Guerrilla IT, Embracing the Superuser?
snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"
You can't let the end user have any power. Just ask the BOFH ;)
On a long enough timeline. The survival rate for everyone drops to zero. Chuck Palahniuk, Fight Club, 1996
Great...now I get to do IT's job for them. In addition to my own work. So, I'll get paid for all the extra time I put in working on an IT project, right? Remind me why we even have an IT dept. again?
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
In which case they should toe the god damn line, because they're fucking shit up for other people.
Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.
I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.
I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out of subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.
Please tell me people don't really talk like that. "Grew the solution"? "Drive business value"? These people need to get a hold on themselves and listen to the feces streaming out of their mouths.
hahaha, let the users have admin rights?
does the author have **any** experience of the commercial environment?
We've actually moved away from this, fairly strongly. We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues. While it's possible to create little sandbox areas for them, it's an administrative hassle, and it's always hard to be positive their applications can't cross security lines or impact another application's performance. Then there's the support issues - who fixes their business critical application when they've left or are on vacation? It's like the days when people would make Microsoft Access applications for everything, and then it would be dumped in our lap.
Our response has been to staff up to meet customer demand and spend a lot of time bringing other IT folks up to speed on web development. It's worked out fairly well, and the number of times I've been called in to fix a Microsoft Access report or the like has dropped dramatically.
If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it. You, as the unempowered user, receive prebuilt restrictions, prebuilt computers, prebuilt binaries. You can't tinker, you can't fix, and you aren't even supposed to poke around.
The problems of restriction in DRM, restriction in EULA, restriction by not providing source code, restriction in IT are all the same. Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid." When users can't even diagnose on their own, and are forced to run to IT for the most minor software install, the bureaucracy justifies itself. IT is necessary because it's been made necessary. Dumb down the users and they need someone to hold their hand. But create a community of educated and empowered individuals and people will share information.
In a community of empowered users people don't just share solutions, they create solutions.
"Put them to work?" I'm not about putting the beatdown on non-IT tech guys, but I'm also not about giving them free rein. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.
Oh, and wireless? I don't think so. Messing with network infrastructure is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.
In my experience, the biggest problem is that the non-IT power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Then, the proles can install Kazaa and LimeWire... and put the shares on the corporate servers.
Yes, I've seen that done.
I've been on both ends of the IT/user divide. I've administered networks of several hundred machines and am well aware of what some people will try to do with them. In my current position, however, I'm just a regular user. So when people in the department start talking about doing something that IT wouldn't approve of, I can usually explain to them in their terms why it wouldn't be such a good idea. OTOH, there have also been times where I've been called in by my boss to take care of a situation that IT hasn't been able to resolve, but that I've figured out because I face the problem daily. In those instances, I don't mind making a quick lap around the department and tweaking the machines a bit, because I know that it's exactly what IT would be doing anyways if they could be bothered to figure it out. And before someone says anything, I've contacted IT before to explain the problem and the fix. It's just that it's usually such an esoteric issue that they can't even begin to get their heads around it (e.g., font caching issues involving using certain programs in a certain sequence).
This guy's the limit!
My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.
One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.
The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.
Developers: We can use your help.
Just because someone can plug a device into a data jack does NOT mean they're a "SuperUser".
Yeah, that might work at HOME. But in the OFFICE someone (me) has to be responsible for security of our data. That includes YOUR social security number in HR's database.
If you do not like the "restrictions" you are working under, then explain to YOUR boss how much more money you'll make for the company if you get X. And your boss will talk to my boss and I will explain how much it will take to implement X (money, time, security changes, etc).
If the net is an increase in profits, we'll probably do it.
If it will open us up to a new risk WITHOUT an increase in profits, I don't care how much you love your idea. It's not going to happen.
Writing code which floods the network with packets? Crashes workstations? Worse, crashes servers?
Deletes logfiles? Rewrites config files?
Sorry - if it's my name on the line for a given piece of equipment, I want control of that piece of equipment. I left a place last February where that wasn't strictly true - and I'm relatively certain my fellow outsourced contractors were breaking stuff. I never did decide if it was accidental or intentional, but the missing log files made me go "hmmm . . .".
It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not play nice with air traffic control or nuclear plants. ;)
On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.
But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.
Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.
Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.
Proud member of the Weirdo-American community.
...and even I think this is a BAD idea. You want to mess with your own PC, okay - there's some merit there for some people. Mess with the network - hell no. There are too many things that need to get done, and the ability for one person - even an otherwise knowledgeable person - outside of IT to screw things up is just too much of an unknown.
I'm not usually one to chime in on the side of IT, as they often throw out the baby with the bath water, but letting people whose primary function is something other than keeping the network up mess with the network is just a massively bad idea. Screw up a workstation and one guy is dead for a day. Screw up the network and the whole company can go toes up.
Is it just my observation, or are there way too many stupid people in the world?
I can relate to this issue. My co-workers often come to me to fix their email and various other apps that have been screwed up by an incompetent IT staff. I try, I really do try to get my coworkers to call IT if there is a problem, but sadly, they often don't trust them. I have been accused of all sorts of things by various IT employees and none of it true or even provable if it was. The truth is mine is the only computer they are _not_ regularly fixing (or screwing up) here in my office.
Bad attitudes like yours always crack me up. Why? Because, with the exception of the mainframe administrators, it is exactly the kind of user you are complaining about that CREATED YOUR JOB. No, I don't mean users. I mean those Arse-scratching chimps that think they are superusers. The PC in the work place is a direct result of people trying to get computing power under the radar of the mainframe administrators. So, if people had followed your advice 30 years ago, you wouldn't have a job.
First of all, it depends on the context whether this is a good idea or not. In some environments, the IT group is the one and only IT wizard. In others (esp. in companies where IT development and IT research are the core business), the official IT group often is not at all capable of even understanding what the engineers are doing and supposed to do.
I've always worked (nearly 18 years now) in the latter situation. Once upon a time, I was one of those superusers in that I had an IT degree, but worked in engineering (research, actually) where most of my colleagues were non-IT engineers. They were very IT savvy at a personal level, but generally missed the wider scope. So far so good. The not so good thing, was that the IT department had no clue whatsoever of what the real business needs in terms of IT were (and neither had the company's management). The consequence was an ever worsening war between IT and IT users, amongst other things resulting in ever more shadow systems. We solved this by establishing a working group that took care of ensuring there was regular bidirectional communication between parties (I was one of the founding fathers and later on was the chairman for many years). This worked wonders. (Note: It worked so well, that when I finally left the company, the IT group tried to convince me to stay by proposing that I might join them in quite senior positions.)
Part of the whole concept was to do exactly what TFA says: the real superusers were identified; they earned the trust/respect they deserved; and then gained the appropriate - for our context - access to specific systems. (I personally managed the whole repository of OSS as well as some commercial soft we had installed centrally on UNIX. No, I did not have root, as I designed the complete setup such that I did not need it, but it will also be clear that with that level of access I potentially could access a lot of data and that capturing root would not have been difficult had I wanted. Some superusers can be trusted after all.) Many successful applications were developed in the same way: some superuser developed - with the knowledge of IT - a prototype that was taken into production for a larger audience after review by the working group and possibly some clean up by IT.
Actually, all this is nothing new. Strategic alignment between business and IT is a core part of IT governance. So is making sure that IT governance is not a buzzword hidden in a bi-monthly meeting between the CTO and CIO, both of whom generally do not understand the issues, but that it is something that is built into the whole system at all levels. And yes, this includes the superusers (at least the capable ones).
Concluding remark: I've since obtained an MBA. As part of the IT course, I wrote a paper describing the complete history of IT management & governance at my previous employer detailing the above story at length. That paper made a very happy professor, as he considered that I was absolutely spot on. Afterwards he started using me as an in-class assistant for the remainder of his course.
Linux user since early January 1992.
Are you seriously saying that the company you work for would support you NOT helping an employee recover his system just because he broke it himself? No, seriously, the company supports that position for you? Again, and the company supports that position? That's a LOT different from what you've been saying.
We only support our standard configuration. Yet if a machine breaks, whether from an employee's actions or not, we still repair/recover as much as we can.
I'm fascinated that you seem to be claiming to work for a company that values your self-esteem over actual customer contracts.
We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues.
...their applications can't cross security lines... Then there's the support issues - who fixes their business critical application when they've left or are on vacation?
And why exactly would devs get to touch production? This is the reason why change control, documentation and good service topography is so vital. Your dev system should be a snapshot of production minus personal data. Your infrastructure should support that all the way back to the dev shop. Anything less is laziness. Most of which is probably way outside of your control. I gave management the options and rationale and they make poor choices. Don't lose too much sleep over it.
While it's possible to create little sandbox areas for them, it's an administrative hassle
In theory, that's your job. You and I both know in practice, the reality is much uglier, but this gets back to having an appropriate test environment.
Get out of the blame-shifting game. Make the issues known and go on with your day. If management doesn't want to spend the money and time to manage contingencies well, then it's their fault not yours.
Comments like this are my #1 pet peeve. Get in front of these issues by communicating well and if nothing changes it's a no-win situation where blame default shifts to IT. Move on. There are greener pastures.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
In short, if you see these people as nightmares, chances are there's a good reason they're taking things into their own hands and you should get off your ass and find out what's going on, and find a way to fix it so they don't have to. You shouldn't have to do their job and they shouldn't have to do yours.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Maybe the guy who wrote this article works in a building full of programmers or something, because short of that this is the dumbest idea I've ever heard. If I let my users have control of anything the PCs would be full of yahoo toolbars, itunes and some random spyware app that "automatically switches their desktops".
I know plenty of these self proclaimed techies. They go home, they watch tech TV, they read all the latest computer magazines and they can recite what the best video card is down to the chipset revision number... The things they don't know are the most important though, and it's info you wouldn't be privy to unless you knew the system, like say a sys admin or desktop support tech would. You know like program dependencies... drive mappings, registry hacks. I honestly don't know one out of the box solution that we use at our company. Every one of our apps, including the mainstream ones, have been customized to work with our environment.
I wish these dumb assholes would learn that not all PCs are your home PC. Just because you can add and remove programs sufficiently at home bears no indication that you can do anything useful in a production corporate environment. Your windows XP home edition bears little to no resemblance to the system we've put in your office. Leave it alone. We QA and test every image that goes into production, your app may not jive with our app... There are reasons to have specialists in every area. People just want to be know-it-all assholes. I don't pretend to be a cosmologist because I watch Discovery Space.
People just have no respect for IT and because of that everyone always has a better solution. People should concentrate on their jobs and stop worrying about how to get rid of the IT department, we're here, we're not going anywhere. If your IT department is lazy or can't provide solutions for you, get rid of the certificate junkies and get some real techs in place. If you give a roadmap of what you need we can make unicorns appear, at least my IT department can.
However, a very large number of users within the organisation use Macs. Some of these are self-funded, others are paid for by their departments. The one thing in common is that we support each other, have a wiki page with most configuration and want as little to do with IT as possible.
In the year I've been using my Mac (some have used theirs for years and years), I have to say it's worked exceptionally well. It's not for everyone. Some are content to toe the line and use their Lenovos.
IT turn a blind eye to the several thousand (and growing) of us. In fact, they support us in some ways (mostly secretly and below the radar). It's universally acknowledged that those employees who are itchy to use Macs instead of Windows and self-support are more productive than they would be were they forced in to a corp. IT environment.
The same goes for the very large linux community within the organisation too.
Now there's one hoopy frood who really knows where his towel is!
I worked as the regional IT director of a financial services firm which dealt with stocks, bonds, and securities. This meant we fell under the regulatory umbrella of the National Association of Securities Dealers (among others). They are a quasi-governmental agency and have absolute power (no appeals) in their sphere.
The deal that made me lock down everything was this little policy the NASD has of fining IT staff directly. Not the company, not the department...me. Personally. Starting at $100,000 and going up for security or privacy breaches.
That'll make you think twice. Oh yeah, any publicly traded company's officer (C level) can be sent to JAIL for violating certain IT regulatory policies.
So yeah, there is a reason for the control.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
It all really boils down to the company, its history, the type of industry it's in, its size, its management, etc.
There are companies and situations where superusers can be a great value, and others not so much.
Personally, I'm in a company of about 200 people. We have a fairly defined and rigid set of IT policies. It's well communicated and well known that you don't install any apps or programs without IT's permission. If users have requests or need software, we'll install it for them after testing it first. That being said, there's very little deviance on behalf of the users, and overall, we have very few problems with rogue users or PCs.
It really just depends on the company. At minimum, you need to have a coherent, plain language IT acceptable use policy that all employees need to be familiar with.
Then, there's something to be said about why superusers deviate. From the sounds of a lot of /.ers, they have to fill out forms in triplicate just to talk to someone in IT. In our company, you simply go talk to the guys in IT. If you need a printer or an app installed, we do it in a few minutes.
But again, there's so many factors that come into play, you have to take it piece by piece.
Most "powerusers" go by the creed "Tis better to beg for forgiveness, than to ask for permission." Case in point, my team runs a Fortune 100 company's storage environment. We're running about 1.2PB of EMC DMX and NetApp storage (not including VTL). If a department needs NAS for some project we have an easy webpage for them to go to, they fill it out with the sharename they'd like, and we automatically find them a filer and create a 100GB CIFS/NFS share for them. Already integrated with active directory and NIS. End user can specify who can see it by specifying a group such as .group and everyone in their dept can have read/write access to it. Or you could just specify a list of users.
Sounds pretty easy. It's backed up, regular hourly snapshots are taken. It's backed up to tape, firmware upgraded and when the lease on the filer is up, *WE* migrate all the data to another filer off hours and you continue on with your life. Anyhow...
Some PowerUser user decided he wanted to 'play IT'. And decided he wanted his own storage that he could limit who accessed. While we would have been more than happy to allocate him 100GB of storage, he proceeded to go out and build some linux box under his desk with some home-office grade disk enclosure. He then demanded that *WE* back it up to tape, and *WE* integrate it in with NIS/active directory. It should also be known that the few outlets in the cubes are not spec'd to have servers/arrays plugged into them but laptop/dock and monitor type equipment.
Long story short. Someone came along and walked off with the homeoffice disk array and all the data on it. I got to go to all the meetings and watch this asshat explain why he lost customer data.
Hey powerusers... how much privs do you need? You say you want to install whatever you want on your PC. Which btw you didn't purchase. You say you want to pick out the exact model of server your app runs on, but you don't want to be the one to stock the 97.56GB drives as replacements, nor do you want to carry a duty pager to swap out parts when they break at 2am.
Why stop there? Why not just ask for the admin password on the core routers. I'm sure your expansive knowledge of networking (and installing dd-wrt on your linksys does not make a BGP expert out of you) could prove invaluable when the DWDM gear is malfunctioning. We're upgrading to AIX6 shortly, maybe your vast experience in managing/installing mysql at home will help us optimize a 10TB DB/2 database. Please help us out, since you installed parallels on your mac, you can lend us some of your expertise in VMs when we consolidate two z990s into a z10.
You say you manage a 5TB nfs server at home? Please show us the wisdom of your ways as we try to consolidate 50 EMC DMX arrays so we can save on power and cooling.
When we fuck-up, an entire company and its customers feel the pain. When you fuck up, you prevent us from doing our job as we clean up your mess.
Users should be given just enough privileges to do their job. This is why you do not have root on your server, you download pre-packaged software from the intranet, you do not have admin on the core routers, physical access to the datacenter and why we don't "tinker." You want to tinker, go work in your garage where you can tell your wife that you built a jumpstart server for the two linux boxes in your home media center and thump your chest. We support hundreds, thousands of users who would rather spend their days focusing on doing their job.