BOFH: Can't you just ... NO, I JUST CAN'T
Taking exception to exceptional exceptions
Episode 11
"EVERYONE IS A F**KING EXCEPTION!" the PFY snarls - beating me to the very same exclamation by nanoseconds.
"What do you mean everyone is an exception?" the Boss asks.
"It's the life of a bloody systems admin, people want you to make exceptions for them!" the PFY shouts. "Passwords, web filters, extra file space. People want us to bend the rules."
"But it's just some letters!" the Boss replies, feigning reasonableness, if there is such a word - and as if it could be applied to the Boss anyway.
"And there's the tell-tale sign!" I snap, beating the PFY to THAT exclamation by nanoseconds.
"The.. tell-tale sign?"
"Yep. The word 'JUST'. By using it you assume that what you're asking for is a reasonable request - a couple of simple clicks of the mouse, a tap on the keyboard, and everything's hunky-dory. But it's bloody not!"
"But look, isn't changing the password strength rules for one chap just a couple of clicks?" the Boss asks.
"Of course it is, but that's not the point," I say. "You do that and it affects the security of the entire domain. A longer password makes it unlikely that someone will use their initials twice. Forcing them to use at least one number stops them from just using a plain password, and forcing them to use at least one letter stops them from using their home phone number. But it's not about the password, it's about domain security."
"Could you just make an exception for them?" the Boss asks.
"You did it again," the PFY observes.
"Used the word 'just'. Remember, if the word 'just' is in a sentence it's an unreasonable request. And we don't make exceptions."
"BECAUSE EVERYONE'S A BLOODY EXCEPTION!"
"You said that, but what does it mean?"
"Look, I change one guy's password complexity and the next thing I know someone else will want me to change their password complexity."
"But this is a special case!"
"THEY'RE ALL SPECIAL CASES!" the PFY SHOUTS.
"What my assistant is trying to communicate," I say in calm tones, "is that if I make an exception for this bloke some other basket case will want me to change their password complexity - for a reason they think is a special case too - like they're allergic to using number keys or they've got some special-needs keyboard that makes it harder to use the shift key. Then the next person will come in saying that they can't mix upper and lower case on religious grounds and before we know it the only password people will be able to use is 'A'."
"Or Enter," the PFY says.
"I don't.." starts the Boss.
"Then we'll get some dorky bean counter who wants us to increase the size limit on email messages - JUST for a day - to 50MB so he can send some work home. Only he'll want it again next month and the month after that, and twice in March and April, and then comes the inevitable question: why don't we just leave it at 50MB because he needs it after hours too?"
"Is it that unreasonable?" the Boss asks quietly.
"Yes, it is. It never sounds unreasonable at first, but the mess it causes is."
"I still don.."
"Let me tell you about access control. We have divisional groups, departmental groups and project groups. We have folders on our file-share machine with hierarchical access control based on those groups. And then we have someone who isn't in any group because he's a contractor. And he's only supposed to have access to one file buried in the hierarchy of files.
"Then there's another file in a completely different location. And another. Then he leaves, but he might come back, but no one knows when and so we make an exception for that special case and leave his account open without disabling or expiring it.
"The department head concerned says he'll let me know when the access can stop. Then the guy doesn't come back but another contractor does, and he needs access to different files, all in different places - but not the same files.
"Then the original guy comes back - but now he needs write access to files. And web access to our internal portal - but only certain parts. And he's using an iPad with a shite implementation of Excel, and they need him to be able to synchronise his spreadsheet with the data in one of those files he has access to... through Dropbox - but only on the day before the close of accounts for the month.
"And then the second guy needs the same thing, but he can't use Dropbox because his firewall won't let him because, oh I don't know, it's green and not a black firewall. And he's got three cables coming out of his box, so anyway if we could just give him FTP access to the server then that would be grand. The department head who originally authorised this left six months ago and no one really knows if the first guy's still working for us or not, but he should probably still have access just in case. THAT IS WHAT EXCEPTIONS ARE!"
"Yes, yes, I see your point, but really this is just about one person's password-" >kzerrt!<
"That was just a bit of voltage," I say. "This is just a roll of old carpet. This is just a spade and those are just bags of lime. This is just a map of abandoned forest trails with vehicle access. Ordinarily I would treat this like every stupid and uninformed request and just ignore it - BUT IF YOU WANT - I can make an exception in this case. Is that what you'd like?" ®
Re: F***ing brilliant @Ian Johnston
Yes, because if doctors simply succumbed to the whim of every patient, nobody would be addicted to any medication or suffer from any side effects or ...
Procedures are in place for a king reason. Password complexity helps keep hackers out etc. We don't do it for fun you know.
Yes we support people, but that is because those people need our support.
Re: F***ing brilliant
"Supporting people is your job. Stop fucking whinging and start fucking supporting"
- Dealing with encryption is hard. Support us by removing the need to encrypt data being taken off the premises.
- Having remote access to the company systems is so useful that everyone should have it by default. Please support us by making this happen.
- Password complexity and reuse limits are onerous. Please let us use whatever passwords we like.
- Virus scanners slow our computers down. Please remove them from our systems.
- I want to be able to install my own software on my work PC. Please make me an admin.
I tell you what. Please stake your career on the fact that the requests you make to circumvent company policy will not cause anyone any problems. In the event of these problems I'm expecting you to state clearly that these changes were your idea, that any resulting security catastrophes should be laid at your feet, and that the support staff were obliged to support you and rightly had no power to veto your decisions. I'd like this in writing, please, and signed by your line manager.
TL;DR: I'm not willing to sacrifice my job for your temporary convenience. Stop fucking whinging and start taking some fucking responsibility.
Re: F***ing brilliant
Missing the point much?
This isn't about support staff not wanting to actually provide support.
It's about support staff providing support, within the boundaries of company policies and legal requirements, and without compromising the security or functionality of the very systems they want to use.
User asks me for a password change, or access to a file share, reasonable requests they get done.
"Can you let me individually encrypt a file on a file share, because we only want 4 of the 10 people who can access the share to see it?"
The answer is no.
Encrypted files can't be backed up by the backup system because it can't read them, which causes the entire backup job to halt. Does the user understand that backing up all the company's files is more important than him encrypting one file? Of course not, he wants us to "just make an exception this once".
Agreeing to this "simple" request for one user compromises a service provided for everyone else.
Giving the user what they want because it makes their life easier, is all well and good. But not when it causes other problems.
Personally I'm usually quite happy to find an alternative solution for the user. But I often find in many cases the user refuses to accept the alternative simply because they don't understand why they can't have it their own way.