At this point I’d take the malicious compliance route. Make sure you have it documented in a form of writing that shows he is refusing to upgrade his system. Send him an email confirming you the new laptop on standby and would like to know when he’d like to swap it out, he’ll obviously tell you to pound sand. If anything happens, it’s not on you. If you’re worried about getting fired, then it’s not worth it to pursue.
Thanks for your advice. Just to clarify, this is about replacing a desktop, not a laptop. My boss got really angry and explicitly told me not to ask again, but I feel I need to get this in writing for my own protection. This job pays well for my age, and I am worried about getting fired, but I also know this is a matter of when, not if, a security issue will occur.
I’m planning on bringing up a 9020 Optiplex with Coreboot and TianoCore installed. I have already installed Coreboot on some of the other systems and made sure the chip is locked down. I have a fresh Windows 10 installed on it using our volume license USB. The 9020 is pretty standard at our location. It’s $50, but I’ll just do it for my job’s sake. This employee has been asking for a new computer for
28 months, and he really needs it.“hey boss, I know you told me not to ask again, so I am not, but in the event you change your mind, I have your upgrade ready to go.”
It sounds like their concern isn’t so much the boss feeling pestered, it’s who gets blamed when something bad inevitably happens because of the boss’ insistence on an insecure system.
That’s why you email them…
Tbh. Its highly unlikely that you will face anything that disrupts business and can prove it being from this machine.
Even if you get hit by a trojan that encrypts everything: if you have AV on clients and servers and update their databases regularely, noone could or would blame a dude thats 3 months in the job for it. I mean you have no prior experience. Thats also why i would not try to escelate it further. You will get fucked by management if you fall in the back of a higher ranking position. They dont appreciate people calling stuff like this out. Especially in small family owned businesses. Trust me. I’ve been there.
You will most likely find even more hazards in the future. If it gets worse, make a list. If you can, put in the CVE Codes and their explanation about the issue and the potential risks.
Put it in a monthly report-email regarding IT Topics. Also put different stuff in there, so you dont only appear to be whining about the system that they obviously have been taking care of in a lackluster way. This way you show that you are doing your job for the case that there might actually be a hazard and if they ask, you can simply point to your monthly report and say you did your best and did not get enough ressources/coworkers/ or the so very much needed new Firewall Appliance.
In terms of futur vision: write up your daily systems you work with. I’ll make some examples for your Resume:
- Config- and Patchmanagement of
- ~ 30 Windows 10 clients via WSUS and SCCM
- ~ 10 Windows Server 2019 Systems via WSUS
- ~ A Veeam/Synology/In-House Built Backup Solition
- Ubiquiti Firewall and AP Solitions
- Management of Microsoft SQL/Oracle/MariaDB Database Replications
- Management of an small scaled AD Environment with ~ 80 self created Objects
- GPO Policy Management
- Management of a Microsoft Exchange Sever Cluster
- …
And so on.
Also make a second list with projects, what your role in them was (most likely project lead), and what situation you had and the target. Also in which timeframe you are working on it (March/2024 - Today)
Don’t tell anybody that you are keeping your eyes out for a new job. Wait till you have landed a new job with administration work (dont do First-Layer Support Jobs. They get you stuck on your career ladder)
Also have a look at job portals like Kununu and check Ratings of companies. Since you are already in a kind of dispute with your boss I would suggest to not leave a review of your current workplace, whilst you still work there. Attention would be immediately brought to your end.
Also: if you are bad at creating a resume. Use an online builder. Job portals offer them. Be advised though, recruiters will already call the number that you type in there even before you are done typing your resume. rxResume is and FOSS Resume Builder. Can be selfhost or simply used by the Publicly hosted variant.
100% CYA, but also, follow the letter of the law. If you are disciplined - or face retaliation - for following documented processes, you bring it to his boss and HR.
Your boss is aware of the problem and doesn’t want you to leave a clear paper trail about it in writing. Think about that a little bit.
Welcome to IT.
Fellow IT guy here (welcome!). It’s like everyone else said: have some proof that your boss was informed of the situation. As someone who worked for a few years in IT: avoid verbal agreements; you won’t be able to prove they happened and they’ll make it your fault. As an example, I refuse to do any work that might have long-term consequences if I don’t have a ticket requesting as such or at the very least a mail in my mailbox. All agreements should be documented somewhere. Email is good, hard copies (paper) are even better.
Always, always, always document your requests. Bosses will not hesitate to throw you under the bus when something THEY fucked up goes wrong. Like southsamurai said: cover your ass, then follow orders. When shit inevitably hits the fan, you’ll have something to point to.
I would absolutely send him an email to the effect of
“Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advise.”
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn’t just your word vs his.
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he’s done his job. It’s his bosses problem, the one responsible.
And keep a copy off site
I disagree. That’s a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to “serve notice” or have any meaningful “professional opinion”.
Cover your ass, then follow orders. The job is, whether anyone likes it or not, to do what a supervisor tells you. If the supervisor is an idiot like yours, that doesn’t change. Do the job, cover your ass, and hope for the best.
I appreciate the advice. My boss told me today not to ask again about upgrading the desktop and was visibly angry. I’m planning to email him saying I have a preconfigured Windows 10 replacement ready, but I haven’t touched the current setup as per his instructions. If the current computer breaks, we can swap it quickly. Is this a good approach?
“Per our discussion, you do not want to hear anything more about updating from a windows 7 machine that is no longer being updated, no longer receiving security fixes, and is end of support, to my recommended windows 10/11 machine. You’re aware that I have advised you that not updating is possibly a HIPPA violation.
This email confirms that I will no longer bring the subject up again.”
That’s it. CYA and print that Sent item out. Move on to the next issue.
This is the correct way to do it. Cover your ass.
Yes. And then polish up your resume. Work experience can trump age/even certs sometimes.
This is an awesome moment in interviews to let them know you try to head off problems before they start.
You said you were young, so you might not fully know your own worth yet. I’d rather hire someone who is forward thinking and preventing problems then someone who might have a cert or 2 more than you.
If you’ve covered your ass already, that’s pointless. Hell, if you’ve already got a record of his orders vs your recommendation, it’s more trouble than its worth.
If you don’t, then that’s perfect.
deleted by creator
Doesn’t sound like it needs web access to function. Block web and all other ports at switch/core/firewall etc.
Start looking for a new job. Don’t wait until you have certs, just look. And don’t describe this situation in any interview. Just say you’re looking for growth and new challenges
A couple additional thoughts:
-
You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it’s possible to delete any email that was sent internally and the logs that it was sent.
-
You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.
-
You should not include any specific technical information about your company’s systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. “email to boss about upgrading out-of-date operating system”), and a short description of any response (verbal or written).
-
You have offered to upgrade this system. Your boss said no. It’s not your responsibility anymore.
-
If I were in your position I would tell my boss explicitly that I won’t be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.
-
If you’ve been told that you’re responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you’re not responsible for it, don’t mess with it.
-
Windows 10 will be in the same boat again in about a year and a half when Microsoft drops support.
Do you really want to have this fight a second time trying to get him to upgrade to Windows 11?trying to get him to upgrade to Windows 11?
If it’s currently running Win7, it likely doesn’t have TPM 2.0, and in extreme circumstances may not even have the SSE 4.2 that 23H2 requires (Win11 will then fail to boot).
And while a RUFUS-modded installer can remove the TPM 2.0 requirement, the SSE 4.2 requirement is kinda baked into the pie; there is no avoiding that.
Win11 is already available… Just go to that.
That’s my point
You’re not employed to fix all the problems, you’re employed to fix the problems your boss wants you to. Save the emails where they deny your concerns for the inevitable subpoena but other than that shut your mouth on this topic and move along to other tasks.
Edit: further note since you’re new to IT. HIPPA requires that orgs keep patient data of children in an accessible manner until that child is around 25 iirc. When I first started in IT we still had a couple 3.1 and 95 machines running an old out of support EMR software until the patients in it were old enough we could pitch it. It’s entirely possible this is the reason your boss is keeping this machine, it may not be upgradeable because the software simply doesn’t work above windows 7. I will say there’s merit in moving that data local to the machine and getting it off the internet access though. But if your boss says leave it then leave it.
Yup, this. Cover your ass by putting shit in writing via email, (and bcc your personal email too, so they can’t just delete the emails off the mail server and pretend they never existed.) But besides that, if the boss wants to have a vulnerable system, then that’s their prerogative.
shit your mouth
Found the scatmannnnn! 🎶Ski-bi dibby dib yo da dub dub. Yo da dub dub.🎶
My boss didn’t exactly state the reason why. He said the machine cannot be down at all, yet when I visited yesterday, the computer was crashing all day. They had to turn it off over 10 times. I told him the software vendor confirmed compatibility with Windows 10, and I forwarded the upgrade guide. Still, he refuses to grant permission. I checked the Windows 7 system last month, and it’s only running this one program with no other software or files. It’s a default Windows 7 setup with just this program. The program can be set up the exact same way on the new computer.
Is there maybe a cost associated with the upgrade to windows 10 version for that software? I’ve had vendors quote me everything from 3k to 150k for the upgraded version and move assistance to go from server 08 to server 2012 compatibility (equivalent of 7-10 desktop)
There probably is a windows 10 and later compatible version, but you may need to upgrade and there’s a capital expense the business may be unwilling to do
There is no cost to upgrade it; they sent me a guide to download and install the software. The employee who must use this machine to do his work said he will call my boss and tell him directly. If my boss still refuses, he said he will call the VP, who is my boss’s superior. This employee has been with the company for a very long time, so it shouldn’t be a big deal. Should I still send the email?
For the love of god do not go above your bosses head to do something he told you to drop unless you want to be unemployed. Send the CYA email but be aware if that VP pressures the boss to do your idea you better hope he doesn’t say it’s because of you they’re forcing this. You’re green and want to do well, I get it, but you need to accept that sometimes you just need to do as your boss says even if it isn’t the best.
Just post the IP address and we can sort it out for you.
Back everything up first and you will be their hero.
It’s your first IT job and you’ve been there for a few months? While your safety concerns definitely can be relevant my advice is this
You should
- Don’t rock the boat as a new hire. Figure out what is going on first. Maybe there’s a reason to some of the madness you see.
- Do NOT contact the owners. Doing so will likely be seen as disloyalty by your boss and possibly the owners as well. Only go through your immediate superior.
- Don’t bring it up again with your boss. It’s not your responsibility.
- Leverage the user. Let the user be the one to push for a system switch.
You could
- Figure out if you can get the system on a separate VLAN and get it locked down in firewall rules.
- Research the system. Why don’t your boss want it replaced? Does it run some ancient software? We’ve got some machinery that is running windows 7 at work. When I got hired, in the days if windows 8, the controller was running windows XP. The setting up of drivers and archaic proprietary software, involved in upgrading, is immense. When we switched to 7 this €60k equipment was down for days, and it was a week before it operated properly.
I’d modify the 2nd one from “don’t do it” to “understand that doing this might burn bridges if they care more about the hierarchy than competence, so have at least one option that doesn’t rely on them before you do this”. That’s with the mindset that I wouldn’t want to stay long at a job like that unless this could be resolved and am willing to burn bridges in situations like that.
That’s with the mindset that I wouldn’t want to stay long at a job like that
Oh I concur, but elsewhere OP mentioned that the job pays a rather unskilled (OP mentioned having an A+) 20 year old 55k USD, and OP is getting certs as well. In that case I’d seriously be working on my STFU-skills, instead of meddling in something that my boss really wants me to stop meddling in. Maybe do a bit of CMA - but not to the extent of emailing my boss to get a paper trail.
When you’ve been in an organization for only three months, and it’s your first job in the industry, maybe just absorb what’s happening instead of trying to change stuff. Make up your own opinions, sure, but keep them to yourself. Maybe evaluate on how you perceived situations, and how they played out, and modify your views based on that.
Yeah, I have a piece of mission-critical gear that is controlled by a computer running Windows XP. Because the control program is written in Flash and modern systems won’t run it. Migrating to a modern system would require a complete rewrite in a new language, and would also likely kill a lot of functionality.
Soooo… Haven’t seen anyone ask this. Why DOESN’T he want it updated? Have you checked for running processes, keyloggers (hardware and software), hidden partitions, Veracrypt, etc?
There may be a reason that’s not being shared.
Otherwise I agree with the email routes that get it in writing (or the lack of response as such).
It’s a medical office, $100 says it’s running some outdated software no longer supported by the vendor but must be kept n in operating state because HIPPA requires you to keep patient data of children available until they’re like 25
This is my guess.
You’d think OPs boss would just tell him that though.
“We can’t upgrade because of <whatever software> I’m keen to hear what we can do to mitigate the security risk”.
Some IT bosses aren’t great at communicating why, they just want to stop the convo on things they can’t fix and resume working on progressing things they can
This probably applies to bosses in any role. That said, this boss is not an IT guy, he’s a manager in a “health” business employing an IT guy. Why wouldn’t you tell the IT guy you hired about your IT requirements?
Most IT managers are just techs that stayed long enough to be made manager
That doesn’t sound like what’s happening here. It’s a family business. I think OP is the entire IT department.
Walmart is also a family owned business, that term means nothing in regards to company size and org structure. In another comment OP says there are several leadership tiers including managers, directors, and VPs, those org charts don’t exist in mom&pop health clinics. If OP is a one man IT department then this company is grossly mismanaged and is being negligent with their data by hiring a singular kid straight of college to be their IT department, if he’s one of many like they should be then OP is just a new-hire that needs to pump the brakes and learn to follow direction
Dunno, worked in medical for years, and if there’s a system that can replace it and retain the data, no one I worked with would have pushed back.
Note, I think you are speaking of state medical law, which is typically data retention to 25 years post-minor (43), not HIPPA which is data privacy.
The most chaotic good thing to do would be to use the known security issues to hack into your boss’ computer in the most scarry looking but harmless way. That would possibly scare them into upgrading.
With that said, you should create a paper trail on how you warned your boss, and either wash your hands of the issue or kick it up the chain, depending on how much you care.
EDIT: since it seems some people didn’t get it, I meant the first option as a joke. My actual advice is the second paragraph
More like chaotic dumb. This is a good way to get fired and possibly end up with criminal charges depending on how petty the boss is. And based on how stubborn and tech illiterate they are it is likely.
I didn’t actually mean the fist option, it was meant as a joke. I clarified it in another comment, maybe I should just edit the original one.
Yes! There is a website somewhere that has a tonne of fake os screens - updating/upgrading windows, bsod loop etc.
Run a scary looking one of those, disconnect mouse/keyboard so it can’t be interrupted and let the boss discover it
Just be be clear, I wasn’t advising OP to do the first idea. It was more of a joke. It has potential to be traced back and get him into trouble.
As a user at a big company that needs to lock down its security, we get quarterly phishing emails that would tell you that you failed the test so to speak if you click the link. It shows how easy it is to everyday users of how easily an entire system can get compromised.
Having a “test” like this might not be bad if you run it by boss first?
As far as I understood the problem here is OP’s boss, so I don’t think that would be a feasible solution in this situation
deleted by creator
Do not for the love of God put your system on 11. There has already been too much hacking proof of concepts for the rewind feature.
Hold 10, pay for the updates if need be.
The rewind feature is only available officially on specialized hardware that has not hit the market yet. “Copilot ready” is the term.
The PoCs are using multiple workarounds to get it running. It is also entirely disable-able using standard Windows adminstration tools.
There’s also a simple toggle to turn Rewind off in the settings menu.
People are really going bonkers over Rewind, it’s almost a sort of mass hysteria at this point. Yes, it appears to be a very insecure and risky feature at this point. So just turn it off. There’s lots of features in any OS that you can set up in ways that will make your system insecure, this is just a particular one of those. Microsoft isn’t going to force it to be enabled, the ensuing legal shitstorm would be epic. I doubt they’ll roll it out to a large audience in its current state.
At the time I posted, Microsoft had officially planned on having it enabled by default on supported hardware, which was dumb as hell. They’ve since flipped on that, thank goodness.
an email I sent to my boss about upgrading was never responded to
Dear Boss, As per our recent discussion [blah blah] Thanks for allowing me to leave early on Friday for my appointment. HnK, -Staffy McStaffersonWhen you get a ‘brown M&M’ response …
Staffy, I don't remember the discussion about Friday. -Jefe JefenbaumThen you know you got 'im.
This is kinda genius, lol
