Some years ago I replaced the IT manager at a large motor manufacturer in Birmingham.
He left on a Friday.
The following Monday I noticed he was loged in over a modem that he curiously had forgotten to mention.
I unplugged it.
It's every sysadmin's worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do? Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could …
Some places I've left my corporate email etc accounts on my phone and been able to receive mail for months after I've left, others I get prompted for the password before I've gone through the door (ie account disabled).
My point being some companies have better exit processes than others.
Happens at the NHS. One trust I was at, I could pick up my e-mails for months after I'd left. I'm AC because the tech who was supervising us, who I'm friends with still works for the NHS, but at another trust. She said, quite rightly, "It's not my problem as I told them and filled in the forms informing them you'd left, the day you left. If they can't be bothered to then lock and close your account despite me giving them several warnings, that's their fault".
Quite right.
I do enjoy thinking of ways to get back in to places I've left though. Not because I'd ever do it, but to find out if it would be possible without being noticed. Sadly, it being highly illegal, you can't test your ideas out :)
When I left a couple of previous emplyoers, I ended up telling them to change their damned passwords after a couple of months, because i accidentally logged onto my old OWA instead of the new one and it was still active.
Or the Amazon or Also account etc. Web hosting? CMS system? Corporate Facebook page? Still Xing or LinkedIn corporate presence administrator... And that was an IT company!
In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post.
I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked. Worse still, the network manager at the time had enforced the use of the company name as password because he was fed up of dealing with reset / forgotten password attempts by the peasants.
I went to one company, their previous sysadmin also found a standard password easier than individual passwords for all users. Apart from the CEO, every user had the password 123456 and wasn't allowed to change it...
Then, the best thing was, every user's email was available over OWA!
My first day there, I disabled OWA for everybody and set all the accounts to change the password at next login.,
My email (username) and password still worked.
Wow. At the other end of things, when a downsizing caught me my access was cut-off mid-email the morning I was booted out the door. While I was getting the bad news from HR (over the phone, because the local HR rep had been laid off before me), I had been trying to email coworkers to pick up my remaining tasks and notify customers. But IT had deadlines to cut access and happened in the middle of the call.
Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access.
Subsequent emails from the company, such as for termination benefits, went to my personal email address.
"Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access."
They would have done better to have sacked you through your immediate local supervisor and offered to pay you a premium (hefty) if you would spend a day with them detailing tasks that needed to be delegated to those that much remain behind. It would be well worth £1,000 or more for them to do that and that sort of dosh can sooth the fury enough to be civil. Multiples might make it possible to at least act friendly. Many companies handle terminations very poorly. It sucks, but any company of more than one is going to have to deal with it.
I left an engineering job and the COO didn't take my notice seriously. I was pissed at the whole train wreck of a shop and they had finally placed the last straw so I was out of there. 3 days before my final day I got an email asking me about following up on a project. I replied that Friday was my last day and I was currently making sure that all of files were backed up on SVN, my desk was tidy and I would be packing up my computer (BYOC) and personal items on Thursday so I would only have final check out to do on Friday. They did understand, belatedly, that having me spend some time on a hand over would be worth a premium, but they then went on to insist on all sorts of other things I would have to agree to be eligible for the payment. I had to go to the labor board to be paid for unused leave that I could never take. They failed to notice that every time I scheduled some time off, they would book testing that I had to be on-site for and didn't actually get to take that time. It's a damn good thing I keep a journal at work. If your work is independent or isn't subject to continuous supervision, keep a simple daily journal of what you did that day and the times. If you ever get an inquiry about where you were on a particular day and what you were doing, you can page back and tell somebody with some accuracy.
"I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked."
Been in a similar situation with old client. Some development tools bought by my company and installed on the PC I used still installed....
This was only after a few months so it might have got cleaned off later.
I once had a work colleague who had previously worked for the same organisation, and then left for another job somewhere else, before finally later returning to a different job in the first organisation again.
They were not reallocated their old username (despite it still being in the system), because:
"That username has already been issued to someone else."
"Yes, that was me."
"Well, we've set up a new username for you now, we can't change it."
And one of the reasons that old usernames remained in the system was because the nature of the business meant that a reasonable number of employees were sometimes on temporary contracts and it was not unusual for them to work a number of temporary contracts in various organisations before finding themselves back again (and the people responsible for issuing usernames were supposed to check whether someone already existed in the system before doing so!).
After leaving, and maybe even returning again, it would be a rare company that always thought to remove email and phone numbers systematically and immediately from every previous application's configuration in all environments: test and dev as well as prod. So it is hardly surprising if some previous applications continue to send support mail or ticket updates to a reused internal email address, or even occasional SMS messages to a phone, which could be confusing or a nuisance if the address or phone number had a new owner. Content sent out of the app should have been vetted to ensure that it is not sensitive, but it would still be better to watch out for this contact lifetime issue in future and try to think of a way to manage it correctly.
"I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked."
Many years ago, I had set up the company network, servers etc and the last few weeks I was there I did some documentation.
About five years later I was working there again, but with lower rights than before, as it was a question of trust. Until the network went pearshaped, and no one else to look at it, I was given ..... the same documentation that I created five years earlier, with my hand written notes and passwords....
Another company wanted all the admin passwords written down, put in sealed envelopes and placed in a safe, just in case of emergency. My colleague did so, I was too busy and never got round to it.
A few weeks later, there was a meeting about a management buyout, staff will be laid off. While the meeting was going on, some weaselly PHB had opened the safe, took the envelope and changed passwords. My colleague was locked out of his systems and mine still worked.
The BOFH law of password insecurity: all IT Manglers\\\\\agers choose relatively weak passwords for shared resources, because they are too lazy to remember (or record) stronger ones, no matter how often the BOFH attempts to advise that this is not exactly a very good practice.
(Unfortunately, the lifts in my workplace are not sufficiently reliable for this problem to yet have been rectified. It would be rather unfair if an unexpected object were to fall on an entirely innocent lift engineer.)
"In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post."
Wise move. When you leave a company, you want to make sure that your have given up all of your keys, codes and accounts on their computers. You also want to be receipted on that as well. Be sure to insist on that if before you agree to an exit interview, if they do that, or sign any documents.
If you don't need access to something as a part of your job, don't get keys/codes for it. It can be very unpleasant to have to answer a bunch of questions regarding a crime or breach in an area that isn't part of your normal activities. Get one time or temp access when you need it. If it's a secure area, get somebody responsible to walk you in and check you out or even sit there while you do your work. Even if they deactivate a key card or company ID, make sure you give it back and get a receipt.
"That's exactly what I would've done with this. Unplugged it, put it in my desk (locked of course) and waited to see who claimed it."
And that's exactly what I have done. Mind you, it wasn't anything quite as sophisticated as this. Mine was an old netbook plugged into an open wall socket and tucked behind a filing cabinet. Its sheepish owner got a lecture about professional behaviour, followed by how to throttle a torrent client so it doesn't cause trouble on the network (because no one in IT over the age of 35 hasn't done something similar and incompetence offends me).
"And then given them a talking to about putting things in MY server room that I don't know about."
I've also heard that argument from a network manager when organising sanctioned traffic monitoring. My answer was it wasn't "his" server room, it belonged to his employer. Turns out he had good reason to not want us snooping (or should that be snorting?) around "his" network.
We only allow signed code, which can only be done on a single computer in the IT department.
Nothing unusual about that.
The IT staff can develop on their own test VMs, but the code can only run on those devices, to run it on the core infrastructure, it first needs to be approved and signed.
This post has been deleted by its author
Just recounting this for someone I might have worked with.
He apparently knew someone who worked at some company that was moving to a new location. That someone asked a neighboring business if he could run a TP through the dropped ceiling over the dividing wall for his router to get access to power and LAN. Friendly neighbor said "sure". As far as someone knows, that router is still blinking lights happily. (The credentials might be admin$ad...)
Another bloke actually left a second modem and phone line in a house that he sold. The purpose was to be able to do remote call forwarding without paying some crazy long-distance charges. The buyers happened to work for some spooky agency but it took a few months for a security scan to find out the leaky bits.
Or, this may just be hearsay.
A pet hate of mine is the enthusiasm with which pointy haired bosses and sundry HR rejects, oxygen thieves etc. enthuse about things like Yammer, Tibbr and similar in-house Faecebook lookalikes and how we can get Answers To All Our Problems(TM) by posting on the hallowed turf
If I'm feeling particularly awkward I ask about the quality implications of relying on advice from complete strangers (it's a large organisation) and point out that it is largely the same as saying "some bloke down the pub told me". The follow-up question is along the lines of how does that square with ISO9000 etc., certification.
Oi, that's effectively the modus operandi of StackExchange (and in a former era, usenet), or even this forum, that you're dissing there!
For every random nutter complete stranger out there on the internet, there is at least one kind, helpful stranger willing to offer (hopefully) sensible advice, partly because they are a decent human being, and partly because they hope that someone might return the favour to them one day if need be.
Sometimes the nutter:angel ratio is even better than that.
Oh... The arguments I've had with people on Yammer.
Them "Does anyone know how to resolve issue x on my work laptop"
Stranger #1 : "just download this thing from www.totallynotmalware.com and install it, fixed my issue"
Stranger #2 : "I had the same thing and fixed it by deleting files x,y,z"
Me : "FFS, we have a massive service desk with tonnes of people who do this for a living, why are you trusting Frank the janitors cousin to tell you how to fix your corporate laptop?!?"
Yep, I got paid an extra month's salary and various accounts were still available to me after I resigned. I wemailed, then wrote, asking to whom I should pay back the salary, etc., but heard nothing. The money sits in my account earning whole pennies of interest until they finally get a clue.
Never been fortunate enough (although the last employer didn't tell HMRC that I'd left and they weren't paying me any longer, with the result that HMRC then changed my tax code to reflect that my salary had doubled....) but about 15 years ago, several employers ago, the Head of IT was let go (following a vile takeover for him to be replaced by a useless PHB). Nine months later, he turned up on site for a service - in his company car. Turns out that, although he'd been let go (and paid a settlement figure to avoid a tribunal) HR hadn't stopping paying his salary (and new PHB hadn't spotted the cost), providing medical cover or asked him to return the car, his laptop, his security pass, etc, etc He'd been putting all the money into a specific savings account so he could return it if asked.
So what we have is a former employee who for some reason had access to a secure server room in the heart of the organization, without the IT manager being informed, and who installed a fairly sophisticated bit of kit
It's lucky this isn't some high-value target or very private industry otherwise this could end in a messy kashogghi or a vatican-bank-style suicide.
Better watch out regardless, it's good that a heads-up has been posted on El Reg already. IT peons are not valued highly.
Thankfully we have here The Register's army of commentards, who are sure to remain universally calm and rational!
One would have hoped there were enough clues in the article but not for the first time something like this has clearly gone "whoosh!" straight over the heads of many commentards.
Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here.
"Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here."
Not only that, but there's no further info on the ex-employee. We don't know if he was sacked or just moved to a new job. For all we know, he left to be a pen tester and was doing the college a favour :-)
This post has been deleted by its author
"but before you can raise the CR to remove it, you first would have to get it added to the CMDB before you can raise the change"
If it's not on the CMDB it doesn't exist so it was never removed when you unplugged it. Just following CR logic.
Following BOFH* logic, just unplug it to see who screams.
Remove the SD, plug it into a Unix/Linux box, edit the shadow password file to ensure you can log in, replace SD, add monitor and keyboard and find out what it's trying to do.
*I'm worried. BOFH not been seen for some time. Did a boss finally get him?
"just unplug it to see who screams"
Ahh memories...
Many years (decades!!) ago I was working at a site which was an old factory 're-purposed' as offices. Nobody had a wiring plan.
We had some Vaxes and VT100 / VT220 terminals dotted around the place.
One day I was chatting to one of the operators (remember when operating a Vax was a full time career?) who casually pulled a plug from the patch panel, saying "hold on a mo...".
Sure enough the phone rand and his side of the call went "suddenly stopped? oh dear I'll see if I can fix it.... where are you located? and which terminal is that? third from the left? great" then he'd write out a sticky label and put it on the cable and plug it back in. He reckoned nine times out of ten there'd be a pathetically grateful call-back.
Doing once cable every 20 minutes or so from widely different parts of the patch panel reduced the risks of any user cottoning onto what was happening.
He saved the company thousands compared with getting contractors in to do the wire tracing.
On the BOFH absence front -- where is Simon? we need to know - has the PFY launched a successful putsch at last?
If it's not on the CMDB it doesn't exist
At a previous job we had a relatively nice (compared to the normal corporate crud) pooled MBP that was used for video editing. But despite being asset tagged it somehow never ended up in the CMDB.
A year or two and a few role changes later, our team were no longer using it and getting tired of hauling it to new locations in the estate every time we got moved. The call went into desktop support to come and pick it up. But they had no record of its existence. And I got the distinct impression that asking them to pick up a theoretically non-existent asset was akin to suddenly shifting into reverse while doing 70 down the motorway.
Eventually we got moved again. Left the MBP on a spare desk at the end of the row and after a few weeks it disappeared. I assume IT did pick it up, but honestly couldn't be sure.
I'm slightly off topic, or at least the point is tangential ... but I suspect I'm not the only one who's noticed that people in corporate infosec jobs seem to vary wildly in their abilities. IT remains generally infested with cowboys and all-purpose oxygen thieves, but sometimes I wonder whether infosec is the secondary magnet (after management roles, of course) for those who talk a good game while knowing basically nothing.
I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc and therefore resorts to absolutist dogma whenever challenged, usually because after some probing it turns out they don't really understand the technology or the ramifications of their "policy". It may, for example, seem like a good idea to look tough and competent by blocking all admin-level access to all machines, but have you thought how that might affect agile*¹ development teams? Do you know how many man-months of work are wasted because you didn't think to enquire before implementing such a draconian policy?
And are you really insisting on 2FA via SMS for 'extra security' ...? Cue, howls of laughter.
*¹ That's 'agile' with the silent 'FR'.
>I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc
Just wondering if it is the same lot who had some "improvements" made to the javascript on their page recently meaning some customers' credit cards got "borrowed"...
<quote>I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc and therefore resorts to absolutist dogma whenever challenged, usually because after some probing it turns out they don't really understand the technology or the ramifications of their "policy"</quote>
That will be BA then? I can't imagine any other British airline with a worse grasp of IT generally!
Infosec bod here.
Yes I too know of this dogmatic mentality. However that can stem from corporate culture. If it is the culture of that airline to use the infosec team as blamehounds whenever a project goes wrong then it's not really a surprise. But it can also stem from a lack of confidence.
I get quizzed every day all day with 'is this ok?'. This will be on every IT subject from server setup (Windows, Unix, Linux and propriatory), cloud architecture, software development, web development, databases, legal and compliance ramification GDPR, PCI, SOX etc etc. I'm expected to be an expert in them all at the moment the question is asked and my answer makes me responsible for the outcome.
So I have become good at asking questions and mostly all I do is guide the subject matter experts who are asking the questions to the reasonable answer they probably knew in the first place. And I learn a little bit more in the conversation.
I might identify risks and take them to the right person to sign off but it is not in my authority to say no or yes to anything. Getting is across that the risk is never mine can be quite hard. Speaking to an infosec bod is not outsourcing the risk.
This is something that the group I work with actually has worked out. We're part of a fairly large org, with security people in many roles. Ours is essentially internal consulting, where projects come to us for review. Sometimes even before they've done what they wanted.
PMs are still used to the idea that we approve things, but we don't. We identify risk, document it, and there is a process (still evolving) where this risk is formalized. If needed, the business people are responsible for fixing the problem identified, or accepting the risk.
there wasn't an saffron-clad, vaguely oriental-looking, elderly man with a broom named Lu-Tse involved.
Or maybe there was!! Nobody ever notices a sweeper!!!
Ah-hah!!!!
I can feel an extra exclamation mark coming up right now!!!!!
OK, I'll get out of here. The one with "Thief of Time" in the pocket please
vgrig_us, I will break it to you gently, no-one apart from you is talking about the US, this happened in Austria.
Austria is a country in Europe, so the US Computer Fraud and Abuse Act and the FBI have no relevance here.
Comments like yours are why Americans (and by that I mean US citizens, as people from South/Central America and Canada are actually Americans) get a bad name for thinking that world revolves around them
Best thing I ever did was stop driving and start exercising. We moved house and I was faced with a 60 minute drive plus pay for parking, or a 60 minute bike ride, or a 90 min bus ride.
The burst of exersise wakes me up and I'm effective much more - the excuse of "haven't had coffee" is unneeded. Even using the recent Lime scooters is a step up in the personal exercise area.
And as IT wallahs we all run the risk of chair-sized bums, so adding some blood stirring moments is the best thing you can do for yourself and your work.
The Reddit angle is interesting - for its abject failure. As a social platform it is supposed to elevate the good comments as it builds the credibility of the posters. Being rated by your peers does not work if your peers are all clowns, at which point you should take a closer look in your mirror.
Taking it to 4chan would not have made a difference but it might have been more entertaining at least.
When Ive found myself cursing at a useless/crooked 'professional' business - lawyers, EAs amainly - Ive sat here brooding about ways I could fuck roaylly fuck them over.
It used to be stink bombs/hidden sardines.
These days, a small wireless ARM device deve - those gur plug things, or smething hanging off a USB dongle for power would do.
IT security? Why have expensive consultants when you a payd an agency cleaner NMW and they work out of office hours.
"These days, a small wireless ARM device deve - those gur plug things, or smething hanging off a USB dongle for power would do."
Like one of those powerline networking thingies. Just glue a small glass bottle on it with some yellow liquid in and slap an Airwick[1] logo on it.
[1] other plug-in air fresheners are available.
While on the subject of bugs (of the listening kind), it's always worth taking the time to appreciate the genius of Léon Theremin's "Thing" https://en.wikipedia.org/wiki/The_Thing_(listening_device) (presumably it has a better name in Russian).
Reminds me of working in security for a large corporate and came in one day to server room to get console on one of our test/monitoring servers as it had no remote access means by design, noticed our dedicated to security machines 47u rack in the lab dc had a linksys wifi ap plugged into the switch.
Asked the duty sysadmins what that was, and nobody knew, no asset tags, no records, not even racked properly just plonked on top of one of our boxes so promptly unplugged it and put it in desk drawer after a quick poke about revealed it had default creds and was allowing open wifi access to our isolated dc management network inside a security zone which required elevated access to do some of the things it did. Also alarming because even though we didn't have a route out for it to call home, its range easily reached to the break rooms and across site to the tech park diner with the right kit.
I heard nothing for ages then suddenly our "security penetration test expert" team sent their boss to sheepishly ask for their access point back as they needed it for another job. It wasn't my place to, but I did suggest to him that perhaps he might want to apply some config in case the next client wasn't asleep at the wheel and spotted it too...
Look, it's very simple:
The FBI is a domestic law enforcement organization with no legal powers outside the USA, so stop recommending people in Europe call them.
The people you need to talk to are the CIA.
Who already know because they put the Pi in your closet in the first place.
Allegedly.
I was working on a secure project and was sat in a caged data centre with access to some secure racks - and was working away. My colleague was remarking on how secure the place was - several locked/key/biometric doors, cages, etc and the fact we had to get clearence when he was interrupted mid-flow by a cleaner walking in to empty the bin..
I've never laughed so hard.
> when he was interrupted mid-flow by a cleaner walking in to empty the bin..
Pharmaceutical plants require both security and extreme hygiene. So when management of such a plant showed prospective buyers the plant, they were in a special corridor and only looking in through sealed and air tight windows, extolling the security and hygiene where people were wearing clean room suits. That is, until a security dude in security uniform walked in - with a guard dog.
There are many "invisible" people that somehow escape all clearances. Cleaners, security guards and electricians are in my experience regularly overlooked in these respects.
Some of cousins are cleaners. The ones who have proper security clearances* get paid a hell of a lot more than the ones who don't, and they tend to actually be security conscious.
If you're running a site, and you don't know the names of your cleaners, security guards, secretaries or EAs (and ideally their partners, kids etc) then you're doing it wrong. A kind word here and there, couple of gifts a year, and you'll be on top of all the company gossip.
I liked to slip it into the budget under "IT team building". Occasionally I'd get asked why I was buying whisky and gift vouchers with company funds....
* I'm not sure exactly what level they have, but the PTB did talk to pretty much every school teacher they had and every ex boyfriend...
This post has been deleted by its author
I thought at the start of the article that perhaps we were being called on to solve this mystery...
I'd got as far as:
* The perp. is probably > 6 years old.
And that's based on the fact that the Pi in question is one of the early ones that still has the single row of header pins near the yellow composite connector and has polly-fuses (that caused USB power problems) near the LEDs. And those ones only had 256MB of RAM too. These Pis were AFAIK only sold for a few months in 2012. Of those, some had Hynix RAM, and some (I believe most), like the one in the picture, had Samsung RAM.
I am wearing a deerstalker and smoking a pipe by the way!
Once upon a time we had two RasPi providing NTP at a CoLo as a fudge until we got some proper time appliances sorted. They worked much better than I expected. Once decommed I re-used one as my remote access solution from home using the Raspberry Pi Thin Client Project (Linky).
I expect I will still have log in details and remote access, hopefully still the phone number. might even keep the key.
There is a way to leave a job but still have access.
Especially as I may need to help.
11 years to go then I will finally have time to do the important things.
Especially when it's an IT person that's left. A place I was based in London used GSuite. Despite 2FA being on and set to "ask for your login credentials every 30 days" on whatever device you were on (their policy was poor, so you could login to GSuite on any device because they didn't enforce their policy). Despite that 2FA option being on, for some reason, on my account and the device I was using, it never asked for the 2FA again (I'm sure it's a bug in GSuite's 2FA system & cookie related). So for over a year I was still able to access my e-mail. By mistake of course due to Chrome remembering sessions.
Carried on until I cleared out the cookies on that machine. Now I get prompted for the password and I'm sure, if I tried, it would let me login.
...or a real pen test, I think in one of Kevin Mitnick's books, where they did actually apply to be a cleaner just to gain access to the building to get to the server room.
Server cabinets always have piss poor locks. They are easy to pick so I don't know why they even have locks.
Did some work on a power station some years back. It wasn't IT related, just temperature converters in cabinets.
The customer had been having trouble with people nicking the internal lamps, presumably for garages, lofts, etc. He insisted we fit padlocks to the enclosure doors, which was all very well and good but it did nothing to stop people unscrewing the bolts on the side panels and getting to the lamps that way.
Waves at Aberthaw power station
I came back to an old company to do some updates to an old app and noticed the database password was still the same. After 6 years.
Application passwords should probably also be regularly rotated, and software should therefore never hardcode them.
An ex employee who breaches your network (like in the article), might be able to siphon off complete databases otherwise.
Just tried my DDI desktop number for the company I left in 2004. It still works, and my company voicemail account still exists.
Like an earlier poster, I was downsized with no warning. When escorted to my desk to collect personal items prior to 'garden leave', I had intended to setup email auto-responses, email a few colleagues bye, and allocate responsibilities, instead I found I had been locked out of my corporate /desktop/ user account.
Bless, they had tried following 'best practice' of removing access (a little hasty, given the legal requirement to conduct 30/90 day discussion periods prior to redundancies). IT only managed IT... they didn't manage the 30,000+ devices present in the core... Or the telephones. I ported my company mobile to personal use, and for weeks after was getting customer calls demanding updates on outages, service issues, etc.
Its not just physical objects one can find.
Netware's NDS had a 'feature' that allowed one to create hidden superuser admin accounts. Ok, you needed to have admin rights to the root object to do so (but that was trivial enough if you didn't). First task in any role in a Netware shop at the time was to trawl the NDS for hidden objects, and hidden Admin-level accounts. And kill them.
I worked for a major bank that was until recently owned by the taxpayer (but not at the time of the incident). They had a policy that all on-call 3rd line support staff had an ISDN line installed despite the fact both I and the web published support apps were was quite happy to function through my own broadband. I tried the ISDN connection once then stuck to my home broadband.
I'm betting readers can see where this is going
I changed companies, leaving said financial institution. I then moved house, actually emailing my old boss to remind him that three months after I had left the company I still apparently had a working ISDN connection straight into their relatively insecure remote access solution (SFA but also for some insane reason had a web browser you could use without authenticating to browse t'internet) and that I was moving home.
About another three months after moving I got a panicky phone call from the new owners of the house.
"Did I know I'd left a working phone line that connected in to some financial institution?"
"Why yes I did, and I no longer worked there. Don't worry about it. I've already told them, it's not your problem nor is it mine. Feel free to rip it out."
Which I presume they did, as I then got a redirected mail to my old address informing me a BT engineer would be coming out to fix my company ISDN line.
I never did find out what happened after that.
Except said financial institution nearly went out of business. Presumably due to all the sub-prime ISDN lines they were still paying BT for.....