Linux Business

Desktop Linux Sliding in Under the Radar? 742

Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs. If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"
This discussion has been archived. No new comments can be posted.

  • IT headaches (Score:5, Insightful)

    by niko9 ( 315647 ) on Thursday July 31, 2003 @06:51PM (#6583741)
    "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications,..."

    This could make the case for desktop Linux look worse, if people are not securing their desktops and/or keeping up with security updates.
  • Remember... (Score:2, Insightful)

    by Anonymous Coward on Thursday July 31, 2003 @06:53PM (#6583752)
    One datapoint does not a trend make.

    If you told me the guy who runs General Electric's desktops found that 50% were running Linux, then you might be onto something.

    But Jr. Sysadmin flunky at tiny company in bumfuck Iowa means nothing. Nothing.

    Let's apply those critical reasoning skills, people.
  • by WillASeattle ( 661188 ) on Thursday July 31, 2003 @06:53PM (#6583757)
    Mostly with "unused" computers.

    Since they cut the training budget, we obviously had to learn new skills somehow ...
  • I've done this (Score:1, Insightful)

    by Anonymous Coward on Thursday July 31, 2003 @06:54PM (#6583767)
    I run Win2000 'officially', but Knoppix Debian on the sly - the only thing stopping me migrating completely is the lack of a working Novell client.
  • they better not (Score:1, Insightful)

    by aderusha ( 32235 ) on Thursday July 31, 2003 @06:55PM (#6583776) Homepage
    i don't deal much with desktops (i'm a server guy), but if i did "stumble across" unauthorized linux desktops, they'd be formatted with extreme prejudice. they almost certainly would have no antivirus software, no agents for our desktop license management, and almost certainly wouldn't be keeping up with security updates.

    the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.
  • Re:IT headaches (Score:3, Insightful)

    by 1lus10n ( 586635 ) on Thursday July 31, 2003 @06:57PM (#6583785) Journal
    no worse than the average NT/2000/XP install.

    and i highly doubt they were "unsecured", if these people went through the trouble of installing linux on a work machine they probably have moderate clue.

    and i'm not going to point out that no matter how "secure" your personal workstations are, that once a cracker penetrates that far into your network you're screwed.

    this guy sounds like he is getting overly paranoid about something he more than likely doesn't understand.
  • Re:VMWare rules! (Score:5, Insightful)

    by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Thursday July 31, 2003 @06:57PM (#6583794) Homepage
    Everyone in your company has $400 extra to blow on their computer to run multiple OS's? wow.... What kinda company? Pretty small, right?

    I have a hard time getting my company to purchase anything beyond the minimum tools I need (NuMega and similar were out of my pocket, since I didn't mind owning them myself). VMWare's been on the wish list - but only as a wish.

  • Nope Not at all (Score:5, Insightful)

    by visionsofmcskill ( 556169 ) <vision@NOSpam.getmp.com> on Thursday July 31, 2003 @07:03PM (#6583832) Homepage Journal
    Between Two semi-large internet companies and several smaller ones i have NEVER run into any non-IT unix/linux box amongst my users.... EVER.

    In truth beyond the server farms i've worked with at said companies the only person possessing any *nix variant has been myself (including mac os X...) While i can see this as being an occasional happening in dorkier companies... even then i find it not very likely.

    mainly because business use predominantly revolves around outlook exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerially) network administration of an all windows environment.

    I would NEVER support a linux desktop distro amongst my users.... MAC OS X ... yes.... but not Linux for any reason on god's green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as windows or macintosh... especially from a support stance.

    My personal feelings are *nix for network devices.... Windows server/client for data sharing email and so on.... and Mac os X for end users who are more inclined towards media production (basically people who aren't finance/sales).

    This setup puts the *nix boxes in my realm... and i'd be grateful that no unwitting user *accidentally* installs another DHCP, DNS, SMTP, etc... server on my network. I'd also be thankful not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use.... or how to fix their freakin window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.

    Of course this poster assumes that the people who do so, do so knowing people like myself won't support them... and more than likely will be highly un-happy with their network being potentially compromised...

    not trying to spread FUD.... but i'll wait for a tighter distro before i promote *nix on the desktop.... only one so far (with flying colors) is OSX.

  • Re:Remember... (Score:5, Insightful)

    by grungeman ( 590547 ) on Thursday July 31, 2003 @07:04PM (#6583839)
    Yes, and that is exactly why they are asking for other sysadmins' experiences. Got it?

  • Re:they better not (Score:2, Insightful)

    by pz ( 113803 ) on Thursday July 31, 2003 @07:06PM (#6583855) Journal
    ... they'd be formatted with extreme prejudice.

    And I'm sure you'd be shortly disciplined or out of a job for destroying valuable data, negotiations, documentation, whathaveyou. Sheesh, some moderators don't recognize a troll when they see one.
  • As. If. (Score:2, Insightful)

    by titzandkunt ( 623280 ) on Thursday July 31, 2003 @07:13PM (#6583900)

    And "we all know" that if he gets fired, he'll be marched straight from being told, empty his desk under supervision, and be escorted off the premises.

    Any company that lets him near a pc, networked or not, after he's been told that he's going to pursue opportunities elsewhere is being run by dolts.

    T&K.
  • Re:they better not (Score:5, Insightful)

    by invoke ( 68920 ) on Thursday July 31, 2003 @07:14PM (#6583908) Homepage
    I used to be a manager at Dell, and I can tell you that if you had presumed to format one of my or my developers' machines without first getting authorization from me, you'd be fired and "walked out of the building" the following day.

    Maybe the authorization got misrouted.
    Maybe you are wrong about either the authorization or the requirement for it.
    Maybe it was an experiment on a dept. system.
    Maybe it wasn't hooked to the network.
    Maybe we were testing the system's Linux compatibility at the end of the day and left it 'till the morning to finish.

    In my tenure at Dell, all these things were true at some point or another, and no one formatted our systems. We were too busy to get in the pissing matches that would have started.

    Certainly you should quit abusing your very limited power and try to help rather than simply jumping to conclusions.
  • Re:they better not (Score:5, Insightful)

    by Usquebaugh ( 230216 ) on Thursday July 31, 2003 @07:15PM (#6583910)
    This is why IT is not consulted. Extreme prejudice indeed!

    If end users are not supposed to do something it's your job to configure the gear so they can't. Rules forbidding something are a failure in IT.

    If the user has no agent for the desktop license management how is that a problem exactly? Either they are not using any licensed software or your management software is not too hot on the managing front.

    If you're running round playing tattle tale who do you think the finger is really pointing at? Go back to your server room and lock the door.

  • by Anonymous Coward on Thursday July 31, 2003 @07:17PM (#6583928)
    I'll bite, you forkin' moron.

    Never supported tens of thousands of users, have you? If you had, you would realize the only way to do it with a high rate of success requires uniformity on the desktop.

    Now go back to your dorm room, and try to convince your English Lit roommate you know what the hell you're talking about.
  • Re:they better not (Score:3, Insightful)

    by pixel_bc ( 265009 ) on Thursday July 31, 2003 @07:18PM (#6583935)
    > Last time I checked, there weren't
    > any imminent linux virus threats.

    That attitude works up until the world gets surprised by the first real nasty one.

    > Desktop license management?
    > I thought linux was free.

    Perhaps, if your time is worthless. But anyhow, he was referring to license management for any potential commercial software they may have illicitly installed.

    > If you have the ability to install linux,
    > you probably have the ability to install
    > security updates.

    Perhaps, but you're assuming people have the attention span. They usually don't. Don't depend on your users to go out of their way here.

    > Also, unlike windows, linux is a bit
    > more secure straight out of the box....
    > or rather, iso.

    And just as easy to make insecure, with the running of a single config script or shell script.

    I feel sorry for IT people. Users aren't generally as savvy as they think they are. :)
  • Re:Nope Not at all (Score:5, Insightful)

    by 1lus10n ( 586635 ) on Thursday July 31, 2003 @07:20PM (#6583950) Journal
    actually your post is pretty much just FUD.

    firstly you wouldn't have to worry about them installing a rogue DHCP server if you didn't give them root. As a matter of fact don't even install KDE if you don't need it. you really must have no experience with modern desktop linux installs, otherwise you would have known that: "I'd also be thankful not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use" is rather retarded since most apps work fine nowadays, Redhat has a unified desktop which makes the "visual" difference between kde and gnome moot, and redhat would support any other issues you have if you bought a support contract. same as with any other OS.

    as for streamlined management well you could simply run a local up2date server with cronjobs as necessary, and run ssh locally on the clients so that when (and this will be very rare) there is an issue you can just ssh into the box and fix it.

    i personally work at an outsourcing company, 3500 employees and we have about a 20% linux desktop install, growing slowly. why ? ease of administration. you have a policy that states what IT supports (evolution, mozilla, gaim etc) and whenever somebody asks for help with something not supported you point and say "No". And the best part is you don't have to have someone running around constantly re-imaging all of those windows boxes....

  • Re:they better not (Score:4, Insightful)

    by Soko ( 17987 ) on Thursday July 31, 2003 @07:23PM (#6583975) Homepage
    It may come as a shock to you - but the IT guys don't actually own the PCs either.

    It may be surprising to you that his job depends on ensuring corporate standards are in place and enforced on IT infrastructure.

    I understand a user wanting to run their own show on the workstation assigned to them, but if a major problem with Linux surfaces and the sysadmin didn't do anything about a non-standard installation that they knew about, that's akin to dereliction of duty, and they should be fired. A corporate environment requires stringent management, or it spirals into a huge, black, money sucking pit.

    IOW, it's up to the SA to ensure that everyone plays nice on the network. If you want to use Desktop Linux at work, ask. Maybe the sysadmin would be a lot more friendly towards the idea - I know I would.

    Soko
  • Re:they better not (Score:3, Insightful)

    by chrysrobyn ( 106763 ) * on Thursday July 31, 2003 @07:23PM (#6583978)
    the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.

    I certainly see your point. The company pays to maintain my laptop for me, the company pays for the support and pays for me not to have to worry about it. They pay you to do all that for me.

    I see my employer as someone who pays me to do a job. I'm not that good at windows. I can do many things with *nix better or faster or both. If I asked my manager if I could modify my laptop and my productivity would increase by 10%, she'd approve it. Personally, I can keep a Linux install up to date, well maintained and all the appropriate patches on it. Certainly better than the company can do that to my windows equipped laptop while they tiptoe around taking me down at inconvenient times.

    The company pays you to keep me out of trouble. The company pays me to be efficient. If I can be more efficient and keep myself out of trouble, why should you care that you have one less Windows machine to maintain (to say nothing of the grumpy luser you have to deal with)? Of course, if I get 0wned, you need to come down on me hard and make sure that my manager knows you're here to keep that from happening to me but I didn't let you.

    As far as license management goes, maybe you could work with a rogue Linux user and find out how to satiate your needs and his / hers?

  • Re:they better not (Score:2, Insightful)

    by Frostalicious ( 657235 ) on Thursday July 31, 2003 @07:27PM (#6583997) Journal
    And I'm sure you'd be shortly disciplined or out of a job for destroying valuable data, negotiations, documentation, whathaveyou. Sheesh, some moderators don't recognize a troll when they see one.

    While the parent post is rather harsh, there are plenty of organizations which would discipline you for installing unauthorized software on your machine. I know of some departments where you need authorization to install stupid stuff like ICQ or winzip.

    Lots of managers would wonder why you just spent company time to install a new OS on your machine. You would be expected to justify your actions in that the new OS somehow assists in your job performance. That would be a difficult thing to justify, seeing that if the management team believed in the benefits of Linux, your shop would probably use it already.
  • by sICE ( 92132 ) on Thursday July 31, 2003 @07:28PM (#6584005) Homepage
    Quote:

    If you are trained in computer sciences, you unconsciously tend to think that everything that is easy for you is easy also for the others; well, it's not! All the knowledge you have built during many years is a mystery for them. On the net, you often find expert and trained people, because it's the right place to find them. Everywhere else in the world, they are rare.


    _A&T [searchlores.org]

  • by innosent ( 618233 ) <jmdority&gmail,com> on Thursday July 31, 2003 @07:31PM (#6584018)
    We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

    Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
    As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.

    Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users, rather than prevent users from doing those things. Want to stop shared folders, file sharing, worms? Set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
    Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.
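The comment above argues that a MAC allow-list plus a one-time "fully patched" declaration says nothing about the host's state months later. The following is an added example, not part of the original thread, of an audit that checks both together; the inventory records, switch observations, field names and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import date

# Constructed registration records: MAC -> what the user declared at sign-up.
INVENTORY = {
    "00:0c:29:aa:10:01": {"owner": "alice", "os": "Windows XP",
                          "last_patched": date(2002, 10, 7)},
    "00:0c:29:aa:10:02": {"owner": "bob", "os": "Red Hat 9",
                          "last_patched": date(2003, 7, 20)},
    "00:0c:29:aa:10:03": {"owner": "carol", "os": "Windows 2000",
                          "last_patched": date(2003, 7, 10)},
}

# Constructed access-port observations, one "<switch> <port> <mac>" per line.
# Vendors print MACs differently, so all three common notations appear here.
OBSERVED = """\
sw1 Fa0/1 00:0C:29:AA:10:01
sw1 Fa0/2 00-0c-29-aa-10-02
sw1 Fa0/7 00:0c:29:aa:10:99
sw2 Fa0/3 00:0c:29:aa:10:02
sw2 Fa0/4 000c.29aa.1003
"""

TODAY = date(2003, 7, 31)  # constructed audit date


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observations(text):
    """Map each normalized MAC to the sorted list of (switch, port) it was seen on."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        switch, port, raw_mac = line.split()
        seen.setdefault(normalize_mac(raw_mac), set()).add((switch, port))
    return {mac: sorted(ports) for mac, ports in seen.items()}


def audit(observed_text, inventory, today, max_patch_age_days=30):
    """Return findings as (kind, mac, detail) tuples, ordered by MAC.

    unregistered   - MAC on the wire that nobody declared
    multiple-ports - one registered MAC on several access ports at once,
                     which an allow-list alone cannot tell apart
                     (assumes uplink/trunk ports are excluded from the input)
    stale-patches  - registered host whose last recorded patch date is
                     older than the threshold
    """
    findings = []
    for mac, ports in sorted(parse_observations(observed_text).items()):
        record = inventory.get(mac)
        if record is None:
            findings.append(("unregistered", mac, ports))
            continue
        if len(ports) > 1:
            findings.append(("multiple-ports", mac, ports))
        age = (today - record["last_patched"]).days
        if age > max_patch_age_days:
            findings.append(("stale-patches", mac, age))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit(OBSERVED, INVENTORY, TODAY):
        print(f"{kind:15} {mac}  {detail}")
```

The registered host whose only patch record is the registration date is the one the allow-list would wave through indefinitely; the audit flags it on age alone.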
  • Re:I only wish! (Score:5, Insightful)

    by archen ( 447353 ) on Thursday July 31, 2003 @07:39PM (#6584075)
    Installing Linux on their own is a bit much. My dreams are really simple - like I just have this button that shocks people and they just magically get a clue - like why sending a 5 meg bitmap to a guy who accesses his email through a 28.8 modem is a dumb idea.

    Actually in all honesty I wouldn't want people installing Linux on their own anyway. All users with admin privileges? I don't know what kind of heaven you're going to, but count me out! =P
  • by soft_guy ( 534437 ) on Thursday July 31, 2003 @07:40PM (#6584078)
    As a developer, this is why I hate IT departments. They are very often stupid, irrational people who follow "policy" instead of *thinking*. Fact is, the only time I need their "help" is when they have something locked up and I don't have the password or the access rights, or know the IP address of the proxy server, etc. I just had a run in with some dolt who first accused me of using a personal laptop on the company network (it's a company laptop) and who then tells me that I can't have the laptop on the network at all because it is not allowed. Why? It's a Macintosh PowerBook running OS 10.2. My job here: write software for the Macintosh. Yet, I'm not supposed to have a Mac on the network. (It has to be on the network to get to the source repository at the bare minimum.) (My solution was to lie to her and tell her it wasn't attached to the network and I was "doing tests" with the Mac. She left me alone.) Why was this dolt at my desk? Some glitch in their system caused my Windows machine to be removed from the domain and I didn't have the admin password to re-add it. I've dealt with lots of IT people - some are better than others. Generally in small companies you get people who are okay. They will at least think and respond realistically to a situation. In larger companies, I've mostly dealt with power tripping dolts. I would really prefer these folks keep their shit working and leave the responsibility of keeping my machine running correctly to me.
  • Re:they better not (Score:5, Insightful)

    by 1lus10n ( 586635 ) on Thursday July 31, 2003 @07:40PM (#6584085) Journal
    >> Last time I checked, there weren't any imminent linux virus threats.

    > That attitude works up until the world gets surprised by the first real nasty one.

    should i even bother explaining why it is damn near the most unlikely thing to happen in IT ? or should i just point out that _if_ a virus ever hits a unix there would be open source anti-virus software within a few days ? (few months max) or point out that the unix type of OS is about 30 years old. and to date there haven't been any viruses in the "wild". (and don't give me that "not attractive target" for virus writers crap either, unix still runs mainframes, bank computers, ATM's etc .... and linux and BSD run about 50% of the mid-range servers....)

    see the wonderful thing about linux is you don't have to run a damn thing as root, and the few things you do have to run as root can be chroot'd so the virus/worm can't do diddley. some linux distros come like this by default.

    >> Desktop license management? I thought linux was free.

    > Perhaps, if your time is worthless. But anyhow, he was referring to license management for any potential commercial software they may have
    > illicitly installed.

    oh please. take your gartner studies (microsoft funded BTW) and shove em'. the amount of time it takes to install and optimally config a std. linux system is in the hours worth of time. admining that same install MIGHT take 30 minutes per month. windows ? yeah friggin right, pick one of their OS's if you spend less than two hours per month admining that box it's vulnerable. this argument is moot. since anyone who is going to install linux by choice obviously wasn't bugging the IT guys and hence didn't need to be trained, so there is no time lost there.

    Linux is FREE to any person who knows what they are doing, simply because spending the few hours it takes to install frees them of the years of misery that lie behind them, and the years that would have laid ahead of them if they had still been running windows.
  • by Rinikusu ( 28164 ) on Thursday July 31, 2003 @07:41PM (#6584086)
    I killed my ISP access at home, so I need ways of moving new version of applications to my home machine without needing a network connection. While I'm at work, I download the latest .rpm's or tar files (or even Windows .exe's for my Win desktop). The problem then becomes, how to get them home? Well, I have a USB keychain device (128 megs, more than enough to hold stuff that I download, like blender (a hefty 2 megs)). The problem is, our IT "image" disables the use of removable storage devices, such as USB keychains. So, I just boot up my Knoppix CD, it automagically mounts all my drives, pop in the USB keychain and copy the files over, reboot back into Windows, done! :)

    We also have several Linux servers, but no desktops as of yet.
  • Re:they better not (Score:4, Insightful)

    by Ender Ryan ( 79406 ) on Thursday July 31, 2003 @07:43PM (#6584104) Journal
    Boy am I glad I don't work with you!

    You need to find a good surgeon to remove the stick from your ass...

    Basically, what you're saying is that you aren't confident enough with your security measures that anyone inside your network can wreak havoc? In a big company, that's pretty fuckin' pathetic; a rogue user had better not be that big of a security concern!

    the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.

    IMO, this is exactly what is wrong with corporate America. You're not a person, you're a drone, don't try to learn anything.

  • by BraveLittleHamster ( 662364 ) on Thursday July 31, 2003 @07:50PM (#6584148)

    After we began shipping a linux version of our main server product, I began to notice more and more linux desktop ( and cygwin ) installation on our staff systems. Now, even my project manager and the company owner have separate or dual boot linux desktops that see significant use. All it took to get all this going was a few internal howto documents that walked them through a simple secure installation.

    This obviously couldn't happen in a more regulated atmosphere, but at small companies like mine you can often get away with anything you want so long as you continue to be productive and do not cut into the IT budget.
    BLH

  • by swordboy ( 472941 ) on Thursday July 31, 2003 @07:57PM (#6584176) Journal
    If users will install random spyware and games on work machines, why wouldn't they do the same for an entire operating system?

    Ummm... because they can't "click" to install Linux. Sure, some of the bootable installers are pretty easy and click-able but it generally requires removing the Windows partition.

    Users are dumb.

    Create a Windows-installable Linux distro that will coexist/dual-boot on NTFS and you will have tens of MILLIONS of Linux installations. Hell... if you could make it install itself with a pop-up active-x applet, you could pull a Gator and install it without most users even knowing.

    Now *that* would be cool...
  • by boomer_rehfield ( 579777 ) on Thursday July 31, 2003 @08:05PM (#6584218)
    god forbid they have a bootable CD of morphix or some shit... Elitists are dumb.(sic)
  • by boomer_rehfield ( 579777 ) on Thursday July 31, 2003 @08:10PM (#6584240)
    If there's a box on his network that he doesn't know about then either he needs a new network analyzer or new networking people that know what they're doing. Not trying to be a jerk but you should know what is on your network and if you don't, then you're not paying attention and/or trying hard enough.
  • by KevinJoubert ( 161224 ) on Thursday July 31, 2003 @08:11PM (#6584243)
    Actually, in almost any corporate environment ...
    " The number of end-users with the skills, permission and motivation to install" WINDOWS or any other OS "on their work desktop is extremely low."

    I really can't stand it when people proclaim that Linux is somehow more complicated than Windows. It most certainly is NOT. It's simply different.
    There is something fundamentally wrong with the world when something like a Linux desktop is rejected not for its own faults, but because it's "different" than what we are used to... and what we are used to... it sucks.
    I doubt very seriously that any corporate environment, excluding a place that actually DOES computer support or development of some kind, has more than a handful of people that could install anything on any system.

    I think what MS needs to really worry about is the world waking to the fact that there are other options beside MS's proprietary document formats. In the meantime... CrossOver office anyone?

  • by hayden ( 9724 ) on Thursday July 31, 2003 @08:21PM (#6584298)
    "It's my network and anything that I don't know about gets trashed" blah blah blah *thumps chest*

    If you were actually any good at your jobs you should be asking why these people (who may or may not be risking their jobs) feel the need to install linux? What is it that the current policy doesn't provide? Why has sysadmin become so unapproachable that they did it without asking (this should be an easy one)?

    Actually do something useful rather than wandering around the network marking your territory.

  • by natmsincome.com ( 528791 ) <adinobro@gmail.com> on Thursday July 31, 2003 @08:24PM (#6584316) Homepage
    Management!

    I don't really care about support either. Most of the time I don't use it and when I'm forced to I'm often way out of their league already.

    The main reason why you pay for support that you don't need is for management. Support is like insurance you don't really want to use it but if something goes wrong you want it to be fixed. If you died tomorrow they want someone that can fix it if it breaks.

    So while it doesn't make sense at first in the end it does.
  • by 1lus10n ( 586635 ) on Thursday July 31, 2003 @08:39PM (#6584393) Journal
    " People who hold the above attitude are very BAD admins.... our role in general is to make people happy as best we can without going over-board."

    and my setting a "No" policy on unsupported software is different from a policy of "acceptable" software how ? someone is still saying no, i am not a hard ass, but i also have no reason to get some half shit mail client to work when evolution already does so.

    My entire post was based on the thought of "rather than being a flaming asshole perhaps you should work WITH the users to make linux work." because if they are installing linux there is obviously a reason for it. your job as a sys-admin is to make shit work, what if linux works better for XYZ marketing crap than windows ? then what ?

    you install a specific set of programs, same as on windows. thereby limiting the "variables" involved. you seem to think that Linux must have 3G worth of unused crap installed. you know what "NEEDS" to be installed in most cases is rather simple: X, gnome, evolution, mozilla, gaim, vim, ssh. that's it, if they need openoffice then stick that on there. just because kde is included as an install OPTION doesn't mean its needed. The job of the sysadmin is to get shit to work, but no sysadmin can support everything, and as such the realm of what is supported must be limited. simple as that.

    As to your "no" policy... i seriously laugh at you. If you're in the business of shooting down your users ... you're not a very good sysadmin. While you most certainly shouldn't encourage or offer active support for non-approved SW... Users are users, and simply want their shit to work. The more you can facilitate that with ease the better the admin you are. that's "support".

    you just completely missed the boat. my job is to make the shit that is necessary work. sorry they by and large don't need to see the latest homestar cartoon. go away. some half shit un-needed third party crap is not my job, and them even trying to install it when there is already a working alternative is a waste of company time.

  • Re:IT headaches (Score:4, Insightful)

    by 1lus10n ( 586635 ) on Thursday July 31, 2003 @08:42PM (#6584408) Journal
    why are you comparing a four year old version of linux to the current version of windows ?

    but a standard desktop install of 9 is one HELL of a lot more secure by default than any windows version i have seen.

    NOTE: desktop implies no server services.
  • Re:they better not (Score:4, Insightful)

    by jonesvery ( 121897 ) on Thursday July 31, 2003 @08:46PM (#6584423) Homepage Journal
    should i even bother explaining why it is damn near the most unlikely thing to happen in IT ? [...] or point out that the unix type of OS is about 30 years old. and to date there haven't been any viruses in the "wild".

    Ummm...actually, in 1988 (fifteen years ago) Robert Morris wrote a worm that attacked UNIX machines via a number of different routes (holes in sendmail, finger, and a few other approaches that I don't recall at the moment). In the space of something like 24 hours, Morris' worm brought thousands of computers to a grinding halt (a fair percentage of the machines that were networked in the US at that time), and those computers were running UNIX.

    This is actually the worrisome issue: a *NIX is not inherently more secure than anything else. I think that there are UNIX-based machines out there that are far more secure than anything else you can find, but that's because those particular machines are administered by paranoid freaks...paranoid freaks that are extremely good at what they do... :)

    I'm guessing that this isn't the case, but if your position is that "'I don't have to run a damn thing as root' and therefore my linux box is by definition going to be secure forever," then you're going to get screwed -- and screwed hard -- one of these days.

  • by Anonymous Coward on Thursday July 31, 2003 @08:49PM (#6584436)
    Because they're doing it behind his back maybe? Methinks you should look up the word spy in the dictionary.

    If I ever found out my employers were spying on me, they would probably have my resignation by the end of the day.
  • Re:IT headaches (Score:3, Insightful)

    by crucini ( 98210 ) on Thursday July 31, 2003 @08:50PM (#6584437)
    I think your view is much too curmudgeonly. The job of IT is to support the organization, not cripple it. If users are setting up insecure Linux machines, you work with them to bring them up to snuff. That's what I've seen from good IT departments.

    I'm talking about desktop PC's. If you're talking about something else, then it's a different ball game.
  • by KevinJoubert ( 161224 ) on Thursday July 31, 2003 @08:55PM (#6584456)
    I think we are forgetting something fundamental here... the whole idea of policies and security with respect to installing rogue applications stems from the fact that Windows and Windows networks are so damn easy to completely break.

    If I install a program as a user on my Linux box, or even in my user space on the departmental server... it has no effect WHATSOEVER on the rest of the server or the other users. That's what a multi-user OS "is". You can't even TOUCH that with ANY Windows implementation.

    This discussion is not about "Oh, I can break into any box and install Linux". Sure you can. There is no way to stop. Lock it up? pick the lock. Remove the floppy and cdrom? install one or do a network install via crossover cable and another box. Blah blah blah.

    The idea is that Linux IS in far more places than people know. And it will only grow in the future. Will it supplant MS as the "King of the desktop"? Who the hell cares... but people have a choice now.. and they ARE choosing it.
  • by nurb432 ( 527695 ) on Thursday July 31, 2003 @08:56PM (#6584461) Homepage Journal
    While many here may think it's cute, it's a bad bad bad thing to have users running around installing an OS on your network without your prior approval.

    Not cool.
  • Re:Not exactly ... (Score:5, Insightful)

    by VPN3000 ( 561717 ) on Thursday July 31, 2003 @09:17PM (#6584550)
    I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk seized the machine and re-imaged it with Windows 2000" routine.

    I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to keep into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.

    Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days.. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.

    Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the iceberg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.

    Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an environment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

    My stories are actual events portrayed by actors.
  • by adagioforstrings ( 192285 ) on Thursday July 31, 2003 @09:18PM (#6584558)
    A lot of people here are bashing this guy, some even with some good reasons. However, it really comes down to company policy. At my workplace, and probably his, there is little room for interpretation or bending of the rules. My company is Fortune 200, so standardization is a very big thing. We use Windows, which wouldn't be my choice of an OS, but it's not my choice!

    The company makes volume licensing agreements which means we HAVE to use certain software. Since software licensing can be a liability, ALL machines are required to have audit software, including *nix boxes! In fact, Linux is explicitly prohibited except where VP approval is obtained, so as SA for my site, I definitely would show extreme prejudice if I found a Linux installation. Moreover, we even tell users that we reserve the right to reimage their PCs at any time. They keep things on their local drives at their own risk. Again, it's not about the way *I* think things should be (because I definitely hate administering Windows boxes), it's about what I'm paid to do (and when I'm ready to find another job because I don't like these software policies, I'll do that).

    The point is, if it's against the rules, prepare to face the consequences, whatever they may be (be happy if your workplace doesn't care). If you get approval to run a box, good for you, but your local IT damn well should know about it.

  • Re:they better not (Score:1, Insightful)

    by Anonymous Coward on Thursday July 31, 2003 @09:37PM (#6584662)
    should i even bother explaining why it is damn near the most unlikely thing to happen in IT ? [...] or point out that the unix type of OS is about 30 years old. and to date there haven't been any viruses in the "wild".

    Ummm...actually, in 1988 (fifteen years ago) Robert Morris wrote a worm


    WORM, not virus.

    that attacked UNIX machines via a number of different routes (holes in sendmail, finger, and a few other approaches that I don't recall at the moment).

    FYI:

    THE SENDMAIL ATTACK:

    In the sendmail attack, the worm opens a TCP connection to another
    machine's sendmail (the SMTP port), invokes debug mode, and sends a
    RCPT TO that requests its data be piped through a shell.

    THE FINGERD ATTACK:

    In the fingerd attack, it tries to infiltrate systems via a bug in
    fingerd, the finger daemon. Apparently this is where most of its
    success was (not in sendmail, as was originally reported).

    THE RSH/REXEC ATTACK:

    The third way it tried to get into systems was via the .rhosts and /etc/hosts.equiv files to determine 'trusted' hosts where it might be
    able to migrate to.

    The above is from http://www.worm.net/page_worm.txt
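
The third route quoted above depends on `.rhosts` and `/etc/hosts.equiv` trust entries. As an added example (not part of the comment or of the write-up it quotes), this Python audit flags wildcard trust entries and trust files that group or others can write; the sample entries are constructed, and the severity labels and the choice to skip deny entries are assumptions of this example.

```python
"""Audit rsh/rlogin trust files (.rhosts, /etc/hosts.equiv) for risky entries."""
import os
import stat
import sys

# Constructed sample in hosts.equiv syntax: "host [user]" per line.
SAMPLE = """\
# constructed sample, not taken from a real host
build01.example.com
+ +
fileserver.example.com +
+
-oldhost.example.com
+@admins
"""


def parse_trust_line(line):
    """Return (host, user) for an entry, or None for blank/comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)


def classify(host, user):
    """Map one entry to (severity, reason); None for explicit deny entries."""
    # Simplification (assumption): entries with a leading "-" only deny, so skip them.
    if host.startswith("-") or (user is not None and user.startswith("-")):
        return None
    if host == "+" and user == "+":
        return "critical", "any user on any host is trusted"
    if host == "+":
        return "high", "every remote host is trusted"
    if user == "+":
        return "high", "every user on %s is trusted" % host
    if host.startswith("+@") or (user is not None and user.startswith("+@")):
        return "medium", "trust granted to a whole netgroup"
    return "info", "%s is trusted without a password" % host


def audit_trust_text(text):
    """Return [(line_number, severity, reason)] for every trust-granting entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_trust_line(line)
        if entry is None:
            continue
        verdict = classify(*entry)
        if verdict is not None:
            findings.append((lineno,) + verdict)
    return findings


def audit_trust_file(path):
    """Audit a file on disk; a finding on line 0 describes the file itself."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "high", "file is writable by group or others"))
    with open(path, "r", errors="replace") as handle:
        findings.extend(audit_trust_text(handle.read()))
    return findings


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for finding in audit_trust_text(SAMPLE):
            print("<sample>:%d [%s] %s" % finding)
    for target in targets:
        for finding in audit_trust_file(target):
            print("%s:%d [%s] %s" % ((target,) + finding))
```

Run with no arguments it reports on the constructed sample; given paths such as `/etc/hosts.equiv` or a user's `.rhosts`, it audits those files.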
  • by swordgeek ( 112599 ) on Thursday July 31, 2003 @09:53PM (#6584767) Journal
    Balls!

    First of all, I don't do desktop support--I work entirely on the heavy server end, and am fairly regularly calling the desktop guys for permission to install this software or that on my PC (if I have one--most of the time these days, a Sun box does everything I need).

    But any medium+ sized company will have a policy (and it's generally a blanket policy) about installing software without authorisation. This is a Good Thing, with a Good Reason: Companies are LIABLE for their machines!

    Install a virus on your work PC and infect half the planet? The company is liable. Put Kazaa (etc.) on your machine and download (or worse--share out) hundreds of movies? The company is liable for the copyright violations. Install Linux and cause various problems due to bad software (which is what the article indicated), and the company's liable. Install Linux, lock it down intelligently, and do your job productively with it, and...there's no real liability. Should the company then have a SPECIAL rule for ***YOU*** because you're so elite and well, special? No. It's very simple. If the policy is there, then anyone who violates it deserves to be dealt with ruthlessly, regardless of the motives.

    ASK your administrator, dammit! Even those funny Windows folks are usually Good People, and quite happy to let you do your job better, as long as it doesn't screw up the rest of the company. If you decide to ignore them and do what you want, and then get in trouble, do you know how much sympathy you get?

    Zero.

    And do you know how much sympathy you deserve?

    Zero.
  • Re:where I work (Score:1, Insightful)

    by Anonymous Coward on Thursday July 31, 2003 @09:59PM (#6584806)
    My bet is that in this case had developers asked for Linux boxes they would have got them. Holy hell was raised because of the sloppy and insecure user installs, not out of some vocational personality defect.
  • Re:IT headaches (Score:5, Insightful)

    by Anonymous Coward on Thursday July 31, 2003 @10:27PM (#6584970)
    >> If management at our company asked for Linux, we would have to say no.

    Yeah, telling your boss no is such a great way to keep your job. The conversation would go like this.

    Boss: "I hear that this Linux thing is saving other companies millions of dollars a year. Let's do a test pilot."

    You: "No."

    Boss: "OoooooKay... Why not?"

    You: "We don't know anything about Linux in the entire IT department."

    Boss: "But from everything I am reading it is the next BIG THING [TM]"

    You: "We don't know anything. And even though I don't know anything, I am guessing that it costs more to install, train and hire for it."

    Boss: "Isn't that what a pilot program would tell us? I tell you what. Hire someone who knows Linux and have them perform a pilot."

    You: "No."

    Boss: "Look, I am getting a little tired of this. Do what I say."

    You: "No."

    Boss: "You're fired."

    You: "Booo Hoooo!"

    >> None of us know Linux very well, unfortunately.

    You don't know Linux? Is your head buried in the sand? Haven't you been hearing more and more and more about Linux over the past 5 years? Do you have so little motivation that you can't download a free iso image from the internet, burn it to a blank CDROM and then install Linux on an old Pentium computer you have just laying around?

    >>It would cost a fortune in training and hiring as well as the labor involved changing everyone over.

    Actually, the payback for switching over to Linux is immediate and begins paying back the first year, if Linux will work for you at all. Do a pilot program and see if it will work for your company. At the very least, even if you keep using windows look at switching the non power users over to open office.

    >> Besides, with our Dell account we basically get the OS for free when we buy PC's.

    Oh, you pay.
  • Re:Not exactly ... (Score:5, Insightful)

    by Geek of Tech ( 678002 ) on Thursday July 31, 2003 @11:16PM (#6585196) Homepage Journal
    Not trying to be flamebait, but, uh, if someone had a desire to compile a program, couldn't they just download MingW32 or DJGPP or something else?
    I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
    And aren't the chances actually better of getting some form of backdoor greater for windows? Picking them up via email, bad downloads, even browser security flaws.

    I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.

  • Re:Not exactly ... (Score:5, Insightful)

    by BrokenHalo ( 565198 ) on Thursday July 31, 2003 @11:32PM (#6585283)
    I'm sorry, but I believe your post is largely FUD. It really depends on what type of work your shop needs to do. If you have a large number of people using their computers for a range of operations, it is counter-productive to force staff to use any operating system that, for whatever reason, they see as sub-optimal, no matter whether it be Windows, MacOSX or BeOS.

    In my case (I'm a scientist) I would be seriously inconvenienced if some pointy-headed bureaucratic fool came along and overwrote my Linux partitions with Windows, and my immediate reaction would be to take it up with his boss.

    You seem to be operating on the premise that all staff are luddites, vandals or criminals and not to be trusted. I would have thought that, far from losing sleep over this, you should be pleased that this is one person who is not going to be passing out viruses via Lookout Express. In any case, as long as you implement sensible policies (firewalling, quotas or whatever you need to do) there is no reason why your network should not operate transparently without applying unnecessary restrictions.

  • by Malcontent ( 40834 ) on Friday August 01, 2003 @12:06AM (#6585426)
    " The point is, a sysadmin can patch and update winders machines remotely and en masse."

    Really? How?
  • Re:Not exactly ... (Score:2, Insightful)

    by Anonymous Coward on Friday August 01, 2003 @12:20AM (#6585494)
    Jeez. Are you claiming that choice of OS makes it more difficult for discontent workers to do bad stuff inside your firewalls? That's just load of bollocks. There are enough rootkits and sniffers one can run on Windows to make it irrelevant whether someone has a Windows, Linux or BSD work station.

    That is; key distinction is not the OS, but whether the person in question is INSIDE or OUTSIDE your secure network. If they are inside, it's much more difficult to secure anything in the intranet. Not impossible but difficult; need to make sure users have no admin/root access to their own systems, can not boot from CD or floppy; all the things one would do for publicly accessible terminals. Easiest way to do this would be to use, say, x-terminals (SunRays or such).

  • Re:Not exactly ... (Score:5, Insightful)

    by hellraizr ( 694242 ) on Friday August 01, 2003 @12:55AM (#6585649)
    I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 separate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter environments. this view is typical of the MCSE type IT person who eats, sleeps, sh!t's and breathe's micro$oft and ZDnet. I personally have noticed a lot more personal freedom to run whatever OS you choose, as long as you're firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see myself doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extremely exploitable by nature. in trying to put up a protection point you expose yourself to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control a lot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in it's sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if you're a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".
  • by 0x0d0a ( 568518 ) on Friday August 01, 2003 @04:35AM (#6586285) Journal
    1) You have to be kidding. You can use attack software on *any* OS. Linux is no weaker (and actually a bit stronger in that it has some semblance of local security) than Windows here.

    2) If you seize machines and reimage them to fit with some policy you're following, your ass would be heading out of town from mass user complaints at any company I've been at. You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done. I simply am amazed at the total lack of regard for the employee, and lack of perspective you've displayed. You could disconnect the thing from the network. You could ask the user to move his files to another machine so that you can reformat it, though I think you're already pushing the limits. But when you simply grab a machine and reformat it, you're in a position where you are a liability to your company. When the developer tells his boss that IT wiped out his work, his boss tells his boss, and his boss tells his VP, I guarantee that your boss will not cover for you.

    You want him having direct access to the 'net without a proxy?

    WTF does this have to do with what OS you're running?

    I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits.

    This is ridiculously paranoid. I've seen the occasional IT type who considers the users he is supporting his enemies, but this is beyond belief.

    What if he's okay but his box ended up getting owned because he downloaded bad BitchX source?

    What if the same damn thing happened because he downloaded a Word file to his Windows box? Which of the two happens in far greater numbers?

    That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical.

    You've worked in an 8,000 unit shop and you honestly believe you have zero penetrations? And your setup is such that you need to spend three days and nights mirroring HD images *after* an attack?

    This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again

    And again, WTF does the OS have to do with this?

    Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share.

    Ridiculous. This is a theoretically possible but completely impractical story of what might happen in an attack.

    Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax.

    Amazing. God, I'm glad the IT people that support me have different views.

    (All those workstations came with an OS you paid for anyway).

    The infamous sunk cost fallacy. Which they teach you to avoid in Business 101.

    I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

    It's not. That kind of behavior from IT would generate serious user complaints where I work. Matter of fact, IT is trying to quickly adapt to support people that want to use Linux here, and has compiled resources for them. That's what I consider doing a good, solid job. Helping the users instead of attacking them.
  • Re:Not exactly ... (Score:5, Insightful)

    by VPN3000 ( 561717 ) on Friday August 01, 2003 @08:15AM (#6586770)
    No FUD, sir. Information Security groups have got to view the employees of a large company as untrusted, unproven people as a whole. Our capitalist and litigation happy society requires this. It's not like when you go through any other form of security it's loving and trusting. Look at airport security, the police, anything to do with protection usually starts off with the attitude of not being too terribly trusting.

    Also, I was not trying to give a full IS procedure, just a quick run of some thoughts of what I have experienced in the past decade.

    For starters:

    Linux, MacOS, etc is not 'sub-optimal', if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

    Your situation is what would be considered a special case by an IT staff. You are a scientist. Silly goose, you will probably need all kinds of things a typical employee will not need. Think about the percentage of scientists versus customer service reps and support people in call centers. Think of the costs associated with each one of these people annually versus what you cost. It's a big difference.

    You speak at the end about trust and the suggestion that a network operate transparently without many restrictions. You have to understand that most companies are not in the ISP business for their employees. If you sit down in front of a computer in an office, it's their network, their assets, their butt on the line, their bandwidth costs, etc.

    For example, I have worked in a group whose new office was suffering terribly. About a 1400 user network, but the bandwidth leaving the building was always pegged. Upon watching traffic for a few days, it appeared that a major portion was porn and streaming media traffic. We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization. This sort of thing is very cost effective and saves people from themselves (female employee walks up on porn mongering male, female complains, male goes unpunished, female cooks up discrimination suit, etc -- just preventative medicine, not a cure for a likely issue in the future).

    I guess those who are knocking my tales have never been exposed to a real IT group before. Either that, or they are prepared to lose their jobs someday due to a lack of enforcement or policy that matches your typical fortune 500 company. The suits will not have much pity for your balls to give excess freedom to employees with their investor-purchased resources.

    The downfall of your average geek is the inability to ever see things from an executive, bean counter, or investor's point of view. Threats are real, liability is real, the end result of your investments are real. The joy of an office behind a very trusting packet filter is short lived and a flagrant disregard for company assets, especially if the company is publicly held. Your investors are well within their power to take you to court and sue you for every dime you have if there is big enough loss associated with an act that was easily prevented. We never know the limitations of these types of suits because they are civil and not criminal. In a civil suit, you never know if you are going to be made an example. For instance, the massive settlements on people burning themselves with McDonalds coffee. You just don't know what's going to happen. At least with a criminal case, there are boundaries clearly defined by law.

    You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy. I promise I won't pick apart or call FUD when you speak of something technical regarding your line of work... That is, if you don't tell me fictitious realities about how e
  • Re:Not exactly ... (Score:5, Insightful)

    by madfgurtbn ( 321041 ) on Friday August 01, 2003 @08:49AM (#6586950)
    You are scaring me... :-)

    First a minor quibble--you say:
    if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

    If a worker is more productive in a different OS or Office Suite or whatever, then the monetary cost of that unused software is insignificant. Not to mention that the company shouldn't be buying software unless it will be used.

    The bigger problem with your entire post and attitude toward users is best seen here:

    People need to quit thinking they have rights to anything in an office. You do what they say or find work elsewhere. There's a big job market out there right now, lots of options, right? :)

    I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for its employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use.

    Or which OS.
  • Re:Not exactly ... (Score:3, Insightful)

    by VPN3000 ( 561717 ) on Friday August 01, 2003 @09:42AM (#6587395)
    "I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for its employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use."

    I'm not saying it's the way things should be. It's just the way things have evolved in larger companies. The reality of a 'right to work' state is basically what I said. It's just like office dress codes, codes of conduct, etc in the workplace.

    I would quit dribbling over worries about what OS is used and that sort of thing. Just think about all the poor saps in this world who are stuck having their hair cut a certain way, wearing uniforms, being forced to address any slime-ball customer as 'sir' or 'ma'am', codes against visible tattoos, etc. These are far more intrusive control measures employers inflict on their employees, not to mention far more widespread than, say, a tight IT policy where Jill can access all the databases required to do her work, but not her favorite manporn site.

    Notice though, how I never said that any of these companies do not allow various OS's in particular circumstances. It's just another of 1000 rules in any corporation. To get around the problem, simply fill out a helpdesk request for permission/reasons for the need of a 'non-standard' OS to be installed and they can get with your technical lead and make sure the request is valid and you are in the clear if there is a job need for it.

    Anyway, always assume my thoughts in these posts are incomplete. I just type and hit submit. My goal is to generate thoughts more than to give factual details with all my points well covered.
  • Re:Not exactly ... (Score:3, Insightful)

    by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Friday August 01, 2003 @10:36AM (#6587878) Homepage
    I'm the IT guy at my (small) company (I also wear many other hats around here). Anyway, my job is to do the following: support everyone else in what they are doing.

    When people buy machines, they don't go through me. They have to justify it through the accounting guy. I only get involved if they don't know how to set it up on the network. In fact, I usually don't know about computer purchases until _after_ they've arrived.

    The reason? People use what they need to get the job done. That's not my business. My business is to help all the computers talk to each other so that we are more productive.

    The threat facing companies is not someone installing their own OS on the computer. The threat is every person who doesn't know about computers running Outlook.

    We run Windows 9x, 2000, XP, Mac OS 9, Mac OS X, and RHL here, and I just keep Appletalk, NFS, and SMB running on the server, as well as DHCP.

    I have never seen a company with a truly secure intranet - most of them are just appearances of security. To have a truly secure intranet it requires that you implement security policies that waste time and productivity. When severe security policies are implemented, the users just go around them, making it even more secure than if there were lax protocols.

    Case in point - the _big_ company I used to work for kept all of their root passwords for their UNIX machines in an access database that was available on the intranet, and on several desktops. I'm sure they had access restrictions on the file, but really, trusting SMB for every server's root password? Putting them all in the same file, in an Access database, where many users copied it locally to their own hard drive?

    If you don't believe me, email me and I'll tell you which company I'm referring to.
  • Re:Not exactly ... (Score:1, Insightful)

    by Anonymous Coward on Friday August 01, 2003 @11:17AM (#6588288)
    I think you've completely missed the point that the replies are trying to make.

    You have a very concisely worded, coherent, almost literary post on how the IT department views themselves as the enemy of all computer users in their charge. Nicely done. You've pretty much displayed the epitome of the IT head that every script kiddie in the world is trying to rape.

    There is nothing invalid in your statements on the whole. You've expressed exactly the concerns of upper management and how both people and capital investment are just systems... all can be liquidated and easily replaced. All need to be viciously chained to corporate regulations in an effort to protect yourself from the shadowy unknown of civil liability lawsuits. Thus giving upper management a constant reason to whine, flex their muscles and justify their otherwise palsy existence... and enabling the lawyers to stay on retainer for yet another year.

    Lighten up.

    Most people here are simply trying to tell you that it doesn't matter how the IT runs their department... you're going to have to deal with internal damage. It's part of life. Someone is going to use that only open port to connect to the outside world and do what they want to do. Whether that's an ftp connection for exporting intellectual property... or downloading porn. In the end the IT department can only make it more difficult, but can not stop it.

    In reality, if you treat your users like the enemy... you will get your pants torn off and butt F*@# hard, all because you treat your employees like any one else on the streets... and not as part of a team. If they themselves don't know how to do it, I guarantee there's a friend of theirs who does. And since you've been so kind as to homogenize the system so that all diversity is removed, your vulnerabilities are MUCH more exposed.

    Treat people as if they're Jews on the way to Auschwitz, and you're just the engineer... and see what happens.
  • Re:Not exactly ... (Score:2, Insightful)

    by SyniK ( 11922 ) <(moc.yadzremag) (ta) (mot)> on Friday August 01, 2003 @11:20AM (#6588324) Homepage Journal
    Point 1:
    No one is willing to pay for security any more! No one gives a damn! So your Information Security claim is irrelevant. Why is Windows on the desktop? Because it's quick and it's easy and when it gets hacked you just reinstall. It's cheaper to ignore the security problem.

    Point 2:
    Yes threats are real (see point 1), but you have products to ship, contracts to uphold, and work to get done. If Linux allows you to do that faster, it makes good business sense. If you don't want to pay the tech support people $3 more because they have to know Linux as well... It makes good business sense to have Linux be hush, hush.
