Just post the IP address and we can sort it out for you.
Back everything up first and you will be their hero.
this post was submitted on 07 Jun 2024
200 points (96.7% liked)
Asklemmy
43897 readers
1068 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
founded 5 years ago
MODERATORS
CYA at this point. Email the relevant info to your boss, bcc a non-company personal email, or print out and store a copy of the email for reference. When shit goes tits up, it probably won't save your job (big IT event like that usually kills a family business), but it will save you from getting sued or smeared for the catastrophe.
I grew up as the "IT guy" in small town America.
This guy, and the people here (not you) sound like a lot of people I know. I'd look for a different job and grow your passion somewhere else. It isn't worth it. You won't change them, and they're just going to make you feel like you're wrong, even though you're right. It's like the movie Idiocracy.
There should be no issues as long as he doesn't access the internet directly. If you have a terminal server you should be able to set up any web browser and let him use it in a remoteapp mode.
It's your first IT job and you've been there for a few months? While your safety concerns definitely can be relevant my advice is this
You should
- Don't rock the boat as a new hire. Figure out what is going on first. Maybe there's a reason to some of the madness you see.
- Do NOT contact the owners. Doing so will likely be seen as disloyalty by your boss and possibly the owners as well. Only go through your immediate superior.
- Don't bring it up again with your boss. It's not your responsibility.
- Leverage the user. Let the user be the one to push for a system switch.
You could
- Figure out if you can get the system on a separate VLAN and get it locked down in firewall rules.
- Research the system. Why don't your boss want it replaced? Does it run some ancient software? We've got some machinery that is running windows 7 at work. When I got hired, in the days if windows 8, the controller was running windows XP. The setting up of drivers and archaic proprietary software, involved in upgrading, is immense. When we switched to 7 this β¬60k equipment was down for days, and it was a week before it operated properly.
load more comments
(3 replies)
Soooo.. Haven't seen anyone ask this. Why DOESN'T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that's not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
load more comments
(10 replies)
Just curious, what are his reasons for not wanting to upgrade?
Leave it until the system fails then when things go tits up you can tell the owner that you knew the problem was coming and gave multiple warnings to your boss about it and he shut it down.
Ah yeah just like the other post, make sure there is evidence.
100%. Send emails to your personal address, CYA.
I would absolutely send him an email to the effect of
"Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advise."
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can't say "Well he never told me this was a problem!"
And keep a copy off site
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can't come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn't just your word vs his.
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he's done his job. It's his bosses problem, the one responsible.
load more comments
(1 replies)
The most chaotic good thing to do would be to use the known security issues to hack into your boss' computer in the most scarry looking but harmless way. That would possibly scare them into upgrading.
With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.
EDIT: since it seems some people didn't get it, I meant the first option as a joke. My actual advice is the second paragraph
More like chaotic dumb. This is a good way to get fired and possibly end up with criminal charges depending on how petty the boss is. And based on how stubborn and tech illiterate they are it is likely.
load more comments
(1 replies)
Yes! There is a website somewhere that has a tonne of fake os screens - updating/upgrading windows, bsod loop etc.
Run a scary looking one of those, disconnect mouse/keyboard so it can't be interrupted and let the boss discover it
Just be be clear, I wasn't advising OP to do the first idea. It was more of a joke. It has potential to be traced back and get him into trouble.
load more comments
(2 replies)
What a disaster. Post IP and system information on 4chan. He will switch after being compromised.
This is (presumably) people's personal health care information. Please don't fucking do this, Jesus Christ.
If not just because it's a really shitty thing to do, I'm pretty sure it's also at least one felony.
Then compromise the machine yourself without stealing personal data from unrelated people.
You understand that legally speaking this is approximately the same thing as telling your boss that the front door isn't strong and thieves could easily kick it in, and then when they refuse to fix it, the response you're suggesting is "show up at 3 am and take a sledgehammer to the door, but just dont steal anything from inside" right?
The point is to cover your ass, not pull your pants down.
load more comments
(10 replies)
Then he gets fired for hacking. And possibly winds up arrested for illegal activity.
It's a stupid idea.
Just send the boss an email that says what they spoke about verbally. That way if the system does get hacked, the guy has a paper trail to cover his own ass to show he told the boss.
load more comments
(3 replies)
an email I sent to my boss about upgrading was never responded to
Dear Boss,
As per our recent discussion [blah blah]
Thanks for allowing me to leave early on Friday for my appointment.
HnK,
-Staffy McStafferson
When you get a 'brown M&M' response ...
Staffy,
I don't remember the discussion about Friday.
-Jefe Jefenbaum
Then you know you got 'im.
This is kinda genius, lol
I don't have advice, just a worthless anecdote.
I work at a large tech company. We had a Windows XP system on our network get hacked. They used that to jump to our servers. IT had to quarantine off the whole lab, because they didn't know where the hacker had hopped next. So then IT had to do a post-mortem and figure out how they got in and what was affected. That process took 3 months. In the meantime, any team with servers in that lab couldn't use them. The team directly responsible for this couldn't work at all for the full 3 months.
We lost 2 months of local Windows servers in a smash and grab ransomware. we were lucky that our PROD servers were Linux. And this was a place with an active Windows 10 upgrade plan, gateways and air gapping for non-compliant systems. Our luck/planning was the backups system allow for two months of roll back to remove the malware. For the sysadmins, the character limit on the file paths meant we lost a bit of deep dive information 8/10 folders deep. (Over 64 characters or something like that.)
Something I haven't seen mentioned yet - who is the company's HIPAA "Compliance Officer"? If it's anyone other than your boss, you could document the situation to them in an e-mail. If you want to be slick about it, ask them if there is "still any compliance need to keep the replacement machine ready or if it would be OK to repurpose it, given [your boss's name here]'s decision not to move forward with the upgrade." They're on the hook for compliance violations, so they'll likely see to it.
I would also suggest making a habit from now on of documenting verbal conversations that result in actionable decisions in short e-mails to the other party: " To recap our discussion, [bullet point list]"
You can excuse this as being for your own reference so you don't forget any to-do items or so that they can correct any misunderstanding on your part, but it makes for a fantastic CYA if that ever becomes necessary. For really important items likely to bite someone later, print a paper copy if you don't fully own and control the machine AND the e-mail local archive. Only bring those out if absolutely necessary, as in when SOMEBODY will be fired or you're about to be legally scapegoated. They'll save your butt once, but it will probably be time to start looking for another job because the boss will think either that you should have pushed harder earlier to fix the issue or be worried about their inability to scapegoat you in the future.
Fellow IT guy here (welcome!). It's like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won't be able to prove they happened and they'll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don't have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.
Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you'll have something to point to.
Windows 10 will be in the same boat again in about a year and a half when Microsoft drops support.
Do you really want to have this fight a second time trying to get him to upgrade to Windows 11?
trying to get him to upgrade to Windows 11?
If itβs currently running Win7, it likely doesnβt have TPM 2.0, and in extreme circumstances may not even have the SSE 4.2 that 23H2 requires (Win11 will then fail to boot).
And while a RUFUS-modded installer can remove the TPM 2.0 requirement, the SSE 4.2 requirement is kinda baked into the pie; there is no avoiding that.
Win11 is already available... Just go to that.
That's my point
First few months in IT? Welcome to hell...
I'm kidding (mostly), I'm in IT also and if you're in for even a few years, you'll start to build a collection of horror stories like this one. We've all seen things you wouldn't believe.
So you need to have full buy-in from the owners. If you're able to talk directly to them, then it sounds like this isn't a huge company. If you clearly explain in a professional way to the owners the situation with documentation and they don't fully support you, leave the company asap.
As somebody who has been involved in multiple ransomware recoveries, trust me...you don't ever want to deal with a rogue unsecured machine on the network. And owners that don't care or take that risk seriously are absolute fools and this will only be the tip of the iceberg of stupidity.
That computer is a ticking time bomb. Please for the love of God tell me that your boss doesn't have local admin rights on his system.
If the only thing your boss uses that system for is to connect to a web app to manage inventory, why is he mad about switching from windows 7? Does he just like how windows 7 looks visually?
I guess it doesn't really matter. Also, windows 10 isn't a long term solution because it also goes EoL next year in October, so you'll be in this same position in less than 2 years.
You can either go to Windows 11, or if you wanna be a little wild, install a Linux distro like Mint on there and theme it like Windows 7. You solve the security problem and he gets to pretend he's still in the early 2010's.
Honestly though, start looking for another job if the owners don't support you 100%. IT is already a stressful and intense enough job, you don't need stubborn idiots like your boss to add flavor.
A couple additional thoughts:
-
You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it's possible to delete any email that was sent internally and the logs that it was sent.
-
You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.
-
You should not include any specific technical information about your company's systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. "email to boss about upgrading out-of-date operating system"), and a short description of any response (verbal or written).
-
You have offered to upgrade this system. Your boss said no. It's not your responsibility anymore.
-
If I were in your position I would tell my boss explicitly that I won't be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.
-
If you've been told that you're responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you're not responsible for it, don't mess with it.
Doesnβt sound like it needs web access to function. Block web and all other ports at switch/core/firewall etc.
Start looking for a new job. Donβt wait until you have certs, just look. And donβt describe this situation in any interview. Just say youβre looking for growth and new challenges