back to article Locking antlers with a network Nazi

Some contracting jobs are fun. I love the sexy ones that task me with rolling my own data center or spending a week’s worth of off hours poking holes in someone else’s network. Some contracting jobs are terrible; 14 consecutive hours of testing cables and ghosting workstations will leave me a gibbering mental wasteland. One …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Big Brother

    SEP

    Shitmantec Endpoint Protection has been causing us no end of woes: BSODs, LiveUpdates bringing our fileserver to its knees, mass updates clobbering our Virtual Infrastructure, etc. The only reason to run it is evidently for the reporting functionality, which means it's right up the alley of the sort of control freak who ran your job site.

    1. neb
      WTF?

      ah...

      ...a fellow serf of the en aitch ess?

    2. Ammaross Danan
      FAIL

      BSODs et al

      Apparently you have some configuration issues. Our Symantec EPP runs happily with our VI and actual end points and I have yet to see a single BSOD from it. LiveUpdates, albeit beefy (7GB for the mix of machines on our network) works fine. Reporting is great. Catches most virii, but some malware (browser toolbars mainly) still make it in. I know which machines are affected by such malware because EPP catches the virii that the malware tries to stuff on the machine, thus flagging it in the manager for me to have properly sanitized.

      Granted, our setup is no where near as Nazi'd as the situation the poor author ran into, which is why the AC is getting BSODs, likely utilizing such measures.

  2. Anonymous Coward
    Anonymous Coward

    Hmm...

    Clearly, the unprepared client is a pain in the arse. However, I thought at least they have some proper security implemented - until the fourth last paragraph...

  3. Rinsey

    WTF

    are sysadmins doing using Norton anything?

    1. Queos lvl42 mage
      Thumb Up

      Damn Straight!

      I used to push Norton AV* to my clients, until that Symantec 'Licensing Portal' started up and took me two months to get a damn upgrade license a few years ago. Then it was Eset NOD32, still is when people absolutely must pay for AV.

      ^Norton System Works (360 now) was always a PIA and caused more issues than it solved.

      One caveat though - Ghost - right up there next to sliced bread that one.

      1. Paul 129
        Linux

        Try open source, and get rid of ghost ;-)

        Linux can set you free.... netcat, ntfsclone, et al. Only thing I havn't done with it is multicast images. I'm not a corporate bod, so I havn't needed to sort out that option yet. Fast? Faster than the version of ghost id got my mitts on :-)

        1. Trevor_Pott Gold badge

          Ghost

          Reminds me of http://www.theregister.co.uk/2010/05/26/desktop_deployment/

    2. Tim Bates

      They aren't.

      Norton <insert variation here> is made by Symantec.

      Symantec Endpoint Protection is also made by Symantec.

      However, much like MS Office is not MS Windows, NortonAV is not SEP.

      I quite like SEP in it's standalone configuration... But the management console is a lesson in how not to write small programs! It basically kills my laptop (admittedly some years old, but it's got 2.5GB of RAM and a dual core CPU) even with just one client using it.

  4. J. Cook Silver badge
    Pint

    Good lord!

    O.O They locked down the domain Admin account?!?!?! Not a network Nazi (I might qualify as that if I ever get a blank check to build my own iteration of a secure network), but more of a minion of the aforementioned cthulu, or some other eldritch horror.

    Beer, because you deserve one.

  5. KLane
    Thumb Up

    Removing SEP

    Been there, done that!

    I have successfully used AppRemover (http://www.appremover.com) to get rid of Symantec Endpoint Protection when I need to decommission a PC (remove corp software) but don't want to wipe it. Hope that helps in the future!

  6. M Gale

    Nothing quite so interesting.

    That said, I do the occasional cash-in-hand thing for people. In this particular case, a web-site thing for a particular person. Problem is when, after spending hours making, testing and re-testing a order section that allows someone to mouse-drag their desired size of material and charges them X amount per 6 square inch block depending on how many total blocks there are.. it spends two days online and the guy says "can you just do this LITTLE thing?"

    Oh yeah. A little thing that requires changing the entire pricing logic structure so there are now 66 individual prices (instead of the logic saying 'X number of blocks which is Y price per block which is Z total price'), effectively 66 individual little PayPal "add to cart" buttons in a grid that have to be priced manually. Then he changes his mind again and wants to remove that bit entirely, and just offer 12 different sizes. This after I've gotten most of the way through implementing the changes.

    Oh and then he wants to change it so the sizes are measured in centimetres. After specifying inches from the start, so the entire goddamned pricing structure needs to be changed. Again.

    Grr. Grr, and an argh to go with it. If I was being paid consultant wages I wouldn't be complaining so much...

    1. Trevor_Pott Gold badge

      I feel you, sir.

      Scope creep sucks.

    2. Al fazed
      WTF?

      I believe

      an Service Level Agreement would have been handy.

      I've had a number of clients try this one and it just doesn't wash around here.

      New SLA please with a bigger bill attached.

      A lot of clients have no idea what they want, until you show them the end product.

      Then they suddenly get the "great ideas", which include treating the contractor like a chump.

      ALF

      1. Anonymous Coward
        Headmaster

        @I believe

        surely you mean contract, as it was an external supplier.

        woohoo, I've finally managed to apply some of my ITIL training!

  7. Al fazed
    Unhappy

    Without an End Point

    Server to blame or Symantic security software to screw with things, I was recently flummoxed when my own laptop (running XP) could no longer pass through my Router onto the internet.

    The wireless NIC was working and the router's signal at full strength. Encryption details were as configured in my notes, dealing with this machine by a fixed IP address for wireless connectivity. Just to keep me confused, I could log in to my router, and access my Web Server on this network by it's local Network IP address, but not via it's domain name.

    Everything worked just fine with a CAT5 cable connection.

    I had to admit that I wasn't going to be paying myself for this task.

    So, after two hours dicking about, checking the array of Windows Services modules, again and again, setting up a new wireless networking configuration and disabling the laptop's firewall and anti-virus, produced only the kill switch and bugger all else.

    Other than completely resetting my router, or the laptop, I was stumped then and I still am.

    This exercise didn't do a lot for my self confidence as I have been attaching wired and wireless devices to networks for about 15 years and never experienced anyting like this ...........

    ALF defeated by XP Home

    1. Trevor_Pott Gold badge

      ALF:

      Sounds like a corrupt TCP stack. NOt so common anymore, but it does happen.Remove IPv4 *and* IPv6 from all NICs. (Don't forget 1394!) Reboot. Re-add IPv4 and IPv6 to all NICs. Alternately, sometimes Start --> Command --> SFC /SCANNOW will solve it.

      1. Paul 129
        Pint

        If your lucky

        The other source of this type of thing is some viruses. These can be an absolute bugger to remove, at times (weird hooks in the registry). I do home PC repairs, ie backups, origional media == /dev/null, and your scenario is probably my most hated.

        Good Luck

    2. Tim Bates

      2 commands to run

      netsh winsock reset

      netsh int ip reset logfile.txt

      Could also be a buggered wireless card...

      1. tony trolle
        Pint

        I've had one of those "buggered" cards

        worked fine for 3 months in system then system started to "lock up"

        Worked fine with USB dongle and 3-com NIC for over 6 months after (then sold)

        Funny thing is "buggered" card worked fine in other systems and still does.

        And I did clean installs on a clean harddrive to pinpoint Mr "buggered"

  8. Anonymous Coward
    Anonymous Coward

    I don't have stories like this to share

    I run into a brick mental wall trying to recall them. Price of a burnout trying to do all that and more for an imploded dot-com. Why I didn't get out a year and a half earlier than the two years I ended up st(r)aying is still beyond me; it would have saved a considerable amount of lasting damage. One consequence is that I no longer will touch anything redmond. So sorry.

    Oh, alright, one then. Get a call some sales guy can't get onto the vpn. It's actually interesting how that works --a homebrew time-bound one-time-use password sent through registered SMS implemented in perl-- but this wasn't the time that some bozo in the USoA liked to drop the leading 1 from the CID, royally screwing up the identification, so nothing much to tell about that part other than "it worked". So on with the show.

    "So what's your IP address then?"

    "Er, 192.168...."

    "Aight, hold it <fires up tcpdump on the vpn box> and try and connect again please"

    So I see packets incoming and outgoing. His VPN apparently doesn't see packets incoming. Some tracing showed that the packets on the return leg got lost between $state_telco and $uptier_carrier, over in another country. So kick the problem up to my ISP, a small but highly clueful outfit. On no more evidence than my traceroute they fixed up their BGP preferences to make this thing work again. Kudos to them.

    Cue a few weeks later, another call, same problem. Turns out the big guys yonder finally figured out something was amiss in their network and fixed it; breaking my upstream's preferences. So I kicked it up to them again. They fixed that inside of two minutes and then apologized. That got them a lengthy note of thanks that they really needn't apologize for something they put in on my behalf earlier, and that I am indeed a happy customer with that sort of service. That was one of the few happy incidents at that burnout job.

  9. The Librarian

    Oook

    Once spent an entire Friday afternoon with a lanalyzer trouble-shhoting a thin ethernet segment that "occasionally crashes, but only when most of the systems connected are switched on", only to find that a "senior manager" had decided to hook something from his home up to it by stringing a new piece of make-before-break ethernet up to a new t-piece, and connecting a additional 50ohm terminator onto the other side of the t-piece. The lanalyzer couldn't make any sense of the segment, and was reporting breaks/shorts on a completely random basis, dependent on where I hooked it up, until I finally got all the way round the office segment to find the masterful piece of work from upper managerment looking me in the face.

    I had to pick my words very carefully at that point.

    The only bright side was that the office in question was only 10 minutes from home.

    1. Anonymous Coward
      Anonymous Coward

      Pffft, thin ethernet

      ten seconds with a multimeter would have told you what you needed to know and then a TDR would have pinpointed it for you if it was a large enough run to stop you walking it.

      1. John Smith 19 Gold badge
        Unhappy

        AC@:29

        "ten seconds with a multimeter would have told you what you needed to know and then a TDR would have pinpointed it for you if it was a large enough run to stop you walking it."

        We could not afford a TDR.

        We cold not afford the multimeter.

        We played find the loose connector the old fashioned way.

        No fun at 2am in the morning.

  10. Ken Hagan Gold badge

    I'm puzzled

    "go to the site, rename and readdress up to five PCs to meet the newest conventions. Remove Office Pro and install Office Standard to ensure proper license compliance"

    Yep. That's simple enough.

    So who the hell configured their domain? He (for my spider sense tells me it probably isn't a she) is clearly an evil soul, but equally clearly knows enough to do the job and yet it never occurred to the management to ask this person *who they are already paying*.

    Truly, er, ... interesting.

    1. Trevor_Pott Gold badge

      @Ken Hagan

      Absolutely no idea. I was a subcontractor. Some dude out of the center of the universe asked me to look at this, as he had no other wetware in my city. He was managing wetware packets all over the country, and I get the feeling we weren't the only country involved in this particular change.

      I am not even sure if the fellow that contracted me for the job was directly contracted by the company that owned the network. I got the distinct impression there were /at least/ two layers of contractors above me. Maybe as many as four.

      Who installed the thing? Haven’t the foggiest. What I want to know is...why the sweet merciful mother of fnord this all couldn't have been done centrally? The client systems had Teamviewer installed, but the Fortinet box programmed by the follower of Cthulhu was blocking the Teamviewer client from calling home. (How hard is it to whitelist Teamviewer's servers, really?) This sort of thing should have been handelled from a central location, using a remote control app.

      I mean, for the love of $deity, these were XP Pro Systems. On a domain! They have RDP capability built into the OS that is controllable via GPO! Why they needed a tech onsite to do a simple rename/readdress/reinstall of an Office ab is absolutely beyond me. Not htat I mind. In theory I'll get paid for this. It just makes me go "hmm..."

  11. CasaNegra
    Thumb Up

    They did not try hard enough

    Had they finished the job and hardcoded Proxy settings into the browsers and stopped modifications of this, you really would ahve been scuppered. Great Article

    1. Trevor_Pott Gold badge

      @CasaNegra

      They did. Fortunately, Domain Admins could still turn the proxy settings off for thier user. End users couldn't. You're right though; Windows XP has no wget. If the Domain Admin couldn't change the proxy settings, I would have been Q_Qing into my coffee.

  12. Anonymous Coward
    Pint

    I Hate SEP

    'Nuf said, its Friday.

    1. Michael Wojcik Silver badge

      Indeed, SEP is dreadful

      The Symantec software from the past several years has to be among the absolute worst software I've seen in the past quarter-century or so: abysmal usability, horrendous resource consumption, and riddled with bugs. And SEP is the worst of the lot.

      I've never - not once - seen it do anything useful, either. So it's pointless if the user's knowledgeable and halfway intelligent; and we all know that the idiots will always manage to do some damage regardless of anti-malware, unless the machine's isolated to the point of uselessness. (And then they'll probably spill something on it.)

  13. Anonymous Coward
    Thumb Up

    Just today, actually.

    Posting anonymously as my client reads the reg, but this tickled me.

    Not quite the same, but on a similar note of dealing with weird problems and finding surprisingly obvious solutions, I went out to a site in the middle of knowhere, where Outlook 2007 on Windows 7 was having problems - lots of 'not responding' for 30-60 seconds at a time, hooked up to a Kerio mailserver on the Offline Connector it uses to cache email locally.

    After muchos messing around, the receptionist told me she didn't have any of the problems that the boss had, so I checked her machine out. AVGs email scanner was not installed, as Kerio has it's own AV scanner.

    Ok, change AVGs install to drop the email scanner (I don't trust 'disabling' services - remove 'em or don't bother) and retry. Bingo, now any slowdown is perfectly understandable as the guys mailbox is a few gigabytes in size. Nice.

    I get a call from the (seperate company) who use the office upstairs. Similar problems, but my colleague has spent three months back and forth with Kerios support peeps in the US going through debug reports trying to find the cause of these lockups.

    I go up there, reinstall AVG without the email scanner, and I couldn't reproduce the fault.

    If I have fixed that problem, then not only have I found a compatibility issue between Win7/AVG/Kerio Offline Connector, but I've also made my colleague, inadvertantly, look like a complete chump.

    I'm not sure if this makes me the epitome of awsomeness, or just a bastard. You decide.

  14. JimC

    What irritated me today...

    Got an email to say that the penetration test people where very unhappy with my little general purpose external ftp/web server and I was supposed to take it off the network immediately and patch it... The little thing runs an ftp server and a very minimal apache install for various odd jobs. Dutifully unplugged it, which of course meant I can't download anything to it or ssl to it, found a screen and keyboard and fired up yast, and finally got given a copy of the pen test report with the desperately urgent vulnerabilities listed.

    "Unconfirmed" This version of Apache includes a vulnerable version of the mod _rewrite module. And nothing else at all.

    Unconfirmed? Of course its bloody unconfirmed you idiots. It doesn't run mod_rewrite or virtually any other Apache module beyond the very bare necessities. Every time I deal with these damn Penetration test "Experts" I come away with an unhealthy feeling I've just been talking to a bunch of idiot script kiddies.

    At least this time they didn't tell me my external DNS server must be insecure because its running Bind 4.83... (well not yet anyway come to think of it)

    The conversation usually went

    "4.83 is insecure"

    "yes, so"

    "well you need to upgrade it"

    "what makes you think its running 4.83"

    "that's what our script reports"

    [smiles: pats security "expert" on the head]

    "you didn't by any chance believe it did you?"

    1. Anonymous Coward
      Grenade

      Penetration testing (for) dummies

      Pentesting is at times a great job which is technically challenging and rewarding. There can be great team spirit between people with overlapping interests and enthusiasms who love challenges, and it can also be pretty well paid.

      It's also highly commercial, and is often delivered to uninspiring customers who only ask for it because someone tells them they should, have little interest in scoping it properly or setting up pre-requisites, and rarely care much about the output.

      Such customers are also awfully picky about actually having anything penetrated - it's not remotely uncommon to be asked to penetration test something, but not actually compromise any hosts. If a vulnerability scan thou shalt ask for, a vulnerability scan thou shalt get - whee! False positives!

      There's also the obvious but boring point that most customers RFP (or pick proposals) with price in mind. Good Pentesters can demand decent wages, and therefore the companies employing them tend to charge higher manday rates. If you ask for, or negotiate, lower ones, you're probably not going to get the best testers going either in the industry or within the company you've hired. Just saying.

      It's also not conducted by magicians - sometimes environments or systems are running more recent operating systems or bespoke builds and appliances that are pretty well locked down and where the only issues are low impact (or difficult to confirm).

      Often, the failure of a customer to implement pre-requisites and scope the test properly, or provide any technical contact who can actually respond to queries - and the unwillingness and bad attitude of many of the technical contacts given, who seem to treat penetration testing as a personal affront designed to knock them off their pedestal and trash their stuff - makes gathering any more information on these issues hard.

      In those instances, it's generally considered prudent to say something about what was found, even if it isn't world's-coolest-ever-0day. As fellow professionals who like minimising risk and doing a good job, and are capable of performing their own investigation when nudged in the right direction, we're sure you agree!

      (On a technical note, generally banner grabbing is generally fairly accurate. If someone thought you were running an old apache branch (from the description of the vulnerability you've given, I'm pretty sure that I know which version), then they're probably either right, or you recompiled it. Backpatches in common distros tend to be easily spotted, and not reported, which means you either had some really lame testers, or they had a point)

    2. Anonymous Coward
      Anonymous Coward

      @JimC

      It seems your pen testers are a bit, well, "special" would be a good way of putting it.

      However it also seems, with all respect, that you have a failure of understanding with regards to the intricacies and point of pen testing. That and an attitude problem. Just sayin'

      When I pen test stuff I report the issues highlighted by the various testing methodologies (which themselves depend on the nature and scope of the particular test). It is then expected that the customer (or their agent) will address each highlighted issue, in one of a number of ways: fix it, remove it, mitigate it, accept it, investigate it further or explain why it isn't a problem.

      Were I running a test on your system and found the same issue I would highlight it. I would then expect you to advise that you weren't using the vulnerable modules. I would then put a reference to this in the follow up report, accepting the security but advising of teh potential issues.

      Issues are generally listed as unconfirmed because customers object to us fucking their production network whilst looking for vulnerabilities. That would be like testing the airbags on my car by driving into a tree. So instead we identify possible vulnerabilities and advise they are fixed. It is not rocket science.

      And should a tool report Bind 4.83 and you are not using that version then the proper response would be "that is not the version we are running, we are using version X.Y instead" which would be noted (possibly verified) and detailed in the appropriate reports. Responding to a security audit with the IT equivalent of "I can piss higher up the wall than you" just makes you look like you are not that competent. If you did that to me I would detail the incident and highlight your lack of co-operation and probable lack of adequate technical understanding as a security issue in itself.

  15. Anonymous Coward
    Anonymous Coward

    Simple ...

    There is nothing worse, nothing more time consuming, than a five-minute job. Avoid them like the plague, and if you have to do them, allow all day. Or, of course, all night. Actually, it was sailing that taught me this.

    Tangentially, I used to have the following conversation, regularly, with one boss...

    Him, "Can you do this task?"

    Me, "I think so, but I've never done it before. I'm certainly willing to try."

    Him, "How long will it take?"

    Me, "I don't know: I've never done it before."

    Him (thinking it is necessary "management" to waste time pursuing such matters), "Give me an estimate."

    Me: "I told you: I don't know."

    Him: "I need an estimate..."

    Me, "two weeks."

    Him, "that's ridiculous!"

    Me, "yes, but if I say three hours, and it takes two weeks..."

    Him, "What could possibly cause it to take two weeks?"

    Me: "I don't know: I HAVE NEVER DONE IT BEFORE. Look, would you like me to get started, or shall we carry on like this?

    All true, only sometimes it got more abusive...

    1. Anonymous Coward
      Anonymous Coward

      hear hear!!

      "5 minute", "simple", "quick" etc etc

      these are words that scare me as it usually means that the task is no different from any other, but some numpty who fixed their own XP machine at home with a reboot (once last year when it crashed) thinks it should be a cheap task.

      Avoid or usually in my case enquire the basis for the adjective!!! - - then avoid!!

      1. Anonymous Coward
        Joke

        Can I just ...

        Have a quick question about that?

        ;-)

      2. Jacqui

        "5 minute", "simple", "quick" etc etc

        They all mean free or worthless. Anyone who does such jobs is tainted with the same description.

        When they turn out to be not as simple as expected "incompetent" usually ends up being added to the keyword list ...

        I do simple/quick for the boss (internally) but these are jobs and systems I know inside out.

        Long long experience acting as technical resources to various clients has lead to a spidey sense for certain phrases coming from thier customers :-)

        Jacqui

        1. Xaviar Onassis

          The worst word of all...

          "Just".

          Nobody's allowed to use the J-word when asking us to do stuff, on pain of stuff not getting done.

          If it's trivial enough to be described that way, it's clearly not worth doing and since we're already busy with all the other stuff people have asked us to do, you'll just have to do without...

          Xav

        2. Anonymous Coward
          Coffee/keyboard

          Re: "5 minute", "simple", "quick" etc etc

          Or the one I get all the time: "Next time you're passing, could you take a look at my CRT monitor/Windows 98 machine/genital warts/till in the canteen/etc...."

          "Next time you're passing" = "You don't think I'm going to pay you for doing this, do you?"

  16. Anonymous Coward
    Anonymous Coward

    Happens all the time

    I just inherited a Windows domain where the earlier out-sourced admin was fired for incompetence.

    The domain users fail to logon unless they belong to Domain Guests group;

    every device, computer and also the non-secure guest wlan is in the same network;

    no documentation whatsoever, even the admin password had to be hacked - fortunately(?) the same password was used in all the network gear as well, including the linux gateway - ye olde Pentium Pro desktop - whilst the rest of the stuff was reasonably new.

    Sorting all this out will take a while...

    This isn't exactly on isolated case. Most small to midsize companies have no idea about IT security or the possibilities their already owned stuff could already provide if they just were enabled. Year or two ago many were astonished to have their company email on their mobile phone. This happens because no-one is paid to administer or everything is done by the company owner's nephew and so on.

  17. Anonymous Coward
    Anonymous Coward

    My Worst...

    I was working on some temp contract work for a company as a friend is the IT director. He asked me in as the IT team had mostly left because they were either clueless, or got upset at doing anything other than playing games over the LAN all day when he took over. They were about halfway through a system refresh that had gone BADLY wrong due to lack of organisation, and had resulted in his predecessor being fired for missing the budget and timescale by over a year! They dealt with remote offices for the most part (3-6 machines in each location, all linking up through a nicely VPN'd Watchguard setup).

    One of the jobs he handed me was a hardware refresh on part of the company that was still running NT4 machines (in 2005!). This part of the company was a recent purchase, so hadn't had any "interference" as yet beyond their servers being moved, to the main location, and the VPN's being put in. I rolled up to the first job of the day with a new set of desktop machines, ready imaged (I figure a day spent imaging, and a couple of hours at each job is a Good Idea), and just needed unpacking again, their node names changing, adding to the domain and making sure the ICA client worked ok. This is the point where this part of the company showed why they hadn't been upgraded yet.

    "Dead easy this job" is running though my head as I pull up outside. Check the job sheet, 3 machines to slap on the desks, turn on, add-in to the domain and bugger off (no training needed as they had already had that done). No such luck. I ripped the machines off the desks, plugged the new ones in and booted them up. First one I switched on I come back to, go to add it to the domain and find that the domain password isn't working. Odd, it was supposed to be the same as the main domain (Servers had already been upgraded to 2k3 at the other end by this unit's IT support). So I call my mate, and he passes me through to the Service Desk admin, he says all the logins should be as it says on the worksheets they gave me. I gave him the password, he double checked it, but then pointed out that the support is by a 3rd party company for the most part in that business unit, and I would have to check they haven't changed things (terminating a contract would have been more expensive than letting it expire).

    He rings me back about 30 minutes later, and the tone of voice on it's own isn't good news. I'm told that the 3rd party company had revoked all the domain admin accounts, and would only allow their approved engineers access to the root accounts. He's not noticed this has happened because they didn't have a need to access anything on the servers or desktops because they were waiting for the upgrade before bringing the systems in-house properly, and that needed to wait until the service contract had expired. Now I like the guy, he's one of the 'old' team, and he's been promoted as he was one of the minority with clue. He's also been warned I have a bad temper when I either don't get paid, or I'm stopped from working. He's also rung the 3rd party, and he's had no joy, and prefers not to "bother" the IT director on a Weekend. I have no such qualms and he knows that, he also knows I was utterly obliterated with the Director the night before, so he'd prefer me to ring him. I do, lets just say he wasn't best pleased at what's happened. "I'll sort this shower of Sh*t out" was one of the nicer things.

    At this point I'm actually annoyed. I can ONLY do this job on a Sunday as they worked 6 days, and I can ONLY get in to the offices because the unit managers have kindly agreed to turn up and let me in. The poor woman was looking like she wanted to be elsewhere so I explained the problem to her. She responded with a comment along the lines of "Yeah, we've had this type of thing last time". Turned out that the 3rd party company had given them trouble before, even things like password resets had an SLA of 7 days. She'd been with the company for years, and they had never enjoyed ringing the IT desk because they got utterly fobbed off every single time. While she's telling me this my brain is getting The Rage, I'm wondering what type of company would work like this, and my mobile fires off. JOY! It's someone from the 3rd party company, turns out it's the Helpdesk manager. No they won't give me the passwords, no they won't add the machines to the domain unless it's an image they have created, no they won't send an engineer out on a Sunday (ever), and they won't do it without charging for each machine to be added to the domain. I'm protesting, and he put the phone down on me. I lost it, totally.

    Back on to the mate, and he's pissed now as well. He's trying to enjoy his Sunday lunch at this point (by this time I should have been on the 2nd or 3rd place). "Stay there", is all I get when I explain to the problems, and he hangs up on me. Bit later phone goes again. "Head Office, now" is all I get from him, and the phone goes down again. I head up the office which is a good hour away, and see my friend's car I the carpark, NOT a good sign as he _Doesn't_Work_Weekends_, beep myself in and go looking for him. Not in the office, hmm, head down to the IT desk, and the 2 guys there are looking sheepish. Before I speak they point me at the server room door. I go in and the IT Director, and Helpdesk manager are already pulling cables, neither look happy. I'm sat down at a desk with the server images, and told to extract the essential data, and reinstall. Ended up doing the desktops for the entire week after that.

    Turned out the refusal to allow access to their own systems was reason to terminate the contract, after the 3rd party guy had spoken to me he'd ranted at his own customer he'd told them it wasn't allowed, but my friend had noticed while madly reading the contract there was a term about always allowing access. The guy refused, and when told he'd need to supply all passwords or they had terminated the contract he'd responded with another term in the contact that said "within 28 days, and you can F**k Off if you think it'll be any sooner". Now my friend is pretty clued up(did the proper PFY route out of school), and figured he could slam the migration through fast in a couple of days if he had the manpower, and as they had already got all the hardware it wouldn't be a major issue to slap a bit of overtime out to folks so it could be done.

    I did have the misfortune a couple of years later of doing some contracting for the 3rd party I had to deal with that day. Lets just say "disorganised", being sent out to the same job 2 or 3 times because they hadn't packed up the van with the right kit, or hadn't given me the right info, or insisted on sending an engineer out as well as me doing a desktop refresh. I was thankfully paid by the hour, and they were supplying the transport, but a little demon at the back of my mind was screaming at me to warn these poor suckers what type of service they could expect!

    Anon as I'm not mentioning names (I've promised not to), and my friend just filled in a couple of bits I missed out!

  18. AndrewG

    Sounds like our office where the security guys keep making the domain unadministratable

    I've even been told off by the security guys becasue my poor servers refused to accept connections from their security probe servers - aparrently they didn't like my argument that if my corner of the company wasn't accepting connections from their systems because they didn't tell me they were probing, surley I'd passed their test.

    Then again, another time when they were able to monitor, they logged 6 months of remote connections to administer workstations all as one afternoons work. Next thing I know my boss is asking me why I'm appearing on the suspicious user report.

  19. JeffyPooh
    FAIL

    Symantec are idiots, and so are their customers

    Google: Symantec Sucks

    ...and you'll find the blog where their incompetence is fully documented in cut-and-paste glory. There's nothing left to prove. They're flaming idiots.

    Unless they can show me the receipt for the new brains they've subsequently had installed into their diminutive cranial cavities, I'll go with the assumption that they're still idiots.

  20. Anonymous Coward
    Flame

    Imagine all that "Sekuritee" combined with 1GB of RAM

    A major multi-national corporation has an IT infrastructure where each PC is loaded down with the ALL-OF-THE-ABOVE concept of security software. Everything including SEP mixed in with a half-dozen other such rubbish.

    Their standard PC has a mere 1GB of RAM, and the C:/ drive has been partitioned into a 4GB shadow of whatever it actually is.

    If you even try to open a large MS-Word file, your PC will crash. It will crash. And then they employ staff that will send out documents where the background of the coversheet is a 40MB uncompressed bitmap blue swirl.

    It's Dilbert Day every day.

  21. Anonymous Coward
    Anonymous Coward

    And another thing...

    Broadband at home has turned everyone into a network engineer. Everyone knows about 192.168.1.something; everyone thinks that their pet DNS makes their spreadsheets calculate faster.

    Frankly, I never was a network specialist. I knew enough to keep forty users and a hundred devices, plus a couple of VPNs from branch offices running.

    I knew enough to call for *help* if I needed to go deeper than this!

  22. Joe Montana
    FAIL

    Typical

    I have encountered far too many situations where various "security measures" were put in place, when all they serve to do is make life difficult for legitimate employees...

    Most of these measures have easy ways to work around them, and thats exactly what anyone malicious would do. The only achievement is to annoy and slow down legitimate users...

    Sometimes even legitimate users become so frustrated they break the rules (and often the workaround is far less secure than what they were trying to stop, for instance blocking removable media often results in people simply sending files via email)..

  23. Anonymous Coward
    Anonymous Coward

    Good and bad

    Good, late 90's get a short term gig for a large banks insurance arm, build and deploy around 40 laptops with NT4.0 and do some training with their sales peeps.

    Contract on offer was a 6 week gig, clearing a shade over a grand a week (23 years old and grinning like buggery when I saw that figure)

    Pitch up onsite, shifty little Swedish contractor bloke gives me the scare story from hell about this deployment and then tells me how he's been downloading drivers, install NT from scratch etc.

    One master image later I crack on and finish the build inside a week, hand the kit and training to the sales boys the next week.

    IT manager appears and says thanks for that, Swedish guy was really snowed with the job, but we can't see anything wrong with your corner cutting and we'll keep you in mind next time we need someone, - err no, the machines are deployed to the spec, Swedish guy doesn't have a clue and my contract is for 6 weeks, pay me up or I'm sitting in the corner drinking tea.

    Got my money, a few years later ran into said Swede at a consulting place, I think he made it to the end of that month before he was found out.

  24. Cpt Blue Bear

    Dealing with muppets

    Seen pretty much all of the above over the years: My personal most hated words are "while you are here..." These days I've become quite hard nosed about it. You pay for my time. Make the job more difficult and you pay more hours. That's it.

    Had one not long ago for a company that shall remain nameless because they're management are a pack of fools. Job must be done after hours for the usual reasons. I drive across town on the appointed afternoon to find that everyone at that office has knocked off on time 'cause no one told them I was coming. Ring my contact, log time. Next appointed day I find the warehouse manager waiting for me, but he doesn't have a key to the main office. I call my contact and log time. The third time turns out to be impossible because the central IT guys have some update process running for the hideous bespoke system the business runs on (it seems to be the major component of the franchise cost, near as I can tell) and it cannot be interrupted on pain of the whole thing going tit up. I ring my contact and log time. I also realise that they have remote access so I grant it to myself and go home via the pub.

    Practical upshot: they have 4 hours on the meter before I even get started, all because. their collective left hand does not talk to the their collective right. My business partner was all for billing them the alotted hours each time the job was aborted which would have been over a grand without any actual work done. I vetoed that on the basis that there would a quite a lot of future work there if what I saw was anything to go by.

  25. Trygve Henriksen
    FAIL

    You actually work in the industry?

    Just have to ask...

    You spent most of your time disabling or bypassing the security systems.

    (If you haven't been supplied with the tools you need, or the privileges needed to run them, tell the people that hired you. Mucking about like that is more likely to get you thrown out or handed over to the cops with a hacking charge)

    The fact that the Administrator password was continually being disabled probably means a service somewhere is set to run as Administrator, and with an old password.

    Try're locking down EVERYTHING on the PCs, but let an consultant install SW for them?

    Renaming a PC or removing/installing office can all be done using Remote Desktop.

    (Unless they'd blocked that, too?)

    In other words, were they some sort of muppets?

    1. hplasm
      Happy

      Are You a shifty Swedish Contractor?

      Just have to ask...

  26. omg

    Sometimes incompetence can work in your favour though...

    I had an unexpected email from a client a few years back saying they were very impressed by the pen test results on a new web site we were building for them. They included the report, from a security firm I'd not heard of. I was immediately suspicious of the 100% pass with not even a single minor issue, so I checked the site and sure enough, it was 100% secure, as we hadn't deployed the server yet. All their pen test had confirmed was that our firewall wasn't passing any traffic on that IP.

  27. Anonymous Coward
    Anonymous Coward

    If it wasn't for you pesky kids...

    Makes me think of a temp job I had one summer during my time at uni - data-entry for a major UK retailer. Basically they'd gone through a major backend database upgrade, but for some reason couldn't get their old system to talk to their new system. Hence they were employing a small army of temps to manually key the data from the old database into the new database. This boiled down to sitting at a terminal copying the contents of one window into another by hand for eight hours at a stretch.

    We were working on NT Workstation boxes, joined to a domain and supposedly locked down, i.e. no access to Explorer, no 'run' command, no control panel access, IE tweaked to disallow downloads to the local drive etc. Unfortunately they'd allowed access to notepad, the help system and hadn't explicitly disabled cmd.exe, just relied on the lack of run and explorer to stop you getting to it.

    So with a bit of poking around I rigged up a kixstart script that did my entire quota for the day in about 5 minutes. I showed my line-manager, who looked slightly shocked and skeptical and told me to carry on doing it by hand. Next day I had a visit from one of their IT guys, who looked slightly shocked and skeptical and then went away. I didn't hear from him again. I left very shortly after - data entry is tedious enough at the best of times, but when you also have a working automation script sitting there that you're not allowed to use? Forget it....

This topic is closed for new posts.

Other stories you might like