I spent about four years of my life working in a datacenter, administering a system composed of about 200 computers supporting 20,000 users. I have some stories.
The facility had a lot of rules, some of them extremely petty. One of them involved telephones.
There was a specific model of telephone you could use. There was a specific color it could be, a specific length the cable could be, and a specific path you had to route it. At the end of your rows, you had to have a file cabinet of a specific color, and the phone had to sit on the file cabinet, and only on that file cabinet.
A couple of people paid attention to the rule.
We had some Cisco VOIP phones in our racks. The idea was that we could use them to call people at our other facilities while we were working together to troubleshoot. It never happened; our network guy never configured them, so they just sat there looking pretty. No one ever paid any attention to them. Until one day, that is.
The facility manager was a guy named Larry. You always knew when he was upset, because his voice got really high and squeaky. One afternoon, Larry charged into the room, red as a beet and about ready to have a stroke. He demanded, in no uncertain terms, that those illegal phones be removed from his facility immediately.
My boss calmly explained to him that they aren’t conventional telephones, that they’re VOIP phones.
Larry came unglued. We knew the rules about what phones were allowed.
My boss then tried to explain VOIP to Larry. They aren’t really phones. They’re a computer.
Larry came unglued again. He knew a phone when he saw it. He gave an ultimatum and left the room.
My boss turned to the rest of us and wondered aloud if he should have mentioned the phones weren’t plugged in. Then he told us we heard him, so we needed to go remove those illegal unplugged Cisco phones.
I’m sure I had more important things to do–there was always a patch that needed to be deployed, or staged, or something–but we heard the man. Those phones needed to be removed.
Speaking as a CISSP, there’s actually a reason for the rule. Theoretically, data can leak from the servers or the cabling onto the phone line and be reconstructed on the other end. Of course, with these VOIP phones, that wasn’t a concern since we’d only be calling phones at our other locations, which would all have the same data. But the people who enforce the rules don’t always know the reason behind them. People like Larry–an electrician by trade who barely knew how to check his e-mail.
So we removed the phones.
As we finished up, I had an idea. “You know those toy Fisher-Price phones we had when we were kids?” I asked. “I wonder what Larry would do if we put one of those in our racks?”
I never did it, so I never found out.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.