Tech workers - what did your IT Security team do that made your life hell and had no practical benefit?

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

nobleshift,
@nobleshift@lemmy.world avatar

InfoSec guy here for the salty tears of the unwashed masses …

tty5,

I’m torn over whether I should be nodding and patting myself on the back for not doing any of this insanity or cackling and taking notes…

Krudler,

Taking notes?!? If you can’t make idiotic decisions on your own, you’re not much of an IT guy to begin with.

Fixbeat,

Are you twirling your mustache?

_haha_oh_wow_,
@_haha_oh_wow_@sh.itjust.works avatar

I used to work with a guy who glued the USB ports shut on his labs. I asked him why he didn’t just turn them off in BIOS and then lock BIOS behind a password and he just kinda shrugged. He wasn’t security, but it’s kinda related to your story.

¯\_(ツ)_/¯

Security where I work is pretty decent really, I don’t recall them ever doing any dumb crazy stuff. There were some things that were unpopular with some people but they had good reasons that far outweighed any complaints.

afraid_of_zombies,

I just wrote a script that let me know if USB devices changed and emailed me. It was kinda funny the one time someone unplugged a USB hub to run a vacuum. I came running as like 20 messages popped up at once.

Krudler, (edited)

I completely hear you.

When they did this for the stated reason of preventing data theft via thumb drive, the mice & keyboards were still plugged into their respective USB ports, and if I really wanted I could just unplug my keyboard and pop in a thumb drive. Drag, drop, data theft, done.

Further to this madness, half of the staff had USB hubs attached to their machines within a week which they had purchased at dollar stores. Like…?

At any time, if I had wanted to steal data I could have just zipped it and uploaded it to a sharing site. Or transferred it to my home PC through a virtual machine and VPN. Or burned it using the optical drive. Or come up with 50 other ways to do it under their noses and not be caught.

Basically just a bunch of dingbat IT guys in a contest to see who could find a threat behind every bush. IT policy via SlashDot articles. And the assumption that the very employees that have physical access to the computers… are the enemy.

Okay, I’ll concede that SOMEWHERE in the world there exists a condition where somebody has to prevent the insertion of an unauthorized thumb drive, they don’t have access to the BIOS, they don’t have the password, or that model does not allow the disabling of the ports. No other necessary devices are plugged in by USB. Policy isn’t or can’t be set to prevent new USB devices from being added to the system. And this whole enchilada is in a high-traffic area with no physical security and with many unknown actors.

Right.
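
The two USB stories above, afraid_of_zombies' change-alerting script and Krudler's point that a live keyboard port takes a thumb drive just fine, describe the same control done in software. The block below is an added example, not code from either poster: it diffs two inventory snapshots, collapses a hub unplug into one event, and applies a class-based allowlist (keep HID and hubs, deny mass storage) instead of blocking ports. Device records are constructed to mimic the sysfs fields (idVendor, idProduct, bInterfaceClass, serial); reading /sys/bus/usb/devices on a real host, and the mailing step, are left to the caller, and the vendor/product IDs are illustrative.

```python
"""Added example, not code from the thread: a USB inventory monitor with a
class-based allowlist, the software alternative to hot glue.

It combines two points from the discussion: afraid_of_zombies' script that
reports when the set of attached USB devices changes, and Krudler's
observation that a keyboard port left live can take a thumb drive, so a
useful policy keys on the device class (keep HID and hubs, deny mass
storage) rather than on the physical port.

Device records are constructed inline to mimic the fields you would read
from /sys/bus/usb/devices/<path>/ (idVendor, idProduct, bInterfaceClass,
serial); reading sysfs on a live host is left to the caller so the logic
runs offline. Vendor/product IDs below are illustrative.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF class code table).
USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives, card readers
USB_CLASS_HUB = 0x09

ALLOWED_CLASSES = {USB_CLASS_HID, USB_CLASS_HUB}


@dataclass(frozen=True)
class UsbDevice:
    path: str          # sysfs port path, e.g. "1-1.4" is port 4 of hub "1-1"
    vendor: int        # idVendor
    product: int       # idProduct
    iface_class: int   # bInterfaceClass of the first interface
    serial: str = ""   # iSerial, empty when the device reports none

    def key(self):
        # Identity includes vendor/product/serial, not just the port: swapping
        # a keyboard for a thumb drive on the same port must show up as a change.
        return (self.path, self.vendor, self.product, self.serial)

    def label(self):
        return f"{self.vendor:04x}:{self.product:04x} at {self.path}"


def policy_verdict(dev):
    """Allow HID and hubs, deny mass storage, flag anything else for review."""
    if dev.iface_class == USB_CLASS_MASS_STORAGE:
        return "deny"
    if dev.iface_class in ALLOWED_CLASSES:
        return "allow"
    return "review"


def diff_inventory(before, after):
    """Return (added, removed) between two snapshots, each in stable order."""
    b = {d.key(): d for d in before}
    a = {d.key(): d for d in after}
    added = [a[k] for k in sorted(a.keys() - b.keys())]
    removed = [b[k] for k in sorted(b.keys() - a.keys())]
    return added, removed


def collapse_under_hubs(devs):
    """Drop devices whose parent hub is itself in `devs`, so pulling one hub
    (the vacuum cleaner case) is one event, not one per downstream device."""
    hub_paths = {d.path for d in devs if d.iface_class == USB_CLASS_HUB}
    return [d for d in devs
            if not any(d.path.startswith(h + ".") for h in hub_paths)]


def alerts_for(before, after):
    """Human-readable events to mail out; the policy verdict leads each addition."""
    added, removed = diff_inventory(before, after)
    alerts = [f"{policy_verdict(d).upper()}: new {d.label()}" for d in added]
    alerts += [f"REMOVED: {d.label()}" for d in collapse_under_hubs(removed)]
    return alerts


# Constructed snapshots (IDs illustrative).
BASELINE = [
    UsbDevice("1-1", 0x05e3, 0x0608, USB_CLASS_HUB),    # desk hub
    UsbDevice("1-1.1", 0x046d, 0xc31c, USB_CLASS_HID),  # keyboard
    UsbDevice("1-1.2", 0x046d, 0xc077, USB_CLASS_HID),  # mouse
]
# Krudler's scenario: keyboard unplugged, thumb drive in its place.
THUMB_DRIVE_SWAP = [
    BASELINE[0],
    UsbDevice("1-1.1", 0x0781, 0x5583, USB_CLASS_MASS_STORAGE, "4C530001"),
    BASELINE[2],
]
# afraid_of_zombies' scenario: the whole hub yanked out.
HUB_UNPLUGGED = []

if __name__ == "__main__":
    for name, snap in (("swap", THUMB_DRIVE_SWAP), ("hub gone", HUB_UNPLUGGED)):
        print(name, alerts_for(BASELINE, snap))
```

Keying on port path alone would miss the keyboard-for-thumb-drive swap, which is why `key()` includes vendor, product and serial. On Linux the enforcement half of this (allowlisting by class or by device) is what USBGuard does; this block only models the decision so the reader can see what the policy has to key on.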

argentcorvid,
@argentcorvid@midwest.social avatar

Gotta put something good on the monthly/ quarterly activity report/personnel review!

_dev_null,
@_dev_null@lemmy.zxcvn.xyz avatar

machine had a RW optical drive

Ah, the Private Manning protocol.

Krudler,

Less the Lady Gaga obfuscation.

We had 40,000 blank discs laying around at all times… because they were a regular part of sending art/data proofs to customers.

o_O

Treczoks,

The network has been subnetted into departments. Problem: I, from development, get calls from service about devices that have issues. Before the subnetting, they simply told me the serial number, and I let my army of diagnosis tools hit the unsuspecting device to get an idea what’s up with it. Now they have to bring it over and set up all the attached devices here so I can run my tests.

shasta,

Surely IT can make an exception for you or create a VM with multiple NICs for you.

Rand0mA,

Or configure a local port on the dev vlan… Sounds like a corporate environment where the many IT teams don’t talk to each other, or the network team are hiding out in a comms cupboard.

argentcorvid,
@argentcorvid@midwest.social avatar

Oh my… no.

Illecors,

Hasn’t made life hell, but the general dumb following of compliance has left me baffled:

  • users must not be able to have a crontab. Crontab for users disabled.
  • compliance says nothing about systemd timers, so these work just fine 🤦

I’ve raised it with security and they just shrugged it off. Wankers.
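
The crontab/timer gap above is easy to audit once you look at both mechanisms. The block below is an added example, not anything from Illecors or their security team: it applies the crontab(1) allow/deny rule, then lists a user's systemd timers with what they run, their schedule keys, and whether they are enabled. It takes a filesystem root so it can run against a constructed tree here; on a real host you would pass "/" (the file layout assumes Debian/Ubuntu paths, and `systemctl --user list-timers --all` is the live equivalent when you have a session for that user).

```python
"""Added example, not code from the thread: a small audit for the gap
Illecors describes. Disabling crontab for users does nothing about systemd
user timers, so a control that only inspects cron reports "no scheduled
jobs" while ~/.config/systemd/user/*.timer keeps firing.

The functions take a filesystem root so they can be pointed at a constructed
tree here; use "/" on a real host. Paths assume the Debian/Ubuntu layout
(cron.allow/cron.deny in /etc, spool in /var/spool/cron/crontabs).
"""
import configparser
import os
import tempfile


def _names(path):
    with open(path) as f:
        return {line.strip() for line in f if line.strip() and not line.startswith("#")}


def cron_permitted(root, user):
    """crontab(1) access rule: cron.allow wins if present, otherwise cron.deny
    excludes, otherwise everyone may have a crontab (Debian default)."""
    allow = os.path.join(root, "etc/cron.allow")
    deny = os.path.join(root, "etc/cron.deny")
    if os.path.exists(allow):
        return user in _names(allow)
    if os.path.exists(deny):
        return user not in _names(deny)
    return True


def user_timers(home):
    """systemd user timers in ~/.config/systemd/user: what they run, their
    schedule keys, and whether they are enabled (linked into timers.target.wants)."""
    unit_dir = os.path.join(home, ".config/systemd/user")
    wants = os.path.join(unit_dir, "timers.target.wants")
    found = []
    if not os.path.isdir(unit_dir):
        return found
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".timer"):
            continue
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str  # unit keys are case-sensitive
        cp.read(os.path.join(unit_dir, name))
        timer = cp["Timer"] if cp.has_section("Timer") else {}
        found.append({
            "timer": name,
            "runs": timer.get("Unit", name[:-len(".timer")] + ".service"),
            "schedule": {k: v for k, v in timer.items() if k.startswith("On")},
            "enabled": os.path.lexists(os.path.join(wants, name)),
        })
    return found


def audit_user(root, user, home):
    """One record per user: what the cron control says, and what it misses."""
    spool = os.path.join(root, "var/spool/cron/crontabs", user)
    return {
        "user": user,
        "cron_permitted": cron_permitted(root, user),
        "crontab_present": os.path.exists(spool),
        "systemd_user_timers": user_timers(home),
    }


def build_demo_tree():
    """Constructed fixture: cron.allow lists only root (so alice cannot use
    crontab), yet alice has an enabled user timer running every five minutes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc/cron.allow"), "w") as f:
        f.write("root\n")
    home = os.path.join(root, "home/alice")
    unit_dir = os.path.join(home, ".config/systemd/user")
    os.makedirs(os.path.join(unit_dir, "timers.target.wants"))
    with open(os.path.join(unit_dir, "sync.timer"), "w") as f:
        f.write("[Unit]\nDescription=periodic sync\n\n"
                "[Timer]\nOnBootSec=2min\nOnUnitActiveSec=5min\n\n"
                "[Install]\nWantedBy=timers.target\n")
    with open(os.path.join(unit_dir, "sync.service"), "w") as f:
        f.write("[Service]\nExecStart=/home/alice/bin/sync.sh\n")
    os.symlink(os.path.join(unit_dir, "sync.timer"),
               os.path.join(unit_dir, "timers.target.wants/sync.timer"))
    return root, home


if __name__ == "__main__":
    demo_root, demo_home = build_demo_tree()
    print(audit_user(demo_root, "alice", demo_home))
```

The audit record for the fixture shows the mismatch in one line: `cron_permitted` is false, `crontab_present` is false, and the timer list still has an enabled unit with a schedule. A compliance check that stops at the first two fields is the one Illecors ran into.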

mesamunefire,

That’s really funny. Made my day, thanks.

Are they super old school and don’t know about systemd? Or are they doing something out of compliance that they may hate too? I have so many questions.

Illecors,

I actually think they’re new school enough where Linux to them means a lot less than it does to us. And so they don’t feel at home on a Linux machine and, unfortunately, don’t care to learn.

I could totally be wrong, though. Maybe I’m the moron.

mesamunefire,

I don’t think you’re the moron. That’s super strange. I can only think it might be some sort of standard that they had to comply with… or whatever.

dual_sport_dork,
@dual_sport_dork@lemmy.world avatar

Not my IT department (I am my IT department): One of the manufacturers for a brand of equipment we sell has a “Dealer Resource Center,” which consists solely of a web page where you can download the official product photography and user’s manuals, etc. for their products. This is to enable you to list their products on your e-commerce web site, or whatever.

Apparently whoever they subcontracted this to got their hands on a copy of Front End Dev For Dummies, and in order to use this you must create a mandatory account with minimum password complexity requirements, and solve a CAPTCHA every time you log in. They also require you to change your password every 60 days, and if you don’t they lock your account and you have to call their tech support.

Three major problems with this:

  1. There is no verification check that you are actually an authorized dealer of this brand of product, so any fool who finds this on Google and comes up with an email address can just create an account and away you go downloading whatever you want. If you’ve been locked out of your account and don’t feel like picking up the telephone – no problem! Just create a new one.
  2. There is no personalized content on this service. Everyone sees the same content, and it’s not like there’s a way to purchase anything on here or anything, and your “account” stores no identifying information about you or your dealership that you feel like giving it other than your email address. You are free to fill it out with a fake name if you like; no one checks. You could create an account using obvioushacker@pwned.ru and no one would notice.
  3. Every single scrap of content on this site is identical to the images and .pdf downloads already available on the manufacturer’s public web site. There is no privileged or secure content hosted in this “Resource Center” whatsoever. The pictures aren’t higher res or anything. Even the file names are the same. It’s obviously hooked up to the same backend as the manufacturer’s public web site. So if there were such a thing as a “bad actor” who wanted to obtain a complete library of glamor shots of durable goods, for some reason, there’s nothing stopping them from scraping the public web site and coming up with literally exactly the same thing.

It’s baffling.

Salsa5924,

One word: Kickback

AtariDump,

That’s three words.

Krudler,

That is only one word, dumby

d00phy,

The IT company I work for purchased me, along with some number of my coworkers and our product line, from my former employer. Leading up to the cut over, we’re told that at midnight of the change, our company email will stop working. No forwarders or anything. BUT, we will get a new email that consists of gibberish@stupidsubdomain.company.com. When the password on this new account expires (we can’t change it, because we’re no longer employees), we have to go to a website to request a password change. This emails us a link to our new company email address, but we can’t use that link. We have to manually change part of the URL for it to work. I had them manually change my password twice before I gave up on the whole process. Figured I didn’t work for them anymore. What would they do if I stopped using this bogus account/email address, fire me?

RogueBanana,

Is it actually gibberish? I have never seen a company use anything other than parts of first name last name at company.

d00phy,

I’m sure it meant something to someone, but it was just letters and numbers to me.

Zeth0s,

They set zscaler so that if I don’t access an internal service for an unknown number of months, it means I don’t need it “for my daily work”, so they block it. If I want to access it again I need to open a ticket. There is no way to know what they closed and when they’ll close something.

In the 1 month since this policy has been active, I have already opened tickets to access test databases, k8s control plane, quality control dashboards, tableau server…

I really cannot comment how wrong it is.

ShunkW,

Zscaler is one of the worst products I’ve had the displeasure to interact with. They implemented it at my old job and it said that my home Internet connection was insecure to connect to the VPN. Cyber Sec guys couldn’t figure out the issue because the logs were SO helpful.

Took working with their support to find that it has somehow identified my nonstandard address spacing on my LAN to be insecure for some reason.

I kept my work laptop on a separate vlan for obvious reasons.

Natanael,

Pretty sure it’s some misapplied heuristics for previously identified bad clients, but that should only trigger an alert (with details!) in most cases and not block you if it’s not also paired with any known malicious activity

ShunkW,

I’m going off memory from early 2021. But it was my private IP on the laptop using a Class B private address according to their support team. I was flabbergasted. Maybe they just expected every remote worker to use Class C or something. Who knows?

serial_crusher,
@serial_crusher@lemmy.basedcount.com avatar

Blocked the OWASP web site because it was categorized as “hacking materials”.

banneryear1868,

My favorite filter was “distasteful,” for a sysadmin forum page or reddit thread that had what I hoped would be relevant information.

Amends1782,

That is so retarded

countflacula,

Removed admin access for all developers without warning and without a means for us to install software. We got access back in the form of a secondary admin account a few days later, it was just annoying until then.

Brkdncr,

Local admin of your interactive account is just bad though.

glad_cat,

I had the same problem once. Every time I needed to be an admin, I had to send an email to an outsourced guy in another country, and wait one hour for an answer with a temporary password.

With WSL and Linux, I needed to be admin 3 or 4 times per day. I CCed my boss for every request. When he saw that I was waiting and doing nothing for 4 hours every day, he sent them an angry email and I got my admin account back.

The stupid restriction was meant for managers and sales people who didn’t need an admin account. It was annoying for developers.

mesamunefire,

I worked at a big name health insurance company that did the same. You would have to give them an email, wait a week, then give them a call to get them to do anything. You could not install anything yourself; it was always a person that remoted into your computer. After a month, I still didn’t have Visual Studio installed when they wanted me to work on some .NET. Then they installed the wrong version of Visual Studio. So the whole process had to be restarted.

I got a new job within 3 months and just noped out.

Lexam,

Locked down our USB ports. We work on network equipment that we have to use the USB port to log in to locally.

mesamunefire,

One place I worked at did this but had bluetooth on no issues. People brought all kinds of things to the office.

flop_leash_973,

Ours is terrible for making security policy that will impact technical solution options in a vacuum, with a few select higher level IT folks, and no one sorts out the process for using the new “secure” way first. You end up finding out that something you thought would be a day or 2 task ends up being a weeks long odyssey to define new processes and technical approaches. Or sometimes just outright abandoning the work because the headache isn’t worth it.

lightnsfw,

Ours does this too. Except they stick to their guns and we end up having to just work around the new impediment they’ve created for months until it happens to inconvenience someone with enough pull to make them change it.

GissaMittJobb,

Access to change production systems was limited to a single team, which was tasked with doing all deploys by hand, for an engineering organisation of 50+ people. Quickly becoming overloaded, they limited deploy frequency to five deploys per day, organisation-wide.

Bit of a shit-show, that one.

Aceticon,

Here in Portugal the IT guys at the National Health Service recently blocked access to the Medical Doctor’s Union website from inside the national health service intranet.

The doctors are currently refusing to work any more overtime than the annual mandatory maximum of 150h, so there are all sorts of problems in the national health service at the moment, mainly with hospitals having to close down emergency services to walk-in patients (this being AskLemmy, I’ll refrain from diving into the politics of it), so the whole thing smells of something more than a mere mistake.

Anyways, this has got to be one of the dumbest abuses of firewalling “dangerous” websites I’ve seen in a long while.

sturmblast,

I’ve got to say, after reading a couple of stories here, I can understand the frustrations, and some very legitimate stories here make a lot of sense in the context of IT teams fucking up. But I also think there’s a lot of ignorance about what people are actually trying to accomplish in some of these stories. As somebody that does IT security and a lot of compliance work: sometimes we’re doing these things because we have to, not so much because we want to.

shasta,

Doesn’t matter to the end user whose fault it is. The spirit of this discussion is what was done to make your life harder. If you want to, go ahead and read it as “IT workers, what stupid things were you mandated to do that made your workers jobs harder?” The end user doesn’t know why a thing happens, just that IT did it. They’ll complain to IT and if it’s not their fault, it’s their responsibility to push back on whoever is calling these shots. The idiot in charge won’t know any better unless he’s called out on his bullshit.

sturmblast,

I understand. I often have to explain to large groups of people why we make the choices we make as a security team, and it’s not always a very popular thing. I make a lot of people upset because security and convenience don’t really work well together.
