Unchain the Office Computers...your thoughts....
-
[url]Unchain the Office Computers[/url]
Hello, first post. I'm not an IT guy, but I do enjoy this site a lot. I would like to get a reaction from this story from slate.com, regarding control by IT managers in the workplace. Some of the examples in the story may be WTF material.
-
You must be new here, you clearly expect rational link behaviour.
That link is to this page.
-
-
Sounds like a lot of uninformed whining. IT departments can certainly be bureaucratic nightmares (and I imagine gov't agencies are particularly bad) but "letting users install any software they want" is a recipe for disaster. Viruses already cost untold millions (possibly billions) in damage, not just to the companies that are infected, either, but also to targets of spam from botnets, etc. The job of IT is to keep the systems working so people can do their jobs and locking down access makes this easier.
-
There are a lot of reasons why things turned out this way with respect to IT and management, and most of it has to do with the core idea that a 'personal computer' is 'personal'. The best analogy I can think of is this; consider that you might upset your IT people if you put dinosaur stickers on your work computer like I know everybody does on their home computer (really who can resist?). Applications treat the windows\system directory (and back in the day, the extensions folder in macos) like that. Most computer users aren't savvy enough to know which apps are the worst in this regard and as a whole, people generally pick the worst anyway.
Add to that the increasing use of outsourced IT firms employing scripted call center people, and unfortunately, the person you talk to for IT help is likely less experienced than the average word user.
Add to that the risk averse way some IT managers tend to work; they have a CS masters degree in principle, but they generally read more case studies about 'enhanced enterprise synergy through knowledge sharing initiatives' than cnet's magazines. For somebody like that, having everything just automatically come from a big strong vendor is a kind of safety net that's likely hard to let go of.
I think there's one way we can fix it; make the computer itself 'impersonal' but give each user a 'personal' slice. The half-assed attempts at doing this by lugging around home directories and registry slices that windows does are totally insufficient and rely on consistent, alike configuration of computers (it's got what IT managers crave!) to provide a consistent experience.
Nothing says an operating system couldn't work this way, and nothing prevents *your* computer from working that way except the inertia and legacy of programs expecting to be 'installed'. At some point, we'll have to decouple application installation from the 'impersonal computer' and make the application 'personal', not the computer.
-
@arty said:
<snip>
Your argument only covers the virus end of why IT does this. There are other reasons.
1. If you loose your google docs (or other program) document IT has no way to retrieve it from backup
2. If you are using MyFreeEditMonster and you don't know how to make bullets, you call up IT who can't possibly support 800 different text editors
3. Internal IT programs are often written to support only 1 browser. When people start calling about Firefux not working it wastes time. Some of the people using Firefox don't even know it is different than IE.
Not that your solution would actually solve the virus problem. If you installed a virus it doesn't matter where the virus went or how it installed or didn't install, IT has to spend resources to clean it.
-
@tster said:
<snip>
To add to that:- If you computer crashes (like hardware-failure to BSoD on boot) IT will usually respond by giving you a freshly imaged computer. If you can install your own software then when you get your new computer _you_ have to waste time installing all the stuff you had before since it is impossible for IT to know what you had.
- Say you start running a service on your local-box, eventually your entire department starts using it, now you either 1) report that your computer is really slow now 2)Shutdown your computer because you're going on a 3 week vacay, now your entire department can't access the server and floods the HD will suport calls.
- Say someone installs "productivity" software like bittorrent (and a tracker) and they start using this for file sharing (instead of SMB, FTPS or NFS) now the network is crippled because there's bittorrent flooding it with packets. Any software that generates a large amount of packets for normal operation works here (oricingal quake with the chain-gun fits the bill)
-
@Lingerance said:
Any software that generates a large amount of packets for normal operation works here (oricingal quake with the chain-gun fits the bill)
aha, that's why our network at work is so slow
-
@tster said:
@arty said:
<snip>
Your argument only covers the virus end of why IT does this. There are other reasons.
1. If you loose your google docs (or other program) document IT has no way to retrieve it from backup
2. If you are using MyFreeEditMonster and you don't know how to make bullets, you call up IT who can't possibly support 800 different text editors
3. Internal IT programs are often written to support only 1 browser. When people start calling about Firefux not working it wastes time. Some of the people using Firefox don't even know it is different than IE.
Not that your solution would actually solve the virus problem. If you installed a virus it doesn't matter where the virus went or how it installed or didn't install, IT has to spend resources to clean it.
I'm completely ignoring viruses for the time being, just focusing on the 'why not?' part. I agree that moving settings and resources into the user profile doesn't fix that. Speaking of viruses, there's a lot of hanging rope and most of it isn't in the user's part of the noose. I don't expect most users to be able to avoid jpeg or wmf exploits that only need the outlook preview pane to trigger and spread.
I've been in a few of organizations that treat powerusers and programmers like children and that's mostly what I (personally) would like to not have happen in the future. I'm thinking of firefox users in this category too. As for the "comet cursor" and "spyware santa screensaver"s of the world, I'm mainly looking at ways to make damage control easy. If the user profile peels off correctly, then a power cycle will disable anything that doesn't do a local admin privelege attack and install itself in OS space. That the user, upon downloading malware, will have to have their profile clobbered after important files are copied out is also intended and intentional. Once bitten twice shy as they say. It beats having the whole computer unbootable, and not being able to recover anything at all.
I agree with your other points about support, and trust me, I know people who call me and start their call with 'how do i get back to dos?'. Those are people who need the kinds of protection and coddling that a locked down environment provides. Most users are this kind and I don't blame IT people for wanting to keep them from experimenting. Ultimately, what I typically want is some kind of give and take relationship where IT can responsibly give me some ownership. I think that the ideal of making a majority of applications live entirely in importable and separable user-owned space achieves this to a degree.
Perhaps, regarding IT departments that only target IE6, one might augment urlmon and shell32 to make the launched application sensitive to what it's peeking at. It'd be relatively easy to have a corporate configuration of firefox that only takes outward facing (not intranet) URLs with the right changes under the hood wiring it in.
I do think that the desktop computer as a platform is seriously hurting from lack of attention to this topic. It's a dinosaur that's less reliable than a 1980 MGB, more expensive per month to operate than an oil drill, gets dirtier quicker (metaphorically) than the ass end of a steam locomotive and like an old airplane skinned in silk gets bits of everything it passes lodged in it.
It's not impossible to make most of these problems disappear in a corporate lan environment just by changing how we think about what it means for applications to be installed. Solving these problems also allows the user a degree of ownership, making part of the computer (your profile) actually personal again, in that it's totally mutable while the desktop computer itself remains unchanging.
It pains me when I hear somebody say that their computer was 'screwed up' so they bought a new one. I wonder how much computer hardware we send to landfills every year due to broken (probably irrecoverable) software misconfiguration? If it's even 10% of thrown away computers, it'd be worth fixing the software to save them.
-
@arty said:
I've been in a few of organizations that treat powerusers and programmers like children and that's mostly what I (personally) would like to not have happen in the future. I'm thinking of firefox users in this category too.
I agree with you about the programmers. However, assuming someone is a power user because they use firefox is a huge mistake. My dad uses firefox and he doesn't even know what the "start" button is.
-
@tster said:
I agree with you about the programmers. However, assuming someone is a power user because they use firefox is a huge mistake. My dad uses firefox and he doesn't even know what the "start" button is.
Point taken.
-
@tster said:
My dad uses firefox and he doesn't even know what the "start" button is.
He's a hardcore Linux aficionado?
-
@arty said:
I've been in a few of organizations that treat powerusers and programmers like children and that's mostly what I (personally) would like to not have happen in the future. I'm thinking of firefox users in this category too.
I know I'm a bit late to this discussion. But you cannot claim to be a power user and not being able to use Firefox on a locked-down image.
-
@bjolling said:
I know I'm a bit late to this discussion. But you cannot claim to be a power user and not being able to use Firefox on a locked-down image.
You can white-list/black-list programs with a GPO, which pretty much counters that idea, provided you actually go the whitelist route. At school they had blacklisted FireFox.exe and PortableFireFox.exe for whatever reason, renaming the exe to PortableIceWeasel.exe works fine though.
-
@Lingerance said:
@bjolling said:
The blocked firefox.exe with the virus scanner at my work. Funny thing was... we list firefox as supported browser for our application. And thus, engineers that we are, we found work arounds. Disabling the virus scanner is easy. Those things run as service, and with administrator rights you can stop the service (even while the virus scanner UI won't allow you). But a much more brilliant solution we found was access rights. The virus scanner runs as system user, and you can deny read rights to a directory to anyone except yourself. So you can deny the system user from reading it. (On McAfee atleast)I know I'm a bit late to this discussion. But you cannot claim to be a power user and not being able to use Firefox on a locked-down image.
You can white-list/black-list programs with a GPO, which pretty much counters that idea, provided you actually go the whitelist route. At school they had blacklisted FireFox.exe and PortableFireFox.exe for whatever reason, renaming the exe to PortableIceWeasel.exe works fine though.
-
I'm fine with IT making an effort to keep people from installing all kinds of exotic viruses. I understand that 5 seconds after the IT department lets users install whatever they want, half the computers in the organization will have Weather Buddy Extreme and Adorable Puppy Screensaver (Now with EXTRA VIRUSES!) installed. I get that.
So I disagree with that part of the article. What I agree with, though, is the part about just leaving the workers the fuck alone and not treating them like 5 year-olds.
I hate working in places where manager types walk around and give a "tsk, tsk" to anyone they catch checking their Facebook page. Those managers aren't ensuring productivity, they're ensuring their workers aren't having fun. But that's not how we as workers should be judged, is it? I mean, if someone can spend half their day reading Facebook and still get an acceptable amount of their work done, who cares? Yes, yes, I understand that those damn Facebook addicts are wasting company time, essentially getting paid to surf the web, but why does that matter, provided work is getting done? You do hire people to get work done, right, and not to fill a seat and have nega-fun? Then manage like it!
Give your workers tasks to complete, tell them when those tasks need to be completed, and leave it at that. If they get their tasks done in the alloted amount of time, great. If not, then you need to have a chat to figure out why. If it's because they're wasting time all day instead of doing their work, then disciplinary action might be necessary. I realize that's more difficult than just strolling about the office periodically to make sure no one is having anything resembling fun, but that's why you're paid the big bucks, Mr. Manager.
This is all hard to do though, because somewhere along the way, we decided every job everywhere ever had to be paid based on hours worked rather than results. I get paid a set amount each year, but I'm still considered an hourly employee, and I still have to fill out a timesheet. So that hour you spent surfing the web instead of completing your TPS report? You charged the company for that...you made them pay you for something of no value to them. I can understand how a manager might get a little pissed off by something like that, even moreso if the employee doing the time wasting is a highly paid contract employee.
But I still maintain that it shouldn't matter. When you hire an employee, you are hiring that person to get shit done for you. Yes, you stated the details of your contract with that employee in terms of hours, but you never really, actually cared about hours; you hired the person to do X, that person said it would take N hours at Y rate per hour to do X, you tallied up how much money that would add up to, and then you decided if getting X done was worth N*Y dollars. If you determine that, yes, it is worth N*Y dollars to get X done, then fuck off and stop hassling the employee about their Facebook time.
