Pointless IT rules and how to break them - Petty Grievances thread

Evie__Rivka

Ars Tribunus Militum
1,864
Subscriptor
My school district, after seeing one south of us get ransomware, has decided to go with a very aggressive security policy driven not by back-end tech but by rules nannies at all of our campuses turning level 1 & 2 tech support into wannabe KGB agents.

My specific frustration is this - I have a smart board in my room that doesn't wirelessly connect to my laptop. As teachers we have laptop stands and are supposed to be up and moving with our laptops. Sitting down is seen as unprofessional or something. Anyway, I bought a Microsoft WiDi dongle and have been using that for years. This is apparently a security problem this year and I was handed a stiff 10ft HDMI cable.... WTF?

Oh, and the laptop I use all day - a personal one with two boot drives, one for school. I'm accessing their networks and THEY DON'T EVEN KNOW IT with an unauthorized device, but my wireless screen dongle is.

(ノಥ益ಥ)ノ ┻━┻

snotnose

Ars Praefectus
3,253
Subscriptor
I like the idiots that go overboard on password rules. Last week I made a throwaway account. I have throwaway passwords I modify for sites like that; think passwordArs. My default password is pretty good.

Anyway, I got "password too short". So I made it longer. Got "must contain at least 2 punctuation", so I added an underscore. Got "underscore not allowed", so I changed it. Then got "must have at least 4 numbers". You get the idea. My easily remembered password turned into a frankenmess. I didn't bother saving it; I don't expect to ever use that site again.

UserIDAlreadyInUse

Ars Tribunus Angusticlavius
7,431
Subscriptor
Try this: ask them to explain the rationale behind the new rules. You're not quite understanding the risks, so it needs to be explained in words of one syllable - or less - why the changes are being implemented with the specific policies. Frame it as an opportunity to teach the class as well, for their home networks and the protection of their families as well. Education matters, and the IT staff can now be part of it. Sometimes, if they can't justify why they do it, then they'll have that discussion internally and roll back the policy.

Oh, and just from me, as a twenty-year+ SysAdmin? Never, never, never, never, never, never connect your personal devices (laptops, phones, whatever) to the corporate network, and especially never use them to do your work. I know it's convenient to do it, I understand why people do it, but believe me: if things ever go south for any reason and it's traced back to a personal device? That's a can of worms you don't want opened. Wifi dongles, wireless HDMI devices, and other hardware-only devices (you other admins, you know what I mean!) walk that line - it's on the side of hardware-specific vs. a software component - but most other personal devices with storage or a user-accessible OS? Trust me, don't connect them.
 

MichaelC

Ars Legatus Legionis
33,907
Subscriptor++
Might not even be the IT making the policy. They might just be grudgingly implementing it. Sometimes these decisions are not theirs to make.

I remember having to send out a really stupid email to define a new policy about email messages. This was because an executive did not like what was, at the time, new access to email stationery and fonts in the mail application. So some people started using that kind of stuff. So we had a meeting about it and I was made to tell everyone that plain text only messages were allowed, with no embedded imagery.

I mean, sure, I like things better that way, but it's not that big a deal. But I had to be the bad guy and get crap for it.

On the other hand, sometimes IT is the bad guy. From onerous password expiration rules to ... I cannot recall the details. But a friend told me their IT guy had some really strict and bizarre rules about file share use. I remember I agreed it was overkill, highly restrictive to the point of not really being usable by the people for whom it was intended. That the guy was forgetting he was there to provide a service and the users were not interfering with his job.
 

Q

Ars Praefectus
3,648
Subscriptor++
I had to uninstall Power Toys because one of the toys (Awake) can bypass the lock screen settings that are mandatory to comply with some audit or another. Awake wasn't even enabled, I only used Fancy Zones. Anyway, I didn't do anything to break the rule afterward, I just found a (worse) utility that sort of did the same thing as Fancy Zones.
 

Evie__Rivka

Ars Tribunus Militum
1,864
Subscriptor
Try this: ask them to explain the rationale behind the new rules. You're not quite understanding the risks, so it needs to be explained in words of one syllable - or less - why the changes are being implemented with the specific policies. Frame it as an opportunity to teach the class as well, for their home networks and the protection of their families as well. Education matters, and the IT staff can now be part of it. Sometimes, if they can't justify why they do it, then they'll have that discussion internally and roll back the policy.

Oh, and just from me, as a twenty-year+ SysAdmin? Never, never, never, never, never, never connect your personal devices (laptops, phones, whatever) to the corporate network, and especially never use them to do your work. I know it's convenient to do it, I understand why people do it, but believe me: if things ever go south for any reason and it's traced back to a personal device? That's a can of worms you don't want opened. Wifi dongles, wireless HDMI devices, and other hardware-only devices (you other admins, you know what I mean!) walk that line - it's on the side of hardware-specific vs. a software component - but most other personal devices with storage or a user-accessible OS? Trust me, don't connect them.
I would LOVE to use the district-provided device; unfortunately it was never fast, and when you get the filtering software, the DB connection software and whatever eldritch horror lives in our update pacts loaded, 1st block is over and then the damn thing still won't let me show a clip from YOUTUBE. Probably 15 years ago we got locked into a contract with Dell and MS, Dell for hardware and MS for backend, and it's just been an expensive, buggy nightmare as we can't seem to keep anyone qualified in our infrastructure role for $55k, let alone all those below on the IT ladder. The only person in county IT that gets paid well is the director at ~$116 according to board minutes, but his is a non-technical role.

I say fuck it, $200 Chromebooks for everyone and let's use Google Classroom rather than our discipline system, our enrollment system, scheduling system, LMS, etc.
 

meisanerd

Ars Praetorian
1,464
Subscriptor
...

Oh, and just from me, as a twenty-year+ SysAdmin? Never, never, never, never, never, never connect your personal devices (laptops, phones, whatever) to the corporate network, and especially never use them to do your work. I know it's convenient to do it, I understand why people do it, but believe me: if things ever go south for any reason and it's traced back to a personal device? That's a can of worms you don't want opened. Wifi dongles, wireless HDMI devices, and other hardware-only devices (you other admins, you know what I mean!) walk that line - it's on the side of hardware-specific vs. a software component - but most other personal devices with storage or a user-accessible OS? Trust me, don't connect them.
As someone who also has done IT, as well as been a main contractor for one of our local agencies to do forensic capture of devices for criminal or civil legal cases: very much this. You do not want to be losing your personal device for months just because it was connected to the corporate network and might have evidence needed. Or be the individual that brought in ransomware to the corporate network because your home security was lacking (or the other way around, have your personal device infected because corporate got hit; I've seen a few of those too, and we aren't responsible for trying to get 15 years of family vacation photos back for you because your personal device got infected; our job is recovery for company-owned property).
 

UserIDAlreadyInUse

Ars Tribunus Angusticlavius
7,431
Subscriptor
Not to mention that if the organization-provided devices are lacking, the L2 folks are likely just as frustrated as you are, and using a personal laptop as a workaround does them no favours.

Without people logging tickets to get basic functionality - such as playing a YouTube video for the class - they have no ammunition to lobby for improvements themselves. Without a history of tickets they can point to of poor hardware or overzealous applications, they can't make the case for improvements either, and neither can management. After all, no one's calling in so everything's fine, right?

I'm sure that historically a few tickets were submitted and not much done with them - happens everywhere - and people started looking for workarounds. Human nature. But it's the steady stream of constant, consistent calls that makes change happen. They need to be able to justify it up the chain, and tickets are often the only way they can. It's annoying, but that's how it goes.
 

Coriolanus

Ars Tribunus Angusticlavius
8,244
Subscriptor++
My specific frustration is this - I have a smart board in my room that doesn't wirelessly connect to my laptop. As teachers we have laptop stands and are supposed to be up and moving with our laptops. Sitting down is seen as unprofessional or something. Anyway, I bought a Microsoft WiDi dongle and have been using that for years. This is apparently a security problem this year and I was handed a stiff 10ft HDMI cable.... WTF?

Oh, and the laptop I use all day - a personal one with two boot drives, one for school. I'm accessing their networks and THEY DON'T EVEN KNOW IT with an unauthorized device, but my wireless screen dongle is.

I don't think it's an unreasonable request to not have unauthorized hardware on your devices or network. You don't know if there are any malware payloads on those things.
 

Anacher

Ars Praefectus
5,580
Subscriptor++
As someone who also has done IT, as well as been a main contractor for one of our local agencies to do forensic capture of devices for criminal or civil legal cases: very much this. You do not want to be losing your personal device for months just because it was connected to the corporate network and might have evidence needed. Or be the individual that brought in ransomware to the corporate network because your home security was lacking (or the other way around, have your personal device infected because corporate got hit; I've seen a few of those too, and we aren't responsible for trying to get 15 years of family vacation photos back for you because your personal device got infected; our job is recovery for company-owned property).

When both corporate and my contract say you can BYOD, just do these things... my first thought is... F no! I don't want to have access to my work email at all times. Even if I did, I'm not answering it! And then they would exert partial control over my own phone. Nope nope nope.
 

Coriolanus

Ars Tribunus Angusticlavius
8,244
Subscriptor++
When both corporate and my contract say you can BYOD, just do these things... my first thought is... F no! I don't want to have access to my work email at all times. Even if I did, I'm not answering it! And then they would exert partial control over my own phone. Nope nope nope.
Yeah, I declined bringing my own device. I don't even let my work phone connect to my home wifi unless I set up wifi that is isolated just for that device.
 

UserIDAlreadyInUse

Ars Tribunus Angusticlavius
7,431
Subscriptor
When both corporate and my contract say you can BYOD, just do these things... my first thought is... F no! I don't want to have access to my work email at all times. Even if I did, I'm not answering it! And then they would exert partial control over my own phone. Nope nope nope.
More people should follow this! Not just as a quality of life thing, but for their own protection.

If corporate data gets exfiltrated from a corporate device due to user action, they'll fire the user. If corporate data gets exfiltrated from a personal device due to user action, they'll make an example of that user. Seen it happen too many times.
 

Hound of Cullen

Ars Legatus Legionis
26,782
Subscriptor++
I like the idiots that go overboard on password rules. Last week I made a throwaway account. I have throwaway passwords I modify for sites like that; think passwordArs. My default password is pretty good.

Anyway, I got "password too short". So I made it longer. Got "must contain at least 2 punctuation", so I added an underscore. Got "underscore not allowed", so I changed it. Then got "must have at least 4 numbers". You get the idea. My easily remembered password turned into a frankenmess. I didn't bother saving it; I don't expect to ever use that site again.
Current NIST password guidelines call for 16 characters, including numbers, specials, and varied case.

Passwords should only be changed if you suspect they have been exposed.

Password guidelines should be published in the employee manual or something similar so folks have some idea of what they're in for.

Throwaway accounts on non-work related sites get passwords generated by a password manager, which is set to NIST guidelines for me. If you're not using a password manager, why not? Bitwarden is free for personal use and is quite polished. LastPass and Keepass have been around for a while and are robust (although LastPass has been the target of several infiltration attempts).

leet

Ars Praefectus
3,041
Subscriptor++
Throwaway accounts on non-work related sites get passwords generated by a password manager, which is set to NIST guidelines for me. If you're not using a password manager, why not? Bitwarden is free for personal use and is quite polished. LastPass and Keepass have been around for a while and are robust (although LastPass has been the target of several infiltration attempts).
I mostly agree with this, but have had a few experiences where I couldn’t generate a password. I think it’s when I needed an app to do something. I probably still have a login saved for some random restaurant that required an account for a discount with the password “RandomRestaurant2016change”.
 

meisanerd

Ars Praetorian
1,464
Subscriptor
I mostly agree with this, but have had a few experiences where I couldn’t generate a password. I think it’s when I needed an app to do something. I probably still have a login saved for some random restaurant that required an account for a discount with the password “RandomRestaurant2016change”.
I now generate them in KeePassDX on my Android device, then use the keyboard for that app to auto-type them into the app I am generating the password for. These used to be a pain, though.
 

Diabolical

Senator
28,457
Subscriptor++
More people should follow this! Not just as a quality of life thing, but for their own protection.

If corporate data gets exfiltrated from a corporate device due to user action, they'll fire the user. If corporate data gets exfiltrated from a personal device due to user action, they'll make an example of that user. Seen it happen too many times.

This. Holy mothers of all the gods in every pantheon ever, this.

And "example" gets even more terrifying when you replace 'corporate' with 'government'.