We’re pretty tight on security in this company. Not quite Pentagon tight, but tight to the point where some buildings have X-ray machines and walk-thru metal detectors (although thankfully they don’t make you take your shoes off…). Even so, every so often some bright spark in upper management decides to tighten things up a notch, seemingly just for their own perverse pleasure. For quite some years now we have had electronic badge-access to most of our buildings (at least in the United States). So now you can’t get into the car-park, let alone the actual building, without your badge. Hell, I can’t even take the shortcut to the neighboring park for my lunchtime constitutional without badging through the side gate (even though I could walk another 100 yards and walk through the un-(badge)locked front gate, along the street, and then into the park that way, if I wanted…).
A couple of years ago, we had one of these ‘bright spark’ moments when someone decided that we should use the same system for controlling access to our computer systems. The justification for this was that we would be able to implement ‘single sign-on’, so that once a user’s access to a PC had been validated (through the use of their smartcard) they would then be able to access all of the other systems to which they are authorized without having to enter separate Userids and passwords for these systems. This, it was argued, would be a huge saving both on the part of the individual user, and also on the part of the Helpdesks who would no longer have to handle password reset requests any more. As I had some 37 separate Userid/password combinations at the time, I was all for it.
Unfortunately, one of the systems I had access to was our Documentum content management system, which PC Support couldn’t get to work with smartcards, which meant that I couldn’t use a smartcard at all – for any of the 37 systems that I had access to. (I’m not sure why it wouldn’t at least work for the other 36, but that’s why I’m not in PC Support.) So for the past couple of years I’ve got by, using my pre-existing Userid/password, on an ‘exception’ basis. Until this week. My name was pulled on an annual access review (again), and I was asked to re-submit my smartcard exemption justification. But since I last submitted my exemption a year ago, I have changed jobs and no longer use Documentum, so no longer have the justification. Consequently, I was instructed to ‘get carded’ ASAP.
I’d actually ‘upgraded’ my card earlier this year to make accessing buildings at other locations easier (you just give them your smartcard number in advance and they add you to their security system so you aren’t sat waiting for entry approval with every other Joe Lunchpail when you get there) so all I needed to do was get my LAN profile updated to reflect that it should check my smartcard for credentials when I log on, instead of prompting for a Userid/password. I opened a ticket (Ticket #1 – keep track, now…) with the Helpdesk to get this done. The next day I received confirmation that this was done and was instructed to log onto my PC using my existing Userid and password – not the card – to complete the set-up. When I logged on this time, my PC correctly identified me as a ‘new smartcard user’ and set about trying to update my smartcard with my LAN credentials. Unfortunately the PC lacked the appropriate card reader drivers, and asked me to install them. But because I’m in the middle of setting up the smartcard access, I couldn’t properly log on – I could only click the CANCEL button on the smartcard setup screen, which just logged me off again. So I had to open another Helpdesk ticket (#2) to revoke my ‘new smartcard user’ status so I could log back on again using my old Userid/password, install the appropriate drivers, then open yet another ticket (#3) to set me back to being a ‘new smartcard user’ again. Once all of this was done, I could log on again (still with my Userid/password) and re-start the smartcard initialization process.
This time the PC found the drivers OK, but then I discovered that the smartcard reader itself is broken (apparently my PC needed the appropriate drivers just to be able to tell me this – ever get the feeling you’re being toyed with?). So I phoned up the Helpdesk again, and got a new ticket (#4) opened, for someone to come and repair my PC. Someone from PC Support duly phoned me back, and asked me to confirm the end date of the warranty period for my PC. “25 August 2008” I noted – almost exactly a month ago. Great. “Well, we can’t repair it, so we’ll have to give you a replacement”. “Excellent!” I replied, “I’ll take one of the new models”. My current laptop is three years old (I checked the build date on dell.com), and I know that the new company-standard model is a slicker/faster model, so I thought this would be a good opportunity to upgrade. PC Support thought otherwise, however, and said that they would only replace my PC with a “refurbished” PC of the same (i.e. 3 years old) model. I politely turned down his ‘offer’ – I’ve seen some of these refurbs given to our ‘lower-tier’ contractors and they are all scuffed and crappy looking, and the keyboards are all full of dead skin and beard hair, and I’m not having any of that! I was told that if I insisted on having a new PC I would need to submit a ‘new PC’ request (even though we ‘rent’ the PCs from the IT group at the same flat price, regardless of make, model, or age of the PC, so my ‘upgrade’ would actually cost my department nothing). He then considered the issue addressed and closed my ticket. So I had to open another one (ticket #5) to request a ‘new’ PC (even though it is a replacement), and have this approved by my second-level supervisor (which he thankfully did without too much fuss). So far so good.
A couple of days later I hadn’t heard anything so I checked the status of this ticket in the system. It was still showing as “Approved” but not progressed, which seemed odd. So I phoned the Helpdesk again, they confirmed that something was “screwed up” with my request, and opened yet another ticket (#6) to have someone look into why ticket #5 hadn’t been processed (yeah, really – you can’t make this stuff up!). This they did, and the next day my request was pushed to the ‘second tier’ approval – which is my third-level manager, who was probably wondering why his time is being wasted in approving a zero-cost request, but at least he approved it.
However, his approval clearly wasn’t enough (he only has authority over a $40m project; apparently he can’t be trusted to approve a no-cost request for a $500 replacement PC…), and the request was then forwarded to a manager in the PC Support group who – I assume – is responsible for actually handing out PCs and making sure that departments/projects are charged for their use. As per the request process, an approver has 72 hours to respond to a request before the request is simply rejected (which is just stupid!). Chummy in PC Support left it until the 71st hour (really – online tracking is a wonderful thing), ignoring two auto-reminders and a polite follow-up from me, before processing it. And then he rejected it! Bastard!
The official reason given was cost. Apparently we can’t afford any more new PCs this year (we no longer have a budget – we have a stretchit). So instead of getting a new, working laptop, the warranty on my existing one is being extended for another two years. Which means that PC Support are just going to come round to my office and replace the sticker on my PC that says “End of Warranty 24 August 2008” with one that says “End of Warranty 24 August 2010” – as if this is magically going to make the PC all better again! “Well, the sticker says that it is within warranty, therefore it must work!” As technical solutions go this is right up there with their a couple of years back. The fact that PC Support still say that they can’t repair the smartcard reader is apparently neither here nor there. They’ve given me an external (USB) card reader that I now have to remember to drag around with me as well as my laptop. And if I forget to take it home (as I did one night) I just can’t log on therefore can’t do any work. Well, what a great efficiency-measure that is!
Alright, so maybe I don’t need a new PC. My existing one is working. Kind of. It only crashes on me a couple of times a week, and if I time my coffee breaks around the frequent “Your system is running low on virtual memory…please wait whilst Windows fucks you up some more” messages, I don’t actually suffer too much downtime, but jeezus…this is a corporation that makes billions of Dollars in profits every second (probably – I can’t count as fast as they’re creaming it in), yet they’re expecting their workers to function efficiently using an entry-level PC that was made 3 years ago – and expect to get 5 years’ use out of a $500 asset. I bought my kids $500 laptops (which, incidentally, are much better than the one I have for work) last Christmas, and if they last more than two years I’ll be happy. I’m working on a $40 million dollar project that will take 3 years to complete, and the finished product will have a shelf-life of maybe 5 years before we upgrade it. And I’m supposed to be able to do this on a laptop that would probably fetch $50 on ebay. Now, if they gave each member of the project team new, $1,000 top-of-the-line laptops (and gave us a wi-fi network in the office (I have one at home – it cost me $100, for a wireless router, to set up) and videophones (I have a $50 webcam at home which works perfectly well)) we could probably do it in half the time, and build a better, longer-lasting product in the process. It’s just frustrating when the hugely wealthy company you work for can’t even provide you with the level of technology you can provide for yourself at home…
And to cap it all, this smartcard project, which was the original impetus for my PC replacement request, is a lie! Single sign-on doesn’t work! The only thing the smartcard gets me onto is the local LAN (and I still need both my smartcard and a separate PIN to do that). I still need to maintain separate Userids/passwords for all of the other systems that I have access to. So the smartcard actually saves me nothing; in fact, it’s a step backward as now I need to be in physical possession of something – in addition to remembering a password/PIN – in order to be able to work, and if I forget/lose that, I’m screwed. And it’s taken me two weeks and six Helpdesk tickets to learn this. In sheer wasted manpower cost alone (mine, the Helpdesk, PC Support, and two senior-level managers) they could have just bought me that damned PC and had done with it! Oh, to work for a company with an unlimited IT budget…
Update:
In a final twist (of the knife) my LAN password (you know, the one I don’t need any more now that I’m a smartcard user) expired today, and my PC wouldn’t let me log back on until I’d changed it – which I couldn’t do because I’m a smartcard user, now! So I had to power down, losing the work I was in the middle of (I’d just locked my PC – by removing the smartcard – to nip to the restroom) and then open yet another ticket with the Helpdesk to get my password deactivated (because for some reason they didn’t think to deactivate it when they activated my smartcard) and then sit around for a couple of hours waiting for my profile change to ripple through the network servers before I could get any more work done. I swear, someone’s deliberately defined the smartcard process to be this way just for their own sadistic pleasure!