#801 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
I can't watch The IT Crowd for the same reason.
|
__________________
This is Australia. It's possible to start a fire with a lukewarm audience reaction to your standup routine. |
|
#802 |
Penultimate Amazing
Join Date: Nov 2014
Location: Gundungurra
Posts: 12,005
|
|
__________________
...our governments are just trying to protect us from terror. In the same way that someone banging a hornets’ nest with a stick is trying to protect us from hornets. Frankie Boyle, Guardian, July 2015 |
|
#803 |
Master Poster
Join Date: Jul 2010
Location: Silicon Valley
Posts: 2,172
|
My office is finally back to a significant opening (still not required to go in, but most services are open). Went in today and there's a lot of folks in the cafe, but almost no one in my office area.
I forgot how to run the office phones for meetings. At home I just use the local mute button. But in the office there's a keypad mute as well. I forgot... |
#804 |
Self Employed
Remittance Man Join Date: Nov 2009
Location: Florida
Posts: 40,785
|
Dear User,
If you stopped receiving [specific type of medical file] last Wednesday, but didn't tell anyone until 4:30 yesterday, no you have not been "Waiting a week for IT to address this issue." |
__________________
"If everyone in the room says water is wet and I say it's dry that makes me smart because at least I'm thinking for myself!" - The Proudly Wrong. |
|
#805 |
![]() Join Date: Jun 2004
Location: Monkey
Posts: 63,514
|
|
__________________
You added nothing to that conversation, Barbara. |
|
#806 |
Director of Hatcheries and Conditioning
Join Date: Jul 2002
Location: Waiting for the pod bay door to open.
Posts: 44,460
|
|
__________________
Continually pushing the boundaries of mediocrity. Everything is possible, but not everything is probable. “Perception is real, but the truth is not.” - Imelda Marcos |
|
#807 |
Begging for Scraps
Join Date: Aug 2004
Location: UK, suburbia. 20 minutes in the future
Posts: 2,148
|
|
__________________
“Ignorance more frequently begets confidence than does knowledge: it is those who know little, and not those who know much, who so positively assert that this or that problem will never be solved by science.” - Charles Darwin ...like so many contemporary philosophers he especially enjoyed giving helpful advice to people who were happier than he was. - Tom Lehrer |
|
#808 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Oh yes. Working for a major bank a few years back a lot of teams were going Agile and trying devops etc and it was going great. Until we got near production systems where we were stuck with a process intended for mainframes of many years ago. Nothing against mainframes - I wrote a ton of stuff to streamline deployment of code and data to the UAT systems which was never allowed near prod. A large part of that was because a lot of ITIL Service Delivery people didn't really get computers. Maybe they tweak some JCL etc but they really just knew how to run processes in the manner of their fathers and their fathers' fathers back to when some civil servant said to Babbage "We should try to do this neatly".
The teams supporting trading (which moves very fast) got the backing of their senior management to go full devops and basically tell service delivery to sod off and the dead hand of IT Security to mind their own business. Again, security is vital but it needs to adapt to the needs of the business. </rant> |
__________________
"Your deepest pools, like your deepest politicians and philosophers, often turn out more shallow than expected." Walter Scott. |
|
#809 |
Director of Hatcheries and Conditioning
Join Date: Jul 2002
Location: Waiting for the pod bay door to open.
Posts: 44,460
|
There is a real cyberwar out there. Security has to be of paramount concern. You can guarantee that banks are being tested 24 hours a day.
The other problem with going Agile is the difficulty of merging large changes from different teams working in parallel. |
#810 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Yes, which means that IT Security needs to understand the business. I used to be a pentester for IBM in the 80's, helped design the RACF security model for an IBM product and left the bank to work with NHS data where security is even more critical. The NHS model is pragmatic and focused and carries swinging penalties. I tried working with IT Security and the bank and got some changes made to the DB security model and I swore never to do it again. Painful and because of the layers of isolation between me and the DB security "expert" the solution they came up with was effectively unworkable. In contrast at IBM when we were being humped by corporate audit we phoned the guy who wrote the security guidelines, explained why we did what we did and he changed the manual to reflect what we did.
#811 |
Beauf
Join Date: Nov 2004
Posts: 3,316
|
The other day I sat in an ITSC meeting where the head of our development team presented the results of a quality review performed three years after the organisation formally moved onto Agile as its preferred approach.
The results: all the same mistakes, but made faster and more independently. |
__________________
"But Master! Does not the fire need water too? Does not the mountain need the storm? Does not your scrotum need kicking?" |
|
#812 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Yep. An unfortunately macho analogy I sometimes use is comparing waterfall and old coding shops to Napoleonic infantry. Lined up in rows, told when to step, when to load, when to fire, no idea of big picture. Agile is more like say USMC doctrine where every soldier knows the intended result, they move independently but together to achieve it, improvise adapt overcome yada yada. You can't just take a Napoleonic era rifleman and drop him in a USMC platoon and expect him to function. You need training, tools, mutual understanding etc.
This also unfortunately sounds insulting to the waterfall programmer. I've dealt with a few teams that had programmers handed specs, inputs, outputs etc and they wrote good code and so forth but they'd need a lot of time to adapt to agile. |
#813 |
Illuminator
Join Date: Nov 2002
Posts: 3,949
|
|
__________________
You can't defeat fascism through debate because it's not simply an idea, proposal or theory. It's a fundamentally flawed way of looking at the world. It's a distorting prism, emotionally charged and completely logic-proof. You may as well challenge rabies to a game of Boggle. @ViolettaCrisis |
|
#814 |
![]() Join Date: Jun 2004
Location: Monkey
Posts: 63,514
|
Them: "What's the difference between the department report and the resource report?"
Me: "The department report displays the data by department. The resource report displays the data by resource."
Them: "Thanks!"
I can't wait until they ask what the difference is between the March report and the April report. The answer will blow their mind! |
#815 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Confusing names obviously. Try renaming as the 27b/6 and TLA(x2). Unless Elon Musk has used them as kids' names.
|
#816 |
Self Employed
Remittance Man Join Date: Nov 2009
Location: Florida
Posts: 40,785
|
This is another one that's more of a general office complaint, but does tie back into the "I'm the IT guy, not the generic everything with a computer/electricity/everything" guy.
So this morning when I came in, did my normal rounds to make sure there were no immediate fires, literal or metaphorical, to put out I swung by the breakroom to grab a cup of coffee so I could sit down and start going through my ticket queue for the day. The vending machines sit right outside the breakroom and there was a guy there with the machine open doing work on it. Well I went into the breakroom, poured myself a cup of coffee, and made some generic smalltalk with a few of the employees, and left. Here is where it got a little weird. The vending machine guy let 4-5 of the actual employees of the business just walk past him, then stopped me. And like sorta aggressively, like stepping into my path. So like it was obvious he looked at the crowd of people coming out of the breakroom and singled me out. And then proceeded to talk... again sort of not rudely or aggressively but that tone is just one step below it in that vague tone that's part rant, part frustration, part "let it out" stream of consciousness and just a hint of accusation about how if there was a bottle stuck in the slot (it's one of those glass front drink machines that has the little mechanical arm-thing) to stop buying sodas and not just keep buying them so they pile up and then he went on, again in this weird unbroken stream of consciousness ramble that was just a hair on the side of not full on angry. And everything was like that, just barely on the socially acceptable side. He wasn't in my face, but he wasn't like totally not in it either, right there just a little bit inside what a reasonable personal space bubble for a conversation in an office would be. He wasn't like puffing his chest out and squaring off, but he wasn't like totally not doing that either, he certainly was "projecting" in his body language if that makes any sense. Nothing crossed any lines so that any real warning bells started going off, but everything was just a little off.
Just a tiny, tad bit more aggressive than it really needed to be. I sort of just blew him off with a mumbled "Okay" because I was not awake enough to really deal with this and had **** to do, but it was just weird. I'm just so confused as to what made me be the guy who he just zeroed in on to halfway angrily data dump this to. Do IT guys just put off some vibe? |
#817 |
![]() Join Date: Jun 2004
Location: Monkey
Posts: 63,514
|
Perhaps he mistook you for the person in charge? Were you dressed fancier than the others? Do you carry an attitude of authority? Do you have a stern but noble face with wisdom in the lines of your forehead and jutting brows bushy with experience and a mighty nose like the prow of a ship cutting its way through an ocean of life that parts before your personal greatness of spirit? Or maybe you give off a deeply sexy vibe and this vendingman is simply awkward at flirtation?
|
#818 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Perhaps he saw the herd of users doubtless chattering away about "how their diet was going so well and then they thought should I be really naughty and have a breadstick and I shouldn't really but then I did and then my diet was broken and so I thought I might as well have the mega chocolate surprise pork pie cake with double ice cream and candy coated lard and " and saw you on your own cut away from the herd and pounced.
|
#819 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
OMG it's actually happened. They've locked down the browsers. Now you can't save sessions and reopen the tabs you were last using. Since I routinely work with about a dozen tabs this means that I have to manually open each one at the beginning of the day.
They've also prevented storing passwords. Essentially forcing everybody to work without any kind of automated password management - every password has to be manually entered every time. And this is a whole-of-government thing too. I don't think anyone who makes these decisions realises how breathtakingly stupid it is. My life just became a little more annoying, but I'll work with it. I have no choice. |
#820 |
Penultimate Amazing
Join Date: Nov 2014
Location: Gundungurra
Posts: 12,005
|
|
#821 |
Master Poster
Join Date: Jul 2010
Location: Silicon Valley
Posts: 2,172
|
|
#822 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
|
#823 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Can you save the URLs as desktop shortcuts? Write a little cmd file calling iexplore or whatever Bing is called?
|
#824 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
The nice thing is that this security update has restored my access to this forum. So no more Tapatalk for me.
I'm slowly finding workarounds for all the things that I can't do any more. Edge allows you to save a website as an app, and pin it to the taskbar. So I've done that for a number of sites that I use regularly, including this one. I will save my sessions and open tabs by simply not logging off in the evenings unless I absolutely have to. Windows is pretty stable for long periods these days, but I guess I'll see how it goes. I have no workaround for the requirement to type my passwords constantly. I think this is by design. By forcing me to type my passwords constantly, they are effectively encouraging me (and everyone else) to make less secure, less complex passwords, and to re-use them on multiple sites. If they permitted Edge to store passwords, we could use better passwords. They're still protected by two-factor authentication because the entire desktop environment now has two-factor authentication. From a security standpoint, it just makes no damn sense. |
#825 |
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 7,032
|
|
__________________
The social illusion reigns to-day upon all the heaped-up ruins of the past, and to it belongs the future. The masses have never thirsted after truth. They turn aside from evidence that is not to their taste, preferring to deify error, if error seduce them. Gustav Le Bon, The Crowd, 1895 (from the French) |
|
#826 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
Nope. Absolutely no password managers of any kind. Period. Crazy, right?
And it's not just like they prohibited a whole lot of software and password managers just happened to be swept up in that. It was absolutely 100% deliberate and specific to disallow any kind of password management. There is a process for adding software to the Approved Software List. If I followed every step of that process correctly to request that KeePass be added to the ASL, my request would be denied on policy grounds. |
#827 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Good grief. Even <major global bank> implemented a single signon tool on its locked down PCs back in 2010 or so.
|
#828 |
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 7,032
|
Really crazy, and as you said earlier, breathtakingly stupid. I can see this policy changing in a couple of years after a series of embarrassing data leaks caused by bad password management.
Now, I can see password managers being a point of failure if Mr. Skroob in accounting secures his with "12345." However, I looked up how KeePass works, and it's possible to install it on a network drive and point it to a configuration file that can't be bypassed. There is an option available that enforces minimum properties on the master key, so that wouldn't be a problem. |
#829 |
![]() Join Date: Jun 2004
Location: Monkey
Posts: 63,514
|
You can change programs but you can't change humans. The more frequently the passwords are forced to be changed, and the more of them you have to have, the greater the incidence of sticky-notes with the password written on them, stuck right to the monitors.
|
#830 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
|
#831 |
Self Employed
Remittance Man Join Date: Nov 2009
Location: Florida
Posts: 40,785
|
I have over 30 users (out of roughly 500-ish) who don't own a smart device (or at least claim not to.) I have at least as many who don't have a PC at home.
And 90% of my user base as I have frequently mentioned are self described "widdle ole' ladies who just aren't good with these newfangled, what did you call them, computer things." not as an actual lack of skill as a personality trait. My security is a shameful nightmare and I'm aware of it but we as an organization have tried to force any kind of change multiple times and it just won't happen. The best we can do is get everything in writing and keep our butts covered. |
#832 |
![]() Join Date: Jun 2004
Location: Monkey
Posts: 63,514
|
I had to get my mother a little book specifically designed for writing down all your passwords. There were simply too many for a lady pushing 80 to handle. (She also instinctively ignores punctuation so even when I write down a password for her "1914KittyCat!" she leaves off the exclamation point because she thought I was just being emphatic. And capitalization...she thinks it matters in email addresses but not in passwords and logins.)
|
#833 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
|
#834 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
Yeah, most things are SSO. Our department has gone full Office 365/Azure Cloud and in general that means that most of the tools most users will need are synchronised. But here in Technical Services, we have a bunch of tools that aren't in that cloud. And they need separate signons. And of course it affects everything that is internet based, which a bunch of staff have legitimate reasons to use.
Yeah, me too. It's actually in line with an all-of-government plan to modernise technology and harden government networks against cybersecurity threats, so it's coming from the highest levels of government. There was a pretty high-profile cyberattack on government systems a few years ago, and I think that triggered a major review. Explicitly, yes. KeePass, LastPass and others have enterprise versions of their software that allow them to be deployed for an entire organisation. The thing is, Azure Cloud already has an equivalent service, equally as secure and functional as any other password manager. It has been disabled. Even with as little knowledge about cybersecurity practice that I have, it's easy to see how this could go horribly wrong. |
#835 |
Director of Hatcheries and Conditioning
Join Date: Jul 2002
Location: Waiting for the pod bay door to open.
Posts: 44,460
|
|
#836 |
Master Poster
Join Date: Jul 2010
Location: Silicon Valley
Posts: 2,172
|
Speculation is that part of the Okta (which my company uses heavily) incident involved the attackers finding a spreadsheet that had passwords in it, dumped from someone's LastPass and stored on a machine.
|
#837 |
Observer of Phenomena
Pronouns: he/him Join Date: Feb 2005
Location: Ngunnawal Country
Posts: 77,486
|
|
#838 |
Master Poster
Join Date: Jul 2010
Location: Silicon Valley
Posts: 2,172
|
Why not? The thing has to have access to the full password so it can be sent on. It can't just store a hash locally since it's not the entity doing the final authentication.
Looks like LastPass can disable the option if you're on a business account, but it is available otherwise. https://support.logmeininc.com/lastp...neric-csv-file
ETA: Sorry. In case I wasn't clear, I didn't mean that the attackers found a LastPass store and extracted the passwords. I meant some LastPass user dumped the passwords and left them sitting around in plaintext (in a spreadsheet with "lastpass" as part of the name). |
#839 |
Lackey
Administrator
Join Date: Aug 2001
Location: South East, UK
Posts: 103,219
|
|
__________________
I wish I knew how to quit you |
|
#840 |
BOFH
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 14,709
|
Ah the one big bank used allowed website ids and passwords to be stored. Whether the websites had to be pre-approved or not I don't recall. That was for general users. I do remember we built a custom "portal" type tool, the service operations desk, for our operators which allowed saving of passwords for everything including servers, websites etc and had an interface (API I think) into what I think is now called Dell One Identity (was e-DMZ's Password Auto Repository) for root and other authorised ids' temporary passwords.
|