In this day and age this is like sending out a memo saying people can only use Bic pens in the office and anyone bringing a Parker in will be fired.
It is, frankly, ridiculous. This is doubly true as the people who want to install these browsers are obviously more computer literate than those without it.
You talk about a corporate network as if the people who have these draconian policies are competent, in my experience the very opposite is true, the more incompetent the IT department is, the stricter the policies will be.
I love your incredibly naive and arrogant attitude. Everyone has personality flaws and that is what the policies are there to insure against i.e. people like yourself.
I used to work in the defence and health sectors in the UK and now work in the financial sector. Everything is locked down for a reason.
It's about controlling and partitioning data, not bic vs parker. The tools are entirely irrelevant.
If someone sticks a copy of SkyDrive or Dropbox on a PC (both of which do their best to work around your firewall) and uploads some financial or classified documents, then you are simply fucked. Here in the UK, it carries a £30,000 GBP fine on average in the financial sector or 25 years in prison in the defence sector.
This is serious stuff and the policies are there for a reason.
Most of these places don't even have Internet access on site other than a couple of dedicated machines in the IT department.
Enthusiasts are so detached from corporate reality.
Firstly, I meant FF and Chrome, not sharing apps. Regardless, I would understand, vaguely understand, that limitation in the DoD, well not really actually, but 99.99% of us aren't working in the DoD or health are we? 99.99% of us are working in situations where the data is highly specific and only useful in an incredibly targeted intrusion that fairly trivial social engineering could access and a much greater attack vector is being exposed in poorly written web apps exposing entire DBs to the world if only anyone could be bothered to hack your local estate agent. But they can't be bothered.
Stopping people installing Chrome's not going to change that and you're utterly delusional to think otherwise.
Pretending otherwise is pandering to the security theatre that is gripping our country at the moment. If someone wanted into your DB, they will get in. Deep down you know that. And Chrome's not going to be how they do it. No, an employee, someone, somewhere, will give them access. People are your weak point, not the systems. Couple that with massively weak internal controls usually exposing your data to everyone in your company. They might have to sleep with them, they might have to hire a prostitute or something crazy like that, but they'll get in. Sneakers style! China's recent spate of 0-days has also proven that a determined attacker will get in.
Or maybe you'll 'lose' another laptop.
Secondly, I am a professional programmer. Not an enthusiast. Grow up with your childish name calling.
Thirdly, I have also worked for a wide variety of companies as a drone, a lot, as I temped my way through Uni. At the time in 2000-2003 I didn't realise that being able to program was special. If only I could go back and tell me I would be far richer. Almost in their entirety the IT departments have been incompetent. This was before they even thought of blocking websites. I could regale you with tales of negative gas readings due to estimated bills not resulting in credits to customers at one of the largest energy suppliers in the UK. I could tell you of being given the entire delivery DB of schedules of one of the three collection cash delivery agencies in the UK 3 months before they were hit by a series of robberies just after those deliveries and never, ever getting an interview by the police.
Fourth, I have been in contact with hundreds of client IT departments the majority of which couldn't tell their ass from their elbow IT-wise, who didn't know that their servers had become zombie mailers or that something as simple as installing SQL server on a DC was a big no-no. One company I worked for had the bright idea of making their programmers first-line support. Eye-opening.
Fifth, I have met hundreds of programmers in my time, there are only about 5 I would actually trust to program my toaster, let alone my heart monitor. Most programmers will only have a vague clue who Linus Torvalds is. And the sysadmins I've met are often people not good enough to become programmers. Those rare other kind are like finding a diamond! I was chatting to a programmer friend I occasionally go for a pint and a curry with yesterday who works for a 100 person IT department in the NHS and no-one there knows what Github is. Or who Scott Hanselman or Scott Gu were, even though they work entirely in .Net, mainly with web apps.
There are a lot of people in IT at the moment who just do not belong here. We're still in the crazy "quack" phase of our profession where it's hard to tell someone good from someone espousing nonsense.
In here, in HN, there's a solace, so many people actually know what they're talking about. It was refreshing when I first found it 4 years ago, and sometimes I forget.
Don't forget. Never forget that at the moment most IT people suck. If there's someone detached from reality, it's you.
tl;dr Letting your users install Chrome or FF is froody. You're talking to a battle hardened veteran, n00b.
My conclusions are unchanged. Some replies to confirm my position on the matter:
1. People are the weak point. Yes. Anticipating their actions and protecting against them is the task at hand. This is not security theatre - it's simply sensible considering human nature. People will not get at our production database if they try (we get regular attempts but our properly designed tiered security architecture and mandatory access control system prevent it every time and will as we adapt and re-evaluate regularly).
2. Losing laptops. Not a problem. We've lost a couple. We plan for that. They are fully encrypted TPM equipped laptops and there is no data on them anyway as our methods from (1) are applied. If someone got one, cracked the encryption or decapped the TPM chip and got in, they'd get nothing of value. We actually paid a rather well known ex-black hat a lot of money to steal one from one of our staff and try and get in and they couldn't.
3. I'm a professional programmer (red brick MEng, EE for 6 years embedded and VLSI, 15 years programming and architecture). So are my colleagues. We don't employ run of the mill guys. We start at the high end and have qualification requirements that would scare the shit out of a Google candidate. We don't employ the sort of people who can't tell arse from elbow. We know they exist but the agents don't dare send us their CVs. We're not interested in rock stars or ninjas or any of that crap - just people who know what they are doing.
4. I've worked for asshats too. In the corporate world, these aren't actually that common these days. I deal with a lot of large corporate financial customers for our product (FTSE100 types) and they know what they are doing.
5. I worked for the NHS for 3 years. No-one in the NHS needs to know what or who the hell Github or Hanselman or Gu are. It has precisely no bearing on the NHS. Does celebrity tech culture really matter there? No. That just undermines your entire argument.
6. As for quackery: it's easy to separate wheat from chaff, unless you are chaff.
There are very few people on HN who live in the "real world" i.e. outside startup culture. There is a consensus of opinion, but it's not all right. In fact a lot of it is plain wrong and driven purely by irrational worship rather than realistic well-thought-out and tested arguments (37signals, Elon Musk, JGC, Atwood, Spolsky to name a few)
As for the froodyness of FF or Chrome, froodyness is IE and Group Policy for the foreseeable future (not Chrome's piss poor implementation and unpredictable support lifecycle).
The fact you mention n00b implies that you still suffer from a childish mentality as well, therefore backing up my points again.
As for the time here - I've lurked in HN through many fads, phases etc for about 4 years. I decided recently to exercise my opinion a bit as there are some seriously bad ideas being promoted and I do not want the next generation of people to be terribly influenced by them.
Some people who have these policies are just lazy and incompetent.
But some of us work hard to ensure that we can support all the software our company needs, and this means limiting access to other software that might break things.
In this day and age this is like sending out a memo saying people can only use Bic pens in the office and anyone bringing a Parker in will be fired.
Well, no, for a few reasons.
Firstly, bringing in a different pen doesn't cause someone in IT to spend half a day finding you a Bic when your fancy Parker runs out of ink. However, since IT are usually responsible for keeping everyone's systems running properly, if you install unsupported software and something breaks, you probably will be wasting some unfortunate IT guy's time cleaning up your mess.
Secondly, it doesn't cost $100,000 of downtime while everyone in the department has their pens collected and destroyed and new pens issued just because your ink spilled. On the other hand, if you install software that actively circumvents the usual security measures (like Chrome, for example) and wind up with malware as a result, it's entirely possible that your machine and any other machines close enough to it to be infected will need to be nuked and reinstalled from scratch.
Finally, it doesn't cost millions in fines for breaches of regulatory compliance and/or put the executives responsible for your organisation personally on the hook if you bring in the wrong kind of pen. If you install something unsupported and wind up tripping someone's data leakage protection in an organisation that deals with things like healthcare, financial records, or military/law enforcement/security matters, an administrative nightmare the likes of which you have probably never seen is likely to descend on you and everyone around you.
And if you were half as computer literate as you seem to think you are, that would all have been blindingly obvious to you. Since it apparently wasn't, you might like to consider that you are exactly the reason that the IT departments responsible for keeping organisations' systems running tend to have these "draconian" rules.
It is, frankly, ridiculous. This is doubly true as the people who want to install these browsers are obviously more computer literate than those without it.
You talk about a corporate network as if the people who have these draconian policies are competent, in my experience the very opposite is true, the more incompetent the IT department is, the stricter the policies will be.