The Hub of All Blame: A Postmortem

[Morat20]

HR's motto should be "tort reform".  It probably is, actually.

Schlid's more right than he knows. "It's not our fault, it's the morons you work with" is pretty accurate.

It's not like "Get another job if you can't handle your boss hitting on you all day, and telling you you'll get that raise if you fuck him" or "Get another job if you can't handle the fact that your coworker is a fucking member of the KKK and leaves nooses on your desk" is always a viable option. Between health care, regional needs for skills, that sort of thing.

I think those of us who work in the tech industry take a lot for granted -- it's easy for us to find new, equivilant jobs rapidly. IT needs arose after businesses and government started instituting bans on sexual, racial, etc, harassment. So it's real easy for me to blow off HR's damn sensitivity training because no one I work with is going to be chasing tail across the office.

But the way I think about is like this -- each and every fucking year I'm required to take an IT security course, that covers such basics as "creating decent passwords", "virus scans", "not fucking emailing documents labeled 'confidential' without encryption", "don't open strange attachments", "don't fucking forward that fucking stupid email to all 100,000 people on the global list", "RUN YOUR FUCKING VIRUS SCAN AT LEAST WEEKLY", etc.

It's a stupid waste of time for me. Each and every year.

To about 90% of the people I work with, however, it's shit you have to hammer into their brains at least once a year. If you don't, then the email system craters when 10,000 people email the entire company the same damn thing at the same time. Or some idiot opens and attachment and a particularly nasty virus is leaping across our sytem (or god forbid, it's an Outlook one and it's killing our email systems too). Or some fucker sends confidential information to our competitors, his kids, the local PTA, and the janitorial staff and it's not even encrypted.

Same goes for all that boring shit that HR puts you through. Just because it's stupid and pointless to you doesn't mean there's not a surprisingly large number of employees who don't need the reminder. And if worse comes to worse -- by pointing out they HAD the training, your company is absolved of a lot of responsibility.

[Yegolev]

I agree with your observations.  Last count I saw, we have 70k employees.  Half of those are certainly below-average intelligence, even without adjusting for the Marketing department.

Somewhat related, a coworker pushed another coworker backwards over a chair.  HR was OK with keeping him but Legal said he had to go.  Draw your own conclusions.

As for your IT infrastructure, I'm glad I don't work wherever you do.  Choosing between having my laptop handle all the virus scaning itself, a draconian internet proxy, and the dozens of other automated processes, or attending a yearly security class, that's not hard.

[schild]

Edit: I need to come up with something snappier.

[Morat20]

As for your IT infrastructure, I'm glad I don't work wherever you do.  Choosing between having my laptop handle all the virus scaning itself, a draconian internet proxy, and the dozens of other automated processes, or attending a yearly security class, that's not hard.

Let's put it this way -- my specific department loads our own machines (I did mine), runs our own internal network, and does everything ourselves. We are in a distinct minority, and get away with it only through daring, panache, and quick wits -- oh, plus we need to since we're developers and not users.

Our users get a pre-defined load with minimal permissions, with updates pushed to them. That does handle the virus scan problems (for the most part, though the idiots keep opening attachments, bringing shit from home -- we'd disable the drives if they didn't need them) for the most part, and certainly the patch process. And our network (our developmental one and the bigger one we're part of) are guarded by some serious firewalls. Our primary security vulnerabilities come from laptops (people take them home), jump drives (ditto), email, and just straightfoward stupidity.

The problem is laptops. One of our contractors uses preloaded laptops -- their security settings are locked down so fucking tight that we can't even get them to connect to shit when they bring the laptops in (none of us have admin rights, and the users have squat in terms of access). 90%+ of our IT headaches come from this group and their insano security settings.

The other 10% -- people from all over the country with laptop settings that range from "my home laptop that I've never scanned for viruses ever, but surf porn on at night, can I hook it up to your secure, stand-alone, and HIGHLY CRITICAL network please?" to "Oh, this, it's running Windows 95 SP1, but I'm sure it's fine".

And it's not even my real job -- we just do IT support during critical events, mostly to make sure people don't hook up their virus-laden laptops to our network and explain to users, once again, how to connect to the printers. I shudder to think what it would be like without the annual security briefings.

Frankly, it's the same for the ethics training, sexual harassment training, workplace violence training, standards and practices training, hazardous materials training ("Don't drink the toner!"), safety training (you'd be surprised at how many idiots hurt themselves in an office enviroment -- although half of this site is far closer to industrial.), disaster training...it takes a grand total of about a day a year out of my working to handle all that. It's really not too bad, and way too many people really need it.

[bhodi]

I'm not saying stupidity should be a capital crime, but why don't we just take all the warning labels off everything and let the problem solve itself?

[Yegolev]

Survivors would sue.

I believe my corp is looking at supplying outsiders with prestaged laptops for use on the intranet.  Getting viruses onto our LAN is easiest done with flash drives, and even then it probably won't get far before the scans deal with it.  We haven't had a real virus problem in a couple years, but whereas you have it as a side job, we have an entire department for this.  They are pretty serious, too: they would take away my root password if they could but firecall would cripple this company.

[Morat20]

Survivors would sue.

I believe my corp is looking at supplying outsiders with prestaged laptops for use on the intranet.  Getting viruses onto our LAN is easiest done with flash drives, and even then it probably won't get far before the scans deal with it.  We haven't had a real virus problem in a couple years, but whereas you have it as a side job, we have an entire department for this.  They are pretty serious, too: they would take away my root password if they could but firecall would cripple this company.

We have serious, full-time departments for it for the vast (99%) of the systems here. It's just there's a set of isolated networks that users occasionally have need to access (sometimes 100 of them at once) and while the most secure stuff is done via workstations whose loads are determined and zealously guarded by Jesus himself, they do have need to access their own personal programs and utilities -- hence the laptops.

So my role -- when these users descend en masse -- to stop developement of the useful tools with which many of them do their job, and to go babysit them. To make sure they can hook up to the network, can access the printers, don't bring their nasty virus-infected laptop in and fucking everyone. Why do we do it? Because we were asked for 24/7 support during these events for issues regarding our particular toolset, and it was felt that as long as we were sitting on our asses anyways, we might as well help out with other things.

I much prefer development. I get to learn all that nifty ASP.NET 2.0 stuff AND get to write complex data miners for my Master's. I even manage to do that while on support sometimes. I wrote three papers last time I was stuck there.

[Chimpy]

I'm not saying stupidity should be a capital crime, but why don't we just take all the warning labels off everything and let the problem solve itself?

Because most the really dangerous stuff that can kill you doesn't have warning labels that, in being removed, would make it any easier for people to kill or maim themselves.

[Hutch]

I'm not saying stupidity should be a capital crime, but why don't we just take all the warning labels off everything and let the problem solve itself?

Survivors would sue.

If you're going to stick an appendage into the maw of a running lawn mower, there isn't a warning label in the world that can stop you.
Those labels are there to keep you from suing the manufacturer winning your lawsuit.

[Morat20]

As far as it goes, warning labels are cheap CYA. I suspect many of them are there because one tiny bit is mandated, and the rest is tacked on just for CYA purposes.

For instance, the "Toxic/poisonous substances" label on stuff like cleaning supplies, or toner. Or "eye irritant, flush your eyes with water" stuff. That's really there for quick first-aid in case of accident (if I find my kid eating bleach, it's nice to have a nice label right there indicating what to do -- not that I'm stupid enough to keep bleach where toddlers can get to it, but you see the point).

After that, they just started adding more shit since they already had the label.

In that vein, some blogger was talking about ridiculous government specifications for contracts -- like 10 pages to define "toothpick" and speculating that the reason the government spends ten pages defining "toothpick" is because they learned (probably the hard way) that without it, some fucker will low-bid and show up with shit he calls toothpicks (like jagged splinters off 2x4s from condemned houses) and claim he fufilled his contract because no one defined toothpick. I know that's common enough out in private businesses -- you specify to a T because if you don't (Especially if you deal in large numbers of such contracts) someone's going to try to fuck you, and even if you win in court, it'll still cost time and money. Better to be painstakingly detailed and forego much of the pain and cost when some idiot gives in to human nature.

[Sky]

some fucker will low-bid and show up with shit he calls toothpicks (like jagged splinters off 2x4s from condemned houses) and claim he fufilled his contract because no one defined toothpick. I know that's common enough out in private businesses -- you specify to a T because if you don't (Especially if you deal in large numbers of such contracts) someone's going to try to fuck you, and even if you win in court, it'll still cost time and money. Better to be painstakingly detailed and forego much of the pain and cost when some idiot gives in to human nature.

This is why I'm in favor of the death penalty. Hang those fuckers high.

[bhodi]

Morat20 is so right. I've seen the ugly world of government contracting up close and personal.

[Yegolev]

I'm not going to pretend I'm fluent in tort law, but when it comes to being successfully sued due to someone doing something dumb, they have to show that they did not understand that there was a risk.  Definitions of what a reasonable person would think aside, companies put labels on things so that they can point to them and say "Obviously any reasonable person would have read this warning label and known about the risk of X".  This will keep them from being sued most of the time.

[Roac]

In that vein, some blogger was talking about ridiculous government specifications for contracts -- like 10 pages to define "toothpick" and speculating that the reason the government spends ten pages defining "toothpick" is because they learned (probably the hard way) that without it, some fucker will low-bid and show up with shit he calls toothpicks (like jagged splinters off 2x4s from condemned houses) and claim he fufilled his contract because no one defined toothpick. I know that's common enough out in private businesses -- you specify to a T because if you don't (Especially if you deal in large numbers of such contracts) someone's going to try to fuck you, and even if you win in court, it'll still cost time and money. Better to be painstakingly detailed and forego much of the pain and cost when some idiot gives in to human nature

Yes.  I had to writeup a definition of "webservice" because of worry that some fucker would define it however they liked, regardless of its use in IT jargon.  And it's a somewhat real fear; the real issue are numerous small companies looking to get a slice of the pie, and who will do damn near anything to get what they see as easy money.  Most legitimate contracts aren't easy - unless you word-lawyer your way through a contract to cut every functional requirement out you can.  Oh, and the small fries that don't win contracts?  They start pulling every damn political string they can to leave bruises.  It sucks ass when a state legislator calls you up and asks why so-and-so joe startup was declined a contract.  They're in your state, you know, and the company you went with is in another state.  You know we're interested in keeping state money in-state where possible, right?