damn easy to completely break.

If I install a program as a user on my Linux box, or even in my user space on the departmental server... it has no effect WHATSOEVER on the rest of the server or the other users. Thats what a multi-user OS "is". You can't even TOUCH that with ANY Windows implementation.

This discussion is not about "Oh, I can break into any box and install Linux". Sure you can. There is no way to stop. Lock it up? pick the lock. Remove the floppy and cdrom? install one or do a network install via crossover cable and another box. Blah blah blah.

The idea is that Linux IS in far more places than people know. And it will only grow in the future. Will it supplant MS as the "King of the desktop"? Who the hell cares... but people have a choice now.. and they ARE choosing it.

Re:This is unexpected?

[Jedi+Alec]

assuming for a second that the person involved is actually able to install Linux(not stuffing a CD-Rom and/or floppy drive into a machine does wonders) and has sufficient rights under Win2k/XP the answer would be to reduce the main partition a bit in size using for example partition magic, and then happily installing mandrake on the side. Red hat might be an option too, but that'd require installing NTFS "support" separately, which, otoh, isn't all that hard to do either...

From a personal perspective, my previous employer didn't give a rat's ass what OS I ran, as long as it ran the software we used. The reply I got when I asked if I could was something like "oh sure, but you do it on your own time, and if it breaks, don't come whining to us..."

Rogue Installs... Allow me to Retort...

[Angry+Pixie]

So there I am in my cubicle playing my usual rounds of mental foursquare with three other cube-mates. One of them still refers to her desktop wallpaper as a "screensaver." One of the men passes corrupted floppy disks around with the glee of an idiot passing out used condoms; and the other still thinks no one can see him playing Solitaire. As for me, I routinely spill coffee and break the no smoking policy while clogging the email system with idiotic Flash movies...

So who and where the hell are these marauding rogue agents running around installing Linux on office desktops. It can't be IS, they're too busy, and it can't be cube workers, they're afraid of their CDROMs!

You've got to be kidding

[0x0d0a]

1) You have to be kidding. You can use attack software on *any* OS. Linux is no weaker (and actually a bit stronger in that it has some semblance of local security) than Windows here.

2) If you sieze machine and reimage them to fit with some policy you're following, your ass would be heading out of town from mass user complaints at any company I've been at. You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done. I simply am amazed at the total lack of regard for the employee, and lack of perspective you've displayed. You could disconnect the thing from the network. You could ask the user to move his files to another machine so that you can reformat it, though I think you're already pushing the limits. But when you simply grab a machine and reformat it, you're in a position where you are a liability to your company. When the developer tells his boss that IT wiped out his work, his boss tells his boss, and his boss tells his VP, I guarantee that your boss will not cover for you.

You want him having direct access to the 'net without a proxy?

WTF does this have to do with what OS you're running?

I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits.

This is ridiculously paranoid. I've seen the occasional IT type who considers the users he is supporting his enemies, but this is beyond belief.

What if he's okay but his box ended up getting owned because he downloaded bad BitchX source?

What if the same damn thing happened because he downloaded a Word file to his Windows box? Which of the two happens in far greater numbers?

That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical.

You've worked in an 8,000 unit shop and you honestly believe you have zero penetrations? And your setup is such that you need to spend three days and nights mirroring HD images *after* an attack?

This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again

And again, WTF does the OS have to do with this?

Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share.

Ridiculous. This is a theoretically possible but completely impractical story of what might happen in an attack.

Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax.

Amazing. God, I'm glad the IT people that support me have different views.

(All those workstations came with an OS you paid for anyway).

The infamous sunk cost fallacy. Which they teach you to avoid in Business 101.

I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

It's not. That kind of behavior from IT would generate serious user complaints where I work. Matter of fact, IT is trying to quickly adapt to support people that want to use Linux here, and has compiled resources for them. That's what I consider doing a good, solid job. Helping the users instead of attacking them.