It’s not more secure, it’s so they can offload blame and have people to sue if/when something ugly happens. Liability control, essentially.
We had to pay for fucking Docker container licenses at my last job because we needed an escalation to the vendor in case our SMEs couldnt handle things (they could), and so we had a vendor to blame if something out of our control happened. And that happened: we sued Mirantis when shit broke.
Everyday my misnathropy is justified
Every day I wake up I thank God I’m not an MBA 🙏
Sometimes I wish I was a piece of shit so I didn’t need to worry about money.
“This fucking paycheck! What am I going to do with all this money?”
MBAs would just buy an LLM software subscription to fix it
“If you’re not paying for the product, then you are the product.”
The phrase has its uses, but shit like this is what happens when it’s taken to the extreme.
Often times when you pay for the product, you are still the product.
I’m the product in the sense that poo is the product of the intestines.
The simple exception is free software (free as in freedom). It’s really not that complicated.
My previous employer was bought by a huge company. I liked it in the small company, because I had freedom to do what was needed without much questions, and I was trusted to make the relevant decisions and purchases. Kind of a “Costs be damned, get it done in a reasonable amount of time” kind of arrangement.
When we came under the big corpo, we got an email instructing us to list all the software we used/needed, so that it could be added to the whitelist that big corpo worked with. Anything not in the whitelist simply couldn’t run.
I gave them the list, but spoke to my on-shore It guy that out in the field we often needed to install something that we didn’t need before on short notice, and waiting for a ticket to be resolved for an administrative matter had the potential to stop production.
They found it easier just to make an exception for my work PC. I just had to promise not to VPN in to the office while running “weird” stuff, otherwise the higher ups would get upset.
That’s fine. I had my own VPN for only the stuff I needed anyway. I VPNed into offshore production systems on a daily basis. I needed to VPN I to the office once or twice. Plus in my book, the “main” VPN client is what I consider weird software. My shit was basically a wrapper around openvpn.
EDIT: To be fair, the huge corpo employer wasn’t unreasonable. It was just so large with so many employees that strct security implementations were needed for IT to have some sort of control. I was technically also IT, but I only dealt with field equipment, so that IT could focus on “normal” stuff. They trusted me to handle my end, they handled theirs, and we usually cooperated fairly well when our systems “met”.
“we need this NOW”
> Package I install is immediately black listed by IT, I submit a high priority ticket and I don’t hear from them for days, maybe weeks
Like what the fuck can I do
“Yes, but does one of the existing whitelisted executables fulfill the same function?”
“Have you tried using MS Excel instead?”
*Looks at industrial robotics with a proprietary TPU that needs a firmware update.*
“Yes”
Worked for a company that had a similar policy against free software, but simultaneously encouraged employees to use open-source software to save money. I don’t think upper management was talking to the IT department.
My last boss got rid of the pfSense routers because “open source is not secure”. I argued that pfSense has been vetted over and over and over again. Nope. “Everyone can see the source code.” That’s the fucking point!
TBF, pfSense isn’t the fastest routing, but at our small company is was more than sufficient.
Anon works for my company? Because they did exactly this with the same excuse.
how thoroughly was it followed through? how was ensured that no free beer software was used?
That’s a great question. In my experience (15 years at MSPs and several years as a freelance consultant where I’m mostly in house one place but take side jobs) I’ve been the one who had to make this change.
Some companies are very serious about it. Laptops end up on some device management solution that can tell every program you’ve got installed and flag anything not pre-approved. Then take away everyone’s ability to install outside of device management.
Some companies want to scare the users into compliance but want IT to be able to do their own thing. So they’ll install some easily bypassed thing or enroll everyone but not keep an eye on their network to find rogue devices.
Some companies threaten it, pay money for a consultant to put together a plan, don’t like the price, threaten to go elsewhere, and the exec who championed it finds a new job while nothing of note was done, but they’re sitting on a handful of licenses for software no one is using.
I used to carry a toolkit of free software in portable format on a thumb drive and another thumb drive with a full Linux environment in case I had to do something at the first kind of company.
I’ve had some workplaces where they instituted overly heavy-handed crackdowns through IT Policy then rolled them back after a couple of weeks because someone in upper-manglement needed to see the impacts in the real world that they already were already warned of before they could be convinced that their genius new policy wasn’t such a good idea
