People love the "We installed WIFI ourselves and all was joyous" stories. But you never hear the, "We installed WIFI ourselves and breached security on the network/ate up all the DHCP addresses/allowed a guy with a trivial WEP breaking program to sniff everyone's network passwords" story.
There are very good reasons why WIFI can't always be installed. No one ever wants to hear it, but it's true. If all you need is internet access, it's trivial. If you need access to secure servers, it is substantially more difficult.
Absolutely. Unfortunately there are a lot of Access jockeys out there, and they have a tendency to create Access applications that are massive and byzantine.
I tend to replace them with web apps, when their progenitor dies or gets fired, because it's usually easier to start them over from scratch than it is to support them, but I've never been in a position where I could force other departments to hire someone who would do it right the first time.
If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.
I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.
Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.
We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a weeks worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.
If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.
The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.
Yep, and I've had that problem, so I appreciate it. Still, in the long run, it was probably a net gain for the IT department because that guy fielded a lot of tedious report and database issues before he quit, and by the time he left they had a better grasp on what they needed, so we could deploy supportable webapps to provide them the same functionality.
I'm currently working the other end of the stick with a crappy phone system that no one is willing to pay to upgrade...And we need the upgrade.
And I know that sometimes the stupid thing gets upgraded; we got an upgrade for an graphics management system which wasn't really required, and which is about to be rendered obsolescent by outsourcing after only 18 months in operation. Total cost would have paid for the new phone system, which would have paid for itself in 3 years without any help.
Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.
I'm in favor of allowing the leeway, but its a two way street. When someone like that screws their machine, it's usually not pretty, and it's not the sort of thing that can be easily fixed. I'm happy to restore an old image if you asked me to make one. I'm happy to recover files if it's possible.
But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing. I always make this stuff clear when a manager requests these sorts of permissions for one of their people. We support the standard configuration, once you deviate from that, all bets are off.
That's one thing I see a lot; a lack of communication between the users and IT. They need something, something that we could provide if we knew they needed it, but we don't spend any time up there, and they don't know enough to ask for it.
I've tried things like getting IT people invited to departmental meetings, cross-training the new guys in other departments...Whole lotta nothin has come out of that.
I think in the long run it's jsut going to require that the average user becomes tech savvy enough to know what to ask for, or we start hiring guys whose official role is like "embedded IT"; they work in other departments, but they report to IT.
Blah blah blah. Every third response is something along the lines of, "Well my last experience with IT sucked, so they must be worthless."
So a simple question: "What's the alternative?"
Seriously. Are you suggesting throwing the entire corporate infrastructure open to maintenance from anyone who thinks they can do it?
Frankly, I'm fucking tired of everyone sitting around with nothing better to do than complain about this or that thing. I've got crap to work with; too few employees, ancient systems, no money for software, hardware, or training.
When I do get an upgrade, everyone who doesn't benefit immediately starts calling it a stupid purchase and a waste...Godforbid someone wants to switch to IP telephony, because we all know that that tech is never going to catch on, and it's a much much better idea to keep paying for old fashioned phone trunks every month than just one nice internet connection.
I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.
But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.
The maintenance thing is definitely one of the biggest headaches...Those fricking Access apps can be a cast iron bitch.
With Healthcare I can definitely see getting rid of those guys; HIPPA concerns alone would be a good reason to have only professional applications. The costs of a security leak would be disastrous.
Still, for other businesses, it's harder to squeeze the money for extra FTEs in IT, and some of the slack in reporting especially, will have to be taken up by access junkies who can be slipped onto another departments payroll.
"Put them to work?" I'm not about putting the beatdown on non-it tech guys, but I'm also not about giving them free reign. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.
Oh, and wireless? I don't think so. Messing with network infrastucture is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.
In my experience, the biggest problem is that the non-it power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.
I like flock because, used intelligently, it can accurately secure files and allow multiple processes to run without having to worry about file corruption or process write violations.
Offtopic, but it irks the fire out of me that "illegal" opiates (e.g Heroin, morphine, etc) are forbidden to people with terminal diseases...What possible rationale could there be for denying a guy with bone cancer (for example) the strongest possible drugs?
I'm still not following. If I was addicted to really raunchy S&M porn in my lunch hour, would it be anyone's business but my own? Likewise how much coffee I drink, or my prescription meds, or, frankly, my recreational meds, are my business, and not anyone elses.
Under normal circumstances, the rationale for drug testing is that the user may become a problem at work. Since, in this particular case, we're talking about people who are judged purely by results...I just don't see a problem. If they don't perform, don't fund 'em. If they do perform, don't mess with it. Science is hard work, and people do weird things to get their mind in that groove.
The thing is, it's not hard to get a prescription for Provigil; just keep complaining of tiredness to your doctor until he prescribes it...Is he going to tell you you're lying about it?
I don't know of any serious side-effects other than those attendant on other stimulants. It's been out for about 25 years, so you'd think they would have shown up by now, so the cocaine analogy is flawed. If caffeine was illegal, would consuming it be okay?
How do you figure? I mean, they should be getting grants because they're good at what they do, right? If the drugs are a part of that, then they're a part of the reason the guy is getting the grant in the first place.
Somebody said it above; this isn't sports. It's not "cheating" to use a performance enhancing drug in your job. Most of us are addicted to a common one: caffeine. That's considered perfectly normal, but if you're using Provigil without a prescription its a wholly different thing.
The problem is one of perception. Some things are "drugs" and shouldn't be "abused", and some other things that seemingly belong in that category as well...aren't there.
I've seen some big corporate firewalls with "Allow All" set for outbound connections. Doesn't matter how sexy the firewall if the guy configuring it is a moron.
These things are trivial to discover, frankly. If they're using the botnet for Spam, it's probably coming primarily through exploited business machines (since consumer ISPs have gotten pretty good at blocking port 25).
If you've got a business account, it should be obvious if you're sending a ton of spam, especially if you're paying for bandwidth...Your ISP will be sending you nastygrams, never fear. You should also just be able to monitor your port 25 traffic...The level of spam these are sending out is well above any normal usage for all but the largest companies.
It's always a good policy to block port 25 for all machines except the designated mail machines, so you don't have to worry about spam bots on anything but those machines. No business really needs multiple mail servers, unless you're sending a lot of crap through email that you shouldn't be.
I assume you mean outbound; any large business is going to have problems if they try to use whitelists for all their incoming mail...You really have to let the spam filter take care of the junk that will come through, though stripping out.exe and archive files is smart.
...install a more secure OS, and take the time to learn to properly use your new OS. Whenever someone says this in reference to a *nix, I have to roll my eyes. There is a reason Unix admins are well paid, and it's not because it's trivial to competently admin a unix/linux machine. You have to master a number of skills to even begin looking for possible exploits on your machine, and to be able to say with certainty that it is secure? I don't know what that would take.
If it's not secure out of the box, then the odds that a person who doesn't specialize in unix is going to be able to figure out the issues is pretty low, and the amount of time a user would have to put in to get that sort of knowledge is prohibitive.
I do agree wrt using Live CDs; that's about the safest way of running a secure system. Deploying a security appliance can be done with a customized Knoppix, and the system will be effectively unhackable...Even the worst exploit could be fixed with a reboot. Most ATMs work this way, with their software stored in read-only media.
Ma Bell is alive and well, and living under the name "AT&T" these days, which is technically what she was known as before the whole "Ma Bell" thing...but the current company is technically SBC (Southwest Bell), which happened to be the nastiest and most voracious of the little bells. They switched their name to AT&T inc after they bought the "original" AT&T co which was the chunk of the original company that was allowed to keep the name after the divesture.
(I know the preceding paragraph is nearly incoherent. The business relationships are completely incestuous.)
Half of the original Bells are owned by AT&T these days, and with buyouts like Cingular, it's arguably nastier than before.
That doesn't even apply to "conscious" differences. If I'm talking on the phone and typing in my password with my left hand (which will take a bit because I'll have to do the pinky-thumb shift dance to do the special characters), it's going to lock me out because I don't type like me?
The only use I see for this is for an amusing/ironic plot twist in a hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.
The thing that killed me about LOTR was the Two Towers movie.
In the book the Ents were (entishly) spoiling for a fight. In the movie, they didn't even know that they were losing trees until a buncha hobbits clued them in. Worst Tree Shepherds ever.
And Rohan? In the book, once Theoden is "awakened" he moves directly into ass-kicking mode. In the movie, not only do we have Eomer wandering off with the whole army (wtf?) but Theoden does this fricking "King Lear" impersonation for the last 40 minutes of the film.
Oh yea, and the Elves? They're going to leave without a fight? And fricking Elrond throwing down on his daughter for having the hots for a human? Elrond Half-Elven? Jesus Christ.
If you're going to hollywood it, at least make it make sense.
Slashdot Mirror
People love the "We installed WIFI ourselves and all was joyous" stories. But you never hear the, "We installed WIFI ourselves and breached security on the network/ate up all the DHCP addresses/allowed a guy with a trivial WEP breaking program to sniff everyone's network passwords" story.
There are very good reasons why WIFI can't always be installed. No one ever wants to hear it, but it's true. If all you need is internet access, it's trivial. If you need access to secure servers, it is substantially more difficult.
Absolutely. Unfortunately there are a lot of Access jockeys out there, and they have a tendency to create Access applications that are massive and byzantine.
I tend to replace them with web apps, when their progenitor dies or gets fired, because it's usually easier to start them over from scratch than it is to support them, but I've never been in a position where I could force other departments to hire someone who would do it right the first time.
You're being a jackass, but I'll respond anyway.
If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.
I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.
Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.
We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a weeks worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.
If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.
The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.
Yep, and I've had that problem, so I appreciate it. Still, in the long run, it was probably a net gain for the IT department because that guy fielded a lot of tedious report and database issues before he quit, and by the time he left they had a better grasp on what they needed, so we could deploy supportable webapps to provide them the same functionality.
I'm currently working the other end of the stick with a crappy phone system that no one is willing to pay to upgrade...And we need the upgrade.
And I know that sometimes the stupid thing gets upgraded; we got an upgrade for an graphics management system which wasn't really required, and which is about to be rendered obsolescent by outsourcing after only 18 months in operation. Total cost would have paid for the new phone system, which would have paid for itself in 3 years without any help.
Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.
I'm in favor of allowing the leeway, but its a two way street. When someone like that screws their machine, it's usually not pretty, and it's not the sort of thing that can be easily fixed. I'm happy to restore an old image if you asked me to make one. I'm happy to recover files if it's possible.
But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing. I always make this stuff clear when a manager requests these sorts of permissions for one of their people. We support the standard configuration, once you deviate from that, all bets are off.
That's one thing I see a lot; a lack of communication between the users and IT. They need something, something that we could provide if we knew they needed it, but we don't spend any time up there, and they don't know enough to ask for it.
I've tried things like getting IT people invited to departmental meetings, cross-training the new guys in other departments...Whole lotta nothin has come out of that.
I think in the long run it's jsut going to require that the average user becomes tech savvy enough to know what to ask for, or we start hiring guys whose official role is like "embedded IT"; they work in other departments, but they report to IT.
Blah blah blah. Every third response is something along the lines of, "Well my last experience with IT sucked, so they must be worthless."
So a simple question: "What's the alternative?"
Seriously. Are you suggesting throwing the entire corporate infrastructure open to maintenance from anyone who thinks they can do it?
Frankly, I'm fucking tired of everyone sitting around with nothing better to do than complain about this or that thing. I've got crap to work with; too few employees, ancient systems, no money for software, hardware, or training.
When I do get an upgrade, everyone who doesn't benefit immediately starts calling it a stupid purchase and a waste...Godforbid someone wants to switch to IP telephony, because we all know that that tech is never going to catch on, and it's a much much better idea to keep paying for old fashioned phone trunks every month than just one nice internet connection.
I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.
But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.
The maintenance thing is definitely one of the biggest headaches...Those fricking Access apps can be a cast iron bitch.
With Healthcare I can definitely see getting rid of those guys; HIPPA concerns alone would be a good reason to have only professional applications. The costs of a security leak would be disastrous.
Still, for other businesses, it's harder to squeeze the money for extra FTEs in IT, and some of the slack in reporting especially, will have to be taken up by access junkies who can be slipped onto another departments payroll.
"Put them to work?" I'm not about putting the beatdown on non-it tech guys, but I'm also not about giving them free reign. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.
Oh, and wireless? I don't think so. Messing with network infrastucture is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.
In my experience, the biggest problem is that the non-it power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.
I like flock because, used intelligently, it can accurately secure files and allow multiple processes to run without having to worry about file corruption or process write violations.
What?
Offtopic, but it irks the fire out of me that "illegal" opiates (e.g Heroin, morphine, etc) are forbidden to people with terminal diseases...What possible rationale could there be for denying a guy with bone cancer (for example) the strongest possible drugs?
I'm still not following. If I was addicted to really raunchy S&M porn in my lunch hour, would it be anyone's business but my own? Likewise how much coffee I drink, or my prescription meds, or, frankly, my recreational meds, are my business, and not anyone elses.
Under normal circumstances, the rationale for drug testing is that the user may become a problem at work. Since, in this particular case, we're talking about people who are judged purely by results...I just don't see a problem. If they don't perform, don't fund 'em. If they do perform, don't mess with it. Science is hard work, and people do weird things to get their mind in that groove.
The thing is, it's not hard to get a prescription for Provigil; just keep complaining of tiredness to your doctor until he prescribes it...Is he going to tell you you're lying about it?
I don't know of any serious side-effects other than those attendant on other stimulants. It's been out for about 25 years, so you'd think they would have shown up by now, so the cocaine analogy is flawed. If caffeine was illegal, would consuming it be okay?
I thought religion was the opposite?
How do you figure? I mean, they should be getting grants because they're good at what they do, right? If the drugs are a part of that, then they're a part of the reason the guy is getting the grant in the first place.
Somebody said it above; this isn't sports. It's not "cheating" to use a performance enhancing drug in your job. Most of us are addicted to a common one: caffeine. That's considered perfectly normal, but if you're using Provigil without a prescription its a wholly different thing.
The problem is one of perception. Some things are "drugs" and shouldn't be "abused", and some other things that seemingly belong in that category as well...aren't there.
I've seen some big corporate firewalls with "Allow All" set for outbound connections. Doesn't matter how sexy the firewall if the guy configuring it is a moron.
These things are trivial to discover, frankly. If they're using the botnet for Spam, it's probably coming primarily through exploited business machines (since consumer ISPs have gotten pretty good at blocking port 25).
If you've got a business account, it should be obvious if you're sending a ton of spam, especially if you're paying for bandwidth...Your ISP will be sending you nastygrams, never fear. You should also just be able to monitor your port 25 traffic...The level of spam these are sending out is well above any normal usage for all but the largest companies.
It's always a good policy to block port 25 for all machines except the designated mail machines, so you don't have to worry about spam bots on anything but those machines. No business really needs multiple mail servers, unless you're sending a lot of crap through email that you shouldn't be.
I assume you mean outbound; any large business is going to have problems if they try to use whitelists for all their incoming mail...You really have to let the spam filter take care of the junk that will come through, though stripping out .exe and archive files is smart.
...install a more secure OS, and take the time to learn to properly use your new OS. Whenever someone says this in reference to a *nix, I have to roll my eyes. There is a reason Unix admins are well paid, and it's not because it's trivial to competently admin a unix/linux machine. You have to master a number of skills to even begin looking for possible exploits on your machine, and to be able to say with certainty that it is secure? I don't know what that would take.If it's not secure out of the box, then the odds that a person who doesn't specialize in unix is going to be able to figure out the issues is pretty low, and the amount of time a user would have to put in to get that sort of knowledge is prohibitive.
I do agree wrt using Live CDs; that's about the safest way of running a secure system. Deploying a security appliance can be done with a customized Knoppix, and the system will be effectively unhackable...Even the worst exploit could be fixed with a reboot. Most ATMs work this way, with their software stored in read-only media.
Ma Bell is alive and well, and living under the name "AT&T" these days, which is technically what she was known as before the whole "Ma Bell" thing...but the current company is technically SBC (Southwest Bell), which happened to be the nastiest and most voracious of the little bells. They switched their name to AT&T inc after they bought the "original" AT&T co which was the chunk of the original company that was allowed to keep the name after the divesture.
(I know the preceding paragraph is nearly incoherent. The business relationships are completely incestuous.)
Half of the original Bells are owned by AT&T these days, and with buyouts like Cingular, it's arguably nastier than before.
God help me for laughing at that.
That doesn't even apply to "conscious" differences. If I'm talking on the phone and typing in my password with my left hand (which will take a bit because I'll have to do the pinky-thumb shift dance to do the special characters), it's going to lock me out because I don't type like me?
The only use I see for this is for an amusing/ironic plot twist in a hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.
The thing that killed me about LOTR was the Two Towers movie.
In the book the Ents were (entishly) spoiling for a fight. In the movie, they didn't even know that they were losing trees until a buncha hobbits clued them in. Worst Tree Shepherds ever.
And Rohan? In the book, once Theoden is "awakened" he moves directly into ass-kicking mode. In the movie, not only do we have Eomer wandering off with the whole army (wtf?) but Theoden does this fricking "King Lear" impersonation for the last 40 minutes of the film.
Oh yea, and the Elves? They're going to leave without a fight? And fricking Elrond throwing down on his daughter for having the hots for a human? Elrond Half-Elven? Jesus Christ.
If you're going to hollywood it, at least make it make sense.