How To Thwart the High Priests In IT
GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."
In college, our home directories (using Linux) for the CS department were kept on NFS mounts. To distribute the load, the IT staff spread our home directories over numerous separate partitions, and to keep us within our allotted amount of space, so that we wouldn't go and fill up our accounts with junk (since we were using an old -- even for the time -- version of Slackware, "junk" could include Firefox, GNOME, and anything else that wasn't FVWM2), the IT staff had turned on quotas.
If you think about it, there is one way to do all of this that leaves a fairly large gaping security hole towards indefinite storage space. If you don't set everyone's quota to 0 on all the shares that do NOT contain their home directory, then you're giving the user unlimited quota space on that share. But how would they ever exploit something like that? I mean, it would require two students on two different shares to collude to have one of them set up a directory owned by the other in their own home directory, and thus all quotas on that partition would be meaningless. Why, if set up properly, anyone could just soft-link this directory into their own home directory, and exploit all of the programs that the user has compiled and set up! The user/{rogue IT admin} could even make a script to make it easy as pie to import it, and even send out messages about updates and upgrades!
Cut to months later, I had a usable GNOME installation, Firefox, and a recent version of OpenSSH that actually supported remote X support (I told you, this was a crazy old version of Slackware! Of course, out of concern for security of others, the "ssh" wasn't imported unless you had set the IMPORT_SSH environment variable to "1", so no claims of keylogging or whatnot). However, during one unsuccessful build attempt, I seem to have filled up the partition, and left it in that state somehow, which resulted in the IT department finding out, which led to them being very upset with me, and locking my account, requiring me to come in and talk to them to unlock it.
On a positive note, I think they realized that they couldn't just use the same old Slackware forever, and started upgrading the OS. The following year, we actually had GNOME and KDE available to us, and KDE by default, rather than FVWM2.
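A defensive check for the cross-partition quota gap described in the comment above, added here as an example (not part of the original post): quotas are tracked per user per filesystem, so anything inside a home directory that is owned by a different UID is charged to that UID on a partition where it may have no limit. The listing format (GNU `find ... -printf '%U\t%p\n'`), the `/home2` paths and the UIDs are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample of: find /home2 -xdev -mindepth 1 -printf '%U\t%p\n'
# (numeric owner UID, tab, path). Not real data.
SAMPLE = (
    "1001\t/home2/alice\n"
    "1001\t/home2/alice/src\n"
    "1002\t/home2/alice/shared\n"
    "1002\t/home2/alice/shared/gnome-build\n"
    "1003\t/home2/carol\n"
    "1003\t/home2/carol/notes.txt\n"
    "0\t/home2/carol/.quota-notice\n"
)


def parse(listing):
    """Yield (uid, path) pairs from the tab-separated listing."""
    for line in listing.splitlines():
        if line.strip():
            uid, path = line.split("\t", 1)
            yield int(uid), PurePosixPath(path)


def foreign_owned(listing, home_root, ignore_uids=frozenset({0})):
    """Map each home directory to the entries inside it that are owned
    by a UID other than the owner of the home directory itself."""
    root = PurePosixPath(home_root)
    entries = list(parse(listing))
    # The owner of <home_root>/<name> is taken as the legitimate owner.
    owners = {p: uid for uid, p in entries if p.parent == root}
    findings = defaultdict(list)
    for uid, path in entries:
        try:
            rel = path.relative_to(root)
        except ValueError:
            continue  # entry is outside the partition being audited
        if len(rel.parts) < 2:
            continue  # this is the home directory itself
        home = root / rel.parts[0]
        owner = owners.get(home)
        if owner is None or uid == owner or uid in ignore_uids:
            continue
        findings[str(home)].append((str(path), uid))
    return dict(findings)


if __name__ == "__main__":
    for home, hits in foreign_owned(SAMPLE, "/home2").items():
        for path, uid in hits:
            print(f"{home}: {path} is owned by uid {uid}")
```

Each flagged UID is then worth checking against the quota report for that filesystem to see whether it has a limit there.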
This was probably written by the dude who routinely roots his box (calls Dell to get the BIOS reset code, uses a bootcd, et voila) so that he can install PC anywhere because it's VITAL for his side business and he knows IT will say "no".
I know how to break into one in about five seconds. They're an enormous security risk, and I'm not an "enemy" because I don't think they belong on my network. If Apple wants to make a ruggedized iPad designed to hook safely into a domain based corporate network, then I'll consider that a business machine, but until they do, I'm going to call the iPad what it is - a toy. Period.
Occasionally living proof of the Ballmer peak.
Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.
Yeah... then there's my job, where somebody recently pushed out a GPO update that was supposed to make Internet Explorer "more secure" by preventing downloads. It's been five days now, and our company is at a virtual standstill... it's costing tens of millions every day, probably more. Bonus: I work for a major health insurance provider in the US.
The problem is when you get people who just start adding restriction after restriction with no understanding of what it does not just to productivity and worker morale, but in some cases to the very applications they support.
It's like how they've encrypted my whole drive and then added 3 antivirus scanners to it, running constantly... and now they're planning on upgrading to Windows 7. The only reason the system works at all is because it has 4GB to run XP ... and a couple web browser windows. It chokes on anything more.
No, IT policy is often both foolish and stupid, and getting around it is the only way to get work done. Unless you don't care about that sort of thing, in which case, yeah... feel free to do nothing until they fire you and replace you with someone who does bypass the policies. IT has become like marketing that way -- sure, it's probably against policy, but if you want to make quota, you better ignore them too.
Well yes, but I think you're implicitly overestimating the typical cost of "resulting in regulatory fines or competitive disadvantage". When was the last time you heard of a company getting fined or giving data to a competitor as a result of a data leak from a lost piece of computer equipment? When was the last time you heard a salesman say they lose time to IT policies?
I personally have had two clients because it's easier for them to outsource the work than it is to get their IT enabling that work to be carried out internally. As you say it's all about compromises, but in my experience the way those compromises fall depends much more on the political clout of IT than on any intelligent assessment of the risk and benefit.
The other reason to deny new and/or user supplied devices is the unwillingness to support every phone out there.
Yes, Android phones are largely the same and various versions of iPhone/iPad are largely the same, but it's wearing for IT staff to have to learn every new phone and its idiosyncrasies, not just to get it set up but to troubleshoot it when you're "sure" that the problem isn't your phone/carrier, but our network.
If IT doesn't jealously and rigidly enforce device standards, they end up supporting dozens of different devices regardless of a policy that says "bring in what you want, but you support it". Users whose phone has a bug, or are in a cell dead spot, or have some data plan missing will always claim that IT isn't letting them on the network and/or won't fix the issue on "the system" that is preventing them from connecting. IT has to take the device, troubleshoot it, and show that it isn't the system causing the issue.
Users who don't know how to configure their phone will ask IT to configure it; if IT says they don't touch user supplied devices, the user complains that they aren't productive and IT is "asked" to fix the issue "just this once" so the user can start working. Repeat this 50 times and you now have IT supporting every user's phone or non-company supplied laptop. The exception(s) dwarf the rules.
Now that IT has touched it, most users think that IT can/should fix other issues that may have nothing to do with what was done in the first place -- I've had users drop off laptops complaining that their anti-virus is slowing their computer down ever since we put VPN software or logmein on their computer, etc. So in proving our innocence, we find some resource sucking app that has been installed for years, or some new app that has long startup times, etc. and we have to explain that that's the cause and not the VPN software that runs without any issues on all of our computers and a couple dozen other non-IT machines.
User devices are nearly always a disaster and always a larger investment in time than made out to be. Companies don't want to hire a dedicated guy to troubleshoot user devices, but the same management expects a limited IT staff to "just this once" spend 2 or 3 hours troubleshooting some problematic laptop, or an hour and a half troubleshooting some vague issue on a phone that turns out to be carrier finickiness or another piece of software on that phone, etc.
I'd say that during normal working hours, we typically have 10 people and spend a minimum of 30 man hours per week dealing with user devices and many are repeats, don't listen to anything we say like when we tell them that it's not a surprise that their brand new Android phone has shorter battery life than their old blackberry or flip phone and that it has nothing to do with Exchange ActiveSync. Some people have come to us with brand new phones they've had for a whole day or two, asked us to configure it, then return 2 or 3 days later to tell us that what we did is killing their battery. When we ask, they tell us that their old blackberry didn't need charging every day, that this phone does and they imply that it must be us turning on activesync -- never mind that they didn't spend enough time with the phone to learn its battery life before getting us to set up activesync...
Then come the users who switch personal phones every other month and expect to simply hand the phone to us so we can set up activesync, but don't give us the password OR don't have a password and get upset when activesync policy pushed from our server requires them to have a password. Two people in one department went from personal blackberry to htc droid to samsung droid to iphone 4 to iphone 4s in about 13 months. Each switch they expected us to export their contact list (which they explicitly chose not to sync with Exchange) and each time they expected us to waive the password policy for them. When we pushed back in the beginning, they complained and said they were OK with doing it themselves. They made no real effo