Oh my dear god, I wanted to avoid this, but now I can't hold back the flood... Anecdotes follow.
I was once instructed to fill all the USB ports of all the computers with hot glue, except one port for keyboard and one port for mouse on each computer, and to install padlocks on all the computer chassis. At that particular company, outbound access to the internet was completely unregulated - you could very easily upload everything to China or Russia or wherever, using any protocol you like. There was also no countermeasure to USB hubs or simply living without the mouse or keyboard for a little while to make room for your USB storage device. I do not recall anymore why exactly we didn't care about the optical drives - maybe they were all read-only? I forget. Anyway, I refused to do the hot glue thing (tried to engage discussion about what problem we're actually solving, and trying to solve it in some way that would be effective), and got fired a couple of weeks later.

Later, I worked for a small company that got acquired by a big company. Small company is located inside an incubator, where the cleaning crew is provided by the incubator. Security folks of big company required us to install locking ethernet jack hole plugs and replace all our regular ethernet cables with locking ethernet cables to plug up each and every ethernet outlet, so the cleaning crew could not plug in a laptop. (Unless they have a butter knife strong enough to bend the plastic, or a smartphone capable of photographing the whiteboards, or a pair of wire snippers and knowledge of ethernet pinout). Data closet was located in the incubator-provided datacenter on the 14th floor, behind cages which we were able to secure even against the incubator host company, who allowed us to change the locks and keep our own keys. Secure, that is, unless they have an ethernet cable at least 10 inches long and a stick and some duct tape, sufficient to reach right through the holes of the cage to plug an ethernet cable into the obviously visible and reachable switches. Oh yeah.

I mentioned we plugged up all the ethernet jacks of the 3rd floor, which go to a network closet on the 3rd floor, where we had to do the same cage-lock-changing shenanigans as the 14th floor. But the 3rd and 14th floors were connected to each other via fiber optic cable that ran through the incubator's duct work and conduit. Big company security folks *almost* required us to armor the fiber optic cable as a countermeasure to cutting & splicing, until I came up with the brilliant idea of enabling a VPN from our switches on the 3rd, to the switches on the 14th. So we built an on-premises LAN site-to-site VPN as an alternative to armored cables.

Same company, we were forced to disable all ssh servers in favor of telnet and ftp, so the traffic could be monitored. "Improved security." Because hey, otherwise they can't monitor the traffic to see what you're transferring from where to where. "Improved security."

We had some Ubuntu servers, and we preferred to keep a local apt repository that we downloaded via rsync protocol. This is an outbound rsync connection, used to download files from the internet. New firewall blocked the rsync port, and they denied our request to open outbound rsync protocol. Reason: rsync could be used to upload confidential information out of the company. Conclusion: Use http to download instead. (As if http couldn't be used to upload information out of the company.)

I probably have more, but I choose to quit now. I am currently laughing painfully. ;-) I wish these stories were untrue. I got fired from one company and quit the other because of these.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
