One chestnut from my history in lottery game development:
While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.
Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.
We can't run scripts on our work laptop because of domain policy. Thing is, I am a software developer. They also do not allow Docker without some heavy approval process, nor VMs. So I'm just sitting here remoting into a machine for development…which is fine, but the machine is super slow. Also their VPN keeps going down, so all the software developers have to reconnect periodically at the same time.
At my prior jobs, it was all open, so it was very easy to install the tools we needed or get approval fairly quickly. It's more frustrating than anything. At least they give us software development work marked months out.
I had a software developer job where they expected me to write code in Microsoft Notepad, put it on a USB stick, and then plug it into air-gapped computers to test it. Wasn't allowed to even use Notepad++.
Oh, it felt so freaking good leaving that job after 6 weeks. It felt even better when I used my old manager's personal phone number on a fake Grindr profile I made. She kept a tally of my bathroom breaks.
Thought my work was bad. We at least can use VMs. I literally can't do my job without one, Rockwell being what it is. Companies don't like upgrading PLC software, so I need to use old versions of Windows occasionally to run old Rockwell stuff.
There was also a bug for a bit that would brick Win11 PCs when trying to update PLC firmware, fun stuff.
Same boat. I use dedicated laptops. This is for my old Rockwell stuff, this is for my old Siemens stuff, this is my normal laptop with AD stuff, this one for Idec, and the last one for Schneider. Pretty much every laptop at the company that gets retired becomes mine.
Also works for on-site access. Customer needs support? Mail them a laptop. I got one laptop that has been to Canada, both coastlines of America, Australia, and Vietnam.
I cannot remember the specifics because it's going back almost 15 years now, but at one point…crontab (and other various vital tools) was disabled by policy.
To get necessary processes/cleanup done at night, I used a scheduled task on a Windows PC to run a BAT file that opened a macro program, which opened a remote shell and "typed" the commands.
Fuuuuuuck.
I hate this stuff. When I had a more DevOps role, I would just VM everything. Developers need their tools; here is a VM with root. Do what you want, and backups run on Friday.
My dev PC isn't allowed to be connected to the internet :D
Wait, I haven’t even started talking about the fact it’s a huge unstructured legacy project using SharePoint 2016 and…
Where did everyone go?
Jump systems are a good practice, but they gotta have the resources you need… I hate to say it, but it sounds like y'all need to just move to a cloud platform…