So DST hit (the stupidest idea ever. We should just stay on it all year so it doesn’t get dark at 4pm mid winter. But I digress)

Our door system software was last updated in 2011. For that reason, it is kept as an independent system, not allowed to touch our LAN or the WWW in any form. Also old enough that I need to change the time manually twice a year. So Monday morning no one could get in because the door thought it was outside of normal business hours.

I get the twice a year call that no one can get in where I politely respond:

  • The system is 14 years out of date and there is NO WAY I am allowing it to connect anywhere but the doors themselves, so I cannot remote in and fix it.
  • They pay me for 14 hours a week which gets me onsite 2 days only. Today is not one of those scheduled days. I will update the doors tomorrow.

They just cannot run on outdated software and pay me less than I’d make at Wawa while at the same time expecting me to drop everything every time they need me. Luckily, I am semi-retired and pensioned so I do not need a lot of hours or money from them. But respect. I do need respect and an appreciation that I can in fact keep their entire business running on just 14 hours a week. I’m that kinda good. :wink:

22 Spice ups

I applaud you for standing your ground and not allowing the system to be connected, but I do wonder if you couldn’t have compromised and changed your days onsite, since you knew this would be an issue? Although, perhaps a situation like this might finally convince them it’s time to do something about their software!

19 Spice ups

If someone had realized it would be an issue (including me), then maybe. Although I have a thriving repair business out of my house as well and had 2 clients scheduled yesterday. Changing the day would’ve cost me a couple hundred dollars and the goodwill of my clients as I backed out of promised work. Not sure what the upside of that is for me. “You get what you pay for” as they say. All things being equal, I’d have driven in… but all things were not. I had other clients.

8 Spice ups

Would a networked KVM connected to this system help resolve this issue? That is, assuming they’d be willing to spend a bit of money on a KVM of some sort. :joy:

The way I have stuff like this set up at my house is via a KVM that is only accessible if you’re on the “secure” (non-guest) network, so if I need to, I can VPN into my lab, then connect to the KVM and adjust what I need to, so that gear is configurable remotely without needing to touch the internet itself.

6 Spice ups

Ahhh, that definitely makes sense. I thought “semi-retired” meant you had more flexibility. Here’s hoping this is an eye-opener for the company!

7 Spice ups

I don’t have a story, but we used to have a system like this that I managed. Luckily for them I was still working in the office.
Oh, the fun I had with this access card system. Can you hear the disdain in my voice?

4 Spice ups

I kinda wince internally when a number of our peers want to “stand their ground” on some philosophical “best practice” in IT that the business/management just isn’t interested in. I feel like sometimes we get on a high horse and forget our job is to serve & enable the business and if the business wants to do something dumb, that’s on them (as long as you’ve clearly communicated the risks and effects).

Although I’m a fan of not giving companies freebies like your case; stand your ground on that stuff! Although DST is kinda a predictable event =)

4 Spice ups

I’d argue that our job is to facilitate business needs, which includes protecting it from active threats, and staying on the right side of the law.

3 Spice ups

There are things I could do no doubt. And it would make them even more certain “we only need to pay him for 14 hours.” That is their thinking right now. And sadly, they are not wrong. I am so good that I can in fact do it all in 14 hours. Remember, no good deed goes unpunished. LOL

3 Spice ups

I work only 14 hours because I do whatever needed whenever needed 99% of the time anyway (I had a private client that prevented me from driving in Monday as an exception) so the feeling is that is all they need to pay me for. If I keep “taking one for the team,” how exactly will that ever change?

1 Spice up

Yup, the door was an inconvenience at worst. Someone had to open it for them for a day. Risk aversion and putting the company first is why I could not help them remotely. :slight_smile:

2 Spice ups

We literally changed our door system late last year and it’s on an isolated network. Same deal with our camera system.

P.S. I have the solution for DST: change the clock a half hour.

Compromise :slight_smile:

4 Spice ups

Sometimes it is just frustration of the silliness.
I have conveniently ‘forgotten’ the building alarm code, because I happen to live closest to the building, so guess who kept getting called on the alarm company list first every time some goober set the alarm with a window open…
(We managed to convince the owner of the company that he should be first on the list, oddly, we have had very few ‘stupid’ alarms the last few years)
It could have something to do with who was most likely to set the alarm off by accident… pure speculation there…

6 Spice ups

TLDR, I stood up to a doctor wanting to make an insecure connection and won.

In a previous life, I worked at a hospital holding company. I received a call from a doctor wanting a connection from the hospital to the Electronic Medical Records (EMR) system at his clinic. Ok, I was good with that until he told me the connection was over telnet. I twitched and told him I could not make the connection over telnet due to HIPAA regulations, but I could do it over SSH. The doc said it had to be over telnet. I told the doc no. Thus starts the rant:

Doc “I will tell your manager.”

Me “My manager will tell you no.”

D “I will tell your director.”

M “You can contact the CIO and she will tell you no.”

D “I will have your job.”

(by this time, I had looked the guy up, he was a neurosurgeon)

M “You can have my job, but it will be a drastic reduction in pay”

(10 seconds of silence. Not sure if the doc is stunned, laughing or furious at me)

D “You can make the connection work over SSH?”

M “Yes sir.”

D “I will not know the difference?”

M “No sir.”

D “It will be secure?”

M “Yes sir”

D “Ok call me back when it is done.”

M “No sir, you will stay on the line and test it when I am done.”

D “How long will it take?”

M “In the time we have been arguing, I could have done it 10 times over.”

I created the access, modified his client, and he tested.

D “You are right, I don’t know the difference.”

M “Yes Sir.”

D “Thank you”

In dealing with physicians this was the first time:

  • One challenged me
  • I had a witty response
  • Received a thank you

16 Spice ups

Nicely done! I didn’t have quite the same luck when a nurse called to request a password reset for “her” physician. I refused to give it to her and required the doc be on the line, and that doc spent well over 10 minutes insisting I give his password to the nurse. He escalated to my manager and director, and my director caved (despite numerous written policies that stated we must verify identity and provide passwords only to the named person). At that point, I couldn’t even be mad at the physician. He had just proven that if he “throws his weight” around, he’d get what he was after, so what’s to stop him in the future??

4 Spice ups

At least you did not cave. It is your director on the hook for the violation, not you.

3 Spice ups

Most times when I have a user that wants to do something dumb, I explain why that is a “Very Bad Idea :copyright:” and most of them realise that what they are asking for is outside of good security practice. When I suggest an alternative that will give them what they want with added security most users are fine.
I have had a couple insist that I do what they are asking for, so when I say that I need an email to confirm that they accept the risk that this may entail, most of them back down.

Now I work for an MSP where our clients are paying us to ensure that the risks are minimised, so rarely do we get users that want to circumvent our security precautions and will listen when we tell them that the process they want to implement is against security best practice.

If they say that they insist and will not confirm in writing, I forward them to the boss, who can be an obstinate B*st4rd. When a client wants to break security, he has told a client that we will no longer do their support if they insist on ignoring our security advice.

5 Spice ups

Long time ago, but I had to stand up to The Owner of the company. He wanted me to simply install the one copy of XXXX Software on all our machines. He was trying to save a couple of bucks on software licenses. This was a small, 10-person company. I was brand new as the first full-time IT guy.

I told him that I would not. He wanted to know why. I explained that it was illegal, to start, and that programmers depend on the license revenue to keep making the software that you enjoy using! (This was long before subscription models were in place.)

Definitely a “swallow hard and tell the truth” moment. Thankfully, he relented and let me buy enough licenses for the needed machines.

6 Spice ups

I don’t have to say “no that violates acceptable use policies” often, or “If I do that for you, I have to do that for everyone and I’m not doing that” but I do have to say it every now and then. My boss has my back so I don’t have to worry about it, in fact SOMETIMES I enjoy saying it! :slight_smile:

4 Spice ups