Foo - Sysadmins - pulling hair out

Maelstrom
11-25-07, 04:03 PM
Little rant here, do any of you have those users that just don't get it? They don't listen or comprehend what you say or do. They forget passwords CONSTANTLY, needing them reset every time they pee, they ignore your tutorials and help only to ask the same question every week without regard for how stupid they seem. I manage a large network on my own so I do everything from the menial (change passwords etc) to the high end stuff. While generally I love the diversity I just hate people who have such a little amount of respect for what I do, that they put the education required behind having the power to use a computer on such a low level. These people deserve typewriters. If you have a tool you use daily, pull your head out of your ass and take the time to show respect to the tool.
One of my apps recently changed its password processing in conjunction with the US CC companies enforcing PCI compliance more stringently. The password is alphanumeric non dictionary small and large case. I sent out a nice tutorial on how to generate complex passwords that are easy to remember. Postal code and first name with the last initial capitalized. Phone number and computer name etc. 5 different possibilities. I have about 200 users and 198 of them got it. One in particular refuses to try. She writes the password down, and forgets, she makes it as easy as pie and forgets, she forgets what the paper has on it and can't read. I don't get it, this isn't rocket science, it's damn easier than her job, WHY DON'T PEOPLE JUST FING GET IT.
**** they have time to whine and complain about how complicated it is, why not take that 50 minutes of whining and practice a little memory skills. I have about 100 passwords in my head, the average person should be able to maintain 5 (keep in mind all passwords can be generated by a basic set of formulaic rules which make memorizing easier), and yes, I was even so nice as to work with her to match up all the passwords she might use....
3 days later she forgot.
I blame bc bud...
/end rant
Send it here, all we have is junk!
Maelstrom
11-25-07, 04:14 PM
Send it here, all we have is junk!
And become an international dealer...naw, not worth the pains considering how strict your gov't is with lil ole pot. Doesn't mean you can't come up for a puff haha
"do any of you have those users that just don't get it. They don't listen or comprehend what you say or do."
Yea.. and those users that rant all the time.
iamlucky13
11-25-07, 06:18 PM
Ok, mini-back-rant:
I hate it when sys-admins decide that passwords have to be changed every 3 months, and given N passwords, the new one can not match any of the last N+1 passwords. All any of us do is use password1, password2, etc...so it's hardly any more secure except that by the time it gets to 15 or 20, we start to forget if we're on password16 or password17. And then to make it even more fun, they introduce a separate system that requires a change every four months, so if you try to use the same scheme, the numbers don't match up. And just for a bonus, they add in one more system with the additional rule that none of the first seven letters can match the corresponding letter position from the expired password.
As for your dumb users...implement a "security upgrade" which has the unfortunate side-effect that password resets require one hour to propagate to workstations (ie, just wait an hour to reset it). They might get the clue if every time they forget their password they're unable to use their computer for an hour.
I hate it when sys-admins decide that passwords have to be changed every 3 months, and given N passwords, the new one can not match any of the last N+1 passwords. All any of us do is use password1, password2, etc...so it's hardly any more secure except that by the time it gets to 15 or 20, we start to forget if we're on password16 or password17. And then to make it even more fun, they introduce a separate system that requires a change every four months, so if you try to use the same scheme, the numbers don't match up. And just for a bonus, they add in one more system with the additional rule that none of the first seven letters can match the corresponding letter position from the expired password.
Yep, my password at work (of forced complexity) needs changing every two months or so, and can't resemble or be any of the last 24 passwords. I can roll with it okay, but I have a feeling that it just serves to lead most people to write their passwords down, which is worse than just having a good, stationary password.
donnamb
11-25-07, 06:51 PM
I have a feeling that it just serves to lead most people to write their passwords down, which is worse than just having a good, stationary password.
I have the same feeling.
goldfishin
11-25-07, 07:00 PM
why don't they just get one of them fanger swipe thangs? i need one-a dem....
Maelstrom
11-25-07, 07:05 PM
Ok, mini-back-rant:
I hate it when sys-admins decide that passwords have to be changed every 3 months, and given N passwords, the new one can not match any of the last N+1 passwords. All any of us do is use password1, password2, etc...so it's hardly any more secure except that by the time it gets to 15 or 20, we start to forget if we're on password16 or password17. And then to make it even more fun, they introduce a separate system that requires a change every four months, so if you try to use the same scheme, the numbers don't match up. And just for a bonus, they add in one more system with the additional rule that none of the first seven letters can match the corresponding letter position from the expired password.
As for your dumb users...implement a "security upgrade" which has the unfortunate side-effect that password resets require one hour to propagate to workstations (ie, just wait an hour to reset it). They might get the clue if every time they forget their password they're unable to use their computer for an hour.
Thanks, I do in fact do that now. I refuse to change their password promptly. I agree also, the passwords are ridiculous, but not my choice. That's exactly how our passwords work (up to an 8 password history), as far as pci is concerned, if you are taking cc numbers there has to be x-level of security.
Maelstrom
11-25-07, 07:06 PM
why don't they just get one of them fanger swipe thangs? i need one-a dem....
Ancient software, that works for the pc's if need be, but they will still need something for the individual software.
Baby Rant.. Password resets should be self help and not require people intervention in all but extreme security needs.
Ok, mini-back-rant:
I hate it when sys-admins decide that passwords have to be changed every 3 months, and given N passwords, the new one can not match any of the last N+1 passwords.
Then you need to come up with a valid reason so you don't have to have your password change or extend the timing for your password changes. I have that on one system I access, but had a good reason so I got the approval for it. Went from 90 days to 180 days.
banerjek
11-25-07, 08:04 PM
I was a sysadmin for a number of years until this April (have moved on to greener pastures). Here's my take on this issue.
1) Any job that involves providing infrastructure services will be taken for granted if done well. Systems administration is an infrastructure service. The greatest praise you can get is for people to take great service for granted.
2) Systems exist to support what people need. Unless there is a compelling reason to do otherwise, systems must accommodate user behavior rather than the other way around. Users must deal with a large number of insane password rules that are sometimes contradictory. Rather than forcing users to adapt passwords you know they will write down, systems should wait sufficient time between attempts or temporarily quarantine accounts to render dictionary attacks ineffective.
3) The greatest damage to data and systems is caused by mistakes and incompetence. Recognize the real threats and know how to recover. Overzealous security does an enormous amount of damage to productivity. Real security is about making data and services available to people when and where they need it and it should be unobtrusive the way it is when you go into a bank.
4) Users should be expected to know something about the tools they use every day. Some places encourage a culture of learned helplessness which encourages workers to act as if they are unable to perform tasks that we would expect a child with no computer skills to pick up quickly. Make it clear that you know the people you serve are intelligent and expect them to act that way.
I have heard people complain that systems people don't treat everyone equally. Speaking for people I have observed as well as for myself, this is unfortunately true. It is a pleasure to help even the most unsophisticated user if s/he is really trying to get it -- most sysadmins will tread air to help someone who tries their best to help themselves first and who learns from their experiences. However, some people cause the same problem over and over and refuse to listen. These people may find systems people less responsive.
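The throttling and temporary quarantine that point 2 of the post above describes, as an added example that is not part of the original thread. The class names, the `verify` callback and the policy numbers (1 s doubling to a 60 s cap, a 15 minute quarantine on every 10th failure) are assumptions chosen for illustration; `guesses_within` counts how many dictionary guesses such a policy lets through in a given time.

```python
from dataclasses import dataclass


@dataclass
class ThrottlePolicy:
    # All values are illustrative assumptions, not taken from the thread.
    base_delay: float = 1.0          # wait after the first failure (seconds)
    max_delay: float = 60.0          # cap on the doubling per-attempt wait
    quarantine_after: int = 10       # every Nth consecutive failure quarantines
    quarantine_secs: float = 900.0   # length of the temporary quarantine


@dataclass
class AccountState:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """Per-account delay between attempts plus temporary quarantine."""

    def __init__(self, policy, verify):
        self.policy = policy
        self.verify = verify          # hypothetical callable(user, password) -> bool
        self.accounts = {}

    def attempt(self, user, password, now):
        """Return (status, retry_at); status is 'ok', 'denied' or 'blocked'."""
        p = self.policy
        st = self.accounts.setdefault(user, AccountState())
        if now < st.blocked_until:
            # The password is not checked at all while the account is blocked,
            # so a guess submitted in this window tells the guesser nothing.
            # The legitimate user is held out for the same period.
            return ("blocked", st.blocked_until)
        if self.verify(user, password):
            st.failures = 0
            st.blocked_until = 0.0
            return ("ok", now)
        st.failures += 1
        if st.failures % p.quarantine_after == 0:
            wait = p.quarantine_secs
        else:
            # Exponent is capped so the float multiplication cannot overflow.
            wait = min(p.base_delay * 2 ** min(st.failures - 1, 20), p.max_delay)
        st.blocked_until = now + wait
        return ("denied", st.blocked_until)


def guesses_within(policy, window_secs):
    """Count guesses actually checked when every guess is wrong and each
    retry arrives the instant the previous block expires (the worst case
    for the defender)."""
    throttle = LoginThrottle(policy, verify=lambda user, password: False)
    now, checked = 0.0, 0
    while now < window_secs:
        _, retry_at = throttle.attempt("victim", "guess", now)
        checked += 1
        now = retry_at
    return checked


if __name__ == "__main__":
    per_day = guesses_within(ThrottlePolicy(), 24 * 3600)
    print(f"guesses checked against one account in 24 h: {per_day}")
```

With these numbers a single account sees a few hundred checked guesses per day however fast they are submitted, which is the property that lets composition and rotation rules be relaxed.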
Maelstrom
11-25-07, 08:36 PM
I was a sysadmin for a number of years until this April (have moved on to greener pastures). Here's my take on this issue.
Congrats, I do enjoy 95% of my job. That's a pretty good success rate as far as jobs go. Bonus being I am not just a sysadmin.
1) Any job that involves providing infrastructure services will be taken for granted if done well. Systems administration is an infrastructure service. The greatest praise you can get is for people to take great service for granted.
Thanks, good insight.
2) Systems exist to support what people need. Unless there is a compelling reason to do otherwise, systems must accommodate user behavior rather than the other way around. Users must deal with a large number of insane password rules that are sometimes contradictory. Rather than forcing users to adapt passwords you know they will write down, systems should wait sufficient time between attempts or temporarily quarantine accounts to render dictionary attacks ineffective.
I agree, this is a movement done by our corporate company. Everyone and anyone who does anything with cc's (especially if it involves storage) will have a lot of growing pains in coming years. Most of it is common sense stuff, but shockingly, security is anti-service. I work in the hospitality industry and the security wizards lock things down, causing more security problems (for example, agents can't see cc's anymore, ok well now they store them in a binder ;))
3) The greatest damage to data and systems is caused by mistakes and incompetence. Recognize the real threats and know how to recover. Overzealous security does an enormous amount of damage to productivity. Real security is about making data and services available to people when and where they need it and it should be unobtrusive the way it is when you go into a bank.
Agreed.
4) Users should be expected to know something about the tools they use every day. Some places encourage a culture of learned helplessness which encourages workers to act as if they are unable to perform tasks that we would expect a child with no computer skills to pick up quickly. Make it clear that you know the people you serve are intelligent and expect them to act that way.
I make a conscious effort to educate (courses, training, faq's, I make myself available), without proper training I would never have been able to reduce staffing levels and reduce after hour calls. Back in the day, I walked into the situation you described, the team (of 5 at the time) was busy constantly with basic support calls. I worked to create simple how to's, sit down and train and reduce calls. We used to trade the pager, we would get paged minimum 1 call a night. Every morning we would wake up to 17 voicemails. Training is a key life saver for IT departments, if there is any take away from my experience here, it's that training is of the utmost importance. It reduced labour costs, on call situations, increased productivity.
I have heard people complain that systems people don't treat everyone equally. Speaking for people I have observed as well as for myself, this is unfortunately true. It is a pleasure to help even the most unsophisticated user if s/he is really trying to get it -- most sysadmins will tread air to help someone who tries their best to help themselves first and who learns from their experiences. However, some people cause the same problem over and over and refuse to listen. These people may find systems people less responsive.
The last sentence applies to my rant to be sure. I work hard to help people, I understand the idea of giving chances, and I understand "IT stuff" is difficult for some (the same way organizing a 2500-plate dinner throws me for a loop) so I work to help. This person literally said, "it's too difficult to bother remembering when you can reset it"...
Olebiker
11-25-07, 08:46 PM
Maelstrom,
Recognize anyone here? :p
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007113333116.gif
v1k1ng1001
11-25-07, 09:00 PM
4) Users should be expected to know something about the tools they use every day. Some places encourage a culture of learned helplessness which encourages workers to act as if they are unable to perform tasks that we would expect a child with no computer skills to pick up quickly. Make it clear that you know the people you serve are intelligent and expect them to act that way.
Speaking from a user's point of view, I think this is right on, especially if the following is true:
I make a conscious effort to educate (courses, training, faq's, I make myself available), without proper training I would never have been able to reduce staffing levels and reduce after hour calls. Back in the day, I walked into the situation you described, the team (of 5 at the time) was busy constantly with basic support calls. I worked to create simple how to's, sit down and train and reduce calls. We used to trade the pager, we would get paged minimum 1 call a night. Every morning we would wake up to 17 voicemails. Training is a key life saver for IT departments, if there is any take away from my experience here, it's that training is of the utmost importance. It reduced labour costs, on call situations, increased productivity.
Maelstrom
11-25-07, 10:08 PM
Maelstrom,
Recognize anyone here? :p
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007113333116.gif
Gotta love Dilbert hahaha
I have a better idea for you. Stop using stuff that require passwords!!! Inside a workplace, there's no need for passwords. If you absolutely need that hyper-extra-super-duper-mega-security, then for crying out loud, get personal cards and card readers at every computer station. There's no need whatsoever for passwords!
v1k1ng1001
11-25-07, 11:55 PM
and then everyone forgets their card at home
I have a guy here that I always have to reset the password for. It's ridiculous, and we don't even have overly-stringent requirements for passwords.
Another thing that bugs me is IT people who knowingly talk over others' heads. I really don't understand this mentality. My boss does it all the time, and many of my co-workers hate talking to him for this exact reason, so they come to me first, as I make an actual attempt to speak like a normal person would. :rolleyes:
Maelstrom
11-26-07, 08:40 AM
I have a better idea for you. Stop using stuff that require passwords!!! Inside a workplace, there's no need for passwords. If you absolutely need that hyper-extra-super-duper-mega-security, then for crying out loud, get personal cards and card readers at every computer station. There's no need whatsoever for passwords!
Stop smoking funny stuff, you obviously don't understand why almost every company requires some degree of permissions to access file rights, software etc. Some degree of authentication is required to separate the finances from human resources etc.
Also how would you create separate controls for individual pieces of ancient software that have no ability to allow access cards, security keys etc. While some (I stress some) software has that ability, most don't, so access controls need to be built into the application. Sorry but your assumption of technology's capabilities does not coincide with a lot of existing software, especially in an industry which still uses rs232 for interfacing.
Another thing that bugs me is IT people who knowingly talk over others' heads. I really don't understand this mentality. My boss does it all the time, and many of my co-workers hate talking to him for this exact reason, so they come to me first, as I make an actual attempt to speak like a normal person would.
Are you sure he's capable? For a lot of IT people this is a learned skill. I have worked with and hired more than my fair share of guys who couldn't take the conversation down a notch. It was like school all over again, teaching them how to explain stuff.
banerjek
11-26-07, 10:11 AM
I have a better idea for you. Stop using stuff that require passwords!!! Inside a workplace, there's no need for passwords. If you absolutely need that hyper-extra-super-duper-mega-security, then for crying out loud, get personal cards and card readers at every computer station. There's no need whatsoever for passwords!
Here's the problem -- sysadmins often have little control over the applications they must support. Normally, management says what applications must be supported without regard for a number of practical things -- what dependencies they have, how authentication is controlled, how you can get data in and out of the system, etc. This means that many systems problems are actually software acquisitions/choice problems.
Often, a sysadmin must install something that s/he has never heard of, has no idea what it does, nor what the people who rely on it really need. The sysadmin has to figure out how to make it run and work with everything else. Meanwhile, everyone expects that the systems people will know everything about it because it involves computers and provide training. It can be a tough job. Systems people learn about how things work the same way as everyone else -- they ask people, they read tons of documentation (often poorly written), and they experiment.
Management and users often assume that vendor support is good. Getting help takes a lot of time and is often a frustrating process. Others assume that open source stuff is always easy to use. This is often not the case and unless it is an application that you are familiar with, you have to learn how it works first.
Security is a pain, but you really need it. The trick is to make it as effective and unobtrusive as possible (which are somewhat conflicting goals). The worst security threats are actually inside jobs, and data needs to be protected from inadvertent or intentional damage -- including damage caused by systems personnel. Some people are irresponsible with information. Disgruntled, careless, and incompetent employees are extremely dangerous to data. If you are in charge of systems and a lot of data gets compromised, your head will be on a platter -- properly so, because systems that are not set up responsibly could literally ruin a company. The safety of the data I'm responsible for is something that has kept me up at night.
banerjek
11-26-07, 10:19 AM
Are you sure he's capable? For a lot of IT people this is a learned skill. I have worked with and hired more than my fair share of guys who couldn't take the conversation down a notch. It was like school all over again, teaching them how to explain stuff.
Very few systems problems cannot be articulated in a way that cannot be grasped by people without special training. When I evaluate systems personnel, one of the first things I notice is how they communicate when they are working with people with different levels of expertise.
People who speak exclusively in technobabble often don't know what they're doing -- it's impossible to clearly explain something that you don't understand yourself. If you really do understand, you'll know lots of ways to explain it.
catatonic
11-26-07, 10:20 AM
Yeah, we have guys over here that will actually come over and think I can fix a server that's literally on fire....and then when I ask them why they didn't cut power since now half the rack is on fire, they just give me this stupid look.
Those folks make me wish I could carry a cattle prod around work.
SonataInFSharp
11-26-07, 10:54 AM
Our admins here act like anyone who is not an admin is stupid and silly. I get along with them because I happen to know what they are talking about, without being an admin myself. But, they have the nerve to get upset with people who they set up to not understand in the first place.
I love it when admins say the people they are trying to help are hopeless. The "hopeless" people then come to me for help, and 5 minutes later they understand perfectly fine. They are not hopeless after all.
banerjek
11-26-07, 12:30 PM
Our admins here act like anyone who is not an admin is stupid and silly.
Classic sign of someone who is insecure and overcompensating for their own deficiencies.
thomson
11-26-07, 01:35 PM
Our admins here act like anyone who is not an admin is stupid and silly. I get along with them because I happen to know what they are talking about, without being an admin myself. But, they have the nerve to get upset with people who they set up to not understand in the first place.
I love it when admins say the people they are trying to help are hopeless. The "hopeless" people then come to me for help, and 5 minutes later they understand perfectly fine. They are not hopeless after all.
I think part of the problem is the sysadmins see themselves as the top of the food chain and the users see the sysadmins as the bottom.
Well, in that the computer is a tool to help the business, not provide for the amusement of the IT departments, it should be noted that their function is "support".
There was a book a few years back called: "The inmates are Running the Asylum" basically about how business is often held hostage by the IT department.
Now, there is a lot of blame to go around, ranging from Microsoft itself (making things unnecessarily complicated) to old computer geeks who preferred things when they were a lot more opaque, to users that mentally shut down when people are trying to explain (computer)things to them.
ModoVincere
11-26-07, 02:08 PM
Well, in that the computer is a tool to help the business, not provide for the amusement of the IT departments, it should be noted that their function is "support".
There was a book a few years back called: "The inmates are Running the Asylum" basically about how business is often held hostage by the IT department.
Now, there is a lot of blame to go around, ranging from Microsoft itself (making things unnecessarily complicated) to old computer geeks who preferred things when they were a lot more opaque, to users that mentally shut down when people are trying to explain (computer)things to them.
+1,000,000
donnamb
11-26-07, 02:23 PM
I think part of the problem is the sysadmins see themselves as the top of the food chain and the users see the sysadmins as the bottom.
:beer: I believe we have a winner.
v1k1ng1001
11-26-07, 02:30 PM
Our admins here act like anyone who is not an admin is stupid and silly. I get along with them because I happen to know what they are talking about, without being an admin myself. But, they have the nerve to get upset with people who they set up to not understand in the first place.
I love it when admins say the people they are trying to help are hopeless. The "hopeless" people then come to me for help, and 5 minutes later they understand perfectly fine. They are not hopeless after all.
Replace "admin" with "academic" and "people" with "students" and you'll have some idea of what it's like to teach at a major university.
The funny thing is that if you earn a reputation for being a good teacher, your colleagues will just assume that you're as dumb as your students.
I've been in IT for a while, and I've seen both sides, where cow-orkers [sic] deliberately liked locking things down due to ego. These people thought they were like correctional officers, assuming any user except their direct superiors were prisoners wanting a favor, and that "giving in" would mean their jobs or egos. These people I can't stand, because they taint it for people in IT that actually care about their jobs and how their department is viewed by the rest of a company. IT isn't corrections, and that attitude needs to be saved for the high security lockups, when it IS dangerous to assent to inmate requests.
Please don't condemn all IT people. Thanks to misguided regulations like SOX, if auditable security measures are not put into place, the whole business can be shut down by the SEC, and both the IT people and corporate officers whisked to prison for up to ten years. Even non publicly traded companies are shackled by SOX due to contracts with companies that are. SOX is why EMC/Clariion is making a killing because every E-mail has to be archived for seven years in corporate finance and other departments. SOX is why IT has to make people change passwords every month, and use password rules.
This is less for "real" security, than CYA. Part of IT's job is two words: Due diligence. This means CYA stuff like showing that every single corporate machine has commercial antivirus and antispyware software on it (with lots of documentation to show the auditors or SEC that this is the case), even the ten year old Ultra 10 that just does backup DNS.
One company I worked for spent thousands on McAfee antivirus products for their Solaris boxes that do nothing but just sit, and fire off as cronjobs, one cronjob firing off every four hours for grabbing updated files, another cronjob late at night to scan the machine's filesystem, looking for viruses which do not exist (because the machine doesn't share Windows files), and will never exist. All of this was so they can sign off on a single checkbox saying "All corporate machines have antivirus/antispyware" software on them.
One company I posted about a while back even was more strict. Their main customer had in its contract to require antivirus/antispyware/firewall software on all machines, and all three had to be from different certified vendors.
In any case, audits, either internal, by an external party, or (yecch) by the SEC/IRS really suck. This is why I try to get IT departments to use software like Net Octopus, Tivoli, Computer Associates, or OpenView. If people come knocking, it's not hard to generate a thorough report on anything from how many copies of Office are in use at varying times of the day, to how many machines have low RAM when it comes time to sling out the next XP service pack.
A compromise on passwords:
Consider some type of device like a SecurID keyfob, an Aladdin eToken (the NG-OTP model), a VASCO Digipass (the Digipass Go 3 is what Paypal, eBay, and VeriSign give to their customers), or some similar appliance. Then, you can relax password restrictions to every 45-60 days. This will provide two factor security, and make logging in easier for users. Someone trying to breach won't be just able to try brute force, but have to have both the user's password and the device. I personally use Aladdin eTokens for my home Active Directory setup, but mileage may vary. If you give users keyfobs, *usually* you can convince management and/or legal that an 8 character password changed every 45 days is just as secure as a keyfobless password of 12-16 characters with 2-3 numbers and symbols in it that is changed monthly and can't repeat.
eTokens/smartcards can be more secure than just passwords. For example, my Aladdin eTokens will lock after a couple missed password attempts, preventing any more attempts at access. You can have administrative recovery of this via remote (user gives a challenge hex string, user types in the response to unlock their token.) Yes, a password may be only 6-8 chars, but an attacker has 3-5 guesses before the curtain closes.
Another compromise is self-serve password reset software. PGP's server offering gives users a way to recover lost private keys, provided they remember their dog's maiden name and other questions. I know that ADSelfServicePlus is free for 50 AD users, then starts off at $395 for 500 domain users, which is reasonable compared to the time it takes for staff to reset passwords.
Lastly, if you have to _really_ lock down a sector of a company, for example, financial departments where PCs cannot even reach the Internet, you can use stuff like Remote Desktop to allow users to access a secured server for their private Web browsing. Then, the machines are certified as secure and unable to access the Internet, and users can browse their stuff on the job.
banerjek
11-26-07, 03:44 PM
Please don't condemn all IT people. Thanks to misguided regulations ...
every E-mail has to be archived for seven years in corporate finance and other departments. SOX is why IT has to make people change passwords every month, and use password rules.....
If you ever suspect the IT people of doing nothing, it could be that they're working their tails off so that they can be in compliance with laws or regulations that may or may not make sense.
Where I used to work, logging and archiving functions took more system resources than all the services we provided combined. In other words, we skimped on hardware and human resources to support mission critical services so we could log years' worth of spambot connections and archive junk that was never read and didn't need to be.
With documents and email, you'd think that managers could be held responsible to make sure necessary stuff was kept and the other pitched the same way they do with paper, fax, and phone communications. But since everyone knows that computers have infinite capabilities and require no work to maintain, they just order the systems people to keep it all. The systems people should be expected to find anything people may need in terabytes of unstructured information even though the people they serve often can't find documents they saved themselves on their own hard drives and user directories.
In the real world, you throw the garbage in garbage can. You organize stuff in a way that makes sense. However, for some reason, few people seem to think these rules apply to the computer world. I'm convinced that most regulations were written by people with little or no technical knowledge because many provisions are hideously impractical and some are outright impossible unless you had an insane budget and army of staff that you'll never get.
Maelstrom
11-26-07, 05:38 PM
Replace "admin" with "academic" and "people" with "students" and you'll have some idea of what it's like to teach at a major university.
The funny thing is that if you earn a reputation for being a good teacher, your colleagues will just assume that you're as dumb as your students.
That's unfortunate. But then again, I am fairly anti-school system. I believe most teachers have their heads too far up their asses to be effective at what they should be best at....teaching.