Yes Virginia, You Do Need Virus Protection
Last Friday's work day was more stressful and longer than necessary. Unfortunately, we were hit with a nasty virus that brought down our network and required most of our resources, several extra hours and the patience of our users.
In our environment, we attempt to control the anti-virus applications through a parent server. In theory, this is a perfect setup. We can make absolutely sure all PCs are protected by not allowing the user to remove or alter the app, and we can also control virus scans and roll out current definitions. It appears that there are a few holes in this particular policy. I won't go into the details, but those holes have been efficiently filled by touching every single PC within our three buildings. Red cape wearing programmers aside, I think we made great progress in preventing future breakouts.
Unfortunately, it has been tough to get the backing of PD (Product Development) in keeping foreign machines off the network. To allow a user to come into work and plug his unprotected and quite possibly infected laptop into the network is unacceptable. The last three and quite possibly four attacks have been from these laptop losers, and they were programmers to boot. Now I've added my fair share of laptops onto the network, but all have either been Apple computers or fresh machines straight from the manufacturer with anti-virus clients. What's so hard about asking? Sure, we will apply the latest OS patches and make sure your defs are up to date, but really, is five or ten minutes too much to ask to protect ourselves and their work? I think not.
Within that 24-hour shift, I had a few proud moments. As I stumbled across Vince around 1 or 2 in the morning, he sat down on the desk, looked me in the eye and said, "OK...Now I do see why virus protection is necessary." Bless your heart. He is one of the few I thought would never succumb to the realization that virus protection is a necessary evil. Maybe others will follow?
I was also proud of most of our users in being patient, but looking at how much my Inbox has filled up over my vacation, it seems that patience has worn thin. It appears we are back to normal. Pesky users and their needs.
Comments
You are never going to win the laptop battle. The best you can hope for is for the company to buy virus scanning software for people who want to bring laptops in.
Just like there's a good reason for virus protection, there's a good reason we bring laptops in. Any IT policy that doesn't take that into account would be like an IT department that thinks PD is going to someday start working banker's hours.
Posted by: vince | September 4, 2003 12:03 AM
It's actually quite easy to win the laptop battle by blocking port access. If an individual brings a laptop in, they simply ask IT to open that port. IT checks their machine and ta dah, we're on our way. Many businesses do things this way.
Banker's hours, that's classic. Still no word on my extended support hours request (sigh).
Posted by: Princess | September 4, 2003 12:09 AM
Forgive an ignorant cape-wielder, but what does port-access have to do with it? If we're talking physical ports, (Ethernet jacks, somesuch), most of the programmers have a hub/switch in their office anyway. No gain. (And you could just plug out your desktop machine and plug in the laptop)
Now, if you blocked DHCP for non-registered MAC addresses, that'd be a huge step forward. That means everybody who just plugs in a laptop without malicious intent and/or IT approval will be stopped dead in their tracks.
Step 2: Laptops get IP addresses on a separate subnet. Stuff like the DCOM virus is stopped in its tracks (except for other laptops, but that's (legitimately) not IT's problem then)
As for asking for port access - since when is IT there on weekends? And do you really want to come to the office at three in the morning just to plug in my laptop??
There are plenty of other ways how that problem could be solved, but at the core, you NEED to separate laptops from the rest of the network.
BTW: Have we revoked the cape privileges from the infection vectors?
- Robert
Posted by: groby | September 4, 2003 9:12 AM
I am SHOCKED Vince didn't believe in virus protection. It's like asking why a firewall is necessary.
As a side note, I once told a friend that nothing she does could really screw up her PC so she should learn to use it and not worry, as long as she doesn't go randomly deleting files. Hooboy. I realize now how out of date that advice is. She clicked on one popup which had a nasty cascade effect leading into her NT kernel becoming corrupt and requiring me to sit down and explain that maybe she should be a bit more careful. I'm also left with HD that needs a fresh install of Windows.
Posted by: crowdpleazr | September 4, 2003 9:56 AM
I think you are taking my quote out of context, it's not that I don't believe in virus protection (I mean, obviously, it exists), but the way the IT department shoved it down our throat just got me (and a lot of other people) pissed off.
I seem to remember a certain e-mail (not from the Princess, who knows better, of course) telling programmers to only disable protection while compiling and then flip it back on when done. (See, the virus scanner has a nasty habit of making Visual C++ hang) That someone in IT would seriously suggest this "solution" (instead of just allowing us to exclude the directories we build stuff in) shows that they have no fucking clue what we actually do or how many times in a day we actually compile, and feeds into our IT department's world-view that the entire company exists just so we can have an IT department.
An example: one of our build machines kept hanging because the virus protection mysteriously kept flipping itself back on the build directories. There have been three IT tickets to permanently exclude the build directories, and someone keeps screwing it up.
Note: the Princess is part of the solution, not the problem.
Posted by: vince | September 4, 2003 10:27 AM
ahh, yeah that sounds more like it. I just read that and I was like "wtf??" You're usually a guy who's on the ball with shit, so that just threw me for a loop.
we're actually not allowed to bring laptops in, our DHCP is set only to company MAC addresses. All incoming producers, execs etc get their own PC setup here.
Posted by: crowdpleazr | September 4, 2003 7:29 PM
Addressing all ya'll?
I'm sorry if I misunderstood, but I have to say, I totally disagree that we shoved it down ya'll's throats, man! I think some of you forget what it's like for most other companies. You, as a user, have close to zero control, certainly not local Admin privileges. IT Departments across the board set the standards because that's why we're hired, correct? We are there to protect you. Period. We are more knowledgeable in our field, just as you are in yours. We had several problems with people removing the anti-virus clients, disabling them and infecting several machines along with their own in the process. It's a means to an end. A valid one, I think.
I completely agree that turning off the RT Protection during builds is not the solution and maybe that individual should have sought a more informed solution.
As far as the buildbot goes, the issue was a new option that automatically turns on the RTP after a set amount of time.
DHCP vs. Static IP is not the solution either. What I meant by blocking the ports is foreign machines would be detected when plugged in anywhere on the network (switches included) and thus denied entry, most likely based on approved MAC Addresses.
Weekends? No matter. Three people are always on 24-7 call in the IT Department; One from Desktop, one from Network and one from Telecom. If someone needed access and it was the weekend, then we would deal with the situation, no matter the time or day. This is what we do! I think you've seen my shiny happy face there several times during the off hours for such issues :)
I understand all your points, but I am asking you to understand mine as well. I believe virus protection is absolutely necessary and since its existence was tampered with in the past, things have come to this. It has come to us forcing it upon you and giving you zero control. You can thank your fellow users for that. I agree that we have some serious communication issues between IT and PD, but welcome to the world, gentlemen! You know enough IT people, programmers and such to know not all of us are socially adept. If you have comments, suggestions or what-have-you, I suggest you make them. Try to avoid being a smartass and offer concise, intelligent and honest requests. I ask that you understand what a difficult job it is conveying these necessities to a group of men who believe, and quite possibly are, smarter than myself. We in IT know ya'll are smart, capable men. You don't need to remind us so often :) We ARE here to support you, but we are also here to protect you and yes, sometimes that is protection from your co-workers. I firmly believe that giving Admin rights to all that walk through the door is not a great idea, but until ADS, that is the best alternative for you as users. I have so much more to say, as I'm sure ya'll do as well, but I think I have covered most of it that pertains to the issue at hand.
No current red cape wearing programmers have been revoked of their privileges. That would just be heartbreaking. I love watching all of ya'll twirl around the office in them too much!
Posted by: Princess | September 4, 2003 8:09 PM
I wish to point out that official IT policy is not 'No unapproved laptops' -- it's no laptops that aren't owned/operated strictly by Midway. Direct word from the top is that the company will not install anti-virus software on personally owned machines.
Posted by: Tensten | September 4, 2003 9:43 PM
Sweetie, I hope you're fuckin' with me, cause I didn't get that memo! Which 'top' are you referring to, mine or the collective top?
Posted by: Princess | September 4, 2003 9:53 PM
I would make comments but I can't get in the IT Fort to talk to anyone - it's for 'authorized personnel only.'
Posted by: vince | September 5, 2003 12:29 AM
Dammit. It'll suck if they start restricting access by MAC address.
That will mean I'll have to bring in my off-the-shelf Linksys router that has a configurable MAC address and does NAT for anything behind it with little or no configuration.
How inconvenient is *that*?
Posted by: steve | September 5, 2003 8:45 AM
(That sound you hear is my cape fluttering)
Posted by: steve | September 5, 2003 8:45 AM
Steve's cape has been revoked! Revoked I tell you!
Posted by: Princess | September 5, 2003 10:17 AM
My previous comments were intended to be smart assed...but I went away and thought about it and there's a deeper point.
The point is that a lot more can be achieved through cooperation than through demands and mandates and (even worse) countermeasures.
Both sides have a job function to perform, and the only way both objectives can be pursued in harmony is through cooperation.
Posted by: steve | September 5, 2003 10:18 AM
Excellent point!
Time and again the problem is the MO of the IT department. The virus scanning thing was a perfect example -- I'm sorry Princess but I think you may be engaging in a little revisionist history, as I seem to remember that when the virus scanning was originally being rolled out, there was not going to be a provision for people to exclude directories. It wasn't until a few programmers yelled and shouted how this was basically going to prevent us from doing our job that the policy was changed.
So there's the beef. The IT department rolls out policies like this without even getting our input, forcing us to scream and yell. We are not children, we know a lot about computers and software, some of us have even worked on the products you are installing (cape flutters). We just want to be consulted before big changes in IT policy are made.
Posted by: vince | September 5, 2003 11:18 AM
As I mentioned to you earlier today Vince, not all of you are children, but some of you indeed are. Can't argue with that.
We do need input from our users and sometimes we don't realize it until a policy has been rolled out. That's just natural, albeit unfortunate. I think the powers that be are learning from experience.
I think you hit the nail on the head right there, buddy boy...you yell and shout. You don't have to! We are just as much adults as you are and appreciate the same amount of respect we give to you. We expect your input, value it in fact. We just wish it wouldn't come across as condescending, uppity and rude. I don't expect PD to bow down before IT, that's just ridiculous, we are after all, here to support you, but common courtesy is certainly appreciated. We are still a department in its infancy and things will come along that need patience and faith in our technical ability.
Do I think that we should have sought input from PD, absolutely. Do I wish our users were a bit more respectful in the way they give us their input, again...absolutely. I think we have started to bridge the gap of communication and hope to continue on that path.
Posted by: Princess | September 5, 2003 12:21 PM
Unfortunately, I think it's going to have to be IT that makes the running on this issue. PD always has ridiculous deadlines to meet and so of course we scream if yet another thing gets in our way.
So here's my wishlist:
- It would be nice if IT would get a better feel for what we do.
- It would be nice if IT would _anticipate_ our needs.
- It would be nice if IT took complaints as an indication that something is wrong.
- It would be nice if IT wouldn't roll out policies in a "Thou shalt" 10 commandment type-way that we *have* to break in order to do our jobs.
- It would be nice if it didn't feel like getting tech support outside of banking hours wasn't a super-big-hassle.
Calm down, Princess, none of this is aimed at you...but what you could do is list your wishlist for improving PD's conduct.
Oh, in fact, there's one more:
- It would be nice if there was a much needed IT/PD liaison role that the Princess could have specifically to encourage dialog on these issues with a nice fat salary increase to boot.
Posted by: steve | September 5, 2003 2:27 PM
Little add-on to Steve: I used the shout-and-yell approach before. (Stop looking surprised. You know I do!)
For some weird reason (I guess I'm getting older and reading the Princess' blog gives me a soft spot for IT people - or somesuch), when the last ridiculous e-mail went out, I decided to try a polite reply.
The ridiculous e-mail said that every private laptop was forbidden, a menace to the network, etc. My reply was asking (through the proper channels, even! No direct talking to the head honcho!) politely if IT could maybe give us guidelines what we could do for our private laptops to make them safer. I did not mention that I thought it ridiculous to outlaw them - I just asked what we could do to use them.
Lo and behold, the man behind the fort actually replied in person and promised something like that for the next IT newsletter. How cool is that? Moral: Even if the other side doesn't behave like you want it to, still treat them like you want to be treated yourself. It might help.
Was an eye-opener for me. It was a very nice reaction that I did not expect at all. Don't expect me to be all nice and fuzzy in the future, though - you cape wearers can live with my bitching and moaning. It's just that IT is more sensitive :)
Posted by: groby | September 8, 2003 11:22 AM