Tech workers - what did your IT Security team do that made your life hell and had no practical benefit?

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

_dev_null,

machine had a RW optical drive

Ah, the Private Manning protocol.

Krudler,

Less the Lady Gaga obfuscation.

We had 40,000 blank discs laying around at all times… because they were a regular part of sending art/data proofs to customers.

o_O

DaneGerous,

Disabled “unnecessary” services on all member servers including netlogon. That was a fun couple of weeks.

Krudler,

The “we’ll just disable everything until somebody complains” strategy. Idiots!

teichflamme,

Often times it’s the only strategy because most admins or system owners have no clue what services they actually need

willis936,

I am not allowed to change my wallpaper.

waterbogan,

Even worse here - we can't change the screensaver or screen lockout timeout settings!

I have a workaround by running a little looping script that keeps the screen active. It's not that I particularly object to the screensaver, but once it activates I have to Ctrl Alt Delete 3-4 times and enter my password to get my desktop open again. Also it is an active screensaver that sometimes mucks up my desktop layout (I have a multiple monitor setup).

sizzling,

That is so annoying… when I’m working from home I just start a meeting with myself in Teams to keep the pc from autolocking.

lightnegative,

That’s actually genius. Here’s me writing a script to just move the mouse randomly lol, starting a Teams meeting would’ve been way simpler

feddylemmy,

This came from your security team? I usually see it from HR / management selling it as a branding issue or “professional” thing.

Rin,

Mozilla products banned by IT because they had a vulnerability in a previous version.

Rant: It was so bullshit. I had Mozilla Firefox 115.1 installed, and Mozilla put out an advisory, like they do all the fucking time. Fujitsu made it out to be some huge huge unfixed bug the very next day in an email after the advisory was posted, and the email chain basically said “yk, we should just remove all Firefox. It’s vulnerable so it must be removed.” I wouldn’t be mad if they decided that they didn’t want to have it be a managed app, or that there was something (actually) wrong with it, or literally anything else than the fact that they didn’t bother actually reading either fucking advisory and decided to nuke something I use daily.

Dicska,

Nah mate, they were completely right. What if you install an older version, and keep using it maliciously? Oh wait, now that you mention it, I’m totally sure Edge had a similar problem at one point in the past. So refrain from using Edge, too. Or Explorer. And while we’re at it, it’s best to stay away from Chrome, as well. That had a similar vulnerability before, I’m sure. So let’s ditch that, along with Opera, Safari, Maxthon and Netscape Navigator. Just use Lynx, it’s super lightweight!

EDIT: on another thought, you should just have stopped working for the above reason. Nothing is safe anymore.

Krudler,

Can’t use Lynx either.

www.cvedetails.com/cve/CVE-2010-2810/

All web pages must now be phoned in via a touch-tone system, and delivered on paper printouts via regular post.

PoolloverNathan,

Touch-tones had some sort of vulnerability too; you’re going to have to mail in your HTTP requests.

mesamunefire,

We can't run scripts on our work laptop because of domain policy. Thing is, I am a software developer. They also do not allow Docker without some heavy approval process, nor VMs. So I'm just sitting here remoting into a machine for development… which is fine, but the machine is super slow. Also their VPN keeps going down, so all the software developers have to reconnect periodically, all at the same time.

At my prior jobs, it was all open, so it was very easy to install the tools we needed or get approval fairly quickly. It's more frustrating than anything. At least they give us software development work marked months out.

pahlimur,

Thought my work was bad. We at least can use VMs. I literally can’t do my job without one, Rockwell being what it is. Companies don’t like upgrading PLC software so I need to use old versions of windows occasionally to run old Rockwell stuff.

There was also a bug for a bit that would brick win11 PCs when trying to update PLC firmware, fun stuff.

afraid_of_zombies,

Same boat. I use dedicated laptops. This is for my old Rockwell stuff, this is for my old Siemens stuff, this is my normal laptop with AD stuff, this one for Idec, and the last one for Schneider. Pretty much every laptop at the company that gets retired becomes mine.

Also works for on site access. Customer needs support? Mail them a laptop. I got one laptop that has been in Canada, both coastlines in America, Australia, and Vietnam.

Krudler,

I cannot remember the specifics because it’s going back almost 15 years now but at one point…crontab (edit and other various vital tools) was disabled by policy.

To get necessary processes/cleanup done at night, I used a scheduled task on a Windows PC to run a BAT that opened a macro program which opened a remote shell and “typed” the commands.

Fuuuuuuck.

afraid_of_zombies,

I hate this stuff. When I had a more devops role I would just VM everything. Developers need their tools, here is a VM with root. Do what you want and backups run on Friday.

SpookySnek,

My dev pc isn’t allowed to be connected to the internet :D

mesamunefire,

Yep you have it the worst. Shut down the thread.

SpookySnek,

Wait, I haven’t even started talking about the fact it’s a huge unstructured legacy project using SharePoint 2016 and…

Where did everyone go?

afraid_of_zombies,

I had a software developer job where they expected me to write code in Microsoft notepad, put it on a USB, and then plug it into airgapped computers to test it. Wasn’t allowed to even use notepad++.

Oh it felt so freaken good leaving that job after 6 weeks. It felt even better when I used my old manager’s personal phone number on a fake grinder profile I made. She kept a tally of my bathroom breaks.

PutangInaMo,

Jump systems are a good practice but they gotta have the resources you need… I hate to say it but it sounds like y’all need to just move to a cloud platform…

disconnectikacio,

Very short screensaver timeouts, useless proxy, short timeouts from intranet pages, disabled browser extensions (making it impossible to automate our very repetitive work), daily DB access requests for work, etc.

AstralWeekends,

Screensaver?

flop_leash_973,

Ours is terrible for making security policy that will impact technical solution options in a vacuum, with a few select higher-level IT folks, and no one sorts out the process for using the new “secure” way first. You end up finding out that something you thought would be a day-or-two task is a weeks-long odyssey to define new processes and technical approaches. Or sometimes just outright abandoning the work because the headache isn’t worth it.

lightnsfw,

Ours does this too. Except they stick to their guns and we end up having to just work around the new impediment they’ve created for months until it happens to inconvenience someone with enough pull to make them change it.

FooBarrington,

I had to run experiments that generate a lot of data (think hundreds of megabytes per minute). Our laptops had very little internal storage. I wasn’t allowed to use an external drive, or my own NAS, or the company share - instead they said “can’t you just delete the older experiments?”… Sure, why would I need the experiment data I’m generating? Might as well /dev/null it!

Taringano,

Oh hey I was living this a few months ago!

GissaMittJobb,

Access to change production systems was limited to a single team, which was tasked with doing all deploys by hand, for an engineering organisation of 50+ people. Quickly becoming overloaded, they limited deploy frequency to five deploys per day, organisation-wide.

Bit of a shit-show, that one.

csm10495,

In high school they blocked dictionary.com for some reason.

SgtAStrawberry,

I’m going to guess either because it starts with dic or because you can look up dirty words on it.

willis936,

You wouldn’t want high school boys running around with enlarged dictions.

ElderWendigo,

Worse yet, the girls might become cunning linguists.

glue_snorter,

Think of the lexiconsequences

_haha_oh_wow_,

I used to work with a guy who glued the USB ports shut on his labs. I asked him why he didn’t just turn them off in BIOS and then lock BIOS behind a password and he just kinda shrugged. He wasn’t security, but it’s kinda related to your story.

¯\_(ツ)_/¯

Security where I work is pretty decent really, I don’t recall them ever doing any dumb crazy stuff. There were some things that were unpopular with some people but they had good reasons that far outweighed any complaints.

afraid_of_zombies,

I just wrote a script that let me know if usb devices changed and emailed me. It was kinda funny the one time someone unplugged a USB hub to run a vacuum. I came running as like 20 messages popped up at once.
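The commenter's script itself isn't posted. As an added example (my code, not the commenter's), here is the same idea for a Linux host: poll the USB device list, diff it against the previous poll, and hand one message per poll cycle to a notifier. It assumes the sysfs path `/sys/bus/usb/devices` and the `idVendor`/`idProduct`/`serial`/`product` attributes under it; the `notify` callable is a placeholder for whatever delivery you use (the commenter used email), and the vendor/product IDs in the comments are constructed sample values.

```python
"""Poll-and-diff USB device monitor (added example, not the commenter's script).

Takes a snapshot of attached USB devices, diffs it against the previous snapshot,
and returns change events that a notifier (email, chat, syslog) can deliver.
The live snapshot is read from Linux sysfs; the diff/alert logic is pure and can
be exercised with constructed snapshots on any platform.
"""
import os
import time
from typing import Callable, Dict, List, Tuple

SYSFS_USB = "/sys/bus/usb/devices"   # assumed Linux sysfs location

Snapshot = Dict[str, str]            # identity key -> human-readable description
Event = Tuple[str, str, str]         # ("added" | "removed", key, description)


def _read_attr(path: str) -> str:
    """Read one sysfs attribute, returning "" if it is absent or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read().strip()
    except OSError:
        return ""


def live_snapshot(root: str = SYSFS_USB) -> Snapshot:
    """Enumerate USB devices from sysfs. Returns {} when sysfs is not available."""
    snap: Snapshot = {}
    if not os.path.isdir(root):
        return snap
    for entry in sorted(os.listdir(root)):
        base = os.path.join(root, entry)
        vid = _read_attr(os.path.join(base, "idVendor"))
        pid = _read_attr(os.path.join(base, "idProduct"))
        if not vid or not pid:
            continue  # interface nodes (e.g. "1-2:1.0") carry no vendor/product IDs
        serial = _read_attr(os.path.join(base, "serial")) or "noserial"
        product = _read_attr(os.path.join(base, "product")) or "unknown product"
        # Key on vendor:product:serial rather than on the port path, so moving the
        # same stick to another port is not a "new device", but a different stick
        # of the same model is.
        snap[f"{vid}:{pid}:{serial}"] = f"{product} at {entry}"
    return snap


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Event]:
    """Return added devices first, then removed ones, each in key order."""
    events: List[Event] = []
    for key in sorted(new.keys() - old.keys()):
        events.append(("added", key, new[key]))
    for key in sorted(old.keys() - new.keys()):
        events.append(("removed", key, old[key]))
    return events


def format_alert(events: List[Event], hostname: str = "constructed-host") -> str:
    """Build one message per poll cycle, so unplugging a hub with many devices
    behind it yields a single alert rather than one message per device."""
    if not events:
        return ""
    lines = [f"[{hostname}] USB change: {len(events)} event(s)"]
    for event, key, desc in events:
        lines.append(f"  {event:<7} {key}  {desc}")
    return "\n".join(lines)


def watch(interval: float = 5.0,
          notify: Callable[[str], None] = print,
          snapshot: Callable[[], Snapshot] = live_snapshot) -> None:
    """Poll forever; `notify` is a placeholder for email/chat delivery."""
    prev = snapshot()
    while True:
        time.sleep(interval)
        cur = snapshot()
        msg = format_alert(diff_snapshots(prev, cur))
        if msg:
            notify(msg)
        prev = cur


if __name__ == "__main__":
    # Example run; constructed snapshots (Linux root hub, a receiver, a flash drive):
    before = {"1d6b:0002:noserial": "xHCI Host Controller at usb1",
              "046d:c52b:noserial": "USB Receiver at 1-2"}
    after = {"1d6b:0002:noserial": "xHCI Host Controller at usb1",
             "0781:5583:CONSTRUCTED01": "Ultra Fit at 1-3"}
    print(format_alert(diff_snapshots(before, after)))
    # watch()  # uncomment to monitor the local host
```

Keying on vendor:product:serial is what makes the alerts useful as a detection: a re-seated keyboard is a no-op, an unfamiliar mass-storage serial is not. The one-message-per-cycle batching is the fix for the "20 messages at once" failure mode the comment describes.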

Krudler, (edited)

I completely hear you.

When they did this for the stated reason of preventing data theft via thumb drive, the mice & keyboards were still plugged into their respective USB ports, and if I really wanted I could just unplug my keyboard and pop in a thumb drive. Drag, drop, data theft, done.

Further to this madness, half of the staff had USB hubs attached to their machines within a week which they had purchased at dollar stores. Like…?

At any time, if I had wanted to steal data I could have just zipped it and uploaded it to a sharing site. Or transferred it to my home PC through a virtual machine and VPN. Or burned it using the optical drive. Or come up with 50 other ways to do it under their noses and not be caught.

Basically just a bunch of dingbat IT guys in a contest to see who could find a threat behind every bush. IT policy via SlashDot articles. And the assumption that the very employees that have physical access to the computers… are the enemy.

Okay I’ll concede that SOMEWHERE in the world there exists a condition where somebody has to prevent the insertion of an unauthorized thumb drive, they don’t have access to the BIOS, they don’t have the password, or that model does not allow the disabling of the ports. No other necessary devices are plugged in by USB. Policy isn’t or can’t be set to prevent new USB devices from being added to the system. And this whole enchilada is in a high-traffic area with no physical security and many with unknown actors.

Right.

argentcorvid,

Gotta put something good on the monthly/ quarterly activity report/personnel review!

Aceticon,

Here in Portugal the IT guys at the National Health Service recently blocked access to the Medical Doctor’s Union website from inside the national health service intranet.

The doctors are currently refusing to work any more overtime than the annual mandatory maximum of 150h, so there are all sorts of problems in the national health service at the moment, mainly with hospitals having to close down emergency services to walk-in patients (this being AskLemmy, I’ll refrain from diving into the politics of it), so the whole thing smells of something more than a mere mistake.

Anyways, this has got to be one of the dumbest abuses of firewalling “dangerous” websites I’ve seen in a long while.

serial_crusher,

Blocked the OWASP web site because it was categorized as “hacking materials”.

banneryear1868,

My favorite filter was “distasteful,” for a sysadmin forum page or reddit thread that had what I hoped would be relevant information.

Amends1782,

That is so retarded

sturmblast,

I got to say, after reading a couple of stories here, I can understand the frustrations, and some very legitimate stories here make a lot of sense in the context of IT teams fucking up. But I also think there’s a lot of ignorance about what people are actually trying to accomplish in some of these stories. As somebody that does IT security and a lot of compliance work, sometimes we’re doing these things because we have to, not so much because we want to.

shasta,

Doesn’t matter to the end user whose fault it is. The spirit of this discussion is what was done to make your life harder. If you want to, go ahead and read it as “IT workers, what stupid things were you mandated to do that made your workers jobs harder?” The end user doesn’t know why a thing happens, just that IT did it. They’ll complain to IT and if it’s not their fault, it’s their responsibility to push back on whoever is calling these shots. The idiot in charge won’t know any better unless he’s called out on his bullshit.

sturmblast,

I understand. I often have to explain to large groups of people why we make the choices we make as a security team, and it’s not always a very popular thing. I make a lot of people upset because security and convenience don’t really work well together.

perviouslyiner,

Admin access needed to change the clock, which was wrong. Missed a train because of that.
