Guerrilla IT, Embracing the Superuser?
snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"
You can't let the end user have any power. Just ask the BOFH ;)
On a long enough timeline. The survival rate for everyone drops to zero. Chuck Palahniuk, Fight Club, 1996
Great...now I get to do IT's job for them. In addition to my own work. So, I'll get paid for all the extra time I put in working on an IT project, right? Remind me why we even have an IT dept. again?
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
In which case they should toe the god damn line, because they're fucking shit up for other people.
Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.
I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.
I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out of subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.
Please tell me people don't really talk like that. "Grew the solution"? "Drive business value"? These people need to get a hold on themselves and listen to the feces streaming out of their mouths.
hahaha, let the users have admin rights?
does the author have **any** experience of the commercial environment?
Turning rogue users loose to allow who-knows-what into your network??? Who keeps writing this irresponsible crap? Botnet articles cannot coincide with these articles, make up your minds.
"To err is human, to mod Funny divine."
We've actually moved away from this, fairly strongly. We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues. While it's possible to create little sandbox areas for them, it's an administrative hassle, and it's always hard to be positive their applications can't cross security lines or impact another application's performance. Then there's the support issues - who fixes their business critical application when they've left or are on vacation? It's like the days when people would make Microsoft Access applications for everything, and then it would be dumped in our lap.
Our response has been to staff up to meet customer demand and spend a lot of time bringing other IT folks up to speed on web development. It's worked out fairly well, and the number of times I've been called in to fix a Microsoft Access report or the like has dropped dramatically.
If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it. You, as the unempowered user, receive prebuilt restrictions, prebuilt computers, prebuilt binaries. You can't tinker, you can't fix, and you aren't even supposed to poke around.
The problems of restriction in DRM, restriction in EULA, restriction by not providing source code, restriction in IT are all the same. Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid." When users can't even diagnose on their own, and are forced to run to IT for the most minor software install, the bureaucracy justifies itself. IT is necessary because it's been made necessary. Dumb down the users and they need someone to hold their hand. But create a community of educated and empowered individuals and people will share information.
In a community of empowered users people don't just share solutions, they create solutions.
And I can't get stuff working right. Our monitoring solution (OpenSpew) is managed by a central group so we don't have the ability to know if our changes are being made. So we don't get pages when we need them and we get pages from 2 weeks ago at all hours. When we ask for additional features, we're told it'll cost $20,000 and there's no money in the budget.
As a result, the other groups have set up their own monitoring solution and shoot alerts to OpenView. And now we're getting ready to implement our own monitoring and stats solution (Nagios and RRDTool).
[John]
Shit better not happen!
"Put them to work?" I'm not about putting the beatdown on non-IT tech guys, but I'm also not about giving them free rein. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.
Oh, and wireless? I don't think so. Messing with network infrastructure is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.
In my experience, the biggest problem is that the non-IT power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The idea of putting them to work is indeed an interesting one but, I still have some questions. The first question is: What is their current job? While they and their cohorts might think that installing rogue access points in the break room is tre cool, I'm wondering what their real job is supposed to be and if it's being done? And how well is it being done?
... How would a package delivery company react to its drivers or call center operators tinkering under the hood of the delivery vehicles? Putting dubs and 22 inch wheels on the truck might seem totally cool to a good number of people within the company but, that still doesn't make it a good thing. And arguing that it saves gas might still not be enough to make it acceptable.
To drag out the obligatory broken automotive analogy
My thought is that these people should work in IT if that is what they want to do. But, if they choose to be an accountant, they should stick to that and realize that they might not have all the information necessary to make the best IT decisions.
I thought that was code in the black community for openly heterosexual males engaging in secret homosexual trysts. Is that really how end-users see dealing with IT? When we make the next supply run, should we throw in some astro-glide, too?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
I worked in a couple IT departments for years, and I agree with the article in that many of the IT departments fail to provide what is needed to run the business. I've seen IT departments slow down large projects, make many projects come in way past due dates rendering them worthless, and having projects killed because IT just cannot get it done.
Then I watched my IT overlords blow their budget because they wanted to upgrade the entire phone system to a Cisco IP based one - "because they are cool."
Kevin
Irrational Diversions
Then, the proles can install Kazaa and LimeWire... and put the shares on the corporate servers.
Yes, I've seen that done.
breaking big rocks in to little ones or maybe digging holes and filling them again ... at GITMO
signed,
BCLEFH*
* CLE == C-Level Executive
muahahahahaaa
I've been on both ends of the IT/user divide. I've administered networks of several hundred machines and am well aware of what some people will try to do with them. In my current position, however, I'm just a regular user. So when people in the department start talking about doing something that IT wouldn't approve of, I can usually explain to them in their terms why it wouldn't be such a good idea. OTOH, there have also been times where I've been called in by my boss to take care of a situation that IT hasn't been able to resolve, but that I've figured out because I face the problem daily. In those instances, I don't mind making a quick lap around the department and tweaking the machines a bit, because I know that it's exactly what IT would be doing anyways if they could be bothered to figure it out. And before someone says anything, I've contacted IT before to explain the problem and the fix. It's just that it's usually such an esoteric issue that they can't even begin to get their heads around it (e.g., font caching issues involving using certain programs in a certain sequence).
This guy's the limit!
The old adage that a little knowledge is a dangerous thing applies here. Yes, there are people who know what they're doing and will behave responsibly with a free run of your infrastructure, but the majority are people who just want to install Bonzai Buddy or that cool Bittorrent thing that lets you download movies.
Even more dangerous are those who "know better" than the IT department and decide to set up their own services because yours haven't been configured correctly according to some guy they know on IRC. Next thing you know you've got rogue DHCP servers and all your desktop machines are PXE booting Gentoo.
No; it's one thing to give a little administrative leeway to knowledgeable users who need it, but letting people run their own pet projects on company hardware is a disaster waiting to happen.
My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.
One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.
The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.
Developers: We can use your help.
They stop only when they're escorted out the door (or to jail) and then sometimes that's not enough.
People who persist in breaking IT rules after multiple warnings are usually "control freaks". If you give them responsibility, they will end up assuming more than they were granted, arguing with administration, causing chaos and personnel problems.
Best to nip this problem in the bud.
- Been there, done that.
Put them to work? Good idea - they can start by fixing the mess that all the other amateurs make when they start writing crappy apps and sticking their noses into design decisions they not only don't understand, but don't understand that they don't understand.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I don't have a problem with this. I have 140 users split into various different departments. In each of these departments is a (fairly) technically able person. This means that the user will normally go to them first leaving me free to, uhhmm, reply to threads on /.
Yeah, I'll get RIGHT on that. And when the share holders or customers ask for documentation as to why the system is down 25% of the time and we tell them "Oh, it's because we gave RandomUserX on the Docks Admin rights to speed up response time on help desk. It's cool, he has his MCSE!"
I'm sure I could leverage getting a college co-op before getting the CIO to sign off on letting "Power users" run loose on the network to fix problems.
Ask not what you can do for your country. Ask what your country did to you
Just because someone can plug a device into a data jack does NOT mean they're a "SuperUser".
Yeah, that might work at HOME. But in the OFFICE someone (me) has to be responsible for security of our data. That includes YOUR social security number in HR's database.
If you do not like the "restrictions" you are working under, then explain to YOUR boss how much more money you'll make for the company if you get X. And your boss will talk to my boss and I will explain how much it will take to implement X (money, time, security changes, etc).
If the net is an increase in profits, we'll probably do it.
If it will open us up to a new risk WITHOUT an increase in profits, I don't care how much you love your idea. It's not going to happen.
Writing code which floods the network with packets? Crashes workstations? Worse, crashes servers?
Deletes logfiles? Rewrites config files?
Sorry - if it's my name on the line for a given piece of equipment, I want control of that piece of equipment. I left a place last February where that wasn't strictly true - and I'm relatively certain my fellow outsourced contractors were breaking stuff. I never did decide if it was accidental or intentional, but the missing log files made me go "hmmm . . .".
IT people don't appreciate being called "assets".
Keep that in mind.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
My work actually is forcing all computers with XP to turn off autorun today. The funny thing is, the reason is that someone had "spyware and/or viruses" installed from the disks.
Really, do you think autorun is the issue here? I think it's safe to say that running McAfee might not be the best idea to keep a computer safe (I seem to recall Clam doing a thousandfold better job), and also plain old stupidity from one of the users no doubt.
sorry, but I don't think letting anyone have their way is going to fly.
try all they want but it's my job to set in place what the auditors tell the big guys what we have to have to comply.
no one wants to not be in compliance and subject to some idiot in government who one day got bad service/etc from someone in your company.
so, if these power users can't confine their play to home then I don't need them here.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
It's not to get a pat on the head--there tend to be three reasons people poke their head up in class. (1) They're stuck in the overachieving freshman mentality, where they're effectively talking heads who aren't necessarily that productive. (2) Class participation counts towards their grade, and they need to spew up something once or twice a class to make sure they get that percentage of their grade. In terms of things that are only tangentially related, maybe it's a choice between vaguely interesting BS and BS they've already covered in class. Which would you choose? (3) They're actually curious about something. Like a CS student who's learning about handles for the first time, who thinks `hey, could that be used for garbage collection?'
Granted, those are for issues remotely related to the topic. Someone who raises their hand during a CS class and asks about the fall of Rome might just need to be whacked on the head.
As an organization, the IT department should give the corporate users a choice. They can take the blue pill, which means their computer is managed by the IT department. People who aren't knowledgeable about the inner workings of their system and just want to get their work done without getting too sophisticated technically will probably choose this option. Or they can take the red pill and manage their own system, under one condition: The IT department has within it several 1337 h4x0rz who will be allowed to try and hack into these self-managed systems at any time that they wish. So long as they cannot find an exploit, the user is left alone. But if they find an exploit, that user has to buy everyone dinner. Or something along those lines. That way, people who want to control their own systems will have the opportunity to do so, but not in a manner that puts corporate data at risk.
McCain/Palin '08. Now THAT's hope and change!
It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not play nice with air traffic control or nuclear plants. ;)
On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.
But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.
Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.
Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.
Proud member of the Weirdo-American community.
You're either being very clever, or you don't know the difference between a Guerilla and a Gorilla.
If it's the first, well done. If it's the second, not so much.
The biggest problem I see is that the employees who are trying this do NOT understand the full spectrum of the job assigned to IT.
... but what happens when the lawyers come in and want full records of X?
... and deleted them when they quit along with the rest of their email. Yeah, it sounds good when you're only thinking of yourself. But that kind of logic does not work when it involves a company.
Yeah, you CAN find a way around X
It isn't just about keeping your computer safe from viruses. Most employees understand the single-user model of computing.
What they do NOT understand is having multiple users hitting a shared resource such as a server.
Or backups for recovering deleted files from yesterday _vs_ backups for recovering information from 3 years ago _vs_ keeping current files at a "disaster recovery" site for when the office building burns down.
I've had to go back and recover email from years ago because of a lawsuit when our people did NOT print out important documents
...and even I think this is a BAD idea. You want to mess with your own PC, okay - there's some merit there for some people. Mess with the network - hell no. There are too many things that need to get done, and the ability for one person - even an otherwise knowledgeable person - outside of IT to screw things up is just too much of an unknown.
I'm not usually one to chime in on the side of IT, as they often throw out the baby with the bath water, but letting people whose primary function is something other than keeping the network up mess with the network is just a massively bad idea. Screw up a workstation and one guy is dead for a day. Screw up the network and the whole company can go toes up.
Is it just my observation, or are there way too many stupid people in the world?
I can relate to this issue. My co-workers often come to me to fix their email and various other apps that have been screwed up by an incompetent IT staff. I try, I really do try to get my coworkers to call IT if there is a problem, but sadly, they often don't trust them. I have been accused of all sorts of things by various IT employees and none of it true or even provable if it was. The truth is mine is the only computer they are _not_ regularly fixing (or screwing up) here in my office.
Bad attitudes like yours always crack me up. Why? Because, with the exception of the mainframe administrators, it is exactly the kind of user you are complaining about that CREATED YOUR JOB. No, I don't mean users. I mean those Arse-scratching chimps that think they are superusers. The PC in the work place is a direct result of people trying to get computing power under the radar of the mainframe administrators. So, if people had followed your advice 30 years ago, you wouldn't have a job.
Most IT departments think that they know everything there is to know about computers and the network. The problem is that they don't know half of the shit they think they do. In particular they usually know nothing about what their users need in order to be productive. Instead most IT departments focus exclusively on control, control, control. While control is great you must have an idea of what you need to control and why and that is where IT departments are out to lunch. Security is not the only responsibility of IT, usability is just as important. If I can't use my computer I might as well not even have it. It's just a waste of space and money if it is locked down so tight that I can't get my job done. Time and time again it has been shown that with physical access to a system you can gain control over it.
Stop being a disabler and start being an enabler. Show people how to use their computers effectively while keeping them safe through education.
When I went to high school the network was ridiculously insecure. I spent a lot of time sniffing around and breaking into things. I had more access than the junior admins did. The chief admin could have banned me, and in retrospect, he had every reason to. I didn't break anything, and I told him about all the security flaws I found. However, I didn't stay within the terms of the computer user agreement. The admin and I had a really good working relation. He allowed me to keep my derived super user powers, and in return, I attempt to figure out how to break things, and then help him fix the holes that would allow me to break things if I so desired. We both benefited from the arrangement.
First of all, it depends on the context whether this is a good idea or not. In some environments, the IT group is the one and only IT wizard. In others (esp. in companies where IT development and IT research are the core business), the official IT group often is not at all capable of even understanding what the engineers are doing and supposed to do.
I've always worked (nearly 18 years now) in the latter situation. Once upon a time, I was one of those superusers in that I had an IT degree, but worked in engineering (research, actually) where most of my colleagues were non-IT engineers. They were very IT savvy at a personal level, but generally missed the wider scope. So far so good. The not so good thing, was that the IT department had no clue whatsoever of what the real business needs in terms of IT were (and neither had the company's management). The consequence was an ever worsening war between IT and IT users, amongst other things resulting in ever more shadow systems. We solved this by establishing a working group that took care of ensuring there was regular bidirectional communication between parties (I was one of the founding fathers and later on was the chairman for many years). This worked wonders. (Note: It worked so well, that when I finally left the company, the IT group tried to convince me to stay by proposing that I might join them in quite senior positions.)
Part of the whole concept was to do exactly what TFA says: the real superusers were identified; they earned the trust/respect they deserved; and then gained the appropriate - for our context - access to specific systems. (I personally managed the whole repository of OSS as well as some commercial soft we had installed centrally on UNIX. No, I did not have root, as I designed the complete setup such that I did not need it, but it will also be clear that with that level of access I potentially could access a lot of data and that capturing root would not have been difficult had I wanted. Some superusers can be trusted after all.) Many successful applications were developed in the same way: some superuser developed - with the knowledge of IT - a prototype that was taken into production for a larger audience after review by the working group and possibly some clean up by IT.
Actually, all this is nothing new. Strategic alignment between business and IT is a core part of IT governance. So is making sure that IT governance is not a buzzword hidden in a bi-monthly meeting between the CTO and CIO, both of whom generally do not understand the issues, but that it is something that is built into the whole system at all levels. And yes, this includes the superusers (at least the capable ones).
Concluding remark: I've since obtained an MBA. As part of the IT course, I wrote a paper describing the complete history of IT management & governance at my previous employer detailing the above story at length. That paper made a very happy professor, as he considered that I was absolutely spot on. Afterwards he started using me as an in-class assistant for the remainder of his course.
Linux user since early January 1992.
On the surface, it looks great - power users in a non-IT org doing things their group can use without distracting IT from more pressing enterprise wide issues, getting immediate help with basic desktop support problems without wading through X number of tiers in the corporate helpdesk.
However, how can you expect these so-called non-IT IT people to keep in line with the path of corporate IT when it really counts? If a power user is subverting corporate IT policies, procedures, etc how could IT management keep him in check, since he is already disregarding corporate IT policy. For power users, it is easier to apologize than to ask permission...that is why they are doing what they are doing in the first place: they feel the need to subvert the system, to break the rules. They will continue to break the rules despite their acceptance. For example, will a power user recognize a company's desire to maintain software license compliance if they become accepted as "extra help" by the IT group because they installed their personal copy of photoshop on a work computer?
Regardless of their official acceptance as "extra IT help" or not, the problem still remains - this person is doing something that they're really not supposed to be doing, and it can have disastrous effects. This is especially true in huge, global enterprises that have things like change control boards and IT labs in place to ensure that each little thing will not cause problems with something else.
Anybody who is any good is going to have ideas, and an enlightened organization will find a way to accommodate them.
The ground rules where I work are pretty clear: we are expected to spend a bit of time playing with things on the side. Some of these have become products. We are expected to refrain from hacking important servers, flooding the network with garbage and similar misdeeds. If we break something, we are expected to fix it. I have all sort of things hanging off the network, have all sort of SDKs and neat little boxes and things kicking around, and, as a senior technical person, am expected to show good judgement in what I do with them.
If I come up with something really neat, my boss wants to know about it.
...laura
Are you seriously saying that the company you work for would support you NOT helping an employee recover his system just because he broke it himself? No, seriously, the company supports that position for you? Again, and the company supports that position? That's a LOT different from what you've been saying.
We only support our standard configuration. Yet if a machine breaks, whether from an employee's actions or not, we still repair/recover as much as we can.
I'm fascinated that you seem to be claiming to work for a company that values your self-esteem over actual customer contracts.
i've been some variant of a sys admin for eleven years. my experience has shown by far that the worst user isn't the guy trying to set up his own wifi or hack his iphone to work with exchange, it's the ones that really have no idea what they're doing but don't want to bother IT with their requests. they try to find work-arounds, don't report when things stop functioning, and just generally cause ten times more harm than good by not following any guidelines, all in the name of "well i know how busy you guys are". yeah, i'm busy and it's certainly not my fault that we have an IT staff of two for 130 users, but letting me know on monday that something broke last wednesday but you have to have it up and running today is the cause of half of the problem. i just see a lot of complaints about protocol from people who never follow it in the first place. i can't fix your network/hardware/software or the way we do things if i don't know it's broken.
The reason superusers go rogue is usually frustration,
I have to disagree in general. That may account for some, but the worse roguers are just tinkering addicts. They tweak for the hell of tweaking, like an explorer in a deep dark cave.
Table-ized A.I.
Two reasons that cause people to bypass IT rules - 1. IT not doing their jobs. 2. IT making all their policy and architecture decisions based on what is best for IT rather than what is best for the users.
e.g. #1 Newguy arrives at work and is given new PC by IT guy. IT guy didn't set up the network printers on the PC. Newguy can't print. What is better ? a. newguy calls help desk, opens ticket, 45 minutes later IT sets up network printers or b. I walk over and set up printers for him, time elapsed 2 minutes.
e.g. #2 We used to have our own mail and CAD licence server at our office. IT decides to make their life easier by centralizing all mail and CAD license servers in one office 4 timezones away. Much easier for IT to admin that way. Except now, when we can't get to the mail and CAD license server because IT dorked up the routing somewhere in Cucamonga or Omaha or whatever, or hosed the DNS doing routine maintenance, or lost any of the links on the WAN, or _renamed_ the fzcking servers without telling anyone west of the rockies (oops) our entire 70 man office grinds to a halt for an hour or two because nobody has CAD, phone lists, calendars or mail until the FUBAR du jour gets fixed.
None of them can see the clouds; The polished wings don't care.
If they don't like their IT options they are free to get a job elsewhere. When they are paying for the infrastructure and cost of management then they can fiddle.
I'm pretty sure the people who advocate letting users manage their own machines and letting 'super' users play around have never had to manage any IT shop bigger than like 50-100 users.
Put them to work? People who often know enough to be dangerous? Not likely, and as already pointed out in this discussion, why would they want to work for free? They do have other jobs, which I might add they are supposed to be doing instead of messing around.
The problem with allowing techy types more permissions within the work environment is that they're mostly concerned with enhancing their stuff. Most of them don't do much for their users, other than sharing out equipment over the network, that should be tracked, and then resulting in security going nuts.
We do have a few building specific groups with their own support, but even there, corp IT has reserved the rights to push to domain and such. Fun thing is when you get a user moving out of a special area and plopping their machine down in a vanilla spot; techs love running across stuff not set up per corporate spec.
I drank what? -- Socrates
We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues.
...their applications can't cross security lines... Then there's the support issues - who fixes their business critical application when they've left or are on vacation?
And why exactly would devs get to touch production? This is the reason why change control, documentation and good service topography is so vital. Your dev system should be a snapshot of production minus personal data. Your infrastructure should support that all the way back to the dev shop. Anything less is laziness. Most of which is probably way outside of your control. I gave management the options and rationale and they make poor choices. Don't lose too much sleep over it.
While it's possible to create little sandbox areas for them, it's an administrative hassle
In theory, that's your job. You and I both know in practice, the reality is much uglier, but this gets back to having an appropriate test environment.
Get out of the blame-shifting game. Make the issues known and go on with your day. If management doesn't want to spend the money and time to manage contingencies well, then it's their fault not yours.
Comments like this are my #1 pet peeve. Get in front of these issues by communicating well and if nothing changes it's a no-win situation where blame default shifts to IT. Move on. There are greener pastures.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
It's the superuser after all, right?
The bit about who will maintain the systems is especially true. I've been involved in situations where a user has had some IT skills over and above what is required to do their job and has taken over some of the IT responsibility. When they leave their replacement is chosen on the basis of the criteria of their position - not what they've been doing, often because there simply isn't the budget to hire someone with those skills, leaving a vacuum.
Another problem if you are the user is that if you have a process that takes 3 hours and you automate it so it takes 5 minutes your work will expand to fill the saved time. Do this a couple of times and if the automation breaks you will have neither the time to do the process manually nor to fix it and you'll get it in the neck when people notice jobs aren't being done.
My company took another approach. It is a subsidiary of a larger holding entity. That entity also has an 'IT' subsidiary that is supposed to provide all IT services - but that group is really geared towards enterprise data-center level applications, and can not effectively handle either one-sy-two-sy type work, or conversely larger projects that required a great deal of change/integration with other systems and 24/7 support. Project after project failed, or was delivered in a crippled state - and not in time to take advantage of limited windows of opportunity in many cases.
We set up a small team of developers dedicated to doing reporting and internal tools (I am one of the developers - and we are not super users - I am a CS/*nix guy) for the operations group as part of a reorganization. This grew organically from the technical engineering and system administration groups. Where IT can't or won't build a given application, we step in. We also interface with the end/super users - and fold in their requirements into the projects we are pursuing.
This does two things:
1. It keeps development and testing on dedicated development systems, and deployment on our dedicated production systems...no worries of a rogue superuser cratering the network.
2. It satisfies the needs of the business to accomplish those tasks that fall through the cracks in the IT process and scope. Management likes not getting the run-around when they need something fast.
This probably wouldn't work for all organizations - since the talent and resources to do development in a safe manner (dedicated development/test/production systems, version control, knowledge of a wide range of application and network issues surrounding client/server applications etc) is probably not available. One solution in such an environment might be to dedicate some IT resources for this purpose exclusively.
Get in the trenches, live with the users, eat some of that dog food you're serving.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Then set up your own IT department which you do not call IT so the constraints you put on IT do not apply.
That's what I'm seeing.
The end result is an unproductive mess with major systems essentially designed and implemented by non-IT people who have absolutely no clue about the enterprise or long term interconnectivity issues or it works great but takes a dozen people to keep going instead of running automatically... but they are not IT people... so it's okay.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
If you do not understand the situation sufficiently that you can express the benefit of X in terms of dollars and cents, then why should the company pay you to play with it?
What about it?
Are you threatening to leave just because you didn't get to play with X?
No, change that, are you threatening to leave just because you could not make a business case for you getting to play with X?
That pretty much answers how much you are worth as an employee.
It's nice how you know so much more than I do about this field.
If you put something on my network, it WILL be found. If you really knew as much as you thought you did, you'd know how I'd find it and why it is impossible to hide it from me.
Sure you do. Sure you do. And, sure you do.
And yet you claim you get MORE "leeway" when you're working "for the military".
Fascinating.
When someone cuts the lock off their machine to reset the BIOS passwd jumper and reinstalls the OS just so they can install a game or skip the mandated proxy, call your information security and HR folk and get them fired fast. If you give them a warning, they'll only try and be sneakier the next time they do something (like corporate espionage). These people don't belong in an organization; they would feel much more comfortable as lone-wolf contractors, so you're doing them a favor.
We let our users do pretty much what they want until it starts affecting normal operations. If it starts affecting normal operations then and only then do we come down on them.
If we do get bothered by something an end user wrote "excel crap" for instance we just get them up at 3 am to share the love.... The rule is that if you wrote it you will be the one maintaining it.
I got tired of Blackboard's idiocy, and when combined with our CMS, I was... disgusterpated. Luckily, I know something about Apple computers (having worked there for 3 years) and our local IT dood, while a miracle worker, is more windows/unix centered, and isn't really totally up on Leopard and similar systems like I am. So I help him with some things, and we have a great working relationship.
I told him of my frustration with the system that exists, and he is also utterly pissed at the idiotic policies that seem to have been carved out of stone in the late 1990s. So, he said - hey - I have a server for this building you share with a neighbouring department that hardly uses it...
So, I set up all my courses on the server, with none of the idiotic design limitations from CMS, or any of the file size limits from Blackboard. I'm happy, he's excited to do fun and much more interesting work supporting this thing, and the students really like this supplement to the system. The result: Win Win Win, except for the draconian bureaucrats who run CMS and Blackboard.
I still use blackboard for grading, but other than that, it's a waste of my time, and I don't have to wait 20 minutes for updates to my site to show up, and neither me nor my students have to deal with microscopic file limitations.
I can attest to guerrilla IT. When you're dealing with responsible adults who are trying to get a job done, it all works out really really well. It's not hard to imagine scenarios where people of "Diminished Responsibility" could really make an unholy mess of things, but overall, I think it streamlines services a great deal, i.e.:
"It Works For Me!"
RS
Shoes for Industry. Shoes for the Dead.
I love how out of all of the comments there are only like three that acknowledge that there ought to be some middle ground on this...
My personal fav:
"I work for a large governmental entity that has policing powers and I assure you, such people are worthy of dismissal only. Once you give them an inch, they'll take a mile...Best to nip this problem in the bud."
Gawd, working for this company must suck-a-c0ck! Would I get fired if I miss the noon IT manager worshiping session? Do I really need to address littlewink as "The Almighty"?
I worked in a logistics center and referred to myself as the Covert Logistics Information Technology Team, C.L.I.T.T for short.
Someone hates these cans.
The users have a real business need.
You don't have the resources to meet that need.
They say, "Well, let us do it for ourselves."
You say, "But if it doesn't work out, then we'll have to pick up the pieces."
They say, "That won't happen; if it doesn't work out we'll be on our own."
Then you say to yourself, "My life would be a lot easier if I came down hard on this." Then you remind yourself, "But it's not my job to make my life easy. It's my job to try to get the needs of the company met."
Then you decide to look the other way, the project fails, serious business repercussions threaten, you're called in to clean up the mess, and by the way you don't get any more resources to do it.
File it under: no good deed goes unpunished.
I've been on the other end of the stick, an application developer with decades of experience in multiple industries, having to wait on some kid whose development knowledge amounts to having read "Access for Dummies" to figure things out.
I don't think there should be a hard and fast rule on this, but I think if you let user projects go forward, it's a bad idea to turn a blind eye towards them. If the project looks like it's going to have some impact, either by succeeding or failing, I'd probably require the user to make a proposal, as if he were a vendor, and I'd track it the way I'd track a vendor project. He should make a business case, show he's the best person to do it we can get for the money available, then he should commit to deliverables, milestones, acceptance tests and so forth.
If the product doesn't pass tests, you pull the plug on it before the company starts relying upon it.
If a user just wants to hack his iPhone for his own amusement, then he should buy his own iPhone. If he wants to hack his iPhone in a way that arguably solves a problem for the company, I might entertain him doing this, but only if I were prepared for him to brick the thing. If it's not worth a bricked iPhone, it's not worth letting him do it with company property.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
"Woah, looks like the app I just installed completely destroyed my partitions. Well, that's what I get for fooling around the day before a big project is due. Guess I'll be up all night typing, probably take me a few days to finish! But that's my own fault. Goodnight, support, see you in the morning!"
"Woah, looks like Bob over there installed some really suspicious software that may be interfering with my ability to work. Guess I'll go over there and spend the rest of the night digging out the crapware on his machine. No need to call support - we wanted it this way."
"Mr. Big Boss, the reason this project isn't done is the file server we run locally crashed last night and we're still recovering it. Of course IT isn't to blame: we run it. It's entirely our fault, no need to call IT."
"No, I don't need admin on my machine, are you nuts? I don't know what I'm doing, I'm not a power user."
In my years in IT, some (not all) of the reasons for crappy IT policies is that everyone wants freedom... until something breaks. Then, regardless of what has been said, it's the IT staff's job to fix it. After a couple of rounds of this (and shrinking budgets), pretty soon the IT staff is shutting down anything not immediately necessary for work.
Throw a couple of technologically illiterate folks on either side of the equation, and you have a corporate IT department.
Ack!
I work at Apple. When I started last year, during new employee orientation, we were told: "Your computer is your own. We won't install software on it or tell you what to install or what you can't. The only thing is, if you break it, you'll have to figure out how to fix it, or get help from a coworker to fix it. We'll keep the network running, you keep your desktop running." Which is quite a refreshing change from my previous company where they wouldn't even give you admin access to your own bloody machine...
I'm already looking for anything the crackers might have gotten past me.
No, it does not assume anything. That you would even suggest so demonstrates how little you understand networking and systems.
It's called "computer science" for a reason. It is not magic.
If you really understood what you think you understand, you'd know that those terms are meaningless out of context. Let me provide you some context.
So you run your web server on 8080 instead of 80. Big deal. That box is not SUPPOSED to have port 8080 open. I'd find it.
So you run your web server with encryption. I'd find the port.
So you rename the web server file. I'd find the port.
WTF do "dead-man-switches" have to do with this? Those are for when something does NOT happen. Yeah, you might set it to wipe your web server if you don't log in for a week (you've been fired), but that does not stop me from finding the web server in the first place.
You are confusing "competence" and "knowledge" with "arrogance".
Again, this is a science. It is not magic.
Somewhere at infoworld.com, there is a rogue superuser who's created a devilish hack to fit all the contents of an article onto a single page. Someone needs to embrace that guy.
I argued in favor of giving the users more rights, and was criticized by everybody that responded. But I'm sticking to my guns. I think the structure of IT in most corporations is not ideal.
I think what would make much more sense then is to have distributed IT; various departments have key members that are responsible for IT management for their department. The IT department proper would handle big projects (software development, mainframe, networking, other big ticket or impact items), while desktop admin, software installations, user setup, troubleshooting, etc., database admin, should be done by the IT 'poweruser' staff in each department.
Right now, it's a mess, because individual departments know what needs done from a business perspective, but don't have the trained staff or permission to do it, while the IT team has the people and power to do it, but only a vague idea of what really needs done. The structure can tend to make IT vs other departments take on a mutually adversarial relationship, which is bad for the company.
I've done hacky, ugly stuff in MS Access, because it was too difficult to get access to any of my company's SQL server boxes, and it would have turned a two day project into six months to get IT involved. On the other hand IT hates MS Access, for several entirely valid reasons, and so they get even more irritated at users 'not doing it right'. Lo and behold, everybody's unhappy.
I tried to make this point the last time the subject came up. I got modded down into oblivion. I hope that you fare better.
At Cisco, you manage and set up your own systems, if you can. Sometimes you need coordination (mostly physical stuff) but no one really gets in your way of getting things done. You can create your own domain if you want to. Also, there are tools that enable global sys admin stuff to just about anyone.
Off topic (kinda), but this reminded me of the time one of my users deleted some of his MS Office directories so he could copy the full Sonic the Hedgehog Dreamcast CD to his hard drive. They were quite disappointed to learn that neither Sonic nor MS Word would run . . .
I'm not tense. I'm just terribly, terribly, alert.
And while you're creating this community, your network is busily being infested with malware, unlicensed software and pirated music.
And how is this different from what happens when the company has a software monoculture designed and administered by its IT department and the major vendors (who design the major TARGETS of malware)?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I don't care about "should". I care about the realities.
If you allow users to install software that they want, unsupported, the data files WILL end up on their local drive.
And you WILL be responsible for trying to recover them when they're lost.
No matter what you said when you granted them those rights. The company will NOT support your self-esteem over the employee's data.
In short, if you see these people as nightmares, chances are there's a good reason they're taking things into their own hands and you should get off your ass and find out what's going on, and find a way to fix it so they don't have to. You shouldn't have to do their job and they shouldn't have to do yours.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I will SEE the traffic on the network.
You do NOT understand that.
Then I would suspect a cracker had gotten past me. I know what ports are open on what boxes and WHY they're open (what service is using them). And what machines on my network connect to those boxes on those ports. If that box is not a mail server, then why would it have port 25 open?
I know you could not. But you believe that you could. I would not be suspicious when a brand new "printer" shows up on the network? That doesn't seem to be taking any print jobs? That registered itself as a workstation earlier? Instead of in the range I've assigned for printers?
Of course you do. Because you believe that you know what you're talking about.
Meanwhile, I can trace the traffic from any point on my network.
It's called "Intrusion Detection". You might want to look it up.
Yes, because it is so easy for you to find what I do WITHOUT tripping anything designed to catch just that kind of activity.
At least
The original question being:
And your reply was:
And now you're changing that.
I didn't really believe that any company would let you operate in that fashion. You're paid to support the company's IT infrastructure which is supposed to be making the PROFIT earning employees more productive/faster/safer.
Maybe the guy who wrote this article works in a building full of programmers or something, because short of that this is the dumbest idea I've ever heard. If I let my users have control of anything the PCs would be full of yahoo toolbars, itunes and some random spyware app that "automatically switches their desktops".
I know plenty of these self proclaimed techies. They go home, they watch tech TV, they read all the latest computer magazines and they can recite what the best video card is down to the chipset revision number... The things they don't know are the most important though, and it's info you wouldn't be privy to unless you knew the system, like say a sys admin or desktop support tech would. You know like program dependencies... drive mappings, registry hacks. I honestly don't know one out of the box solution that we use at our company. Every one of our apps, including the mainstream ones, have been customized to work with our environment.
I wish these dumb assholes would learn that not all PCs are your home PC. Just because you can add and remove programs sufficiently at home bears no indication that you can do anything useful in a production corporate environment. Your windows XP home edition bears little to no resemblance to the system we've put in your office. Leave it alone. We QA and test every image that goes into production, your app may not jive with our app... There are reasons to have specialists in every area. People just want to be know-it-all assholes. I don't pretend to be a cosmologist because I watch Discovery Space.
People just have no respect for IT and because of that everyone always has a better solution. People should concentrate on their jobs and stop worrying about how to get rid of the IT department, we're here, we're not going anywhere. If your IT department is lazy or can't provide solutions for you, get rid of the certificate junkies and get some real techs in place. If you give a roadmap of what you need we can make unicorns appear, at least my IT department can.
You should look forward to the day one of those laptops gets "owned" and your company is in the news headlines laughing at you for losing your clients' (or business partners') data.
If the company gives a laptop to somebody it is for work, not for personal use.
If you don't know how to secure such a laptop don't use as an excuse giving freedom to your users.
IANAL but write like a drunk one.
When I see my pay increase for the work I do for others, then I will share how I get my job done efficiently as I do.
I refuse to allow my users to have superuser access. Since being taken away I have had minimal problems with the computers. With the exception of my ID10T's
The law of unintended consequences applies here.
You can secure very well a network, but if you allow random vectors of attack on it, one of them will succeed in bringing your whole infrastructure to its knees.
I have seen it all: unintended DOS attacks (how many times does your shit application need to reinvent the nslookup command? Why does your shitty window manager have to cache all user names from the enterprise name servers itself instead of allowing the OS to do so?), macro viruses, spam viruses (flooding the network so badly that no traffic could continue). So don't give me that about network being secure or otherwise being rubbish. Network may be secure, but they don't have infinite resources.
I don't want your mum introducing a virus in my network, neither do I want a stupid application that she found cute hitting one of the corporate services, or her machine being "owned" because the little thing is not programmed securely.
IANAL but write like a drunk one.
I have users who go into their program and tweak the code because they think they know how it works, or who will delete a folder that they think is useless because they don't understand what's in it. They often can glean knowledge from poking around, but they get cocky with it and start messing things up without understanding all the ramifications. When you try to give them extra information that would help them to do things competently or systematically, they're unable to absorb it because it isn't something they think they need to know.
The issue is not whether they have the knowledge to do useful things, but whether they have the maturity to use the knowledge responsibly. If they're hacking work computers so that they can use them for gaming or warez, they are not responsible, and should not be given any more access or power than they already have.
If the need is legitimate there will be procedures in place to source, test and secure the software needed.
The only thing you are advocating is cowboyism and amateurism.
Fix your processes if you may, get adequate resources to certify that software is safe (and here you would be surprised how often companies that should know better screw up big time. I am talking about well known names, don't get me started about companies with 20 employees pushing a product for the first time in a blue chip company), put fast-tracking procedures in place if needed, but installing stuff "because there is a business need" without adequate technical oversight gives a green light to everybody to do exactly the same and is the mark of a company that does not take security seriously.
In such a situation I would not want to work in your company and will leave you with the mediocre administrators that you would deserve.
IANAL but write like a drunk one.
IT is a utility.
Go suggesting to waste water, electricity or something else and try to make a business case for it. I look forward to your proposal being laughed off.
For some reason people wasting IT resources think that is perfectly fine, after all IT people's work is barely more valuable than the janitor's.
IANAL but write like a drunk one.
I never worked in a company that allowed people bringing their own machines to put company's data there.
Oh wait, I have only worked for big, successful companies.
My bad.
IANAL but write like a drunk one.
Lock them down and scold them for doing crap to the network and machines outside of the set parameters they were given. I'm sorry but people create too many problems once you open the floodgates to just say it's a-ok for these people to do this. They generally have no idea how things are set up, they may be a "power user" and have a good working knowledge of some systems/applications, but when they screw something up, then they have to call the IT department to fix something they may or may not know how to fix, all over an issue that shouldn't have been one to begin with. And let's not forget about the fact if you give non-IT, peon, workers more rights/privileges in the infrastructure on their machines, the ones who know nothing at all about technology but are on the same level as the super-user in their department, they will feel slighted and demand the same access too. What are you going to do? Discriminate and tell them no b/c "you don't know what you're doing".
However, a very large number of users within the organisation use Macs. Some of these are self-funded, others are paid for by their departments. The one thing in common is that we support each other, have a wiki page with most configuration and want as little to do with IT as possible.
In the year I've been using my Mac (some have used theirs for years and years), I have to say it's worked exceptionally well. It's not for everyone. Some are content to toe the line and use their Lenovos.
IT turn a blind eye to the several thousand (and growing) of us. In fact, they support us in some ways (mostly secretly and below the radar). It's universally acknowledged that those employees who are itchy to use Macs instead of Windows and self-support are more productive than they would be were they forced into a corp. IT environment.
The same goes for the very large linux community within the organisation too.
Now there's one hoopy frood who really knows where his towel is!
You wanna tinker? Give me a business need and I'll set you up in a way that is safe for our business, normally in a segregated test environment.
You can play all what you want there.
You just wanna play? Buddy, go to your garage for that. Any play done in my network has to be justified and done safely.
IANAL but write like a drunk one.
Is it fishing? No? Then why should I teach them to fish anything, let alone allow them to learn empirically how to fish on the dime of the company?
If the job of these people is not to maintain and resolve network problems I don't want to see them doing so.
If they have a job to do what is wrong to ask them to get it done? Is that such a novel idea or what?
IANAL but write like a drunk one.
I worked as the regional IT director of a financial services firm which dealt with stocks, bonds, and securities. This meant we fell under the regulatory umbrella of the National Association of Securities Dealers (among others). They are a quasi-governmental agency and have absolute power (no appeals) in their sphere.
The deal that made me lock down everything was this little policy the NASD has of fining IT staff directly. Not the company, not the department...me. Personally. Starting at $100,000 and going up for security or privacy breaches.
That'll make you think twice. Oh yeah, any publicly traded company's officer (C level) can be sent to JAIL for violating certain IT regulatory policies.
So yeah, there is a reason for the control.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Fire their ass. Not coddle them.
I'm sorry but if you want to run a tight ship you can not allow such nonsense.
There are business reasons we don't go off and do our own thing, no matter how harmless it may seem at the time.
---- Booth was a patriot ----
... you and your boss would be dusting off your respective CVs, and would not expect a good recommendation from your current employer.
It would have been great somebody accessing your home server and eavesdropping in your IM sessions.
What would have been your excuse then ?
IANAL but write like a drunk one.
There are very few ways that two workstations can connect to each other over Ethernet. Seeing as how I am the network administrator, I have access to the physical media in almost every one of those scenarios.
Because I have access to the physical media, I can monitor the flow of packets.
Because I can monitor the flow of packets, I can see who is connecting to whom and on what port.
That is the same for ANY network. But then, anyone who knew as much as you claim to know about networking would know that you CANNOT hide a web server on a network. It's basic science.
No. The point is that you do not UNDERSTAND networking.
a. I do NOT have to watch "everything" that closely. I just have to monitor for things that are not supposed to happen. That's simple.
b. There is no way you can "disguise" it because I control the physical media connecting the machines. It is basic science.
c. There is no "noise". Again, you're demonstrating your ignorance. The packets have a very clearly defined format with a source and a destination clearly identified. It is BASIC science.
*waves*
There have been HOW MANY posts here where I've continued to demonstrate where you are wrong (and ignorant of basic science) and yet you still believe that you'd have some value to a company?
It's science, not magic. Believe whatever you want to believe.
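The monitoring argued for in the comment above (source, destination and port are visible in every flow, so only what is "not supposed to happen" needs flagging), as an added example that is not part of the original thread. The address plan, allowed ports and flow records are constructed assumptions, and each record is assumed to be in the client-to-server direction.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan (hypothetical, not from the thread).
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")
SERVERS = ipaddress.ip_network("10.10.0.0/24")
# Ports workstations may reach on sanctioned servers (assumed policy).
ALLOWED_SERVER_PORTS = {53, 80, 443, 445}

# Constructed sample flow records: "src dst proto dport", client -> server.
SAMPLE_FLOWS = """\
10.20.1.15 10.10.0.5 tcp 443
10.20.1.15 10.20.3.77 tcp 8080
10.20.2.40 10.20.3.77 tcp 8080
10.20.2.41 10.10.0.9 tcp 445
10.20.4.12 10.10.0.5 tcp 3306
10.20.1.15 10.20.3.77 tcp 8080
malformed line
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]), parts[2], int(parts[3]))
        except ValueError:
            continue

def find_violations(text):
    """Return (listeners, off_policy).
    listeners: {(dst, proto, dport): [clients]} for workstation-to-workstation flows.
    off_policy: sorted (src, dst, dport) for server ports outside the allow list.
    """
    listeners = defaultdict(set)
    off_policy = set()
    for src, dst, proto, dport in parse_flows(text):
        if src not in WORKSTATIONS:
            continue
        if dst in WORKSTATIONS:  # a desktop is acting as a server
            listeners[(str(dst), proto, dport)].add(str(src))
        elif dst in SERVERS and dport not in ALLOWED_SERVER_PORTS:
            off_policy.add((str(src), str(dst), dport))
    return {k: sorted(v) for k, v in listeners.items()}, sorted(off_policy)

if __name__ == "__main__":
    print(find_violations(SAMPLE_FLOWS))
```

Flagging by policy exception rather than by inspecting every packet is what keeps this cheap: the allow list is short, and a workstation that starts accepting connections stands out regardless of the port it picks.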
Because in my case I would make sure you are given a first notice to go in your file for violating company policies. If you are a contractor that would mean your contract would be terminated, if you are a permanent employee that would mean two more and you are out.
If you think breaching your employment contract is the best way to get your job done, go ahead, be my guest, just ensure you remember you have been warned.
IANAL but write like a drunk one.
e.g. #3 Users don't have an overall view of the systems and think that their actions are harmless, which they usually aren't.
IANAL but write like a drunk one.
Apparently so...
Ack!
The IM sessions were encrypted end-to-end by the client software. I may have been stupid for doing it, but I'm not that stupid.
Developers: We can use your help.
It all really boils down to the company, its history, the type of industry it's in, its size, its management, etc.
/.ers, they have to fill out forms in triplicate just to talk to someone in IT. In our company, you simply go talk to the guys in IT. If you need a printer or an app installed, we do it in a few minutes.
There are companies and situations where superusers can be a great value, and others not so much.
Personally, I'm in a company of about 200 people. We have a fairly defined and rigid set of IT policies. It's well communicated and well known that you don't install any apps or programs without IT's permission. If users have requests or need software, we'll install it for them after testing it first. That being said, there's very little deviance on behalf of the users, and overall, we have very few problems with rogue users or PCs.
It really just depends on the company. At minimum, you need to have a coherent, plain language IT acceptable use policy that all employees need to be familiar with.
Then, there's something to be said about why superusers deviate. From the sounds of a lot of
But again, there's so many factors that come into play, you have to take it piece by piece.
I had no idea what "Bonzai Buddy" was, so I had to look it up.
At first I thought it had something to do with miniature trees - maybe something like that light-hearted widget from a decade ago that let you put animated sheep all over the place. Just install, and park a little plant on your taskbar, and prune it from time-to-time. What would be so wrong about that?
Nope. Instead, you get the Frankenstein-like intersection of Grape Ape, Clippy, and GatorWare, along with the disastrous super-set of ethical implications from those aggregate parts. BonziBuddy will verbally abuse your children, sleep with your wife, drain your bank account, kick your dog, eat over the sink, run-up your cellular bill, re-program your favorite channels on the cable remote, and leave the cap off of the toothpaste tube, all after first keying your Lexus on the way up the driveway. It will lumber around on your computer like a 30-something, jobless, unemployed son-in-law that won't leave your couch "'cause X-Play is on". It will do this, all the while screaming "fire bad!", as it stumbles its way to the neighbor's house because you're "out of Mountain Dew and Doritos."
I am very glad that I never had to cross paths with this thing, let alone having to explain to people why they can get what they need if they "just google it".
That's fine until one of your employees begins sexually harassing someone using the IM. What, you weren't keeping proper logs? Oh, you were but won't turn over the entire system logs, your own personal data backups etc on your home system? What, now you are being sued as a party to a crime/harassment?
You may think this is far fetched, but it happened at my last office. There are reasons IM's are banned at many offices.
If I were the boss of a company with an IT department, I would trust my geeks.
Unless and until someone passes muster with IT, and/or proves that they are worthy of the title of "geek", they are absolutely not allowed to install anything themselves.
Screwing with computers is an automatic termination if you do not have an IT certificate!
My concern isn't too much productivity and "lording it over" my users, but rather, security.
There's simply too much malware out there that can, pardon the pun, worm its way into a user's machine for me to trust a mere novice to be mucking about. Heck, I'm a nerd myself and even I got hit with a boot sector virus. Granted it was an old machine donated to me, but I still got burned.
Now, here's the catch.
Anyone who passes an IT competency exam will be granted the privilege of administrating their own machine.
Users of both types are subject to having their computers periodically checked and searched for malware, porn, and other stuff.
Slackers need to get off my payroll, as do boobs who get my machines compromised and in turn risk what is almost CERTAINLY confidential info. Heck, if one of those machines turns rogue, I could be facing a HUGE lawsuit. Which is precisely why I only want qualified geeks screwing with the machines to begin with.
If someone is geeky enough to be trusted with the machine, AND he manages to get his work done, I really don't care if he plays solitaire or WoW. All I ask is that he do the job I hired him for without chewing up resources. If he can have fun in the process, more power to him.
My IT department is a bunch of control freaks who often hijack my conn... Sorry, I mean that the Gods of the IT Department are so nice, and lovely, and cute...
Most "powerusers" go by the creed "Tis better to beg for forgiveness, than to ask for permission." Case in point, my team runs a Fortune 100 company's storage environment. We're running about 1.2PB of EMC DMX and NetApp storage (not including VTL). If a department needs NAS for some project we have an easy webpage for them to go to, they fill it out with the sharename they'd like, and we automatically find them a filer and create a 100GB CIFS/NFS share for them. Already integrated with active directory and NIS. End user can specify who can see it by specifying a group such as .group and everyone in their dept can have read/write access to it. Or you could just specify a list of users.
Sounds pretty easy. It's backed up, regular hourly snapshots are taken. It's backed up to tape, firmware upgraded and when the lease on the filer is up, *WE* migrate all the data to another filer off hours and you continue on with your life. Anyhow...
Some PowerUser user decided he wanted to 'play IT'. And decided he wanted his own storage that he could limit who accessed. While we would have been more than happy to allocate him 100GB of storage. He proceeded to go out and build some linux box under his desk with some home-office grade disk enclosure. He then demanded that *WE* back it up to tape, and *WE* integrate it in with NIS/active directory. It should also be known that the few outlets in the cubes are not spec'd to have servers/arrays plugged into them but laptop/dock and monitor type equipment.
Long story short. Someone came along and walked off with the homeoffice disk array and all the data on it. I got to go to all the meetings and watch this asshat explain why he lost customer data.
Hey powerusers... how much privs do you need? You say you want to install whatever you want on your PC. Which btw you didn't purchase. You say you want to pick out the exact model of server your app runs on, but you don't want to be the one to stock the 97.56GB drives as replacements, nor do you want to carry a duty pager to swap out parts when they break at 2am.
Why stop there? Why not just ask for the admin password on the core routers. I'm sure your expansive knowledge of networking (and installing dd-wrt on your linksys does not make a BGP expert out of you) could prove invaluable when the DWDM gear is malfunctioning. We're upgrading to AIX6 shortly, maybe your vast experience in managing/installing mysql at home will help us optimize a 10TB DB/2 database. Please help us out, since you installed parallels on your mac, you can lend us some of your expertise in VMs when we consolidate two z990s into a z10.
You say you manage a 5TB nfs server at home? Please show us the wisdom of your ways as we try to consolidate 50 EMC DMX arrays so we can save on power and cooling.
When we fuck-up, an entire company and its customers feel the pain. When you fuck up, you prevent us from doing our job as we clean up your mess.
Users should be given just enough privileges to do their job. This is why you do not have root on your server, you download pre-packaged software from the intranet, you do not have admin on the core routers, physical access to the datacenter and why we don't "tinker." You want to tinker, go work in your garage where you can tell your wife that you built a jumpstart server for the two linux boxes in your home media center and thump your chest. We support hundreds, thousands of users who would rather spend their days focusing on doing their job.
There, I corrected it for you!
Interesting article.
I'm a programmer at a public radio station and "they" (station management) won't install a fellow programmer's music database for him, so he just called me asking for me to "hack" it for him and install his database.
Nothing a little flash distro of Puppy LINUX can't do.
All fixed, and nobody's the wiser (because our sys op isn't exactly a pro).
If it don't GO... chrome it. ~ Frank Banks