Ok so I totally need to vent...

I'm working as a consultant at a large company for a couple weeks, working with both my powerbook and the company-issues laptop via a hub on my desk. Last night I took both computers home to work at the hotel, and when I tried to hook everything back up this morning, nothing was working. After wasting an hour msesing around, I finally call tech support. Some mousy, creepy guy comes over and explains that the ports are older and not standard ethernet, so if you don't plug exactly the right cord in in exactly the right direction nothing works. This explanation is interspersed with snide comments about the ethernet cables I brought not being standard length and a disgusted tossing aside of my hub.

About 15 minutes later, this creep comes back with a pissy network admin guy who proceeds to chew me out in the bitchiest way about how having a non-managed non-corporate issued computer on the network, or using my own personal hub/router is one of the biggest violations of corporate policy possible and grounds for immediate dismissal. This explanation is interspersed with disgusted nods toward my Powerbook, which is positively gleaming next to the miserable little Compaq labtop that is the "official" corporate computer. "All we need is for someone to bring in their dirty machine and one virus to get on the network." he says. I felt like saying "Um, yeah, but - this isn't a windows machine. It doesn't get viruses."

So basically, I'm totally screwed. My manager and everyone I worked with knew I had the Powerbook plugged in, and nobody cared. The network admin left with a veiled threat to monitor all the traffic to my cube, and "cut off my port completely" if he sees any unauthorized MAC address. So now I'm a marked man - a Mac user! I'm seriously so pissed right now. Corporate America and their virus-laden wintel world can go to hell. Someday I'm going to start my own company and use only macs!

I'm not in the least bit surprised by this. Large corporate companies/networks are very managed. Everything must be approved before connecting to the network. You must have company standard (and managed) versions of IE, AntiVirus etc. They don't care if it's a Mac, at the end of the day it is still a computer from an external source that for all you and they know could have anything on it.

Vent all you want, your network admins are right. You should not bring home computers in to work and plug them in on the LAN (well maybe small business allow it, but large ones will not).

Kinko's allowed it. I'd say they were a large company...

Never heard of them...but that's not the point. Corporate companies want control over their networks, most will not allow the use of anything other than their own image of Windows (or chosen OS, Linux, Solaris) near their LAN/WAN.

well, kinko's is a large american on-demand printing shop. they use a mix of macs and pcs in their environment and have outside disks and files coming in all the time, so it makes sense that they wouldn't have a hissy fit over something like this.

as for working in a large corporate environment and putting up with this sort of stuff...i really don't know why anyone would do that to themselves.

I wonder. I've got an Earthlink dial-up account. Do you think it woudl be "legal" if I connected to that over their phone line? I don't really care about being on their internal LAN, just getting onto the internet in general from in here...

My company (I cannot divulge the name for security reasons) has no problems with you using your own personal computer on the corporate network, they just don't help you set it up. Also if it runs Windows it has to have AntiVirus, and if it has XP in has to have a program that severs all communication between your XP box and M$. On a Mac they don't care, they just ask that you turn on the OSX Firewall.

It also helps that I have 3 Network Ports in my cube. Personally, I'd talk to your manager, and explain your possition. Your manager may help you out by telling the IT guy to allow the use of your PowerBook for a project. Also, I doubt that you could be fired without a warning from a Manager. The IT guy has no real power, and will probabily forget about it in a few days anyway.

TEG

im sure your company has a code of conduct/use of their IT/LAN. if you're in violation then tough. it doesnt matter if the admin is a retard, the fact is if u break the rules its your fault.

its too bad they dont support macs

Originally posted by RedMacMan
I wonder. I've got an Earthlink dial-up account. Do you think it woudl be "legal" if I connected to that over their phone line? I don't really care about being on their internal LAN, just getting onto the internet in general from in here...
I can't imagine that'd be a problem, as you wouldn't be putting them at any risk. It's just the cost of a phone call.

First of all, the network admin is an idiot to think that a mac can bring virus on the network. On the other hand it seems like he is doing a good job monitoring any potential treath and eliminating it even if there is no real danger (à la Bush...).

What you should do: talk to your manager. If he knew that you were using the PB I guess that you were not violating anything so he should be on your side. He could then call the netadmin and ask him to put you on the network after ensuring him that mac are virus free (tell him to do some research).

Admin guys always think that they are all powerfull because they 'control' the network, its a typical issue with them. They cultivate this by misleading the management of other divisions. You should not be scared of him, just show him that you understand his concern for his network and that you can provide him information on how secure your PB is compared to pcs.

Just dont over do it. PC zeallot are as bad as the mac ones!

Why don't you just install an antivirus programme on your PB to make them happy?

Originally posted by TEG
...if it has XP in has to have a program that severs all communication between your XP box and M$...

Why would you want that? Is it because only the company you work for should manage all the Windows updates on the corporate box?

Obviously I understnd the security issues and the challenges of maintaining security in a corporate network with thousands of machines, I just think this particular policy is bone-headed. Maybe I will follow up my manager.

Actually, what made me the most angry was what a jerk the admin guy was, ilke totally patronizing and sarcastic. Pretty much your typical a$$hole network admin. I'd feel a lot better about the whole thing if he'd just pulled me aside and say "Hey, Look man, don't mean to be a hardass but we really can't have 'wildcard' machines on the network here - you know how it is..."

Ugh. Somehow I ended up in my own little Dilbert cartoon today.

The admin was being an ***hole. But unfortunately I have to side with the admin here. You are plugging an unknown, untested computer on a LAN or maybe WAN. I too would go ape **** if someone decided to bring their personal computer into our network without asking. I don't care if OS X doesn't have a virus track record it's not your network that you are managing. Imagine what would happen if everyone on that network did the same thing? The guy can't make an exception for one Mac user. I've seen instances of where Appletalk had chattered enough on a network to effect network performance. You look at it from the perspective of a user vs an IT admin perspective. The two can differ drastically.

I guess that you should have asked first. I am working for a huge company as well and its definitly needed to ask first if its ok.

Originally posted by Mantat
First of all, the network admin is an idiot to think that a mac can bring virus on the network.

i don't think it's a part of his job to know about Macs.

if you had to manage a (windows) network as your job and had to make sure your network is secure because your bosses are being paranoid after seeing all sorts of M$ virus/worms, i can understand why he would get annoyed and downright nasty if anyone brings in their own laptop and has it on the network. if something was to happen to the network, he is the one who will be held liable, not you. he's paid to maintain it, "but that guy brought it in without asking me" is a very poor defense.

other managers and co-workers being ok is irrelevant - they have no stake in maintaining the network. so what do they care?

"But it's a Mac, there's not virus" sounds as convincing as "it's my personal PC, i maintain it and i know there's no virus on it." the laptop being a Mac is not the issue, the fact it was not under the admin's control is.

each company has its own policy - however boneheaded/retarded it may seem, it's there for a reason and someone is being paid to adhere to it. as long as you work there, it would be best for you to know what the policies are and adhere to them.

how would you feel if someone randomly started throwing in applications on your laptop? "oh, don't worry, none of them can do any harm" - would you take the guy's words? wouldn't you feel a bit uneasy about someone messing with your laptop? imagine worrying about that on a bigger scale as a job...

Never know so many windows network admins read these forums...

Sheesh.

Originally posted by Maritan
Why would you want that? Is it because only the company you work for should manage all the Windows updates on the corporate box?

precisely. the aim of the admin is to be the singular point (or an entity) of responsibility for maintenance.

btw, i'm not a windows admin. i was basically pointing out that you will encounter many more of these "boneheaded" policies like the one you mentioned; it's best to be "logical" and in general, mature, about them. it's not as easy as you're thinking when the number of people/machines involved increases.

if you think policies are boneheaded, make sure to heed the call and not make your policies boneheaded should you climb the ladder to the point of making them yourself.

The only thing I find weird is that M. Paranoia is not using MAC adress filtering to control computer presence on the network.

As I said before, these guys generaly have no social skill which is the reason why they started working on network in the first place! I maybe over exagerating but I have yet to find a network admin with social skills and I have met more than 15...

The point is, as some people have pointed, you should have asked first but at the same time you learned a valuable lesson.

Originally posted by Maritan
Why would you want that? Is it because only the company you work for should manage all the Windows updates on the corporate box?

We use it... It is aptly named "XP Nuter" to keep sensitive data from being sent from Windows to M$. Also, it keeps anything from comming into the computer, like a good firewall with out interfereing with Symantec's Firewall program (A required Install on a PC).

You can still run Windows Update, it just keeps Windows from being a liability to our system.

TEG

Well, just use your PC Laptop as a mini server. If it has a firewire port, you can network it and it will still be listed as the PC with all the traffic. Be sure to turn off Windows Networking though our you will show up. But I to agree with the Admin. How does he know that you have no intent of unleshing some virus on the network. With all the major viruses lately, I can see him wanting to put your head on a stake. His job and his family rely on his income, which depends on him keeping his network up and running.

Oh, if you do not have a firewire port, you can buy a network card to go in one of your pcmcia slots, or a usb one. It would probably be easier that way to setup then firewire.

i am the LAN admin, i can use my PowerBook all i want!! :D but seriously, a lot of LAN admins know windows and that's it because they are either ignorant or because that's all they learned in class... but big business is like that a lot although i think that those guys sounded like absolute snobs.

Originally posted by RedMacMan
Kinko's allowed it. I'd say they were a large company... It's the print/copy/mailing desk unit of a well known US-based international shipping company -- Fedex.

So they be really big now.

Originally posted by Mantat
The only thing I find weird is that M. Paranoia is not using MAC adress filtering to control computer presence on the network.

As I said before, these guys generaly have no social skill which is the reason why they started working on network in the first place! I maybe over exagerating but I have yet to find a network admin with social skills and I have met more than 15...

The point is, as some people have pointed, you should have asked first but at the same time you learned a valuable lesson.

Social skills aside, that would quite a chore to maintain 100,000 MAC addresses on some large networks.

I use my PB everyday here. In fact some of the people here want me to plug it in so they can play the songs from my iTunes list. The admin does have some reason to be mad, but I would think he would be ok with it. How does he know the laptop he gave you doesn't have anything on it. Shiat you took it home, you could have added a few things.

Originally posted by tomf87
Social skills aside, that would quite a chore to maintain 100,000 MAC addresses on some large networks.
They did it at my last work place, in order to get an IP from the DHCP server your MAC address had to be "Quiped" (registered with the server). It worked very well indeed, and this was a huge network (Windows, Linux, Solaris).

Originally posted by edesignuk
They did it at my last work place, in order to get an IP from the DHCP server your MAC address had to be "Quiped" (registered with the server). It worked very well indeed, and this was a huge network (Windows, Linux, Solaris).

I didn't say impossible, just that it would be a big overhead in terms of administration, especially with today's portable devices.

It's one thing to do it in a DHCP server, but if you had to do it on the switches to block someone from sniffing traffic, then you have additional overhead there.

Makes me sick thinking about that.. :)

As a former net admin, i'd have "talked" to you as well, with more tact of course. :D

Don't get too mad at the guy for being wanting to keep your Mac out, thats what IT proffesionals are for. I mean heck if they started letting Mac's in most of the would be out of jobs :-)

Is it possible that a Mac may pass along a Windows-targeted virus unknowingly? Perhaps obtained it from an email, but the user didn't know it since the virus didn't affect his/her machine.

This could be an area of concern.

You could pass along a Word virus or something similar, but nothing like MyDoom.

The network guy at the university was very polite when he wouldnt let me access iDisk from a PC. Gave me a workaround that would have involved me getting VPC for my Mac, installing some crappy plug-in and dialling in to a poxy storage drive from home. Really important guy being in charge of such up to the minute technology.:rolleyes:

"No one ever got fired for buying m$" might be the guy's motto.

Talk to your boss though, that's a good idea. The IT guy just controls the computer kingdom, not HR so there isn't much he can do.

You can infact spread windows viruses through a Mac. How would the admin know if you ran VPC or not?

This is a very common policy and a good one from the point of view of support. However this is an idiotic policy from the point of view of security, productivity and reliability. It is okay if your network can't handle an unknown computer running an OS other than Windows but that does not make it any more secure. Anybody with a floppy disk, USB flash drive, PDA, or personally owned computer of any kind can unintentionally introduce malicious code that could poke holes in your security without ever being aware that it happened. Any device that can access both a corporate computer and an outside nework such as a Palm Pilot is a potential security risk. Not allowing such devices into the building can reduce the frequency but not the severity of access violations. In other words, such a policy makes the network easier to support but that's all it does.

Network guys are generally justified in keeping a tight leash on what's on their network, particularly if there's a lot of secure internal information (though as yamabushi says, so long as the computers have disk drives and USB ports, and IT lets you use them, there's a huge hole there as well). And if a "no outside computers on the network" item is in the corporate IT policy, then that's the way it goes.

That said, being mean about it is just that, and it's far from impossible to have a large system with a fair amount of freedom. Aside from the examples listed here, I work at a university that has 5-10 thousand computers on a WAN spread out over a 20 mile area, with dozens of local hubs, a variety of locally located and managed servers, and just about every OS you can think of.

So long as you go to the IT guys and ask them to add your MAC address to the database, you can use absolutely anything you want on the network. So far, even with thousands of annoying students on it in addition to campus servers, labs, and individual workstations, it's run quite well. If you start an unpatched Windows box that is vulnerable to the Blaster worm, of course, they'll be on you in a heartbeat to fix it, but it can work.

Point being, it may be more of a hassle, but it can happen if the company is willing to accomodate, and most reasonable ones are--better to have productive employees than a homogeneous network.

Like everybody else says, talk to your manager; if the IT policy forbids anything from the outside, you may be out of luck, but if the manager has enough clout with managment or there's a loophole for special-purpose boxes, you could be in luck.

Rule #1 of giant, faceless network use: Ask first. Only get sneaky when you're desperate.

Yeah, thanks for all the interesting replies everyone. I guess the moral of this story is:

If you want the nice corporate paycheck,
You have to play by the crappy corporate rules.

It's too bad really, cause I'm a classic non-conformist. I Think Different in a big way and have a problem with authority.

So remind me again why I'm making a living in Corporate America... :D

It's a good thing you didn't have the guts or nerve (being a dirty consultant) saying that no virus on Mac line to the admin, he would've laughed his ass off.

Tell me something. If Macs don't have virus, why does Symantec make a Mac version of NAV? And why do a lot of people install NAV on their Macs? Hmmm?

When's the last time

1. You heard of a mac virus (OS X)
2. You heard of a mac virus infecting a windows network

I've never heard of either. If you can point me to some research on the topic I'm sure it'd be an interesting read.

Originally posted by FuzzyBallz
It's a good thing you didn't have the guts or nerve (being a dirty consultant) saying that no virus on Mac line to the admin, he would've laughed his ass off.

Tell me something. If Macs don't have virus, why does Symantec make a Mac version of NAV? And why do a lot of people install NAV on their Macs? Hmmm?

Mac users install NAV because a lot of mac users are ex-PC users who can't get over their (formerly justified) fear of viruses.

Symantec makes NAV for mac because people buy it. That doesn't mean they need it (see above)
:rolleyes:

Originally posted by RedMacMan
Yeah, thanks for all the interesting replies everyone. I guess the moral of this story is:

If you want the nice corporate paycheck,
You have to play by the crappy corporate rules.

It's too bad really, cause I'm a classic non-conformist. I Think Different in a big way and have a problem with authority.

So remind me again why I'm making a living in Corporate America... :D

Because in Corporate Canada you have to learn French? :D

Originally posted by RedMacMan
When's the last time

1. You heard of a mac virus (OS X)
2. You heard of a mac virus infecting a windows network

I've never heard of either. If you can point me to some research on the topic I'm sure it'd be an interesting read.
I think you're missing the point here. Network/System admins like to keep tight control of their networks, and they have every right to. It's their job, and their responsibility to ensure a secure, managed & stable enviroment. They would not want you to connect anything to it that they have not explicitly approved.

Originally posted by edesignuk
I think you're missing the point here. Network/System admins like to keep tight control of their networks, and they have every right to. It's their job, and their responsibility to ensure a secure, managed & stable enviroment. They would not want you to connect anything to it that they have to explicitly approved. Remember reading the article about the FBI and Mac use.

The agent refused to plug his Mac into a foreign network because it would compromise his machines security.

The chances of anything happening were remote, but the exposure for problems (ie, getting a trojan horse) is possible.

When you plug a foreign machine into a corporate network, you are compromising the security (even if it is a Mac).

If they have a policy of keeping foreign machines, camera phones, etc. out of the office and off the network -- they should can your ass for doing it.

Of course it sounds like it is a outdated PC ethernet system, so putting something new on the network could easily cause problems for others. You sneeze around some of those old networks and everything crashes.

Using a new print driver to print ... :eek:

Originally posted by Krizoitz
Don't get too mad at the guy for being wanting to keep your Mac out, thats what IT proffesionals are for. I mean heck if they started letting Mac's in most of the would be out of jobs :-)

HEY! :p :D

There is a big misunderstanding here. Macs can spread viruses to Pc's.
Macs cannot suffer from them, but they can certainly infect others.

Why do we have anti-virus software?
So that we do not spread viruses, sort of like being a good neighbor. It is really a good responsible thing to do, to have Anti-virus software on your Mac.

Originally posted by MacAficionado
There is a big misunderstanding here. Macs can spread viruses to Pc's.
Macs cannot suffer from them, but they can certainly infect others.

Why do we have anti-virus software?
So that we do not spread viruses, sort of like being a good neighbor. It is really a good responsible thing to do, to have Anti-virus software on your Mac.

This is sort of like saying a healthy person could spread chicken pox by injecting people with cultured varicalla zoster virus.

To spread a Windows virus, a Mac user would have to deliberately forward an infected eMail, or otherwise manually copy the executable. Not impossible, but it requires a deliberate act on the part of the Mac user. So long as the Mac user is not malicously minded (or monumentally stupid) --And you seem to be niether-- a Mac without virus software poses no threat to anyone.

Well, lets say that someone decides to plant a virus in an email that is sent to that person at work (i.e. 'what I did this weekend', or 'check out this funny joke' sort of thing. I know lots of people at work who get these and forward them to about 30 other people (literally).

You have to realize, he didn't want you off the network because of your Macintosh...using older hubs and cables can significantly slow down the network if you are in a bus-star topology...it would be like a big bottleneck,
especially if that hub of yours was only 10Mb. When this happens, and Admins get a 'network is slow' moan from the group down the line...well, they have to spend a lot of their time trying to find where it is.

Originally posted by xiliquiern
Well, lets say that someone decides to plant a virus in an email that is sent to that person at work (i.e. 'what I did this weekend', or 'check out this funny joke' sort of thing. I know lots of people at work who get these and forward them to about 30 other people (literally).


Yeah, I could see this happening, but wouldn't it reduce the effectiveness of the virus, from a social engineering perspective? The text of mass-mailed eMail viruses is usually something like "Look at this really cool attachment" to trick the user into opening the payload...putting in some kind of joke or story would probably distract the user from the virus part. It could be done, I suppose (don't want to give anyone any ideas) but it seems a little redundant.

You might try actually reading your companies policy. Could it be that this IT guy was just an I-hate-Apple/Macs-with-every-ounce-of-my-being kinda guy and he was really just bluffing you? He could just be lying because he doesn't like Macs (and obviously knows nothing about them). He's got to be bluffing about monitoring you. How could he possibly have time with all the Windows patches there is to install?...

If he wasn't lying and the policy is as he stated, then I suppose you could try reconciling with him and ask him what it would take to allow your Powerbook on the network. If it took AntiVirus software, or using your firewall, I think anything would be worth not having to use a crappy compaq.

The real moral of the story: Don't ever talk to the IT guys, because they aren't there to help you anyway. They could care less about what kind of problems you have.

Dukmeiser,
I know of only one problem that would possibly cause him to not want a Macintosh on the network. Otherwise, it would be like I stated before: someone is using hardware and programs that are not specified for use by the company. That can lead to tons of problems.

The only thing about Macs that I have ever heard, is that when configured on a Windows based network by someone who is not Macintosh Certified for Networking and is not Net+ or higher certified for Windows networking, the incorrectly configured Mac can cause packet death and cause throughput to be greatly lessened for everyone down the line from him.

First of all, hubs are not very good networking devices. Hubs send the data you send out on the network to everyone on it, including everyone who doesn't need to hear it. Switches, on the other hand, deliver the frame/packet to the most direct source (i.e. just the person it needs to go to). So, using the hub alone causes excess traffic on the Network, and that may have aggrivated him a bit.

Secondly, Macs make incredible hacking machines on a windows based network unless they have the correct software installed, etc, etc. Pressing the F8 key while booting logs you into a Unix Prompt, with supernode access. That means you can do, and look at, whatever you want to on a network; change admin passwords, turn off admin accounts, view confidential files, delete confidential files, play with the payroll database, anything. (I do not condone any of those activities, I gave them merely as an example as to why a Mac could be viewed as a huge security flaw hacker-wise on a Windows network.)

Thirdly, you were probably not running the required softwares the company purchased to allow 'better' networking and help keep the network secure. I highly doubt that if you just went and talked to your IT guy, he wouldn't set you up with what you needed to put on the Mac to make it 'suitable' for your company.

It is for those above reasons that any Admin could easily tell you that you needed to take a computer off the network, especially number two.

Originally posted by xiliquiern
Secondly, Macs make incredible hacking machines on a windows based network unless they have the correct software installed, etc, etc. Pressing the F8 key while booting logs you into a Unix Prompt, with supernode access. That means you can do, and look at, whatever you want to on a network; change admin passwords, turn off admin accounts, view confidential files, delete confidential files, play with the payroll database, anything. (I do not condone any of those activities, I gave them merely as an example as to why a Mac could be viewed as a huge security flaw hacker-wise on a Windows network.)

Whoa! Where did you get this idea? Unless the network in question has no security whatsoever, this statement is incredibly false.

Having local root privileges will not give you access to anything on the network unless those services are configured to somehow automatically trust that computer. For that to happen those services would have to be aware of the computer in question in the first place. Any network setup this way is inherently insecure no matter what type of client is plugged into it. It would mean that access to any physical port would give you access to all the critical on the network.

I seriously doubt that you will see any network setup this way, especially since it would take more effort than a standard setup.

I have heard of several incidences at schools and small businesses configured for windows. The network didn't even think about Macs and let them do whatever they wanted.

Yup, Corporate policy its a git. Here its a suspension offence to connect personal laptops or PCs to our network, infact anything without a 3com network card is a bloody offence :)

Hey but with a bit of bordem you can use netcat and listen mode to fake a windows machines ports, like i did on my linux box here until they realised the network card was in promisc mode :P

The bottom line is you're a consultant, you work for them, stop whining.

If you don't like it then get a job at a company that doesn't mind what you're doing.