Oct 19, 2007

By Request: Friday Edition of Comment of the Week

A plea for help came in today in the form of a comment:

Pinky and the Brain, is there any chance we can have a thread about how Lab operations and the technical workforce have been negatively impacted by the Hagengruber mandate? I know that files have been corrupted and permanently ruined, foreign nationals have been excluded from instrumentation, and finally, LANCE's computer system is on the line. Maybe we should discuss?

Now, I realize that I'm not Pinky or the Brain, but the Pink One asked me to help on this; so here's what I suggest: this Hagengruber fellow seems bent on imposing a "one size fits all" solution to desktop computing at LANL. From past experience, I know that mandating these types of restrictions on an organization's computing infrastructure will have one single effect: a huge loss in productivity.

Now, I suspect Mssr. Hagengruber has received feedback to this effect on his plan. Yet, he still seems committed to imposing his will. I submit, therefore, that his intent is to further damage productivity at LANL. This downside of efficiency loss will be offset by the benefit (from his perspective, of course) of him being able to claim to have 'standardized' desktop computing at LANL. 'Standardized' for 'security' reasons.

This post is now open to comments on this subject. The discussion will be more meaningful if someone can first send us a copy of the Hagengruber Manifesto for posting here.

Update, 10/22/2007: The Hagengruber Manifesto (pdf) can be viewed here.

--Gussie

79 comments:

Anonymous said...

I left the lab some time ago, but I can't tear myself away from the continuing trainwreck.

Who is this hagengruber guy? Where's he from? What's his background? Is he ex-military? Has he ever used a computer? What's his full name (useful for a serious google background investigation -- otherwise known as a GBI).

Finally, is this new rule driven by a stupid LANL directive, or a stupid NNSA directive?

He sounds like one in a series of complete incompetents that have filled this position, similar to the CIO drones.

Anonymous said...

He came from Sandia.

Anonymous said...

Part of his plan is to improve computer security by reducing the number of desktop workstations at LANL by about 2,500. Mike is helping him to implement this goal.

Anonymous said...

I spent some time in DC working with a "one size fits all" PC. Every time I needed something, it was a 3 day wait. For instance, when one installs EXCEL, you need to request VBA and some toolpacks. Otherwise, you will need to wait for someone to come and "add" them for you. If you need some custom software (e.g., OCR) that is not on their list - forget it! Productivity just goes to zero! We couldn't even use Mozilla.

Anonymous said...

Name sounds like a gestapo guy on Hogan's Heroes. Description of competence sounds the same.

Anonymous said...

Major Hochstetter: Heads will roll!

Anonymous said...

How can one possibly think that allowing foreign nationals to install computer programs and possibly spyware at a US nuclear facility could possibly be a good idea?

Predicted replies:
1. Comparisons to Fermi et al - but there are few foreign nationals at LANL of that caliber.
2. Productivity arguments - which might hold more water if Starbucks wasn't full of LANL people from 9-5.

Anonymous said...

Wrong approach. Any IT department worth its pay will have packet sniffers that can quickly detect any malware operating on its corporate network.

I realize that the 'worth its pay' part does not exactly fit LANL's "IT Professionals" nor its IT managers, which explains why Hagengruber has chosen his intrusive, disruptive, draconian approach that is guaranteed to send productivity further into the shitter.

Every day, in every way, LANL is a better place...

to be gone from.

Frank Young said...

11:14 AM,

1. How many people of Fermi's caliber of any nationality are left at LANL?

2. Good point.

On the other hand, have you ever asked Microsoft what portion of its operating systems or applications were coded by foreign nationals?

And if you've ever called Microsoft for support, did you notice that the person helping you often sounds like he may be a foreign national?

While in some circumstances it makes sense to exclude foreign nationals, in general the abilities (or lack thereof) of the person administering the computer have more to do with security than what country they were born in.

Anonymous said...

I'm not a foreign national. I'm a Q-cleared engineer. This mandate affects me.

Given the vulnerabilities associated with networked computers these days, I can understand the desire to "standardize" on a common desktop computing platform. This, however, is misguided, because not every "desktop" computer is used for mere general desktop type tasks, such as spreadsheets, word processing, etc. There's also science and engineering going on with these machines, and that often requires something other than "the standard."

It may come as a surprise to our Information Overlords, but many computers are used for purposes that far surpass general desktop usage, and one size DOESN'T fit all.

Also, the new edict seems very Windows-centric, like there was no consideration given at all to the possibility that some computer users may use anything but.

If computer security is what's driving this, then the standard, one-size-fits-all solution should absolutely exclude Microsoft products from consideration.

The requirement that every computer have an administrator that's not the user is OK, I guess. After all, we want to protect against data loss if the user gets run over by a beer truck or something. It's probably also a good way to discourage us from hiding our porn on our work computers...

Anonymous said...

Your comment about excluding Microsoft products and the earlier comment about "couldn't even use Mozilla" are right on the money.

Is the issue having secure, stable, and useful computing platforms?

Or is the issue having a big corporation to shoulder some of the responsibility for timid or inept system administrators?

Anonymous said...

Like it or not, this is the new way of doing things. If LANL scientists and engineers didn't have a propensity to screw up security of their systems, then we wouldn't be in this situation.

Don't be sad though, this is a common problem at any organization with over 10 people. It just doesn't make any sense to have you use your bullshit operating system with poor enterprise support.

Suck it up and move on.

11:51 You are naive to think that it's simply a plug and play process to stop that. Those that say stopping malware is simple just have good PR so that no news gets out to report the contrary.

Anonymous said...

It's always sad to see the security staff pick Windows as their system of choice. They don't seem to realize how badly they are compromising their own organization's security by choosing Windows.

What's hagengruber's first name? What's his background? It's hard to believe he knows much about real computer security.

Anonymous said...

"Suck it up and move on."

Brilliant! You have a bright future here with our Bechtel overlords.

Oh, by the way, if you are into writing device drivers to control complicated laboratory equipment with Linux systems, we don't really do that anymore. Now get to your Windows station and do something in Microsoft Office, that's all you really need to become a do-nothing boneheaded Bechtel/NNSA/DOE/LASO manager type. That scientific research stuff has too much potential for accidents, and you want to cover your ass, don't you?

Anonymous said...

You guys (5:10, 5:38) still don't get it, do you...

You don't need anything other than Windows to make pits.

Got it now?

Anonymous said...

Alls I can say to 5:10 is that Mac fanatics tend to be as insane as Ayn Rand readers (as noted a few threads ago).

3:38 had it right.

Anonymous said...

Why do we need computers at all? We could hire monkeys with bean counters. Oh... wait a minute...

Anonymous said...

Roger Hagengruber is a long-time highly-respected NNSA and DOE resource on security, and he has a technical background. He is ex-SNL, and has served on several high-level DOE panels, since the "hard drive" days. He is new to LANL having been brought in by LANS, actually used as a high-profile "draw" during the contract competition. He is completely out of his league, however, in questions of technical computer security (as are most, but not all, LANL computer security people). With the incredible pressure on Hagengruber since the JQ debacle, you can be sure he is only reacting to mandates from the DOE and NNSA CIOs, among others, including Congress. These ridiculous new requirements are not LANL-, or LANS- generated.

Anonymous said...

Who said anything about Macs? I doubt the consumer grade systems you see at Circuit City are what 12:23 or 5:10 were referring to. Are you one of those people that thinks AOL is the internet?

And 3:38 does not have it right. What he means to say is, "We can't even support the dumbed down systems we want you to use, so we need 'enterprise support'. I'm going to cover my backside no matter what it does to your productivity."

Anonymous said...

Hagengruber is a really old fart that cut his teeth on a slide rule. He doesn't know a compiler from piles. But what does he care? He's going to retire soon after he totally screws up computing at LANL.

Anonymous said...

He (Dr. Roger L. Hagengruber) is also responsible for the enforcing of the DOE Polygraph Program to LANL Employees. (Please see The Polygraph Post on this blog, also as DOE Polygraph Program, Wednesday, May 16, 2007.)

Anonymous said...

3:38 is dead wrong. I doubt he realizes just how much of LANL's or DOE's (or the US Government's or the world's) computing needs are tied into non-Windows systems. Hint: look at the TOP 500 supercomputers. No Windows there, notice? LANL can never be all-Windows, and pretending anything else is dishonest.

Somehow, other operations (IBM and Google come to mind) manage to keep things tight, in an environment full of Windows, Mac, Linux, and other systems. I wonder why 3:38 and his compadres aren't up to the task?

I like this one: "If LANL scientists and engineers didn't have propensity to screw up security of their systems, then we wouldn't be in this situation.".

Translation: "We can't figure out how to support it, so it's your fault". What a great attitude.

Anonymous said...

Some elementary looking around shows that if this guy Roger H. ever did anything in computers, there is no record of it.

Just what we need, another clueless near-retirement ignoramus trying to make decisions about computing.

Too bad for LANL. Too bad!

Anonymous said...

We are quickly moving to a system where only CTN allowed software can be installed and only CTN staff will be allowed to install it for you.

This is the model that is used at most government work places these days. It won't matter that some obscure software is badly needed to complete your project. You'll only be given what they have to offer. If it is not on the approved list then you can forget about it. Getting your work done is not part of their concern.

In some high security government offices, you can't even install a compiler without having all sorts of exception paperwork that allows it on your PC. Compilers are seen as "dangerous" as they might allow staff to write code that could do "bad things" to the network.

You'll also see a trend towards requiring exception paperwork if you wish to use any OS other than Windows. The pressure will be enormous to encourage you to only use Windows. Again, this is now common throughout the government.

Learn to live with it, because this is where we are headed, whether you like it or not.

Anonymous said...

Here's a hammer, go cut us some firewood. And when you're done with it give it to the surgeon so he can make an incision. When he's done with it give it to the guard so he can protect us. What a great tool, it works for anything!

Anonymous said...

This sounds similar to my experiences with HPC division. Most of them don't know how to program in anything but scripting languages, so you get a deer-in-the-headlights look from them when you hand them software written in languages used by everyday programmers who aren't sys-admins. I wanted to punch one of those little HPC twerps in the face when they claimed software was broken, but the cause of this "broken" diagnosis was simply the fact that they didn't know how to read C code... Computing at LANL is largely a disgrace -- made worse with the steady exodus of people with a clue ever since the Nanos shutdown. It's funny that someone earlier mentioned the top500 list. LANL has been slowly but surely vanishing from that over the last few years, while LLNL, SNL, ANL, and ORNL continue to keep respectable positions on it. We just don't have any machines that are competitive anymore, and the best bet we had was the current cell-based quagmire.

Speaking of that, has anyone heard how roadrunner scored in its review?

Anonymous said...

"Roger Hagengruber is a long-time highly-respected NNSA and DOE resource on security, and he has a technical background."

Gee, should have known. One more of the best and brightest? "Technical background" says it all. Now I feel safe. Thanks.

Anonymous said...

"I wanted to punch one of those little HPC twerps in the face when they claimed software was broken,"

Nanos is not the only reason good people are leaving. People like you are part of it too. Do you think those who are really good want to stay at LANL and work with someone who thinks and talks as you do?

Anonymous said...

"Do you think those who are really good want to stay at LANL and work with someone who thinks and talks as you do?"

That's exactly his point. They don't want to stay when they are surrounded by people unqualified for the positions they hold. It's a familiar theme for those who have experienced LANL.

Anonymous said...

Well, the deployed computer support people from CTN already provide worthless service (2 weeks to get an IP, 2 months to get a broken network figured out, for example) and now we're going to standard PCs where only an IT administrator can install software. Oyyyy.....

Good thing I switched to a Mac :-)

Anonymous said...

My experience shows that LANL will buy a software package to do a task for $5K then buy the source code for $1M so we can rewrite it to make our broken processes work rather than modify our processes.

That's not the way to do business either.

Anonymous said...

Which people are unqualified for the positions they hold?

Computer support or prima donna scientists.

Or both.

Anonymous said...

I'm more familiar with the scientists, but from what I'm seeing here - both.

Anonymous said...

"We are quickly moving to a system where only CTN allowed software can be installed and only CTN staff will be allowed to install it for you."

"Moving to"? Hello? Let's do the math:

1) CTN convinces the Director that desktop computing should be part of the Infrastructure Tax. For every labor dollar you spend, CTN now gets 3 cents. No negotiations with Divisions, no chance to opt out.

2) Every machine that "can be" (note, not "is") connected to the yellow network must have a Sys Admin that is not the User.

3) CTN management regularly instructs its employees to rat out any Sys Admins that may be present in the host organization to which they are deployed. In some parts of the lab, the CTN Sys Admins have already been quietly deleting administrative authority of all the non-CTN employees, even if those employees have been supporting specialized technical software that CTN is not trained on.

4) The new Hagengruber directive allows Users to have administrative access to their own computers ONLY via exemption signed by Line Management and the Sys Admin.

Anonymous said...

You Linux cluster guys had better figure out how to do MicroSoft HPC.

Oh, and plan on having CTN administer it.

And for you other Linux developers: I only have one word -- WinSock

*Snicker*


Every day, in every way,
LANL is a better place...

to be gone from.

Anonymous said...

LANS has a plan for making LANL bland.

Anonymous said...

For those of you so inclined, Administrative access to your Windows computer is easily restored, if you dare...

Anonymous said...

I think most people would prefer to say, "My computer won't let me do [insert task]. I'm waiting for enterprise support (and so are you)!"

Anonymous said...

Did SNL "standardize" on HP hardware under Hagengruber?

LANS has a plan for making LANL nonexistent, not just bland.

Anonymous said...

As someone responsible for end-user computer support, I'm amazed at the attitude that IT people know better than scientists what computer support is needed to do science. What field besides IT has the inmates running the asylum?

Anonymous said...

If you look at the CTN "services" that are offered for the new 3% overhead tax, you'll find out it's mostly trivial Help Desk type stuff. No help at all with hardware problems, for example.

And if you need help with special software programs such as Matlab, you'll have to pony up for a recharge service. Same goes for all classified computing service. Same goes for most server administrative services.

Finally, don't expect to get any OSCR support for your 3% tax. That is not allowed under this new overhead system.

All in all, that new 3% overhead tax buys very little in the way of CTN "service". It will, however, keep everyone in CTN employed during this next year... at the expense of lost jobs in other divisions to help pay for the new CTN tax.

It's time for the managers of the direct funded divisions to start doing some push-back activity on all this insanity.

Anonymous said...

CTN, and its former incantations, are the worst of all empire builders. LANL staff who do not push back deserve what they get. Of course LANL staff has not pushed back at much else so in a few years the little that gets done will get done on HPs running vista.

Remember, the bottom line is profit, not accomplishment.

Anonymous said...

"Remember, the bottom line is profit, not accomplishment."

What was the bottom line before, since it wasn't accomplishment then either.

Junkets? Computer solitaire?

Anonymous said...

4:26 pm: "Did SNL "standardize" on HP hardware under Hagengruber?"

At Sandia, Hagengruber was not "Chief Security Officer", the title he now holds at LANL (and which he was tagged for in the LANS contract proposal). So, he had no such power. I believe at SNL, Hagengruber was a non-proliferation, counterintelligence type.

Anonymous said...

8:19 PM -
At Sandia, Hagengruber was not "Chief Security Officer", the title he now holds at LANL (and which he was tagged for in the LANS contract proposal). So, he had no such power. I believe at SNL, Hagengruber was a non-proliferation, counterintelligence type.

Oh good, another example of LANS hiring a has-been and promoting him/her beyond their competence level. I believe this is what LANS calls a win-win to justify the hire ...

Anonymous said...

You all are complaining about the poor service CTN will provide us. Not to worry. It's still possible to do what we normally do while waiting for tech support to fix us up.

Anonymous said...

Which people are unqualified for the positions they hold?

Apparently the scientists. Getting a PhD and doing the work they do is an extreme accomplishment, but at LANL it is soon replaced with the fact that they know better than anybody else, and because they have a PhD no one should disagree (especially if they do not have a PhD).

It is well known at LANL that if you do not have a PhD you are of a lesser intelligence.

Arrogance is the best definition. Take an objective look. Disagree?

Anonymous said...

10/20/07 8:58 PM and 10/22/07 8:32 AM are both pointing out, in their own way, that the LANL of today is but a leech on the legacy of the LANL the world remembers.

Thank you both. Especially for the "incompetant" remark. Priceless!

Anonymous said...

I see frequent references to loss of "productivity." I submit that no one dares define the term for fear that it would result in a judgment of unsatisfactory or worse. Does anyone remember Bell labs? We should reflect on their disappearance.

Anonymous said...

Should we talk about the Nobel Peace Prize (i.e., farce)?

I bet all previous winners are rolling over in their graves

Anonymous said...

8:37AM
8:54AM

Here you go again with your nonsense of how you hate the scientists at the lab. You never provide any facts only baseless allegations. Please get a life and leave the rest of the world alone.

Anonymous said...

Say, what about that Proofpoint Spam filter that CTN has thrust upon us? This morning, my list of quarantined emails is 80% false positives, and the server is not responding when I ask for them to be released.

I sure hope none of my quarantined email is important...

Anonymous said...

The change in CTN finances was punitive in nature to CTN, who had been charging a lot more than required for support, especially on the yellow.

This place is going to hades in a handcart.

Anonymous said...

Shouldn't that be "pricelass", 8:54 am?

;)

Eric said...

Pinky and the Brain,
Thanks for the Hagengruber memo.

It was interesting to me that nowhere in the memo was there any talk about meeting deliverables for funded projects, about where these extra IT people might come from or what qualifications they might have, or about how they would be paid.

Anonymous said...

It's afternoon now, and the Proofpoint server is still not responding.

What do I need to do to get my email? Perhaps set up an SSH tunnel to an outside server to bypass the institutional nonsense?

Anonymous said...

Easier yet, 1:02, is to just use

https://mail.google.com/

Of course, either method will likely get you added to that already-well-populated RIF list.

Anonymous said...

Eric, we won't need any additional sysadmins. We'll just further overload the already overloaded ones we already have.

Deliverables? There is only one: Compliance, right now.

Anonymous said...

Eric - you are too cute for words!!!

You still believe in deliverables.

Do you still believe in the Easter Bunny?

Anonymous said...

Eric (along with about 96% of the staff who actually work at LANL -- Eric doesn't) never did grasp that the whole purpose of the contract change-over was to pare down both the number of staff at LANL, and LANL's mission.

The mission, of course, will be pit production. All other DOE programmatic work will be migrated to the other NNSA and DOE labs. WFO will simply not be given support (that is, any WFO that chooses to pay LANS's new exorbitant FTE costs). The target for a pared-down staffing will be around 4,300.

There's your 'deliverable'.

Anonymous said...

1:02pm: The software is probably still confused. You see, the rest of us think that the v1agr4 email is spam, not a false positive. It's just not used to being asked to unquarantine those.

Anonymous said...

Just got back from vacation and saw this shit storm. In typically stupid LANS fashion the referenced memo is dated October 11. The crap listed in the memo needs to be implemented by October 16 or you need an exception. Hagengruber must be on crack.

Anonymous said...

I'd like to point out a few subtleties of the "Hagengruber Plan":

1. There will be no exceptions to that bit of the plan having to do with who may administer a workstation.

2. Macs are history.

3. Linux is history.

4 (This one is key, so pay attention): Windows, MicroSoft Word, Microsoft Excel, and Microsoft Project are all you will need to do your jobs at LANL.

There, that wasn't so hard, was it?

Anonymous said...

RE: The so-called "Hagengruber Manifesto"

Is there some other document out there (other than the one that you have posted) that might shed more light on this "manifesto" that is supposedly going to wreck LANL computing?

All I see in the .pdf that was posted are things like:
* Have an administrator that is not the user (but the user can still be an administrator)
* Have a couple of cyber security positions filled w/ different people, rather than one person serving dual roles (useful to prevent COI)
* Useful rules for passwords, and
* a rule about foreign nationals, which isn't unreasonable, given that we work for a national security laboratory.

All of those policies have been in place at parts of the lab for months to years now; I'm surprised there are pockets that aren't in compliance.

I didn't see anything in that memo about "all Windows" or "one size fits all" computing. Where was the Linux business?

Honestly, if you think that your computing capability will be derailed because of some simple guidance such as password protection or having an additional administrator, then ...

Get a life.

Anonymous said...

7:52 forgot Powerpoint, the most important piece of S/W that enables management...

Anonymous said...

Well, if the standard suite of productivity software doesn't include Lotus Notes, it can't be all that bad, can it?

Anonymous said...

8:27pm: My thoughts exactly. The memo that is in that PDF didn't say anything about macs, windows, etc... FUD: Fear, Uncertainty, and Doubt -- filter it out when reading comments here. Most of the posters seem to enjoy spewing FUD to get people all fired up for some bizarre reason.

Anonymous said...

Please identify, by name, the individual in CTN who knows how to service a Mac.

Anonymous said...

"Most of the posters seem to enjoy spewing FUD to get people all fired up for some bizarre reason."

Because in the absence of any control, influence or even information in our own worklives, the FUD is the only tool available.

Anonymous said...

Please identify, by name, the individual in CTN who knows how to service a Mac.

10/23/07 12:14 AM

I can't even think of anyone that can properly service PCs, let alone Macs. If it's not in the cookbook and someone in CTN needs to think outside the box, forget it. I have a CTN desktop support tech that works for me (independent) that I need to help and advise as to what to do; it's unbelievable. Even the simple shit. The person is Microsoft certified to boot.

Anonymous said...

8:22,

But, but...

I thought we were the best and the brightest!

Oh, wait. Maybe your CTN support Tech was the Best and the Brightest of all of the Microsoft Certified techs. Yeah, that's gotta be it.

Anonymous said...

I'd love to be a fly on the wall the first time CTN received a Linux support question.

"Whut? Linucks? Is that a program? I don't see it on my list. Try rebooting your computer."

Anonymous said...

I was about to ask if any had linux certs. Guess not.

Anonymous said...

Linux is supported.

...as long as it's the official Lab-blessed RHEL distribution.

Some of the CTN folk even have RHCE certs to prove their competency!

Doug Roberts said...

That's nice to hear, 10:11. I was on the committee that selected RHEL as the LANL "officially supported" Linux distro, roughly 4 years ago.

I'll be interested to see if Linux is still a supported OS at LANL by this time next year.

Doug Roberts
LANL, Retired

Anonymous said...

I do direct-funded science at LANL. How can I modify this so that I can charge my time as overhead and continue with my research?

Also, I would like to use the same greatly reduced FTE rates that the staff in the overhead orgs use so that I can do more work with each research dollar.

Who do you have to talk to at LANL to see about getting a ride on the gravy train? It seems like almost every one at LANL is using overhead taxes to fund their job these days. Why stop with CTN and the new 3% tax?

Let's institute a new 90% tax on all management and support funds to help pay for science at LANL! If overhead taxation seems like such a swell idea for management and support, then let's spread the goodness all around LANL. Voila, instant prosperity for everyone!

Anonymous said...

"Windows, MicroSoft Word, Microsoft Excel, and Microsoft Project are all you will need to do your jobs at LANL."

Hey, you left off PowerPoint. How can the Laboratory function without that?

Well, come to think of it, I haven't seen too many pit production drawings, specs, and procedures on PowerPoint. Forget my comment.

Anonymous said...

Well shoot, 77 comments and the only problem with overhead at LANL is CTN. If that were all that was wrong we could fix it. Give me a break, how about a pie chart of where the other 68% of my dollar goes. In the absence of knowing how the overhead money is spent then the best I can tell I pay for safety reps like 3 times over (as well as 4 times over for cyber support). There are no arguments to be made until we can say where it all goes.

Anonymous said...

Where does the rest of the overhead go? How about management salaries?