Tuesday, July 11, 2006

Yesterday I got an email. I've gotten emails like it from time to time. I've grown to dread them.
Normally, I like email. It provides a quick way to communicate with as many or as few people as you like.
Sometimes, however, other parties get added to replies. Often, these additional people are uncool.
I noticed that our web monitoring server wasn't getting Microsoft security patches automatically and that it was left out of all the fun our patching software causes. As a result it is vulnerable to a few month's worth of exploit and, as a web monitoring server, is exposed to the internet and every hacker and information terrorist in the world.
I asked my manager if I could patch and reboot it.
"Not without an Emergency Outage Notification," he replied.
"It isn't really an 'emergency' so much. It is important, but 'emergency' carries a connotation with it I'd rather avoid."
"No problem," he offered,"Schedule it two weeks out and then it is just an Outage Notification."
So I did that.
I wrote to the "Notification" person and requested a one-hour outage. I know it won't take an hour, but it seems dumb to ask for 10 minutes.
She replied with a form for me to fill out, assessing risk and outlining the benefits of each update and the rollback process for each. So much for a vague "bad stuff may happen but it probably won't" answer.
I hit the paperwork at full speed, but it was like running through a two ton brick of processed cheese. Each of the twenty five patches needed a description. Microsoft doesn't care enough about most of them to describe them in any language but clinical, and I know that no matter how "official" this form is, clinical is just too scary.
I did the reasonable thing. I made stuff up that was easier to understand.
The fact is, if the server stopped working and we called Microsoft, they would refuse to help us unless these patches are applied.
So it shouldn't matter that the kb911280 fixes a vulnerability in Routing and Remote Access. Just saying that prompts questions like, "Why do we have Routing and Remote Access turned on?"
The answer is, "We don't have Routing and Remote Access turned on."
"Then why do we need the patch for it?"
And then I'd have to say something like, "Because it is less than a Meg, costs us nothing, Microsoft recommends it, and if we don't install it they won't support our Operating System version. Plus, most importantly, I'd have to add it to a list to make it stop telling me that it needs to be installed and is critical every freaking time I log in forever."
To avoid this, most patches magically became "Addresses Core OS Vulnerability" with a note about how our competition lost $100k because of an exploit or, my favorite, "
modulates the activation circuitry of the replication system to randomize the frequency and halt illegal access attempts." Who wouldn't want either of those?
No one. Unfortunately, that isn't the issue. The problem now is that the person I got the form from, copied her non-technical boss, and he found an issue.
I suggested the change happen at 6am on a Thursday. Here's why:
1. I'm here anyway.
2. If something does happen to break, I'm onsite to fix it.
3. No one else on the planet cares what happens at 6am.
This guy still wants it done at 8pm on a Saturday. If the server doesn't come back after a reboot, I have to drive over and fix it. Also, that trashes a Saturday. Even if it takes ten minutes, I have to be near a computer with an internet connection before, during and after. I have to spend my own time writing the "everything is fine" emails and I have to wait for responses from all the customers impacted, even though none of them are around on a Saturday.
Why do I even get here at 6am if I can't use the time?
And yesterday this guy sent an email asking why. The kind of email I dread.
I like words. Words are my friends.
But I knew that there is no way to respond to an email like this --

"I still don't understand why this work won't be done on a weekend instead of two hours before business hours on a week day."

-- and maintain any type of employment. I wrote several drafts:

"Your lack of understanding has never had an effect on what we do." -- delete

"Are you volunteering to give up a Saturday for free?" -- delete

"I've filled out thirty pages of paperwork to make you feel better, but until I have to tell my family I have to work on a Saturday you feel all empty inside?" -- delete

"Don't take this the wrong way, but what the hell is wrong with you?" -- delete

See? My only choice was to ignore the original sender and flag future emails from him as spam.

No comments: