Tech workers - what did your IT Security team do that made your life hell and had no practical benefit?

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

Hogger85b,

Set the automatic timeout for admin accounts to 15 minutes... meaning that for a process that may take an hour or so, you have to wiggle the mouse or it logs out... not locks... logs out.

From installs to copying log files, to moving data to reassigning owner of data to the service account.

netburnr,

There is no compliance item I am aware of that has that requirement, some CISO needs to learn to read.

Hobo,

Misunderstood STIG from the sound of it. The STIG is only applicable to unprivileged users but tends to get applied to all workstations regardless of user privileges. Also I think the .mil STIG GPOs apply it to all workstations regardless of privileges.

The other thing that tends to get overlooked is that AC-12 lets you set it to whatever the heck you want. So you could theoretically set it to 99999 years by policy if you wanted.

www.stigviewer.com/stig/…/V-69243

chiliedogg,

And that’s why people use mouse jigglers and keep their computers unlocked 24/7.

fat_stig,

Mine was removed by Corporate IT, along with a bunch of other open source stuff that made my life bearable.

Also I spent 5 months with our cyber security guys to try and provide a simple file replication server for my team working in a remote office with shit internet connectivity. I gave up; the spooks put up a solid defense, pushing all the onerous IT security compliance checking onto my desk instead of taking control.

Not as bad as my previous company though, outsourced IT support to ATOS was a nightmare.

0xD,

The internal IT at that hellhole is a nightmare as well.

FooBarrington,

That’s why you buy a jiggler that you place your mouse onto. Not detectable by IT :)

lightnsfw,

I set my pocket knife on the ctrl key when I have to step away.

lazylion_ca,

That works?

lightnsfw,

Idk about every application but it keeps windows from timing out which serves most purposes for me.

FooBarrington,

Does that keep your status in Teams as “online”? That’s what I use the jiggler for - if I’m waiting for CI tests which take 30+ minutes and I sit in front of the laptop, I don’t want to have to manually jiggle my mouse every couple of minutes just to keep my status.

lightnsfw,

Yep

FooBarrington,

Awesome, thank you!

Krudler,

Ahhh the old “level up an RPG Skill by jamming a pen cap into a key and going to watch Night Court reruns” method.

Thanks, I actually didn’t know holding CTRL would keep the system awake!

fat_stig,

After mine was disabled, I found that if I run videos of old meetings or training onscreen, it keeps the system alive…

Works nicely when I’m WFH.

Aceticon,

It’s reasonably easy to make a hardware mouse wiggler with an Arduino Micro (and I don’t mean something that physically moves a mouse, rather something that looks like a USB mouse to the computer and periodically sends mouse movement messages).

If you’re desperate enough, look it up as it’s quite simple so there should be step by step instructions out there.

drudoo,

Absolutely love my Uno keyboard for this keyhive.xyz/shop/uno-single-key-keyboard

Got like 6 commands on a single key and one of them is to press shift every 30 seconds so my computer doesn’t lock. Lifesaver.

glue_snorter,

I used a Sidewinder keyboard for years with programmable macros.

Yeah, I had my password as a macro.

Dick move on my part as the macro, I’m fairly sure, is stored in plaintext on the PC. But the convenience was great. I don’t do that any more.

Aceticon,

Yeah, it’s surprisingly simple to get these microcontrollers to become essentially programmable keyboard/mouse emulators, by which point if you’re familiar with the stuff to program them (Arduino being the simplest and most widespread framework) it really just becomes a coding task and you can get it to do crazy stuff.

I suggested an Arduino Micro board because it bypasses the whole hardware side of the problem, but something like what you mention is even simpler.

steal_your_face,

Can also just buy one from Amazon if you’re lazy or not technically inclined.

Aceticon,

Well, my off the cuff suggestion was what seems simple to me in this domain ;)

That said I get what you mean and agree.

d00phy,

The IT company I work for purchased me, along with some number of my coworkers and our product line from my former employer. Leading up to the cut over, we’re told that on midnight of the change, our company email will stop working. No forwarders or anything. BUT, we will get a new email that consists of gibberish@stupidsubdomain.company.com. When the password on this new account expires, because we can’t change it because we’re no longer employees, we have to go to a website to request a password change. This emails us a link to our new company email address, but we can’t use that link. We have to manually change part of the URL for it to work. I had them manually change my password twice before I gave up on the whole process. Figured I didn’t work for them anymore. What would they do if I stopped using this bogus account/email address, fire me?

RogueBanana,

Is it actually gibberish? I have never seen a company use anything other than parts of first name last name at company.

d00phy,

I’m sure it meant something to someone, but it was just letters and numbers to me.

tsz,

Mine refuses to use IPMI. Also all switches use the same password.

thisbenzingring,

I was a network administrator at a site, which just made me a glorified system admin with responsibility for the network and switches.

Everyone in the IT Dept had the password for the switches. After one person gave a 3rd party vendor the password, I had to change the passwords and exclude him from having it… but then everyone else got the password.

That place was nuts, between that and a few other stupid boss actions, I just moved on. Found a much better job and it was for the best.

Canopyflyer,

Over 150 Major Incidents in a single month.

Formerly, I was on the Major Incident Response team for a national insurance company. IT Security has always been in their own ivory tower in every company I’ve worked for. But this company IT Security department was about the worst case I’ve ever seen up until that time and since.

They refused to file changes, or discuss any type of change control with the rest of IT. I get that Change Management is a bitch for most of IT, but if you want to avoid major outages, file a fucking Change record and follow the approval process. The security directors would get some harebrained idea in a meeting in the morning and assign one of their barely competent techs to implement it that afternoon. They’d bring down whatever system they were fucking with. Then my team had to spend hours, usually after business hours, figuring out why a system, which had not seen a change control in two weeks, suddenly stopped working. Would security send someone to the MI meeting? Of course not. What would happen is, we would call the IT Security response team and ask if anything changed on their end. Suddenly 20 minutes later everything was back up and running. With the MI team not doing anything. We would try to talk to security and ask what they changed. They answered “nothing” every god damn time.

They got their asses handed to them when they brought down a billing system which brought in over $10 Billion (yes with a “B”) a year and people could not pay their bills. That outage went straight to the CIO and even the CEO sat in on that call. All of the sudden there was a hard change freeze for a month and security was required to file changes in the common IT record system, which was ServiceNow at the time.

We went from 150 major outages (defined as having financial, or reputation impact to the company) in a single month to 4 or 5.

Fuck IT Security. It’s a very important part of every IT Department, but it is almost always filled with the most narcissistic incompetent asshats of the entire industry.

Seasm0ke,

Jesus Christ, I never thought I’d be happy to have a change control process.

Tar_alcaran,

Lots of safety measures really suck. But they generally get implemented because the alternative is far worse.

Machindo,

At my current company all changes have to happen via GitHub PR and commit because we use GitOps (ex: ArgoCD with Kubernetes). Any changes you do manually are immediately overwritten when ArgoCD notices the config drift.

This makes development more annoying sometimes but I’m so damn glad when I can immediately look at GitHub for an audit trail and source of truth.

It wasn’t InfoSec in this case but I had an annoying tech lead that would merge to main without telling people, so anytime something broke I had his GitHub activity bookmarked and could rule that out first.

shasta,

You can also lock down the repo to require approvals before merge into main branch to avoid this.

Machindo,

Since we were on the platform team we were all GitHub admins 😩. So it all relied on trust. Is there a way to block even admins?

shasta,

Hm can’t say. I’m using bitbucket and it does block admins, though they all have the ability to go into settings and remove the approval requirement. No one does though because then the bad devs would be able to get changes in without reviews.

Machindo,

That sounds like a good idea. I’ll take another look at GitHub settings. Thanks!

Canopyflyer,

The past several years I have been working more as a process engineer than a technical one. I’ve worked in Problem Management, Change Management, and currently in Incident for a major defense contractor (yes, you’ve heard of it). So I’ve been on both sides. Documenting an incident is a PITA. File a Change record to restart a server that is in an otherwise healthy cluster? You’re kidding, right? What the hell is a “Problem” record and why do I need to mess with it?

All things I’ve heard and even thought over the years. What it comes down to, the difference between a Mom and Pop operation, that has limited scalability and a full Enterprise Environment that can support a multi-billion dollar business… Is documentation. That’s what those numb nuts in that Insurance Company were too stupid to understand.

Krudler,

You poor man. I’ve worked with those exact fukkin’ bozos.

RaoulDook,

Lack of a Change Control process has nothing to do with IT Security except within the domain of Availability. Part of Security is ensuring IT systems are available and working.

You simply experienced working at an organization with poor enforcement of Change Control policies. That was a mistake of oversight, because with competent oversight anyone causing outages by making unapproved changes that cause an outage would be reprimanded and instructed to follow policy properly.

Treczoks,

The network has been subnetted into departments. Problem: I, from development, get calls from service about devices that have issues. Before the subnetting, they simply told me the serial number, and I let my army of diagnosis tools hit the unsuspecting device to get an idea what’s up with it. Now they have to bring it over and set up all the attached devices here so I can run my tests.

shasta,

Surely IT can make an exception for you or create a VM with multiple NICs for you.

Rand0mA,

Or configure a local port on the dev VLAN… Sounds like a corporate environment where the many IT teams don’t talk to each other, or the network team are hiding out in a comms cupboard.

argentcorvid,

Oh my… no.

perviouslyiner,

Admin access needed to change the clock, which was wrong. Missed a train because of that.

sturmblast,

I got to say, after reading a couple stories here, I can understand the frustrations, and some very legitimate stories here make a lot of sense in the context of IT teams fucking up. But I also think there’s a lot of ignorance about what people are actually trying to accomplish in some of these stories. As somebody that does IT security and a lot of compliance work, sometimes we’re doing these things because we have to, not so much that we want to.

shasta,

Doesn’t matter to the end user whose fault it is. The spirit of this discussion is what was done to make your life harder. If you want to, go ahead and read it as “IT workers, what stupid things were you mandated to do that made your workers jobs harder?” The end user doesn’t know why a thing happens, just that IT did it. They’ll complain to IT and if it’s not their fault, it’s their responsibility to push back on whoever is calling these shots. The idiot in charge won’t know any better unless he’s called out on his bullshit.

sturmblast,

I understand. I often have to explain to large groups of people why we make the choices we make as a security team, and it’s not always a very popular thing. I make a lot of people upset because security and convenience don’t really work well together.

serial_crusher,

Blocked the OWASP web site because it was categorized as “hacking materials”.

banneryear1868,

My favorite filter was “distasteful,” for a sysadmin forum page or reddit thread that had what I hoped would be relevant information.

Amends1782,

That is so retarded

Aceticon,

Here in Portugal the IT guys at the National Health Service recently blocked access to the Medical Doctor’s Union website from inside the national health service intranet.

The doctors are currently refusing to work any more overtime than the annual mandatory maximum of 150h, so there are all sorts of problems in the national health service at the moment, mainly with hospitals having to close down emergency services to walk-in patients (this being AskLemmy, I’ll refrain from diving into the politics of it), so the whole thing smells of something more than a mere mistake.

Anyways, this has got to be one of the dumbest abuses of firewalling “dangerous” websites I’ve seen in a long while.

_haha_oh_wow_,

I used to work with a guy who glued the USB ports shut on his labs. I asked him why he didn’t just turn them off in BIOS and then lock BIOS behind a password and he just kinda shrugged. He wasn’t security, but it’s kinda related to your story.

¯\_(ツ)_/¯

Security where I work is pretty decent really, I don’t recall them ever doing any dumb crazy stuff. There were some things that were unpopular with some people but they had good reasons that far outweighed any complaints.

afraid_of_zombies,

I just wrote a script that let me know if usb devices changed and emailed me. It was kinda funny the one time someone unplugged a USB hub to run a vacuum. I came running as like 20 messages popped up at once.
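A minimal version of that kind of monitor, added here as an illustration and not the poster’s own script: it snapshots the devices Linux exposes under /sys/bus/usb/devices, diffs consecutive snapshots, and hands one combined alert per change (so a yanked hub yields a single message listing every device that vanished, rather than one per device) to a notify callback; the notify callback, the poll interval, and the sample device entries in comments are assumptions.

```python
"""Poll sysfs for USB device changes and report added/removed devices."""
import os
import time

SYSFS_USB = "/sys/bus/usb/devices"  # where the Linux kernel enumerates USB devices


def _read(path):
    """Read one sysfs attribute, returning '' if it is absent or unreadable."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def snapshot(root=SYSFS_USB):
    """Return {bus_path: 'vid:pid product'} for every device currently enumerated.

    Interface entries (names containing ':') are skipped: only device nodes
    expose idVendor/idProduct. Returns {} when the directory does not exist
    (e.g. on a non-Linux host).
    """
    devices = {}
    if not os.path.isdir(root):
        return devices
    for name in sorted(os.listdir(root)):
        if ":" in name:
            continue
        vid = _read(os.path.join(root, name, "idVendor"))
        pid = _read(os.path.join(root, name, "idProduct"))
        if not vid or not pid:
            continue
        product = _read(os.path.join(root, name, "product"))
        devices[name] = f"{vid}:{pid} {product}".strip()
    return devices


def diff(before, after):
    """Return (added, removed) as sorted lists of 'bus_path vid:pid product'."""
    added = sorted(f"{k} {after[k]}" for k in after.keys() - before.keys())
    removed = sorted(f"{k} {before[k]}" for k in before.keys() - after.keys())
    return added, removed


def format_alert(added, removed):
    """Build the alert body; an empty string means nothing changed."""
    lines = [f"+ {d}" for d in added] + [f"- {d}" for d in removed]
    return "\n".join(lines)


def watch(interval=5, notify=print):
    """Poll forever, passing each non-empty alert body to notify() (assumed callback)."""
    last = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        body = format_alert(*diff(last, current))
        if body:
            notify(body)
        last = current


if __name__ == "__main__":
    watch()
```

Swap `notify=print` for a function that sends mail (for example via smtplib) to get the email behaviour described; the diff and snapshot logic is unchanged.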

Krudler, (edited)

I completely hear you.

When they did this for the stated reason of preventing data theft via thumb drive, the mice & keyboards were still plugged into their respective USB ports, and if I really wanted I could just unplug my keyboard and pop in a thumb drive. Drag, drop, data theft, done.

Further to this madness, half of the staff had USB hubs attached to their machines within a week which they had purchased at dollar stores. Like…?

At any time, if I had wanted to steal data I could have just zipped it and uploaded it to a sharing site. Or transferred it to my home PC through a virtual machine and VPN. Or burned it using the optical drive. Or come up with 50 other ways to do it under their noses and not be caught.

Basically just a bunch of dingbat IT guys in a contest to see who could find a threat behind every bush. IT policy via SlashDot articles. And the assumption that the very employees that have physical access to the computers… are the enemy.

Okay I’ll concede that SOMEWHERE in the world there exists a condition where somebody has to prevent the insertion of an unauthorized thumb drive, they don’t have access to the BIOS, they don’t have the password, or that model does not allow the disabling of the ports. No other necessary devices are plugged in by USB. Policy isn’t or can’t be set to prevent new USB devices from being added to the system. And this whole enchilada is in a high-traffic area with no physical security and many with unknown actors.

Right.

argentcorvid,

Gotta put something good on the monthly/ quarterly activity report/personnel review!

csm10495,

In high school they blocked dictionary.com for some reason.

SgtAStrawberry,

I’m going to guess either because it starts with dic or because you can look up dirty words on it.

willis936,

You wouldn’t want high school boys running around with enlarged dictions.

ElderWendigo,

Worse yet, the girls might become cunning linguists.

glue_snorter,

Think of the lexiconsequences

GissaMittJobb,

Access to change production systems was limited to a single team, which was tasked with doing all deploys by hand, for an engineering organisation of 50+ people. Quickly becoming overloaded, they limited deploy frequency to five deploys per day, organisation-wide.

Bit of a shit-show, that one.

FooBarrington,

I had to run experiments that generate a lot of data (think hundreds of megabytes per minute). Our laptops had very little internal storage. I wasn’t allowed to use an external drive, or my own NAS, or the company share - instead they said “can’t you just delete the older experiments?”… Sure, why would I need the experiment data I’m generating? Might as well /dev/null it!

Taringano,

Oh hey I was living this a few months ago!

flop_leash_973,

Ours is terrible for making security policy that will impact technical solution options in a vacuum with a few select higher level IT folks and no one sorts out the process to using the new “secure” way first. Ending up in finding out something you thought would be a day or 2 task ends up being a weeks long odyssey to define new processes and technical approaches. Or sometimes just out right abandoning the work because the headache isn’t worth it.

lightnsfw,

Ours does this too. Except they stick to their guns and we end up having to just work around the new impediment they’ve created for months until it happens to inconvenience someone with enough pull to make them change it.

disconnectikacio,

Very short screensaver timeouts, useless proxy, short timeouts from intranet pages, disabled browser extensions to make it impossible to automatize our very repetitive work, daily DB access requests for work, etc.

AstralWeekends,

Screensaver?
