back to article I just love your accent – please, have a new password

Welcome to On Call, The Register's weekly dive into the mailbag of woe from those faced with recalcitrant users or, occasionally, an overly helpful operator. Today's story comes from a reader that the Reg's patented pseudoriser has called "Nick" and could be regarded as somewhat of a riposte to last week's Asset Tag …

  1. Korev Silver badge
    Joke

    It sounds like the Service Desk manager got off pretty much Scot-free

    1. Wellyboot Silver badge
      Facepalm

      +1 just for the cringe level

    2. steviebuk Silver badge

      I like the joke but also sounds like the service desk manager couldn't be bothered to do their job properly the "We'll recognise the voice" excuse, what if someone new starts?

      1. Anonymous South African Coward Bronze badge

        Company is small enough, and I do recognize voices plus we have caller-ID to allow password reset requests this way for a forgotten/locked domain account.

        Password requests for other systems is done via email.

        1. Trygve Henriksen

          Caller ID = Your routines suck!

          Caller ID just means someone needs to walk into an empty office and place the call from the phone there...

          There's also usually a doorsign giving him the victim's name, and if you're lucky, IT haven't stopped Windows from showing the signature of the last person to log in...

          1. phuzz Silver badge
            Unhappy

            Re: Caller ID = Your routines suck!

            "if you're lucky, IT haven't stopped Windows from showing the signature of the last person to log in"

            You can try and disable this, but then you have to put up with everyone in the company complaining that they have to type their username in everyday, and you'll have to roll it back as soon as the MD starts complaining.

            It's the 777 rule of security, if you make a system secure but difficult to use, then the users will make it insecure and useable.

            1. Stevie

              Re: Caller ID = Your routines suck!

              Oi!

              The clever young things in our Unix SA department finally got round to mounting an NFS drive with secured directories for the other admins to use when doing the various jobs they do across our little universe all to stop the need for people to have the root password for things like scp etc.

              Of course, it doesn’t work for all sorts of use cases, but I can get by using ssh/scp under my own DB admin account and transferring the relevant public keys hither and yon (cleaning up when I’m done of course).

              Except that the DB user account can’t access a directory set up inside my NFS directory unless I “777” it.

              Then I build a shell script “wizard” to do a complex job that the other DBAs do, each a little differently, each a little eccentric and not according to Hoyle. I put this in the “777”ed directory and let it be known that itbis available, then go on to use it on a couple of servers I know have a particularly nasty dose of eccentricity.

              Except.

              I can’t execute the damned thing from another server.

              So I get busy in places I can see but get frowned at by the clever young things when I look.

              Whaddaya know? The DBA master account has been built under different numeric user and group ids.

              So in order to use the NFS directory for what it was avowedly put in place for, I must “777” a commonly used directory, and “777” any files that I need to read, write or execute.

              All on Solaris, AIX, and RH Linux.

              Why in the name of Seymour Cray are we not using LDAP in this day and age you ask?

              No words exist in the languages of man, elf or ent for the reason. I know. I asked.

              1. Anonymous Coward
                Anonymous Coward

                Re: Caller ID = Your routines suck!

                You can add one of more new unix groups for sharing, if your system doesn't have ACL's.

                As for NFS, you can do userid, or better still, use the nfsuserd daemon.

                There is no legitimate reason to '777' a directory unless you really do want to give access to everyone with access to the server (for the pedants, yes you can safely 777 a directory if the parent isn't accessable, but that would serve no purpose).

                1. Stevie

                  Re: Caller ID = Your routines suck!

                  No, *I* can't. I would have to persuade one of the clever young things to do all that.

                  And they, bless 'em, can do no wrong and assume the problem is the old guy who doesn't know how proper computers work, not their lack of process or keeping up with IT advances since 1995.

                  And I have exactly the situation you lay out in your final paragraph, and it is extremely useful in the face of unremitting densness in the SA layer. It would just be more useful if the various accounts had been deployed with, ooh I dunno, a perl script. Coulda written it myself in an afternoon if they'd asked.

                  Now they use puppet, but they obviously don't use it right or we wouldn't have this horseshirt going on.

                  This is the same crew who can "clone" a server and have the new one's file systems look nothing like the old one's, and once had a production server go offline midmorning because one of them couldn't believe my numerous reports of files "changing types" (this was a good one; the contact man had himself set up the server in question and was righteously indignant that some old fart would dare to question his competence, but it turned out he had omitted to fsck the file system before laying a veritas volume over it).

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Caller ID = Your routines suck!

                    OK, I apologise - I assumed you had root.

                    I feel your pain though, I think we've all been there.

                    1. VikiAi
                      Devil

                      Re: Caller ID = Your routines suck!

                      The word you want is likely available in the black speech of Mordor.

              2. A.P. Veening Silver badge

                Re: Caller ID = Your routines suck!

                No words exist in the languages of man, elf or ent for the reason. I know. I asked.

                Did you try dwarf?

                1. Stevie

                  Re: Caller ID = Your routines suck!

                  I only speak enough lowland dwarf to say "Rum, and hold the rocks".

                2. CrazyOldCatMan Silver badge

                  Re: Caller ID = Your routines suck!

                  Did you try dwarf?

                  No-one speaks Dwarvish. Not even the Dwarves. They just pretend to in order to annoy the Elves..

                  (And let's not get into what the Hobbitses do in their burrows..)

              3. ShadowDragon8685

                Re: Caller ID = Your routines suck!

                So it's the Black Speech and Mordor IT, eh?

                Well, it's not all bad. Doing tech support for Sauron, you can absolutely just BOfH your bosses without any repercussions if you fancy their job/reckon their gross incompetence is imperiling the Dark Lord's plans.

            2. Robert Carnegie Silver badge

              Re: Caller ID = Your routines suck!

              I imagine I could live with typing my user name if it was, say, two characters. That would be enough for many organisations. Althoug× there are some combinations that you might prefer to avoid. BO for instance. IS is a bit sticky recently, I try to avoid calling "The Improvement Service" that. I think you don't want to know what I do call them...

              1. Anonymous Coward
                Anonymous Coward

                Re: Caller ID = Your routines suck!

                Here we have four letter user name, made up from initials and part of surnames.

                I've seen a Boob, Turd and a beer as user names

                1. DavCrav

                  Re: Caller ID = Your routines suck!

                  "I've seen a Boob, Turd and a beer as user names"

                  My previous place used the first six letters of the surname, followed by the first initial. Except for one person, whose abbreviation became 'nickers'.

                  1. Soruk

                    Re: Caller ID = Your routines suck!

                    We use <initial><surname>, or morre than one initial if we need to disambiguate.

                    We have a shart.

            3. ZenCoder
              Mushroom

              Re: Caller ID = Your routines suck!

              <quote>It's the 777 rule of security, if you make a system secure but difficult to use, then the users will make it insecure and useable.</quote>

              "for 15 years during the Cold War, the code meant to prevent unauthorized launching of the United States’ arsenal of Minuteman nuclear missiles was apparently 00000000.”

              OK that wouldn't have armed the warhead but it could have still triggered a retaliatory repose from the USSR.

            4. wjake
              WTF?

              Re: Caller ID = Your routines suck!

              Windows showing the user name of the last person to log in? Have never seen it where I work! Every morning I have to enter user name and password on the computer that only I use! So do the lowliest staff and the Director. What nonsense is this? Leaving my computer Locked is the only time I have ever seen a username displayed.

              1. Terry 6 Silver badge

                Re: Caller ID = Your routines suck!

                User name fields are often able to show previously typed entries - whether they were correct or not.

                And that means that they will also display passwords- when the user has accidentally typed it into the wrong space.

                So if the username field shows something totally unlike a username/very like a password, it's almost certainly a password. And the username that goes with it will usually be in the same list, of course.

          2. rcxb Silver badge

            Re: Caller ID = Your routines suck!

            Caller ID just means someone needs to walk into an empty office and place the call from the phone there...

            No worries. The phone will recognize when the wrong person has picked it up...

        2. d3vy

          "Company is small enough, and I do recognize voices plus we have caller-ID to allow password reset requests this way for a forgotten/locked domain account."

          >> Caller ID just means that

          a. They're at the persons desk.

          b. They have access to the persons phone and have redirected the number to you.

          c. They have managed to get a phone on your network to identify as belonging to someone else.*

          * How often do your users change the pin number on their phones? Ill bet its never and its still set to the default (last four digits of their number)

          "Password requests for other systems is done via email."

          >> Good thing that email is 100% secure and you cant just change the headers to make it look like someone else sent it....

          Jesus.

        3. Christoph

          Caller-ID proves whose phone is being used, not who is using it. Easy option for 'pranks' for the person at the next desk.

          1. Sgt_Oddball

            Bollocks to all of that...

            Used to be able to change the call id on the old Samsung ipx phones I used to manage from time to time. So long as you knew how to get into the manager screen I could get it to do most of lazy work renaming an extension.

            Or you know I could just swap the ethernet lines around. That works too.

        4. Anonymous Coward
          Anonymous Coward

          Control of email will get you most places.

          (My email address is being used as the backup for at least one person (not me). I get notified when they ask for password resets. So I could get into that account, then any that have that as recovery address... I wouldn't mind but they use the same typo when registering for ****ing websites )

      2. Terry 6 Silver badge

        Note too the dissonance.

        On one had the company is to large and spread out for face to face reset requests, On the other hand the service desk were expecting to recognise the disembodied voices of those same remote individuals.

        And to spell this out, if they aren't available for face to face password requests they aren't available to get their voices recognised.

      3. keithpeter Silver badge
        Windows

        University

        In a university somewhere in England a decade ago, the procedure for resetting a password for staff was

        1) Set up conference call with staff member, a manager who knows staff member and help desk operative, manger to be on internal phone book number or work mobile

        2) Manager to confirm identity of staff member from voice

        3) Password reset to a generic one involving staff reference number and sent to manager by email and set to change on first login

        The logic was "good enough for armed services, good enough for us"

        I only had to use it once. Not sure what they do now in these times of management by email

    3. Anonymous Coward
      Anonymous Coward

      I work for a large-ish company (5-figure headcount), the vast majority of its staff being Americans - I'm one of a small number of staff they have based in the UK. I recently had to ring the US-based helpdesk for a password reset. Once I'd explained who I was and what I wanted, the conversation went something like this:

      "OK, just for security I need you to confirm your Social Security number to me"

      Me: "Err, I'm British, I don't have one"

      "Oh yeah, off course, sorry. So please tell me what you'd like me to set your password to"

      1. Alan Brown Silver badge

        Me: "Err, I'm British, I don't have one"

        Not to mention that SSN's aren't secret anyway.

        1. Yes Me Silver badge

          Who needs the whole SSN?

          I happen to have an American SSN because I was a US taxpayer for a while. And I had (past tense) some US shares held by a US bank. When I sold them (by on-line request) they phoned me to confirm the wire transfer. Good, I thought. "What's your social?" they said. As I was walking along the street, I didn't have that number with me. "I can only remember the last two digits" I said. "OK, tell me" they said. That worked fine and they sent the money. To me, fortunately.

          Should they really have taken a 1% risk that I was just guessing or that it wasn't me?

  2. Anonymous South African Coward Bronze badge
    Happy

    And the mention of Scottish accents reminds me of the voice-activated scottish elevator skit.

    1. S4qFBxkFFg
      1. Loyal Commenter Silver badge

        The same episode has the rather excellent skit with the two guys on the rowing machines.

        Arsepiece!

    2. Anonymous Coward
      Anonymous Coward

      I once had the fun of helping somebody hook their mobile phone up to the hands-free system in an Aston Martin DB9. This process involves pressing about 3 buttons (with tedious voice prompts) and then speaking a voice command, "pair phone".

      The two of us tried all sorts of pronunciations in our native Scots accents. Fast, slow, high-pitched, low-pitched, clear_gaps_between_words etc etc. We'd all but given up on the stupid thing when I put on my best Del-Boy Trotter for a quick "peyah phaown", to be greeted by the cut-glass woman in the recording replying "pairing phone".

      There was much sighing, shaking of heads, and mutterings of "eleven"...

      1. paulf
        Thumb Up

        Reminds me of Miranda Hart doing that joke on her show about 10 years ago:

        Miranda battles with the automated operator - Miranda, Series 2 Episode 6 - BBC Two

        "Tee-ewes-day" "Not recognised"

        "Choosday init" "Did you say, Tuesday?"

      2. Doctor Syntax Silver badge

        I'm always puzzled by the fact that the makers of the hands-free in my car think there are a lot of customers with contacts with the surname Home pronounced Hume but that none of them have homes to go to.

        1. WonkoTheSane

          Mine keeps trying to send me to Hulme in Manchester.

          1. joeW

            You should try asking Google maps for directions here in Ireland. It doesn't do well with place-names that have a silent GH, or a BH that's pronounced V.

      3. smudge

        I once had the fun of helping somebody hook their mobile phone up to the hands-free system in an Aston Martin DB9. ...

        The two of us tried all sorts of pronunciations in our native Scots accents.

        Shurely a Sean Connery impershonishation would have done the trick?

        1. Anonymous Coward
          Anonymous Coward

          Sean Connery

          Believe it or not, we tried that too. Didn't work.

          I suspect Sir Sean has a cockney lackey specially to do his in-car phone pairing.

          I also suspect Aston Martin do a roaring trade with London City boys spending their bonuses...

        2. This post has been deleted by its author

      4. Anonymous Coward
        Anonymous Coward

        When using voice commands on Apple TV I sometimes, in desperation, use a schlock American accent.

        1. Anonymous Coward
          Anonymous Coward

          Dorset accent here - but John Wayne for dealing with Yankee waitresses!

      5. Dave314159ggggdffsdds Silver badge

        For some reason the best accent for speech recognition is comedy Bulga-Russian.

    3. Anonymous Coward
      Anonymous Coward

      Reminds me more of the Monty Python sketch where "Louis XIV" has a rather suspicious Glasgow accent.

  3. Anonymous Coward
    Anonymous Coward

    Stealing data

    A company I once worked for switched to GSuite as it will be "Cheaper than MS", it's not. "We want the business to go digital and use less onsite servers. Enjoy GSuite, upload all your documents to Google Drive and yes, as long as you've signed the paper that states your home PC has a password and anti-virus, then yes, you can access GSuite from home on your own PC". Ignoring the fact people would just claim their PC had a password and anti-virus even when not. And ignoring the point that "Some people don't keep their kit secure. This is a disaster waiting to happen when their unencrypted kit gets stolen".

    Warned them time and time again that there was no proper audit for GSuite when uploading documents to Google Drive. You could upload loads of docs you want to steal to Google Drive, then on your own PC install Google Drive for desktop. Connect that to your work Google Drive account and it would now sync and download all those documents, with no audit trail. No audit trail because in Googles notes, they stated they don't audit Google Drive for desktop.

    Warned over and over again about this MASSIVE flaw. All ignored. A director started in a certain section and only stayed for about a year, maybe not even that. All this time this person had enough time to steal loads of data via the way above. This is an assumption, I had no evidence (due to no audit) but it's a bit of a coincidence that once this person left, they started up a company in the very area that they used to work in at our company. I wonder if they used any stolen documents for that. Hmmm.

    1. macjules

      Re: Stealing data

      ITV perhaps? I was there when they decided that everyone should switch to G-Suite ... a complete and utter fiasco which resulted in the director responsible being escorted from the Grays Inn Road building.

      1. keithpeter Silver badge
        Windows

        Re: Stealing data

        What went wrong?

        I'm a clueless end user, just interested

        1. Anonymous South African Coward Bronze badge

          Re: Stealing data

          What went wrong?

          I'm a clueless end user, just interested

          Let's present you with a plausible scenario.

          Suppose my company manufacture some military-grade CPU's/hardware/aeroplanes/whatever and said documentation is on GSuite without any audit, then I can just download what I want, walk over to the enemy and sell it to them.

          A court of law will toss the evidence as there's absolutely no audit trial (they can't prove beyond any reasonable doubt that it was I who copied the data) and I won't get any free porridge.

          Ergo the same for IP theft, especially when it involves certain processes, methods etc that was researched at high expense in an R&D lab...

          1. Test Man

            Re: Stealing data

            Wow. My company switched to G Suite around 2012/2013 "cos it was cheaper than paying Microsoft for upgrades to the latest version of Office" (paraphrasing).

            We're still on it. But good point about the audit (lack of) of Google Drive (I'm assuming Backup and Sync is the same? Although it doesn't work with G Suite accounts, so I suppose I'm wondering if actually the same applies to Google Drive Sync).

            1. Anonymous Coward
              Anonymous Coward

              Re: Stealing data

              They've changed the name of it. I believe its Google Drive Sync and has same issue, but I could be wrong as I haven't checked in a while.

              What makes it worse is said director was involved in selling off certain bits of land under his control while there. Then when said director left to start up his own company, said bits of land he'd been involved in originally selling, he was now involved with developing via a 3rd party buyer. If that isn't bent as fuck, then I'm Jesus.

              1. JJKing
                Angel

                Re: Stealing data

                If that isn't bent as fuck, then I'm Jesus.

                I for one welcome our new Anonymous Coward Messiah.

              2. Slef

                Re: Stealing data

                That sounds like the Cabinet!

  4. Evil Harry
    Pint

    My last place introduced one of those automated password reset systems where you phoned up and spoke to a robot rather than a real person in order to save some cash. Before you used the facility, you had to calibrate it to your voice so for a few weeks, the office was full of people shouting "1 2 3 4 5 6" into their phones.

    The amusing thing was that the company had a large Scottish contingent with very heavy accents. The poor robot didn't really have much of chance of understanding them in the first place and even less so when the Scots got frustrated and started shouting at it.

    I wonder if there is a therapy centre somewhere for stressed out IVRs :D

    1. dak
      Headmaster

      Scottish accents are not "heavy" - they're just not the same as yours.

      In Scotland only the beer is heavy.

      And the rain.

      1. Anonymous Coward
        Coat

        heavy

        ... and perhaps the offence, when Sassenach prejudice is detected? Or indeed when ignorant forriners confuse you with the English?

        1. dak

          Re: heavy

          I can assure you that no-one has ever taken me for an English person. Irish, perhaps, and occasionally Australian, but never English.

          1. Franco Bronze badge

            Re: heavy

            I'm from Lanarkshire myself, and when I worked in Dundee was frequently asked what part of Ireland I'm from. Some of the Irish contingent even thought I was Irish.

        2. Chris G

          Re: heavy

          If voice recognition has problems with a Scottish accent, what does it do with Geordie?

          I worked with a Geordie mate for a couple of years and never fully understood him, his wife was a Brummie, when I told I had trouble understanding his accent she told me to just let him mumble on as that's what she did.

          1. veti Silver badge

            Re: heavy

            It's not necessarily the accent. Some people just mumble.

          2. ICPurvis47
            Boffin

            Re: heavy

            My eldest daughter has a very strong Rugby accent (eg I'll tek it oopstairs and mek it work). When she was at University in Bradford, she was always being accused of being a Brummie, which annoyed her intensely.

            1. Anonymous Coward
              Anonymous Coward

              Re: heavy

              Knew a guy in a supermarket I used to work at many moons ago. He was white & new (very relevant to the story). He was on the deli counter with a British black guy (Also very relevant to the story). I knew the British guys wife as she worked on same section and shift as me.

              She said (I've changed names) "Tim said he is going to put a complaint in about Luke. He said "he keeps doing a Caribbean accent. It's just because I'm black and he's being a racist dick"" She said to him "Tim do you know where Luke is from?. He said "No" I said Barbados, THAT'S why he's talking like that"

              :)

        3. Anonymous Coward
          Anonymous Coward

          Re: heavy

          Or a Pict mistaken for a Scot.

        4. Kiwi
          Terminator

          Re: heavy

          ... and perhaps the offence, when Sassenach prejudice is detected? Or indeed when ignorant forriners confuse you with the English?

          I learned that the hard way once. A very Bulshie woman whom I accidentally called "English".

          I think it took about a year before the casts came off.....

          Icon coz closest we have to Darth Vader - I nearly ended up "more machine than man" by the time she'd finished teaching me that you do NOT call Scots "English".

      2. Cederic Silver badge

        Scottish accents aren't all the same. There are light Scottish accents, lilting Scottish accents, soft Scottish accents and, trust me, some very heavy Scottish accents.

        I like the soft lilting ones myself, but that's a personal thing.

        1. jmch Silver badge
          Thumb Up

          Our science teacher had a lovely lilting Scottish accent, just the type you would expect from a very kind grandma

          1. Alien8n

            Still surprises a few people when I ask if they're from certain areas of Scotland or the North East. Lost my Geordie accent a very long time ago but can still pick out regional Geordie and metropolitan Scottish accents. To be fair it's not that hard to differentiate between Edinburgh and Glasgow.

            (Born in the North East with family from Motherwell, does wonders for being able to understand some of the accents from around there)

            1. Anonymous Coward
              Anonymous Coward

              Morningside accent is particularly identifiable :)

              (Born in SE England but with enough Scottish relatives from Glasgow, Fife, Aberdeen, Dundee and Forfar that my accent detector has fine tuning!)

            2. Anonymous Coward
              Anonymous Coward

              Well, I can go one better (or worse?) — I was born and bred in the south-west of England, and I live here once again. My own accent is, at best, a mush of southern English. However, my wife is Scottish, from Edinburgh (although the accent only shows when she's angry!). I now absolutely can tell Edinburgh from Glasgow (and from Aberdeen) accents because I value my life...

              A/C for blindingly obvious reasons, ye ken?

          2. Anonymous Coward
            Anonymous Coward

            Regional accents

            When I was at school, we had a Chemistry teacher who had a very strong southern welsh accent. His name was Mr. Tambini, apparently his parents had come over just before WW11 and settled in Swansea, where he grew up. We cruel bastards called him Wop Bach (but not to his face).

          3. MonkeyCee

            Scottish accent

            "Our science teacher had a lovely lilting Scottish accent, just the type you would expect from a very kind grandma"

            I had a lovely Scottish grandmother who was my statistics teacher in high school. This is in New Zealand, in a school with a lot of pacific island students (Samoan, Tongan etc). It was my second day there, so I didn't know everyone's name.

            Halfway through the stats class, one of the island boys was clowning around, and the teacher sighed, and said "Please sit down, fucker".

            Took me until the end of the week to find out the chaps name was Phuka.

            1. Unoriginal Handle

              Re: Scottish accent

              Gratuitous Billy Connolly sketch, because it mentions "effers" and it relies on a Scottish accent. Well, at least BC does...

              https://www.youtube.com/watch?reload=9&v=TmB170f4BR0

            2. Anonymous Coward
              Anonymous Coward

              Re: Scottish accent

              On a visit to NZ, I was informed that "wh" is pronounced "f", so Whakatane is spoken as " fuckatarny", and that movie they made a few years back would have to be referred to as "Fail Rider"..

              Juvenile humour, but hey.

              1. Kiwi
                Pint

                Re: Scottish accent

                On a visit to NZ, I was informed that "wh" is pronounced "f", so Whakatane is spoken as " fuckatarny", and that movie they made a few years back would have to be referred to as "Fail Rider"..

                Juvenile humour, but hey.

                Perhaps anyone here can help me? Is there anywhere else in the English language where "WH" is given a "F" or even "PH" sound?

                Years back one of the lady Maori MP's, when such debates were up a bit (possibly over Wanganui - not "Thong-a-newie" - in the case of that city it has always been W not F) commented "If the white man had meant 'F' then the white man would've written 'F'".

                From what I know of English pronunciation rules there is no other case where "WH=F" (we do have PH kinda=F etc). When the explorers/early settlers started writing down Maori, they wrote it using the English rules for pronunciation of the day (so that the Queen and others could learn how to pronounce the words correctly). I have been keeping an eye out for an answer for more than 20 years.

                So, in all honesty and desire for learning I ask - does anyone know of such an example, with citations?

                Thanks.

        2. Christoph

          And three possible languages - English, Scots, Gaelic.

        3. JJKing
          Coat

          Mmmm

          Scottish accents aren't all the same. There are light Scottish accents, lilting Scottish accents, soft Scottish accents and, trust me, some very heavy Scottish accents.

          Does that mean the ones working in the distilleries have a Scotch accent?

          Mine's the one with a bottle of the finest in each pocket.

        4. Anonymous Coward
          Anonymous Coward

          Staying at a pub in Thurso on a holiday to the UK...

          The landlord said he didnt trust the people from John O'Groats (maybe 25 km away?), because they "talked funny".

          I seem to recall a line from Good Omens (the book, havent seen the TV series yet) about the Scots, and their ancient and implacable enemies... the Scots...

      3. Kiwi

        In Scotland only the beer is heavy.

        And the rain.

        What? WHAT????

        Only a prissy little Englander would call that "heavy"! Over here (Kiwiland) it's a 'light drizzle' at most! Are you sure you're Scots?

    2. Cuddles
      Coat

      "Before you used the facility, you had to calibrate it to your voice so for a few weeks, the office was full of people shouting "1 2 3 4 5 6" into their phones."

      And that was after the calibration!

      1. John 110
        Facepalm

        That's the same as the password on my luggage!

        1. Alien8n

          The Luggage doesn't need a password, it's more than willing to eat anyone who tries to open it without permission...

    3. The Boojum

      It's in the same building in the Sirius system where they counsel redundant lifts thrown out of work when Gogrilla Mincefriend reinvented the staircase.

  5. macjules
    Paris Hilton

    A small MSP?

    ... he was working for a small MSP, which looked after a number of businesses

    Given the Scottish theme of the article I thought that might be a Member of the Scottish Parliament, Alex Salmond perhaps?

    1. Dabooka
      Pint

      Re: A small MSP?

      Very good sir!

    2. lybad

      Re: A small MSP?

      My daughter used to call him the fish man.

      Not helped by being replaced by a Sturgeon as leader of the party.

    3. dak

      Re: A small MSP?

      I reckoned Nicola Sturgeon - she's tiny!

      1. OssianScotland

        Re: A small MSP?

        They don't call her the Short Pretender for nothing....

        1. John 110

          Re: A small MSP?

          ...or at all

      2. Anonymous Coward
        Anonymous Coward

        Re: A small MSP?

        Apparently she hates being referred to as Wee Jimmy Crankie. Can't think why.

  6. chivo243 Silver badge
    Coat

    We're all friends here, aren't we?

    See title!

  7. Pascal Monett Silver badge

    I've been in small companies

    Obviously, if you have less than a dozen colleagues, yes, you do recognize their voice and password management is a rather informal thing. However, when you get to around fifty people, even if they are in the same building, any IT manager worth the name will have put a procedure in place and just voice recognition will not be considered enough.

    If you have enough employees to necessitate two or more buildings, then trusting a voice is simply insane. I now do consulting for several 1000+ sized companies and I can vouch for the fact that resetting passwords is a tad more secure then just accepting anyone's request.

    1. Anonymous Coward
      Anonymous Coward

      Re: I've been in small companies

      AC.. because of this tbh!

      We've thousands of employees. Our helpdesk does the basics of checks but even worse will hand out passwords to line managers to pass on if they can't get staff directly. This came up during a disciplinary when a line manager had been bullying someone and had accessed their e-mail to remove incriminating evidence.

      Our helpdesk manager said it was "standard practice, as per policy". Problem is it has never been in my policy for them to do that and I'd pointed this out to them repeatedly every time I consulted IT on the policy.

      Sometimes managers are so use to following a process that's been around historically that they assume it's backed up by policy, senior management etc. Particularly if that had been the case when they first started. You need to review these things regularly and do a sanity check on them.

      1. Evil Auditor Silver badge

        Re: I've been in small companies

        You need to review these things regularly and do a sanity check on them

        And run an (effective) awareness programme, I'd like to add.

        1. Anonymous Coward
          Anonymous Coward

          Re: I've been in small companies

          Personally I prefer awareness campaigns to online training, we create number posters, videos etc staff will see during their normal day, seems to sink in better than 1 hour a year on a specific topic.

          Also allows you to update it.

          1. Evil Auditor Silver badge

            Re: I've been in small companies

            AC, I couldn't agree more. On other subject matters we do such yearly online trainings to fulfil regulatory requirements. Done that, tick the box, and forgotten.

            Also with topics such as phishing, malware, you can have quite some fun with your target audience. And they're not going to forget anytime soon...

      2. Doctor Syntax Silver badge

        Re: I've been in small companies

        "You need to review these things regularly and do a sanity check on them."

        It's my view that a policy should include the statement of its rationale. It has the advantages of leading to a better understanding of its significance by those who have to follow it (senior management, is that you?) and aids periodic review.

  8. Inventor of the Marmite Laser Silver badge

    Reminds me of a repeated instances with my Human Remains idiots at my former employer, a very large French multinational offering everything from cable ties to data centres.

    Every so often we'd get emails requesting personal data. The requests all came out of the blue, always from some kind of outsourcing company specialising in that kind of activity (think managing driver licence ID records, etc). Every time the request email came through its header showed the originating email address fo an outside company, made no reference to my employer, and the only links presented for response or more information were to the websites of outside companies.

    The email address and each of the more info etc links were all via different URLs, so different in fact that they could each have been to separate organisations. The emails were often written by someone whose first language was obvously not English. All the indicators of a potential phishing trip, in fact.

    I raised the issue with our HR people and IT security people as if it was indeed an outright phishing scam and left it there.

    Took ages for anyone to come back to say it was kosher and then only to me.

    Nothing ever changed. There was never any corporate announcement to expect these emails and there was no change to the emails themselves

    Time after time after time.

    The irony was that pretty much each time this happened we'd have had the mandatory IT security refresher not long before.

    Glad I'm not there any more

    1. Doctor Syntax Silver badge

      "The irony was that pretty much each time this happened we'd have had the mandatory IT security refresher not long before."

      Was it irony or a test of the refresher training?

      1. Anonymous Coward
        Anonymous Coward

        I get emails at work asking to fill out surveys, log into websites, etc. Typically they're written in perfect English (no spelling or grammar mistakes). Which is how I know they're actually from my employer. I once researched the company and website that an emailed link went to, confirmed they were a legitimate company that hired itself out to try to trick employees into giving info to (fake) phishers, and thus reassured it was perfectly safe, clicked the link to see what the destination looked like. Got a talking to about "poor Information Security practices". I pointed out I knew it was safe, that I hadn't provided ANY information aside from the validity of my email address, and that if simply visiting a website was enough to compromise my computer, we had bigger problems than phishing. My response was not well received.

        I very rarely receive any phishing emails that AREN'T from my employer - and they're easily identified by the lack of proper English. The fake phishing emails are FAR more convincing than the real ones.

        1. Anonymous Coward
          Anonymous Coward

          You've never received any...... ?

          ... that you know of.

        2. Stevie

          phishing emails from my employer

          Agree.

          I get one almost every week demanding "status reports".

          I never answer them.

        3. Doctor Syntax Silver badge

          "I pointed out I knew it was safe, that I hadn't provided ANY information aside from the validity of my email address"

          And you see no problem in confirming it to a potential attacker?

      2. Imhotep

        Our company HR used to send out announcements along the line of: We have four free tickets to the <insert drug fueled band name> concert this Friday. Respond if you would like tickets.

        I'm convinced that's how they selected candidates for the random drug tests.

      3. Inventor of the Marmite Laser Silver badge

        I did check. The emails were definitely genuine. Human Remains simply couldn't be that subtle

        1. Doctor Syntax Silver badge

          I had a client who took security very seriously. At one stage they did use a business as described above to test staff although by means of phone calls. I fielded a few of those and replied pointing out that the first word of the company name was "Security" and that it meant what it said. AFAIK the staff came out of the test very well.

  9. Anonymous Coward
    Anonymous Coward

    Someone once raided my bank account by phoning them up and posing as me. Somehow they managed to get thru the "security" questions and made off with a fair bit of cash.

    I asked the fraud bod investigating if he'd heard the call recording and if the voice matched mine. I asked if it sounded like it came from "someone of a non-reflective disposition" and was completely unsurprised when he confirmed it did.

    The refund was pretty immediate.

    1. dak

      "a non-reflective disposition" ??

      1. UncleNick

        Consider how seeing an object depends on light being reflected from it's surface. Consider how its appearance would be altered as its level of reflectivity of incident light reduces...

        1. dak

          If what I think is being alluded to in the OP is what is actually being alluded to in the OP, then emissivity would probably be a better measure than reflectivity, although I do understand that it may not be easily understood by a helldesk operator.

        2. Anonymous Coward
          Anonymous Coward

          A dull person?

      2. Ochib

        A colour that doesn't reflect light.

        1. dak

          Anything that doesn't reflect light is invisible - I don't think that was what was meant.

          1. tony2heads

            doesn't reflect light

            vantablack is close

          2. Loyal Commenter Silver badge
            Boffin

            Anything that doesn't reflect light is invisible

            Only against a background that also doesn't reflect light.

            Only things that don't absorb, reflect or refract light are invisible, the closest you're likley to get are certain gel plastics that have a refractive index of almost exactly one, and seem to disappear when placed in water.

          3. HorseflySteve

            Not so. It would be visible against a reflective background. Light itself is invisble until it strikes a receiver...

      3. Doctor Syntax Silver badge

        "a non-reflective disposition"

        Salesman?

        1. Ken Hagan Gold badge

          I guessed "vampire" but perhaps that's just a different spelling.

          (And a big "Hi, there" to all my friends in sales...)

      4. imanidiot Silver badge

        He's using big words to say "shady person".

        1. lglethal Silver badge
          Trollface

          a shady person? Who makes phishing phone calls while standing in direct sunlight???

        2. Insert sadsack pun here

          No. He's using big words to say "dark-skinned person".

      5. shedied

        A nonreflective dis-whatever

        As in take a dim view of?

    2. Anonymous Coward
      Anonymous Coward

      From the original OP

      The expression being questiooned here dates back about 30 years to a company I once worked for.

      One of our field sales guys had dropped in to see a client. As well as his initial contact, who he knew well, he'd been given another name of someone, who might be useful, to see. He mentioned said name to his host, who was a litttle puzzled, as he didn't recognise the name. By way of winnowing down the likely suspects he asked the simple question: "Is he a reflector or a non-reflector?" apparently giving a necessaty nod to the then growing regime of political correctness.

      Said rep was somewhat amoused by the incident and remained sufficiently amused to recount the tale to us when he was next back in the office.

      Sadly the rep is no longer on this corporeal plane. His joviality and sense of humour is greatly missed.

  10. Anonymous Coward
    Anonymous Coward

    Training worked..

    Shortly after starting in Infosec I was punted to a training course at a large city with lots of bank HQs. Our training suite was directly across the road from the back entrance to one of these banks.

    Our instructor was a ballsy type, casually dressed, knew it all etc. He was a fantastic trainer and kept your attention even on long days at a whiteboard with intermittent demos. Each day he'd put a number up on the top left of the board.

    On the last day of our training he turned up wearing a suit, around 3PM he wrote another number up on the board, asked us to go to the window and promptly walked out. He crossed the road, approached the back door for the the bank and chatted to some staff who were outside smoking.

    He then went inside with one of them and turned up back in our room about 20 minutes later.

    He then wrote an 6th digit on the whiteboard and proclaimed - that's the code for that bank backdoor if anyone is interested. Apparently he'd been watching the staff enter the door all week and on the last day pretended to be a new start and rhymed off the first few digits - the staff told him the last one.

    1. DJO Silver badge

      Re: Training worked..

      There's a type of door lock with 5 vertical buttons, they all come out of the factory with the same default code and clear instuctions on how to change the code. When I see these in the wild I'll sometimes try the default and about 20% of the time it works.

  11. Anonymous Coward
    Anonymous Coward

    The best solution is getting people to email the request when they are locked out.

    1. I ain't Spartacus Gold badge

      My Mum works for a charity that I shall not name, to protect the guilty. Brought in as an outside consultant initially, after she'd retired. So works from home, but on a secure system.

      This requires VPN access. Which they couldn't set up for her unless she came into an office for it. Fair enough. However to be able to come into the office and have her pooter set up she'd need a network login (obviously). In order to have a network login she had to do three or four of those God-awful online training thingamijigs. The ones where the video crashes in between video bollocks and multiple-guess bollocks - and then makes you watch the whole pissing thing again before it will let you answer the stupidly easy questions you could have answered before you'd even seen it.

      In order to have access to the training vidoes she required, you've guessed it, VPN access.

      In order to get VPN access you had to...

      Now it's time to refer to either Catch 22 or Flanders & Swann

    2. Anonymous Coward
      Anonymous Coward

      "The best solution is getting people to email the request when they are locked out."

      Interesting alternative is for the new password to arrive only via email while user is locked out.

      Last year, some utter shitdesk moron did that to me. And I work for a big IT outsourcing company !

      1. MiguelC Silver badge
        Facepalm

        A colleague of mine had an helpdesk ticket about his phone not working closed because "they had called multiple times but he never answered"

        1. Stevie

          Closing tickets

          I had a ticket that kept getting closed.

          It was for a printer that had epicly paper jammed, then has some well-meaning person dismantle it to unjam it, but fail and then be unable to get the bits back together.

          The ticket would be closed with "user reports paper jam cleared" and I would re-open it with "*I* am the user and I reported no such thing. Send a technician to repair it". This went on for about three months.

          The ticket was closed with "Technician visited and could find no problem". I took photos of the dismantled printer, along with a close-up of the monumental paper jam still visible deep inside the printer's bowels, and attached them to the next re-opening along with "Here are some pictures of the printer as it was ten minutes ago. No technician visit has been logged to this floor in weeks. Please send real technician with working eyeballs to fix the printer".

          When the tech finally did get to look at it, he had to replace substantial amounts of the printer innards as they had worn out to the point that he was amazed it had managed two good sheets before trying to make a tree from the next one by compressing it into the fuser.

        2. TSM

          One time when I was away on leave but still logging in from time to time, I emailed the helpdesk saying "I can send email OK, but I'm not receiving any new email." They emailed me the description of the cause (which was that they'd migrated my mailbox to Office 365 while I was away) and the steps I needed to do to fix it, and were somewhat surprised when I sent in a text message a few days later saying "has anything been done about this? I'm still not getting my emails".

      2. Anonymous Coward
        Anonymous Coward

        ‘Last year, some utter shitdesk moron did that to me. And I work for a big IT outsourcing company !’. said the person who locked them selves out.

    3. vulture65537

      https://dilbert.com/strip/1995-11-27

    4. Anonymous Coward
      Anonymous Coward

      <it> The best solution is getting people to email the request when they are locked out. </it>

      You seem to work at my organisation. HR came up with a new process. The password recovery request had to be made via an Outlook form and it could only be done for oneself.

      My collegue was tasked to feed exchange with the new form and fell giigling from her chair.

      Abolutely no oxygene wasted on this process by HR.

      But the form was pleasing to the eye.

  12. That was MY joke

    Blossom Dearie

    New Scientist carried this report back in 1992:

    Blossom Dearie was in Australia and needed to transfer some money from her account at a London bank. She telephoned the bank from Australia and

    spoke with a clerk who said he could authorise the transaction only if she could name and describe at least one member of the London bank staff.

    She racked her brains but could not remember enough to satisfy the clerk. ‘But I can sing you eight bars of Sweet Georgie Fame,’ she offered. All

    right, said the clerk, who still had a battered copy of the song Blossom Dearie first recorded 25 years ago. She sang eight bars of the chorus down

    the line and the transaction sailed through.

    1. naylorjs

      Re: Blossom Dearie

      Bank security up until 2000 was quite lax in many ways. I had to transfer a sizeable amount of money (in the £1000s) from my UK account to my new Swiss account for the deposit on a flat.

      I phoned my UK bank, a major high street brand which still exists, and only had to confirm my name, UK address and account number and of course my Swiss account number for it to be transferred. I would sincerely hope that this wouldn't be possible now.

      The biggest issue was that my Swiss account number had a letter in it and full stops which caused no end of fun entering it into the system at the UK end.

    2. dak
      Joke

      Re: Blossom Dearie

      She was lucky when she called she didn't get a brrr, brrr, brrr, brrr busy line.

      (If puzzled, YouTube.)

  13. BigSLitleP

    Not just an expired password

    So while helping out on a service desk, a gent called up saying he was locked out of his account. I ran through a few verifications to make sure he was who he said he was. I took a look at his account and noticed the account hadn't locked out, it had expired. That was standard practice for time limited contractors, which this fellow was. Before activating, standard practice was to contact their manager to get a new expiry date.

    I called the guys manager and got told not to activate the account. The guys contract had come to an end and we weren't renewing it. The manager asked if i could "be a good chap and let him know". This was an internal service desk and I'd been with the company for quite some time. I was no mere hell desk monkey so I drew on my years of experience at the company and gave the HR approved response of "How about grow a backbone and tell him yourself?".

    The manager got put on my list of "low priority response".

  14. This post has been deleted by its author

  15. Giovani Tapini

    One place I worked used actors

    From time to time "social engineers" would be called into to phone staff and try to get information divulged. This was to ensure that sensitive information wasn't leaked by staff to people they shouldn't be. The idea being that for the most part, at least in the technical teams, we would know who was likely to be providing or asking for information and from which teams, and to do a bit of due diligence if you didn't know them. Leaking of information in some cases can cost a lot of fines or lives in some cases.

  16. Mog_X

    As seen (heard?) in Sneakers....

    “Hi, my name is Werner Brandes. My voice is my passport. Verify Me.”

    1. Stevie

      Re: As seen (heard?) in Sneakers....

      "Hello Vernon. You want to order a passport. Your passport has been ordered."

      As heard in Werner's office from his Alexa device.

  17. Anonymous Coward
    Anonymous Coward

    In the early days of the Internet access was hard to come by. Military, commercial and education could get in but personal access wasn't so easy.

    Luckily my employer had a connection and they also had a dial-in modem so I could dial from my remote office to the comms centre at the HQ and get internet access.

    When I left the company I continued to use it for quite a while until one day the dial-in modem didn't answer. I phoned the company's helpdesk and said "Hello! It's <name> here! The dial-in modem isn't answering and I can't get on the internet!"

    The helpdesk bod explained that they'd started to suspect that an ex-employee was dialing in and using it so they'd moved it to a new number. Then he very helpfully gave me the new number.

  18. SVV
    Happy

    Totally insecure

    In order to confirm the identity of the caller, the service desk should have insisted that they give their old password over the phone first. Once this had been checked against the username in the database, the new password should then have been delivered to the user on a piece of paper, so that they could keep it in their desk drawer in case they forgot it again in the future. This also prevents "hackers" from intercepting the link to the new password in an email.

    1. Terry 6 Silver badge
      Coat

      Re: Totally insecure

      or better, on a post-it note so that it can be placed straight on to the monitor.

      1. Alumoi Silver badge

        Re: Totally insecure

        That's not secure! Taped to the underside of the keyboard is much more secure.

  19. LateAgain

    Recorded helpdesk calls?

    In so many films the recording of a voice gets played back.

    I spot a flaw.

  20. LateAgain

    Voice recognition in a lift in Scotland

    https://www.youtube.com/watch?v=sAz_UvnUeuU

    (If the link doesna work just search for it)

  21. aregross
    Thumb Up

    Back when I was an IT Manager (an Army of One!) the COO and I came up with a rule that Password/Logon Moves/Adds/Changes could only come from HR (also and Army of One).

    Fixt!

  22. dnicholas

    I'm sorry, do I know you?

    My favourite line for this sort of thing

  23. JohnGrantNineTiles

    The last few paragraphs remind me of a friend who ran a B&B. Guest turns up on the doorstep expecting to stay. "But your secretary rang and cancelled the booking." "Oh. She doesn't work for us any more."

  24. kernelpickle

    I've absolutely refused sketchy requests

    Back when I provided support to folks in the medical field, I received an odd call one day that I almost performed the password reset for--but didn't quite pass the sniff test.

    The user that had called in asked me to reset his password, I verified the user by having him provide all the requisite information (month/day of birth, last 4 of SSN, etc...) but during the conversation, it came up that he was annoyed about having to reset his password while he was on vacation on the opposite coast. I assumed that he probably needed access to his email or something, and when I asked him to pull up the login screen from his device so that I could read off the temporary password and make sure he was able to login and reset--I found out that he didn't have his laptop, or any corporate (or even personal) device capable of reaching the login page which required Citrix to be installed.

    It was at that point, I was confused enough that I started asking follow-up questions while digging through the guy's previous tickets. The caller was a medical technician that had zero reason to log into anything remotely, since his job required direct contact with patients and a giant machine located at his work site. Upon investigation of the guy's previous tickets, I saw a previous call for a password reset and when I read the notes from the last agent that took the call, I saw the reason that nothing added up.

    The guy's manager had called up pretending to be the user, and thankfully my colleague refused to reset the guy's password, and when that happened the caller then owned up to the fact that he was the manager in hopes he could demand the reset from a position of authority--which the other agent didn't, and had informed the guy that only the actual user could initiate a reset and be provided with a temporary password.

    So, this guy's jerk of a boss decided that instead of following proper security protocols, and requesting access for each user that needed to perform this guy's job--that they'd all just use his credentials. Well, the guy apparently changed his password recently enough that the account got locked and when he called to reset the password, and we refused (because THAT was the right thing to do) he woke this poor guy up on his Honeymoon to annoy him with problems that weren't his--on top of that, the time he called was early morning 8:00 AM eastern time so the user on the opposite coast was being harassed at 5:00 AM with the time zone difference!

    After learning the truth about the whole situation, and confirming with management that if it didn't feel right to do it, that I shouldn't--and that they would back me when this guy complained. I told the user that given the circumstances, I can't knowingly reset his password when I know that it was being done to circumvent the security policy, and told him that his manager could suck it up and request access for himself or another user and we'd be happy to expedite it--but we wouldn't be resetting his password before he returned from his trip. I even made sure to reset the guys password to something random (that I made sure I couldn't remember and didn't write it down anywhere) and re-locked his account to make sure nobody could login. Made sure to leave notes for the next agent if the boss tried again, and instructed them not to do it either.

    I made sure to congratulate the guy on his nuptials, and told him to enjoy the rest of his vacation, because he was under no obligation to put up with his manager's nonsense, and that if his boss persisted, that he could instruct him to contact the Help Desk for assistance requesting his own access, and an in depth explanation of the security policy. When I told the caller that if someone screwed up, or did something shady while logged into his account, that he was the one liable--at which point he thanked me, and went on his merry way.

    Technically, the corporate policy said that I needed to reset that user's password, because he was able to verify his identity as the correct user--but I just couldn't do it in good conscience, because I didn't want to be the one in front of the firing squad if that manager did something stupid and I knowingly enabled it. Sure the employee would probably be the one fired for giving his credentials to his manager, but he was following orders, and I knew it was wrong--even if he didn't.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like