another wonderful day
Thank you, Simon.
"Yeah, so we just need you to upgrade these machines," the Beancounter says. "Upgrade them to what, Windows 8?" I ask, suppressing the gag reflex. "No I mean upgrade them with the updates." "Oh, so you mean upDATE them, not upGRADE?" "It's the same thing!" he simpers. "Not at all. An upDATE is when the system stays …
"Think of it this way. An upDATE is when your Missus gets you to buy a new suit, and an upGRADE would be when she gets Brad Pitt in whatever clothes he's wearing. She may upDATE his clothes at some stage in the future or she might just be too pleased with the upGRADE to bother."
My missus would probably unDRESS Brad rather than upDATE, but pretty sound analysis.
oh is that the time...
Nah. I'd guess guncotton burns too fast and with too little heat to do much beyond singeing the hair off the Boss. Also, I believe the resultant kinetic energy would be too dispersed to do much, unless you could somehow have him internalize the robe in question before ignition. (Any cavity should do.)
A thermite lined robe, with a powdery substance in the seams, and a leaky bottle of some sweet, oily substance just might light the way.
We've managed to weed out most of the applications that require Administrator rights to run (some of them walk over parts of the registry, some of them walk over parts of the disk, some of them should be taken out and shot ...) but there are still a couple of programs that will not run unless as administrator.
Those machines have local groups modified to allow specific users to have access, as power users if possible, or administrators if not.
The biggest issue was for some of the laptops that go on site, with no internet access and "I need the ability to install a new printer when you're not available" ... we solved that issue by buying a large stack of USB inkjet printers (20+) of the same type and sticking them in all the offices so that people could pick up a disposable one at any time, without the need for new drivers.
Doesn't Windows start nagging you for admin rights to install 'new' drivers if it detects a printer with a different serial, even if it's the same make and model?
(I networked my private printer years ago, and USB-printers 'just don't happen' at the office, so I'm not up to date on that crap)
Also, for the terminally forgetful sysadmin:
Rig up a USB stick on a lanyard round your neck with software setup to automatically lock/unlock the workstation when that particular memory stick is removed/inserted. Very much in the style of a jet ski emergency cut off.
In the Linux world, there's "Blue Proximity" that requires a particular Bluetooth device to be close enough to the computer to keep it unlocked. Walk away with your phone in your pocket, and your machine automatically locks itself. It's a great way of automatically keeping prying eyes and unwanted digits away from your computer!
"In the Linux world, there's "Blue Proximity" that requires a particular Bluetooth device to be close enough to the computer to keep it unlocked."
We've had something similar set up with our developer pool for a few years; however, we've recently added a "name and shame" component to it where it sends an email promising to pay for Friday's beer to the rest of the team.
You can configure Linux to recognise the Bluetooth ID of your mobile.
If the mobile moves out of range the screen is locked.
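The proximity-lock idea in the posts above (BlueProximity and the "Bluetooth ID of your mobile" setup), written out as an added example; this is not code from the page, from BlueProximity or from any poster. It assumes BlueZ's `hcitool rssi <bdaddr>` as the signal source (its output format, "RSSI return value: N" or "Not connected.", is an assumption here) and systemd's `loginctl lock-session` as the lock action; the Bluetooth address in the usage comment is made up. The point it adds over the comments is hysteresis: one bad RSSI sample in a noisy office must not lock you out mid-sentence, so the machine needs several consecutive "away" samples before locking and several "near" samples before it will consider unlocking.

```python
#!/usr/bin/env python3
"""Bluetooth proximity lock: lock the session when a paired phone drops
out of range, re-arm when it comes back (the BlueProximity idea)."""
import re
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed BlueZ output: "RSSI return value: -3" while the link is up,
# "Not connected." otherwise. Values near 0 mean close, more negative means further.
_RSSI_RE = re.compile(r"RSSI return value:\s*(-?\d+)")


def parse_hcitool_rssi(output: str) -> Optional[int]:
    """Return the RSSI reported by hcitool, or None if the phone is not connected."""
    m = _RSSI_RE.search(output)
    return int(m.group(1)) if m else None


def probe_rssi(bdaddr: str) -> Optional[int]:
    """Ask BlueZ for the link quality of a connected device (needs real hardware)."""
    try:
        out = subprocess.run(["hcitool", "rssi", bdaddr],
                             capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_hcitool_rssi(out)


@dataclass
class ProximityLock:
    """Hysteresis state machine so a single bad sample does not lock the screen."""
    lock_below: int = -10      # RSSI at or below this (or no link at all) counts as 'away'
    unlock_above: int = -5     # RSSI at or above this counts as 'near'
    away_samples: int = 3      # consecutive 'away' samples before locking
    near_samples: int = 2      # consecutive 'near' samples before re-arming
    on_lock: Callable[[], None] = lambda: None
    on_unlock: Callable[[], None] = lambda: None
    locked: bool = False
    _away: int = field(default=0, init=False)
    _near: int = field(default=0, init=False)

    def feed(self, rssi: Optional[int]) -> Optional[str]:
        """Consume one sample; return 'lock', 'unlock' or None (no transition)."""
        if rssi is None or rssi <= self.lock_below:
            self._away += 1
            self._near = 0
        elif rssi >= self.unlock_above:
            self._near += 1
            self._away = 0
        else:                       # dead band between the thresholds: forget any streak
            self._away = self._near = 0
            return None
        if not self.locked and self._away >= self.away_samples:
            self.locked, self._away = True, 0
            self.on_lock()
            return "lock"
        if self.locked and self._near >= self.near_samples:
            self.locked, self._near = False, 0
            self.on_unlock()
            return "unlock"
        return None


def run(bdaddr: str, interval: float = 2.0) -> None:
    """Poll the phone every `interval` seconds and lock via systemd-logind.

    Only the lock half is wired up. Auto-unlocking on proximity would make the
    phone's Bluetooth address (which is trivially spoofable) your password, so
    the 'unlock' event here merely re-arms the machine; the user still types a
    password at the screen locker."""
    pl = ProximityLock(
        on_lock=lambda: subprocess.run(["loginctl", "lock-session"], check=False),
    )
    while True:
        pl.feed(probe_rssi(bdaddr))
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    run(sys.argv[1])   # e.g. ./proxlock.py AA:BB:CC:DD:EE:FF (made-up address)
```

Tune `lock_below` against what `hcitool rssi` reports for your phone at the distance you care about; BlueZ only returns a meaningful RSSI while an L2CAP connection is open, so keep something connected (BlueProximity pings the device for that reason).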
When I worked for a Financial Services company, my boss was very fussy about locking the screen even if we just went to the loo or for a glass of water. If he saw that any of us hadn't locked ours, he would send a spoof email to the rest of the team from that account - usually a resignation notice with a really silly reason given.
That was, up until the day he left his own PC unlocked and his PA sent us all an email from him. I would repeat the reasons given for his "resignation", but there are laws regarding obscene publications!
I thought better of Simon. Obviously he was unwilling to confess that either "the boss" got him so pissed one night he was able to pry the information out of Simon, or, like one of mine, he just said, "your access or your job. I own those machines, not you. So cough up the access." The handiest way of curing that attitude is to monitor the system and, when he starts traipsing around where he shouldn't, booby trap the system so he panics and screams for help. You then respond, "you're the admin. What did you do?"
Leaving your session open, even unprivileged, is a sign that you want your colleagues to send out insults and love mails on your behalf to select members of the company.
Paris, because she would love getting an invite for you and her in the copy room at 6 this evening...
Count yourself lucky for presumably being in an office with bpfh. First time you forget to unlock the screen in my office, you send yourself a nice mail. Or maybe to your wife. Second time, you'll be telling the CEO what you think of his business conduct.
Anon, in case someone from my office is reading...
At my last company the IT guys would send emails to each other. Amazing how often the only female member of staff got emails of undying love from the other members of her team. Less said about the YouTube videos sent from the IT Director the better (I thought you wanted videos on "goat sex").
In a previous incarnation as an engineer I once changed the desktop wallpaper on a colleague's desktop machine each morning to a different photo of the 5 koala bear paper clips that were kidnapped at the start of the week, with an accompanying ransom demand. Day 1 showed them lined up with blindfolds and paws tied together. Day 2 photoshopped one of their heads onto the floor (with obligatory red smear under head). Day 3 saw 2 of them sold into sexual slavery...
Made better by the fact that the Aussie tech in the department was also taking the photos and emailing them back home to his family in Australia :)
> More likely there would be a sealed envelope with password written inside, hidden in a safe. To be accessed only in case of emergency. That's why mention of "seal being broken", I guess.
Wouldn't work, the envelope would be all covered in horse shit, to say nothing of trumpeter footprints. The whole unlocked workstation thing spoiled it for me a bit.
Went to the Middle East to set up a new office that wasn't connected to the rest of the world (they were operating off 3G for mail until a future date when services like electricity and telecoms were installed)....
During the setup of a local AD, he ran into a problem. A couple of problems actually, but the technical issue was a permissions problem. Giving the whole office Enterprise Admins quickly fixed that and he could spend some more time on the jet ski....
Early on in a new position in education I was on the server, looking at the student files they had turned in for a class. I did something fairly ordinary without thinking (possibly created a subfolder--whatever it was, it wasn't destructive or disruptive) and then it hit me I shouldn't have been able to do that. I went to the network boss and asked if I had mistakenly been made an administrator. He said that because the dozen or so of us MIGHT need to do certain things, for convenience we had all been made administrators way in the past. That way, we wouldn't have to go to the real administrator and ask to have it done.
From that point on, I was VERY careful what I did on that server. Over the years, I don't recall hearing that anything ever got messed up, so I guess all of us were careful.
Same thing happened to me, in essence. Found I could move files I shouldn't have been able to modify; and, when I went poking about I found I could see content of the company President's network folder, which was not supposed to be publicly visible. I asked and was told I was a network admin. My response was something akin to "Okaaaay, and you thought I needed this, Why?" Had to be mindful of what I did on the network after that.
Posting as Anon to protect identities of the innocent.
I did that once, accidentally dragged a folder into another one and realised afterwards that I shouldn't have been able to do it at that level in the directory tree. Ironically, that was at the company with the most locked-down network I've ever experienced.
One gets careless if the network protects you against your mistakes, I've picked up most of my better habits from painful experience of losing data because I did something stupid (I go back to CP/M, so plenty of opportunities) and then modifying how I did things.
The hoops we have to jump through!
I have local admin rights to my company laptop, but the group policy has removed the ability to extend the length of time it takes for the company screensaver to kick in. No amount of reg hacking could fix it, and I'm not a windows expert so I have had to resort to a mouse mover program (that's actually quite neat when you get into the options!)
Since we have to be on instant chat all the time, every time the screen locks it marks me as unavailable and makes it look dodgy since I'm wfh a lot. Just because I'm kvm'ing to another machine now and again to look up stuff in places that the company laptop might not like I don't see why anyone should be given the false impression that I'm not working like a beaver.
Once had a "boss" (technically not my boss, but he thought he was) demand the domain admin password from me.
He'd bought a load of dictaphones that only saved in WMA (yes, seriously!)
And a piece of junk software that only loaded from MP3
And he insisted the two work together. Given that I had had no say in the purchase of either of the above, the short answer was No and the long answer only involved more O's. But he insisted. I knocked up a workaround using a piece of freeware that would convert any file saved in a particular "WMA" folder into an equivalent "MP3" folder. That wasn't enough apparently.
He was STILL phoning me several months later (after I'd left) to demand a domain admin password. Because, you know, they make these things all just kind of work no matter how possible they are.
He was (politely at first, then rudely as he disturbed me more and more about things I was no longer responsible for, while I was trying to work for a proper employer) directed to his boss, who happened to have signed off on my hand-off. This hand-off included two identical copies of a disc containing all possible information about the system - including passwords - and warned them only to give it to people who were taking on my responsibilities AND NOT this guy that was bugging me. Oh, and to store one in a separate safe place like... well.. a safe.
This guy knew nothing of the discs, though, nothing of the handover, nothing at all until I mentioned them - but was STILL ringing me weeks later demanding I give him domain administrator passwords that his boss was obviously in possession of (and his boss and I got on quite well, so they could have rung up personally if they'd lost them or something). In the end I had to just be rude and tell him to speak to his own boss about why he hadn't been given the passwords direct rather than hassling me. Eventually the calls stopped. I don't even care if he got the password, but I very much doubt that he did.
All because he was too stupid to check compatibility first. And thought that an admin password was the be-all-and-end-all of making things work.
That sounds vaguely similar to one of my previous roles.
To put the company in perspective, I'm 100% certain that, despite making sure the person with the most knowledge leaves a company with the worst feelings towards said company, all the passwords for the doors and computers will still be the same ones that were being used when I left. Hell, whenever they sack someone for stealing at a remote site they still don't change the passwords on the banking sites that they use, and because they're generic accounts there's no way to tell who is logged in at any given moment. Pretty sure my admin account probably still exists as well... (No, I haven't tried it, I enjoy freedom too much and I'm damned if I'm going to tell them how to do their jobs)
Hint for the future:
FORCIBLY MAKE THEM change any and all passwords when you leave.
1) It leaves you with a cast-iron defence if anything does go wrong after you've walked.
2) It means that someone has to take responsibility for everything you WERE doing before you go.
3) It'll mess up their systems something chronic when they don't realise where all the passwords used to be plugged in automatically.
Did this to my last place. I don't usually leave with bad feeling but in this case I had to go or sue them for constructive dismissal, basically. For sure I wasn't going to give them an easy way to blame me for something on my way out.
They were getting shirty about my access anyway (I'm the fecking domain admin, it's worth more than my reputation to bother to do anything, and I could almost certainly have done something you wouldn't even notice if I *DID* have any kind of malicious intent), so I made them change every password. Everything. The website. The servers. The cloud providers. The domain hosts. The network switches. The phones. The CCTV system. The Microsoft VL store. Everything I'd ever touched that could, potentially, be accessible remotely. About the only thing we couldn't do was local admin passwords / local BIOS passwords etc. (which are infeasible to change and I have to be in the damn place to make any use of them anyway).
This meant that they had to get someone in to take all those passwords off me, on short notice. They had to watch me do it - even on my laptop and other machines. They had to sign off to say they'd witnessed it being done (and, because they were employed just for that, they were very careful in their scrutiny before they would sign-off). They had to take the passwords onto paper and - with them - the responsibility. They had to know that there was no excuse for not having a password for system X because I'd given them everything. Verifiably. To an independent witness. They had to know that they couldn't say I hadn't shown them something because we'd had to remove the password for everything and give them admin to it somehow.
I made them clear the admin list on the domains. I made them verify my personal hard drives had nothing work-related on them (yep - I went through every folder on a laptop that was shared work/home but was using my personal hard drive in its second slot). I made them take responsibility for every system and subsystem and be the only person with the credentials / knowledge to do that. I even made them change my voicemail password. Hell, I not only handed in my access cards and keys, I had the guy revoke all the card numbers in front of me and double-check there were no rogue accounts or other accounts associated with those cards.
So now, no matter what hits the fan there, I cannot be held responsible for it. Not even vaguely. The system I handed over is the system you got, and I have no further part in it. When something crashes the next week, nothing they can do but fix it themselves. They can't claim improper handover. And it probably cost them a bomb to have someone come in and do that with me - while still paying my wages.
And, also, all those niggly problems that I "just had" to fix before I left? Suddenly not so important compared to getting such a handover. I wasn't subjected to rubbish time-filling tasks, or handing over credentials to idiots to fix minor problems, or power-trip instructions from people who knew I was going, or anything else. They could not deny that the handover was the most important thing, especially as I was in charge of every machine - including the ones that paid wages and probably held all their secrets (I'm honest, so I never even look, but I for sure feel that a quick jaunt through their network areas would reveal an awful lot of dodginess to interested parties).
It's about liability. Let them take it. Let them forcibly and provably take it from you. Because the only outcome is that they then have all the liability while you have none.
I honestly used to look away every time our finance people typed in their passwords or authorised a smartcard bank transaction. They used to ask me why, when I had full access to everything they had - at least in theory - and had set up most of those systems. The answer was "Because I don't want to know it." It's for deniability. I can safely say that, although in theory I could have had theoretical access to anything, I never even knew their passwords (or could do anything but change them, thus arousing attention) so I could never have done anything with them.
Trust me, if you leave a workplace in bad feeling, you don't want to know these things. Force yourself to hand them - and their responsibility - over to the mug, sorry replacement, that takes over from you.
If a place is that bad that you take it upon yourself to leave, make sure every part of you leaves. Including your responsibilities towards them, and any accusations/suspicions against you. I haven't heard from my former employer since. They'd have an almost impossible task to even come up with an excuse to ring me.
That was my last role, very happy to help them out, even pointed the IT guys in the direction of the databases I'd been building to support the systems I was working on. Not their fault, their biggest client went titsup.com owing them over a quarter million.
The role BEFORE that however was literally walked out the door, here's a box and don't think about coming back. This was AFTER I'd fixed the problem caused by one of the clients (which incidentally involved a hell of a lot of data we weren't supposed to have and would cost the company thousands in fines for breaches of data protection). No warning, nothing. At least I know my domain access and email account would have been stopped immediately, which may cause them a few problems when it comes to renewal time for the remote access software :p My only satisfaction was knowing the Finance Director was using my name as a swear word for months afterwards after the company solicitor took one look at my letter to them and demanded that they pay me.
In a previous role one of the Directors decided he was now in charge of all things IT despite having no IT skills at all, made worse by one of the other Directors deciding he needed oversight of IT as well. So effectively that gave me 2 competing bosses who spent most of their time trying to out-compete themselves for IT ignorance.

As a result we moved from a Platinum certified Cloud provider to one that could barely be classed as Silver certified and I was originally tasked with moving everything within 2 weeks while having zero input while still having to do the day job and hand holding the IT (*cough*) person moving the web server and the SQL servers. Yes, the new provider had no one with any experience of setting up a SQL backend IIS front end system. It took them a month just to get the backups working on the SQL databases. Cue Director 2 moving the website design to a new company and myself then having to fix all the css scripts because the web design company couldn't code css for our websites despite being given a copy of the entire website for coding purposes. All in the name of "saving money".

Anyway, you can imagine the disaster when they decided to upgrade all the security permissions for the remote workers, resulting in around 50 folders having individual permission groups being setup followed by the complaints when permissions didn't work because Jenny from Site A was at Site B helping Tony today. Almost as much fun as having myself setup as a special permission group despite being their only IT person so that I was actually locked out of most of their reporting folders, including the reports that I designed and built for them. So when a "Boss" decides they know better than their IT department now I just say go ahead, I'm just glad I'm no longer the one having to fix the god awful cluster f%&k that is the inevitable outcome.
Yes, it happened in our office. It was the morning we came in to find someone had applied a Frontpage theme to the entire website. (Yes, we had FPSE. No, I was not given a say in the matter.) In investigating to narrow down the potential suspects we found that we had somehow ended up with about 50 domain admins. Sadly there was no way of knowing which heads to roll in our case.
One time a fellow system admin left his computer unlocked. So I took it upon myself to upgrade his computer from Windows XP. I downloaded an executable but can't remember if I just ran it or set it as the shell. It had a brilliant word processor and an amazing thing called the web. Funny thing, took him ages trying to get out of it. I finally terminated it because I vaguely remember my life being threatened.
I started in a company where they rolled out 3270 terminals to all devs about a month after I started (when I started it was 1->4). The boss was a clean desk fanatic and everything had to be put away even if we were just moving 5 yards to get to the tea lady's trolley & the desk was in sight the whole time.
To enforce the locking of computers he had me develop an SPF script that he could link to the F3 (Save & quit) key if he saw an unattended terminal. It was known as "the finger", and did a very, very slow roll up the screen (ASCII art of "the finger", i.e. middle finger extended). Given the speeds of the terminals and the loops I was asked to put in, it took 5 minutes to run. Its use was no longer required after about 2 weeks.
Simon, you're my hero. You have no idea (or, perhaps, you do) how much the users in your blogs sound like the real users that we face out here in the wild, particularly when it comes to Enterprise MDM Helpdesk. It's amazing to see how either the users, their PC Support Group, and/or the domain admins can screw things up so badly. And it's even more frightening how many executives who lack the technical skill to operate even iOS devices will put their assistant up to calling us when technical support is needed. Of course, she's often less skilled than her boss.

These people find very interesting ways to screw up easy to use technology and say things like, "My iPad doesn't work", after which, we naturally have to ask what specifically isn't working on their iPad. Naturally, that infuriates them and rather than own up to having weak communication skills, they claim that we just "don't understand" what they are saying. HA!!! Then of course, there are the liars who claim that an icon somehow just vanished from their home screen, but probing questions always find what they did to cause that nonsense.

My personal favorites are the ones who claim something is wrong with their iPhone 4S so that we'll RMA it, but naturally, they ask if they can get an upgrade to an iPhone 5 and are disappointed to learn that they will receive an iPhone 4S, just like what they had previously. These geniuses will break them once a week, for weeks on end, thinking frequent failures will result in an upgrade to an iPhone 5? No can do on that, sir/madam. You get like for like, no matter how many times you break it, unless you'd prefer to pay the $750 full price for an iPhone 5. That suddenly reduces the number of times they break their iPhone 4S. :-D
On a Windows box, it is pretty easy. Just install Linux and be done with it. Actually works quite well.
For the timid, one of the desktop spins works OK as well. Won't leave behind (too much) incriminating evidence.
Comments on Linux vs. Windows vs. MacOS notwithstanding.
Many years ago (15, I guess), I was involved in a Y2K project - I was PC app packaging, but one of the other running projects was an upgraded Hospital system running on VMS. After I packaged the Terminal Emulator, I tested it on the pre-prod system. Everything seemed to work, but I wanted to push a little deeper. So while playing I crashed the app (I don't remember how, it may have happened by accident, but I may have done it deliberately), and found myself at a VMS DCL prompt. Curious (and possessed of some VMS skills from a former life), I set out to find out what rights I had in the system - full admin access for the account the application was running as.
So I wrote a note to the System Manager pointing out how an error in their shiny (and very expensive) new platform had allowed a normal user full Admin access to the VMS system, and how easy it would be to trash the entire thing in a few lines of DCL. I don't know if they ever restricted the rights of the application user - it would have been a piece of cake in VMS, as it had superb rights management, but I steered clear of that particular team and app for a while.
I can't believe that the BOFH would have the capability for ANYONE to give themselves domain access.
Even if they were using HIS access to do it, and had instructions on how to do it, it should fail.
A SMART BOFH would have traps laid, such as a particular script having to be used to properly change domain access.
Then, if this isn't used, it will give the appearance of giving access and then alert BOFH and PFY so that they can plan some "atmospheric readjustment testing" (aka throwing someone off the roof into the skip).
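Two of the posts above describe the same gap from opposite sides: the shop that discovered "about 50 domain admins" with no idea who added them, and the suggestion that a SMART BOFH would have a trap so that any Domain Admins change not made through the sanctioned script raises an alert. The following is an added example of that audit, not code from the page or from any poster. It assumes a recorded baseline of who should be in the group, a log of approved changes written by the sanctioned script (the `Change` records with ticket references), and a live snapshot; the snapshot parser is modelled on the output of `net group "Domain Admins" /domain`, and the sample text, account names and ticket numbers are all constructed for this example.

```python
#!/usr/bin/env python3
"""Audit Domain Admins membership: live snapshot versus baseline plus approved
changes. Anything outside that is either a rogue add or a silent removal."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Constructed sample in the shape of `net group "Domain Admins" /domain` output
# (assumed format; members are printed in up to three padded columns).
SAMPLE_NET_GROUP = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            alice                    bob
mallory
The command completed successfully.
"""


def _norm(account: str) -> str:
    # sAMAccountName comparisons are case-insensitive in AD; normalise so
    # "Alice" and "alice" cannot slip past the diff as two different people.
    return account.casefold()


def parse_net_group(output: str) -> Set[str]:
    """Extract member account names from `net group ... /domain` style output."""
    members: Set[str] = set()
    in_members = False
    for line in output.splitlines():
        if line.startswith("----"):          # separator before the member list
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.update(_norm(n) for n in line.split())
    return members


@dataclass(frozen=True)
class Change:
    """One approved change, as the sanctioned script would record it."""
    action: str      # 'add' or 'remove'
    account: str
    ticket: str      # change reference, e.g. a made-up "CHG-1234"


def expected_members(baseline: Iterable[str], approved: Iterable[Change]) -> Set[str]:
    """Replay the approved changes over the baseline to get what membership should be."""
    expected = {_norm(a) for a in baseline}
    for c in approved:
        if c.action == "add":
            expected.add(_norm(c.account))
        elif c.action == "remove":
            expected.discard(_norm(c.account))
        else:
            raise ValueError(f"unknown action {c.action!r} in {c.ticket}")
    return expected


def audit(baseline: Iterable[str], approved: Iterable[Change],
          live: Iterable[str], max_members: int = 5) -> Dict[str, object]:
    """Return the rogue adds, the silent removals and a headcount sanity flag."""
    expected = expected_members(baseline, approved)
    live_set = {_norm(a) for a in live}
    return {
        "unauthorized_added": live_set - expected,    # nobody approved these
        "unauthorized_removed": expected - live_set,  # approved members that vanished
        "over_limit": len(live_set) > max_members,    # the "50 domain admins" smell test
    }


if __name__ == "__main__":
    live_now = parse_net_group(SAMPLE_NET_GROUP)
    report = audit(["Administrator", "alice"],
                   [Change("add", "bob", "CHG-1234")], live_now)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, `bob` was added through the approved path and is silent; `mallory` was not and is reported. Run it from a scheduled task against a fresh snapshot and mail any non-empty result, then re-baseline only through the same script so the log and the baseline stay in step. One caveat a practitioner would want: `net group` lists direct members only, so a nested group placed inside Domain Admins hides its members from this parser; on a real domain feed the audit from `Get-ADGroupMember -Recursive` (or an LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN filter) instead, and audit Enterprise Admins and Schema Admins the same way.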
Biting the hand that feeds IT © 1998–2020