Why 'Trustee' is an ironically bad word, pt. 2

[greatblondino.livejournal.com]

Some of you may have read my recent rant about trustee idiocy. Here's another prime example - the following conversation took place over a couple of weeks via e-mail, but you get the idea.



T is a trustee of the organisation. This does not necessarily mean she deserves any prestige, but she feels terribly important.
R is T's sister's boyfriend or something along those lines. He 'knows about computers'.

T and R like to cc each other when they e-mail me, so both of them can see what an idiot I am.

T: The internet is broken. I need to connect to the office and I can't.
Me: Umm, ok. Can you describe the problem?
T: I can't get on to the VPN.
Me: Ok, can you describe your network at home? Do you use wireless?
(Goes through the usual testing of internet connections, checking the VPN server logs etc)
R: Look, I set up this network at T's house and I know it works. Don't you dare change it.
Me: Really, I think there might be something wrong with the way your network is set up.
R: OK fine, change whatever you want but I know it's set up right. Whatever you do, I want to know about it so I can change it back when you f*ck it up.
Me: Umm, ok. Well, I think your network at home is using the same subnet as our one at work, so routing won't work properly.
Bear in mind R is ccing T on all of this, and T in turn is complaining to my boss about my incompetence
R: The IP here is 192.168.0.1. I REALLY doubt it's conflicting with your network (smug know-it-all grin)
Me: (getting really tired of this crap, goes into tech mode to make him shut up) OK that's what I thought, we use 192.168.0.0/24 here so your network at home won't route properly to ours. All our other VPN users have 192.168.1.0/24 and it works fine. I mention things like CIDR, subnetting, whatever, just to get him to admit he knows nothing.

A couple of days pass.

T: Right, R says he'll try to do what you said but he doesn't think it'll work. I'm away for a few days but he has my password so he can sort it out.
Me: Wait, what?
Background story: six months earlier, the company needed an IT/acceptable use policy. I wrote it, trustees didn't understand it but they signed it anyway *
Me: You gave him your password?
T: Yeah, so he can fix my network.
Me: Opens up Active Directory Users and Computers, finds T's account, right-click, Disable Account. I'm terribly sorry, but that violates our IT policy. As you're the trustee in charge of overseeing policies, I'd expect you to know this. I have removed your VPN access rights.

The grin on my face was so big you could see it from the moon.

(* Actually, I wrote the policy, submitted it to the board, they deleted most of it, copied-and-pasted verbatim a load of text from a 'things you should include when writing IT policies' document from about.com, then passed that. It was incoherent gibberish, but the bit about passwords was still in it.)

Comments

[omg-teh-funnay.livejournal.com]

I think you shouldn't work for them anymore. Let them crash and burn... ;)

Although I'll miss the "stupid trustee" stories, it can't be good for your internal organs or brainmeats

[pyrtolin.livejournal.com]

The standard policy for that is usually that you should have your own login that you can use for testing. At worst, the person that you're supporting should be on hand to type their password when needed, but there should only be a very narrow range of cases where that's necessary.

[lightforce.livejournal.com]

Hahaha! greatblondino, 1. T and R, 0.

Do let us know how this turns out.

[wxgeek.livejournal.com]

As an IT person, you should never, ever, EVER, EVAR, EEEEEVAAAR need to know anyone's passwords. It's as much for your own safety as theirs.

[wxgeek.livejournal.com]

Because as a superuser, you can run as / sudo just fine.

[greatblondino.livejournal.com]

I'm pretty much the only IT person employed by the company. I don't know people's passwords, and I don't have access to their accounts, but I have the power to gain access if needed. The general policy is not to share your password with *anyone*, including me, and especially non-employees.

There's a lot of sensitive/departmental information that shouldn't be shared, and more often than not, there's simply no need to swap passwords. If I need someone to type in their password I'll ask them to do it. It's very rare for me to ask for a password, and if I catch people sharing them they get a severe bollocking from yours truly.

[greatblondino.livejournal.com]

If I really, really need to know someone's password I'll just reset it to Password1 or something, and tell them to change it when they get a chance. I prefer not knowing, really. Like wxgeek said, it's as much for my own safety as theirs.

I constantly get people trying to catch me out, asking, "come on, you can tell me - when you're bored, you read our e-mails, don't you?". Seriously, I don't, because a) I'm not supposed to, b) I really don't care, and c) the only way for me to do so is to check through the journalling mailbox, which is supposed to be tamper-proof. You think I want to lose my job from being a bit nosey and bored?

[greatblondino.livejournal.com]

Oops, I forgot what the LJ code for "user" is. Someone wanna remind me?

[greatblondino.livejournal.com]

Oh, it turned out already :) This was months ago, and I subsequently revoked VPN access for all trustees for similar reasons. None of them got a chance to argue. They signed the policy without reading or understanding it so it's their own damn fault.

I am the law.

[sethb.livejournal.com]

"come on, you can tell me - when you're bored, you read our e-mails, don't you?"

Only if I want to get more bored.

[wibbble]

There's no hyphen.

Also, you could've edited the comment until you replied to it - that locks it.

[greatblondino.livejournal.com]

Bah, lame. I thought only paid accounts could edit.

Oh well, I'll know for next time :) Assumed lj-user because of lj-cut.

[wibbble]

Oh, maybe only paid accounts can - I got a permanent account years ago so I don't really pay attention to that stuff.

IIRC, the reason it's '<lj user=...>' is because <lj-user=...> isn't a valid XML/SGML tag, since you can't apply a parameter to the tag name, you need to specify an attribute and <lj-user user=...> looked too clunky.

I know there's no reason to make it properly valid since it's all parsed out, but back in the day they wanted to do things 'the right way'. Hence no adverts, no javascript, and so on.

Of course, times change. :o)

[spooforbrains.livejournal.com]

First rule of big business tech support. The rules never apply to execs.

[wibbble]

First rule of small business tech support. The rules never apply to the owners.

If only they hadn't told me what he uses his second computer for, I wouldn't've felt so dirty when I had to touch it.

*shudders*

[jecook]

Ding!

At my place, anyone sharing passwords for ANY reason is grounds for a writeup, or worse, as it's a violation of the gaming compact the tribe has with the state. The look on the bosses face the last time someone did that was priceless, and brought me to smile.

We either schedule time for the executives or other big wigs, or (usually with their permission as a courtesy) change their passwords if we really need to use their accounts for any reason..

[lightforce.livejournal.com]

Awesome!

Policy can be a real pain in the arse, but damn if it isn't useful (and satisfying!) every now and then.

[trixtah.livejournal.com]

Yep, as others have said, you either have a dummy test account with exactly the same rights and attributes as your problem user, or, as a last resort, you reset their password and get them to change it when you're done.

Anything else is incredibly unprofessional and exposes you to a schwag of liability.

[blkrabbitofinle.livejournal.com]

>> I constantly get people trying to catch me out, asking, "come on, you can tell me - when you're bored, you read our e-mails, don't you?" <<

Isn't it cute when users think we really give a shit about how totally shitfaced they got on the weekend or who their second cousin is sleeping around with. The times when I have had to read through emails (never for fun; but trying to restore a particular email, or this one patch of really stupid mail scanning a company had, etc) the snippets I've gleaned have been mundane and uninteresting.

I mean yeah, ultimately it's not worth getting into trouble for (like the one manager who thought he'd read a 'Confidential' mail in someone else's mailfile they'd been given access to, only it sent a read confirmation back to the sender from the snooping user's name - whoops, someone went straight from the manager's office and out the front door) and my personal morals stop me from even glancing at obvious chain letters that have something that looks vaguely amusing or cute or whatever. But in reality the majority of personal mail is so incredibly dull I avoid reading it anyway.

[blkrabbitofinle.livejournal.com]

It's funny how often I hear admins (almost always low-level admins without much experience) complaining about how 'stupid' Lotus Notes is because any old Joe with an admin account can't go in there resetting or recovering passwords to user accounts with complete ease. There's a bit of messing around involved in getting a password to a user's ID file, and for good reason, especially as many very large and very important and very secure companies use it - who don't want Joe Fucktard the Junior Database Administrator they employed last week just letting himself do whatever he pleases in there.

But no. Security is 'stupid'.

[jimbojones.livejournal.com]

You get many BOFH cookies for this. Too much whining in this community about bending over and taking it in the ass from users, not enough laying down of smack. Well done.

[mattcaron.livejournal.com]

(getting really tired of this crap, goes into tech mode to make him shut up) OK that's what I thought, we use 192.168.0.0/24 here so your network at home won't route properly to ours.

Where I work, we got tired of that, and we wanted to be able to chop things up a bit more, so we went to a 10.x.x.x network....

[mattcaron.livejournal.com]

when you're bored, you read our e-mails, don't you?

No, when I'm bored, I brush up on the BofH archives.