It sounds like the Service Desk manager got off pretty much Scot-free
I just love your accent – please, have a new password
Welcome to On Call, The Register's weekly dive into the mailbag of woe from those faced with recalcitrant users or, occasionally, an overly helpful operator. Today's story comes from a reader that the Reg's patented pseudoriser has called "Nick" and could be regarded as somewhat of a riposte to last week's Asset Tag …
COMMENTS
-
Friday 30th August 2019 11:25 GMT Trygve Henriksen
Caller ID = Your routines suck!
Caller ID just means someone needs to walk into an empty office and place the call from the phone there...
There's also usually a doorsign giving him the victim's name, and if you're lucky, IT haven't stopped Windows from showing the signature of the last person to log in...
-
Friday 30th August 2019 12:27 GMT phuzz
Re: Caller ID = Your routines suck!
"if you're lucky, IT haven't stopped Windows from showing the signature of the last person to log in"
You can try and disable this, but then you have to put up with everyone in the company complaining that they have to type their username in every day, and you'll have to roll it back as soon as the MD starts complaining.
It's the 777 rule of security, if you make a system secure but difficult to use, then the users will make it insecure and useable.
-
Friday 30th August 2019 13:07 GMT Stevie
Re: Caller ID = Your routines suck!
Oi!
The clever young things in our Unix SA department finally got round to mounting an NFS drive with secured directories for the other admins to use when doing the various jobs they do across our little universe all to stop the need for people to have the root password for things like scp etc.
Of course, it doesn’t work for all sorts of use cases, but I can get by using ssh/scp under my own DB admin account and transferring the relevant public keys hither and yon (cleaning up when I’m done of course).
Except that the DB user account can’t access a directory set up inside my NFS directory unless I “777” it.
Then I build a shell script “wizard” to do a complex job that the other DBAs do, each a little differently, each a little eccentric and not according to Hoyle. I put this in the “777”ed directory and let it be known that it is available, then go on to use it on a couple of servers I know have a particularly nasty dose of eccentricity.
Except.
I can’t execute the damned thing from another server.
So I get busy in places I can see but get frowned at by the clever young things when I look.
Whaddaya know? The DBA master account has been built under different numeric user and group ids.
So in order to use the NFS directory for what it was avowedly put in place for, I must “777” a commonly used directory, and “777” any files that I need to read, write or execute.
All on Solaris, AIX, and RH Linux.
Why in the name of Seymour Cray are we not using LDAP in this day and age you ask?
No words exist in the languages of man, elf or ent for the reason. I know. I asked.
-
Friday 30th August 2019 14:05 GMT Anonymous Coward
Re: Caller ID = Your routines suck!
You can add one or more new unix groups for sharing, if your system doesn't have ACLs.
As for NFS, you can do userid, or better still, use the nfsuserd daemon.
There is no legitimate reason to '777' a directory unless you really do want to give access to everyone with access to the server (for the pedants, yes you can safely 777 a directory if the parent isn't accessible, but that would serve no purpose).
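The root cause described in this sub-thread (one account name carrying different numeric user and group ids on different servers, worked around by "777") and the group-based alternative suggested above can both be checked from a shell. This is an added example, not part of the original comments; the host names, the account names `dbadmin` and `dba1`, and the passwd lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# With classic AUTH_SYS NFS the server checks the numeric uid/gid sent by the
# client, not the account name, so "dbadmin" must map to the same numbers on
# every host that mounts the share.

# Constructed sample: "host:passwd-line" records, as they might be gathered
# by running `getent passwd` on each server and prefixing the host name.
sample_passwd() {
cat <<'EOF'
solaris01:dbadmin:x:1001:200:DB admin:/export/home/dbadmin:/bin/ksh
aix01:dbadmin:x:1001:200:DB admin:/home/dbadmin:/bin/ksh
rhel01:dbadmin:x:5012:5012:DB admin:/home/dbadmin:/bin/bash
solaris01:dba1:x:2040:200:DBA one:/export/home/dba1:/bin/ksh
aix01:dba1:x:2040:200:DBA one:/home/dba1:/bin/ksh
rhel01:dba1:x:2040:200:DBA one:/home/dba1:/bin/bash
EOF
}

# Read host:passwd records on stdin; print one line for every account whose
# uid:gid pair is not identical on all hosts, with the value seen per host.
find_id_mismatches() {
    awk -F: '
    {
        host = $1; user = $2; id = $4 ":" $5
        if (!(user in first))        first[user] = id
        else if (first[user] != id)  bad[user] = 1
        seen[user] = seen[user] " " host "=" id
    }
    END { for (u in bad) print u ":" seen[u] }' | sort
}

# List directories and files under $1 that are world-writable and lack the
# sticky bit, i.e. the residue of a "777 it until it works" fix.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 ! -perm -1000 -print | sort
}

# The alternative to 777: a directory owned by a shared group ($2) with the
# setgid bit, so new files inherit the group and "other" gets no access.
make_group_share() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Demo on the constructed data: only dbadmin is reported.
sample_passwd | find_id_mismatches
```

`make_group_share` only helps once the numeric gid of the shared group is the same on every client, which is exactly what `find_id_mismatches` checks for the account's primary group.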
-
Friday 30th August 2019 14:52 GMT Stevie
Re: Caller ID = Your routines suck!
No, *I* can't. I would have to persuade one of the clever young things to do all that.
And they, bless 'em, can do no wrong and assume the problem is the old guy who doesn't know how proper computers work, not their lack of process or keeping up with IT advances since 1995.
And I have exactly the situation you lay out in your final paragraph, and it is extremely useful in the face of unremitting denseness in the SA layer. It would just be more useful if the various accounts had been deployed with, ooh I dunno, a perl script. Coulda written it myself in an afternoon if they'd asked.
Now they use puppet, but they obviously don't use it right or we wouldn't have this horseshirt going on.
This is the same crew who can "clone" a server and have the new one's file systems look nothing like the old one's, and once had a production server go offline midmorning because one of them couldn't believe my numerous reports of files "changing types" (this was a good one; the contact man had himself set up the server in question and was righteously indignant that some old fart would dare to question his competence, but it turned out he had omitted to fsck the file system before laying a veritas volume over it).
-
Monday 2nd September 2019 12:49 GMT ShadowDragon8685
Re: Caller ID = Your routines suck!
So it's the Black Speech and Mordor IT, eh?
Well, it's not all bad. Doing tech support for Sauron, you can absolutely just BOfH your bosses without any repercussions if you fancy their job/reckon their gross incompetence is imperiling the Dark Lord's plans.
-
Friday 30th August 2019 17:40 GMT Robert Carnegie
Re: Caller ID = Your routines suck!
I imagine I could live with typing my user name if it was, say, two characters. That would be enough for many organisations. Although there are some combinations that you might prefer to avoid. BO for instance. IS is a bit sticky recently, I try to avoid calling "The Improvement Service" that. I think you don't want to know what I do call them...
-
Saturday 31st August 2019 18:13 GMT ZenCoder
Re: Caller ID = Your routines suck!
"It's the 777 rule of security, if you make a system secure but difficult to use, then the users will make it insecure and useable."
"for 15 years during the Cold War, the code meant to prevent unauthorized launching of the United States’ arsenal of Minuteman nuclear missiles was apparently 00000000.”
OK that wouldn't have armed the warhead but it could have still triggered a retaliatory response from the USSR.
-
Sunday 1st September 2019 11:24 GMT wjake
Re: Caller ID = Your routines suck!
Windows showing the user name of the last person to log in? Have never seen it where I work! Every morning I have to enter user name and password on the computer that only I use! So do the lowliest staff and the Director. What nonsense is this? Leaving my computer Locked is the only time I have ever seen a username displayed.
-
Sunday 1st September 2019 19:23 GMT Terry 6
Re: Caller ID = Your routines suck!
User name fields are often able to show previously typed entries - whether they were correct or not.
And that means that they will also display passwords- when the user has accidentally typed it into the wrong space.
So if the username field shows something totally unlike a username/very like a password, it's almost certainly a password. And the username that goes with it will usually be in the same list, of course.
-
Friday 30th August 2019 13:44 GMT d3vy
"Company is small enough, and I do recognize voices plus we have caller-ID to allow password reset requests this way for a forgotten/locked domain account."
>> Caller ID just means that
a. They're at the person's desk.
b. They have access to the person's phone and have redirected the number to you.
c. They have managed to get a phone on your network to identify as belonging to someone else.*
* How often do your users change the pin number on their phones? I'll bet it's never and it's still set to the default (last four digits of their number)
"Password requests for other systems is done via email."
>> Good thing that email is 100% secure and you can't just change the headers to make it look like someone else sent it....
Jesus.
-
Saturday 31st August 2019 09:07 GMT Sgt_Oddball
Bollocks to all of that...
Used to be able to change the call id on the old Samsung ipx phones I used to manage from time to time. So long as you knew how to get into the manager screen I could get it to do most of the lazy work renaming an extension.
Or you know I could just swap the ethernet lines around. That works too.
-
Friday 30th August 2019 22:20 GMT Anonymous Coward
Control of email will get you most places.
(My email address is being used as the backup for at least one person (not me). I get notified when they ask for password resets. So I could get into that account, then any that have that as recovery address... I wouldn't mind but they use the same typo when registering for ****ing websites )
-
Friday 30th August 2019 09:25 GMT Terry 6
Note too the dissonance.
On one hand the company is too large and spread out for face to face reset requests. On the other hand the service desk were expecting to recognise the disembodied voices of those same remote individuals.
And to spell this out, if they aren't available for face to face password requests they aren't available to get their voices recognised.
-
Friday 30th August 2019 10:48 GMT keithpeter
University
In a university somewhere in England a decade ago, the procedure for resetting a password for staff was
1) Set up conference call with staff member, a manager who knows staff member and help desk operative, manager to be on internal phone book number or work mobile
2) Manager to confirm identity of staff member from voice
3) Password reset to a generic one involving staff reference number and sent to manager by email and set to change on first login
The logic was "good enough for armed services, good enough for us"
I only had to use it once. Not sure what they do now in these times of management by email
-
Friday 30th August 2019 15:10 GMT Anonymous Coward
I work for a large-ish company (5-figure headcount), the vast majority of its staff being Americans - I'm one of a small number of staff they have based in the UK. I recently had to ring the US-based helpdesk for a password reset. Once I'd explained who I was and what I wanted, the conversation went something like this:
"OK, just for security I need you to confirm your Social Security number to me"
Me: "Err, I'm British, I don't have one"
"Oh yeah, of course, sorry. So please tell me what you'd like me to set your password to"
-
Friday 30th August 2019 22:55 GMT Yes Me
Who needs the whole SSN?
I happen to have an American SSN because I was a US taxpayer for a while. And I had (past tense) some US shares held by a US bank. When I sold them (by on-line request) they phoned me to confirm the wire transfer. Good, I thought. "What's your social?" they said. As I was walking along the street, I didn't have that number with me. "I can only remember the last two digits" I said. "OK, tell me" they said. That worked fine and they sent the money. To me, fortunately.
Should they really have taken a 1% risk that I was just guessing or that it wasn't me?
-
Friday 30th August 2019 08:44 GMT S4qFBxkFFg
For those unfamiliar: https://www.google.com/search?q=burnistoun+eleven
-
Friday 30th August 2019 10:06 GMT Anonymous Coward
I once had the fun of helping somebody hook their mobile phone up to the hands-free system in an Aston Martin DB9. This process involves pressing about 3 buttons (with tedious voice prompts) and then speaking a voice command, "pair phone".
The two of us tried all sorts of pronunciations in our native Scots accents. Fast, slow, high-pitched, low-pitched, clear_gaps_between_words etc etc. We'd all but given up on the stupid thing when I put on my best Del-Boy Trotter for a quick "peyah phaown", to be greeted by the cut-glass woman in the recording replying "pairing phone".
There was much sighing, shaking of heads, and mutterings of "eleven"...
-
Friday 30th August 2019 10:57 GMT paulf
Reminds me of Miranda Hart doing that joke on her show about 10 years ago:
Miranda battles with the automated operator - Miranda, Series 2 Episode 6 - BBC Two
"Tee-ewes-day" "Not recognised"
"Choosday init" "Did you say, Tuesday?"
-
Friday 30th August 2019 08:15 GMT Anonymous Coward
Stealing data
A company I once worked for switched to GSuite as it will be "Cheaper than MS", it's not. "We want the business to go digital and use less onsite servers. Enjoy GSuite, upload all your documents to Google Drive and yes, as long as you've signed the paper that states your home PC has a password and anti-virus, then yes, you can access GSuite from home on your own PC". Ignoring the fact people would just claim their PC had a password and anti-virus even when not. And ignoring the point that "Some people don't keep their kit secure. This is a disaster waiting to happen when their unencrypted kit gets stolen".
Warned them time and time again that there was no proper audit for GSuite when uploading documents to Google Drive. You could upload loads of docs you want to steal to Google Drive, then on your own PC install Google Drive for desktop. Connect that to your work Google Drive account and it would now sync and download all those documents, with no audit trail. No audit trail because in Google's notes, they stated they don't audit Google Drive for desktop.
Warned over and over again about this MASSIVE flaw. All ignored. A director started in a certain section and only stayed for about a year, maybe not even that. All this time this person had enough time to steal loads of data via the way above. This is an assumption, I had no evidence (due to no audit) but it's a bit of a coincidence that once this person left, they started up a company in the very area that they used to work in at our company. I wonder if they used any stolen documents for that. Hmmm.
-
Friday 30th August 2019 12:00 GMT Anonymous South African Coward
Re: Stealing data
What went wrong?
I'm a clueless end user, just interested
Let's present you with a plausible scenario.
Suppose my company manufacture some military-grade CPUs/hardware/aeroplanes/whatever and said documentation is on GSuite without any audit, then I can just download what I want, walk over to the enemy and sell it to them.
A court of law will toss the evidence as there's absolutely no audit trail (they can't prove beyond any reasonable doubt that it was I who copied the data) and I won't get any free porridge.
Ergo the same for IP theft, especially when it involves certain processes, methods etc that was researched at high expense in an R&D lab...
-
Friday 30th August 2019 20:22 GMT Test Man
Re: Stealing data
Wow. My company switched to G Suite around 2012/2013 "cos it was cheaper than paying Microsoft for upgrades to the latest version of Office" (paraphrasing).
We're still on it. But good point about the audit (lack of) of Google Drive (I'm assuming Backup and Sync is the same? Although it doesn't work with G Suite accounts, so I suppose I'm wondering if actually the same applies to Google Drive Sync).
-
Saturday 31st August 2019 06:24 GMT Anonymous Coward
Re: Stealing data
They've changed the name of it. I believe it's Google Drive Sync and has same issue, but I could be wrong as I haven't checked in a while.
What makes it worse is said director was involved in selling off certain bits of land under his control while there. Then when said director left to start up his own company, said bits of land he'd been involved in originally selling, he was now involved with developing via a 3rd party buyer. If that isn't bent as fuck, then I'm Jesus.
-
Friday 30th August 2019 08:18 GMT Evil Harry
My last place introduced one of those automated password reset systems where you phoned up and spoke to a robot rather than a real person in order to save some cash. Before you used the facility, you had to calibrate it to your voice so for a few weeks, the office was full of people shouting "1 2 3 4 5 6" into their phones.
The amusing thing was that the company had a large Scottish contingent with very heavy accents. The poor robot didn't really have much of a chance of understanding them in the first place and even less so when the Scots got frustrated and started shouting at it.
I wonder if there is a therapy centre somewhere for stressed out IVRs :D
-
Friday 30th August 2019 18:16 GMT Chris G
Re: heavy
If voice recognition has problems with a Scottish accent, what does it do with Geordie?
I worked with a Geordie mate for a couple of years and never fully understood him, his wife was a Brummie, when I told her I had trouble understanding his accent she told me to just let him mumble on as that's what she did.
-
Monday 2nd September 2019 12:34 GMT Anonymous Coward
Re: heavy
Knew a guy in a supermarket I used to work at many moons ago. He was white & new (very relevant to the story). He was on the deli counter with a British black guy (Also very relevant to the story). I knew the British guy's wife as she worked on same section and shift as me.
She said (I've changed names) "Tim said he is going to put a complaint in about Luke. He said "he keeps doing a Caribbean accent. It's just because I'm black and he's being a racist dick"" She said to him "Tim do you know where Luke is from?. He said "No" I said Barbados, THAT'S why he's talking like that"
:)
-
Saturday 31st August 2019 07:26 GMT Kiwi
Re: heavy
... and perhaps the offence, when Sassenach prejudice is detected? Or indeed when ignorant forriners confuse you with the English?
I learned that the hard way once. A very Bolshie woman whom I accidentally called "English".
I think it took about a year before the casts came off.....
Icon coz closest we have to Darth Vader - I nearly ended up "more machine than man" by the time she'd finished teaching me that you do NOT call Scots "English".
-
Friday 30th August 2019 11:16 GMT Alien8n
Still surprises a few people when I ask if they're from certain areas of Scotland or the North East. Lost my Geordie accent a very long time ago but can still pick out regional Geordie and metropolitan Scottish accents. To be fair it's not that hard to differentiate between Edinburgh and Glasgow.
(Born in the North East with family from Motherwell, does wonders for being able to understand some of the accents from around there)
-
Saturday 31st August 2019 14:35 GMT Anonymous Coward
Well, I can go one better (or worse?) — I was born and bred in the south-west of England, and I live here once again. My own accent is, at best, a mush of southern English. However, my wife is Scottish, from Edinburgh (although the accent only shows when she's angry!). I now absolutely can tell Edinburgh from Glasgow (and from Aberdeen) accents because I value my life...
A/C for blindingly obvious reasons, ye ken?
-
Sunday 1st September 2019 10:16 GMT Anonymous Coward
Regional accents
When I was at school, we had a Chemistry teacher who had a very strong southern Welsh accent. His name was Mr. Tambini, apparently his parents had come over just before WWII and settled in Swansea, where he grew up. We cruel bastards called him Wop Bach (but not to his face).
-
Monday 2nd September 2019 05:32 GMT MonkeyCee
Scottish accent
"Our science teacher had a lovely lilting Scottish accent, just the type you would expect from a very kind grandma"
I had a lovely Scottish grandmother who was my statistics teacher in high school. This is in New Zealand, in a school with a lot of pacific island students (Samoan, Tongan etc). It was my second day there, so I didn't know everyone's name.
Halfway through the stats class, one of the island boys was clowning around, and the teacher sighed, and said "Please sit down, fucker".
Took me until the end of the week to find out the chap's name was Phuka.
-
Saturday 7th September 2019 01:57 GMT Kiwi
Re: Scottish accent
On a visit to NZ, I was informed that "wh" is pronounced "f", so Whakatane is spoken as " fuckatarny", and that movie they made a few years back would have to be referred to as "Fail Rider"..
Juvenile humour, but hey.
Perhaps anyone here can help me? Is there anywhere else in the English language where "WH" is given a "F" or even "PH" sound?
Years back one of the lady Maori MPs, when such debates were up a bit (possibly over Wanganui - not "Thong-a-newie" - in the case of that city it has always been W not F) commented "If the white man had meant 'F' then the white man would've written 'F'".
From what I know of English pronunciation rules there is no other case where "WH=F" (we do have PH kinda=F etc). When the explorers/early settlers started writing down Maori, they wrote it using the English rules for pronunciation of the day (so that the Queen and others could learn how to pronounce the words correctly). I have been keeping an eye out for an answer for more than 20 years.
So, in all honesty and desire for learning I ask - does anyone know of such an example, with citations?
Thanks.
-
Sunday 1st September 2019 16:25 GMT JJKing
Mmmm
Scottish accents aren't all the same. There are light Scottish accents, lilting Scottish accents, soft Scottish accents and, trust me, some very heavy Scottish accents.
Does that mean the ones working in the distilleries have a Scotch accent?
Mine's the one with a bottle of the finest in each pocket.
-
Wednesday 4th September 2019 03:53 GMT Anonymous Coward
Staying at a pub in Thurso on a holiday to the UK...
The landlord said he didn't trust the people from John O'Groats (maybe 25 km away?), because they "talked funny".
I seem to recall a line from Good Omens (the book, haven't seen the TV series yet) about the Scots, and their ancient and implacable enemies... the Scots...
-
Friday 30th August 2019 08:28 GMT Pascal Monett
I've been in small companies
Obviously, if you have less than a dozen colleagues, yes, you do recognize their voice and password management is a rather informal thing. However, when you get to around fifty people, even if they are in the same building, any IT manager worth the name will have put a procedure in place and just voice recognition will not be considered enough.
If you have enough employees to necessitate two or more buildings, then trusting a voice is simply insane. I now do consulting for several 1000+ sized companies and I can vouch for the fact that resetting passwords is a tad more secure than just accepting anyone's request.
-
Friday 30th August 2019 10:09 GMT Anonymous Coward
Re: I've been in small companies
AC.. because of this tbh!
We've thousands of employees. Our helpdesk does the basics of checks but even worse will hand out passwords to line managers to pass on if they can't get staff directly. This came up during a disciplinary when a line manager had been bullying someone and had accessed their e-mail to remove incriminating evidence.
Our helpdesk manager said it was "standard practice, as per policy". Problem is it has never been in my policy for them to do that and I'd pointed this out to them repeatedly every time I consulted IT on the policy.
Sometimes managers are so used to following a process that's been around historically that they assume it's backed up by policy, senior management etc. Particularly if that had been the case when they first started. You need to review these things regularly and do a sanity check on them.
-
Friday 30th August 2019 19:45 GMT Evil Auditor
Re: I've been in small companies
AC, I couldn't agree more. On other subject matters we do such yearly online trainings to fulfil regulatory requirements. Done that, tick the box, and forgotten.
Also with topics such as phishing, malware, you can have quite some fun with your target audience. And they're not going to forget anytime soon...
-
Friday 30th August 2019 11:55 GMT Doctor Syntax
Re: I've been in small companies
"You need to review these things regularly and do a sanity check on them."
It's my view that a policy should include the statement of its rationale. It has the advantages of leading to a better understanding of its significance by those who have to follow it (senior management, is that you?) and aids periodic review.
-
Friday 30th August 2019 08:38 GMT Inventor of the Marmite Laser
Reminds me of repeated instances with my Human Remains idiots at my former employer, a very large French multinational offering everything from cable ties to data centres.
Every so often we'd get emails requesting personal data. The requests all came out of the blue, always from some kind of outsourcing company specialising in that kind of activity (think managing driver licence ID records, etc). Every time the request email came through its header showed the originating email address of an outside company, made no reference to my employer, and the only links presented for response or more information were to the websites of outside companies.
The email address and each of the more info etc links were all via different URLs, so different in fact that they could each have been to separate organisations. The emails were often written by someone whose first language was obviously not English. All the indicators of a potential phishing trip, in fact.
I raised the issue with our HR people and IT security people as if it was indeed an outright phishing scam and left it there.
Took ages for anyone to come back to say it was kosher and then only to me.
Nothing ever changed. There was never any corporate announcement to expect these emails and there was no change to the emails themselves
Time after time after time.
The irony was that pretty much each time this happened we'd have had the mandatory IT security refresher not long before.
Glad I'm not there any more
-
Friday 30th August 2019 12:37 GMT Anonymous Coward
I get emails at work asking to fill out surveys, log into websites, etc. Typically they're written in perfect English (no spelling or grammar mistakes). Which is how I know they're actually from my employer. I once researched the company and website that an emailed link went to, confirmed they were a legitimate company that hired itself out to try to trick employees into giving info to (fake) phishers, and thus reassured it was perfectly safe, clicked the link to see what the destination looked like. Got a talking to about "poor Information Security practices". I pointed out I knew it was safe, that I hadn't provided ANY information aside from the validity of my email address, and that if simply visiting a website was enough to compromise my computer, we had bigger problems than phishing. My response was not well received.
I very rarely receive any phishing emails that AREN'T from my employer - and they're easily identified by the lack of proper English. The fake phishing emails are FAR more convincing than the real ones.
-
Saturday 31st August 2019 09:47 GMT Doctor Syntax
I had a client who took security very seriously. At one stage they did use a business as described above to test staff although by means of phone calls. I fielded a few of those and replied pointing out that the first word of the company name was "Security" and that it meant what it said. AFAIK the staff came out of the test very well.
-
Friday 30th August 2019 08:47 GMT Anonymous Coward
Someone once raided my bank account by phoning them up and posing as me. Somehow they managed to get thru the "security" questions and made off with a fair bit of cash.
I asked the fraud bod investigating if he'd heard the call recording and if the voice matched mine. I asked if it sounded like it came from "someone of a non-reflective disposition" and was completely unsurprised when he confirmed it did.
The refund was pretty immediate.
-
Friday 30th August 2019 11:49 GMT Loyal Commenter
Anything that doesn't reflect light is invisible
Only against a background that also doesn't reflect light.
Only things that don't absorb, reflect or refract light are invisible, the closest you're likely to get are certain gel plastics that have a refractive index of almost exactly one, and seem to disappear when placed in water.
-
Friday 30th August 2019 14:26 GMT Anonymous Coward
From the original OP
The expression being questioned here dates back about 30 years to a company I once worked for.
One of our field sales guys had dropped in to see a client. As well as his initial contact, who he knew well, he'd been given another name of someone, who might be useful, to see. He mentioned said name to his host, who was a little puzzled, as he didn't recognise the name. By way of winnowing down the likely suspects he asked the simple question: "Is he a reflector or a non-reflector?" apparently giving a necessary nod to the then growing regime of political correctness.
Said rep was somewhat amused by the incident and remained sufficiently amused to recount the tale to us when he was next back in the office.
Sadly the rep is no longer on this corporeal plane. His joviality and sense of humour is greatly missed.
-
Friday 30th August 2019 09:22 GMT Anonymous Coward
Training worked..
Shortly after starting in Infosec I was punted to a training course at a large city with lots of bank HQs. Our training suite was directly across the road from the back entrance to one of these banks.
Our instructor was a ballsy type, casually dressed, knew it all etc. He was a fantastic trainer and kept your attention even on long days at a whiteboard with intermittent demos. Each day he'd put a number up on the top left of the board.
On the last day of our training he turned up wearing a suit, around 3PM he wrote another number up on the board, asked us to go to the window and promptly walked out. He crossed the road, approached the back door for the bank and chatted to some staff who were outside smoking.
He then went inside with one of them and turned up back in our room about 20 minutes later.
He then wrote a 6th digit on the whiteboard and proclaimed - that's the code for that bank backdoor if anyone is interested. Apparently he'd been watching the staff enter the door all week and on the last day pretended to be a new start and rhymed off the first few digits - the staff told him the last one.
-
Friday 30th August 2019 10:38 GMT I ain't Spartacus
My Mum works for a charity that I shall not name, to protect the guilty. Brought in as an outside consultant initially, after she'd retired. So works from home, but on a secure system.
This requires VPN access. Which they couldn't set up for her unless she came into an office for it. Fair enough. However to be able to come into the office and have her pooter set up she'd need a network login (obviously). In order to have a network login she had to do three or four of those God-awful online training thingamijigs. The ones where the video crashes in between video bollocks and multiple-guess bollocks - and then makes you watch the whole pissing thing again before it will let you answer the stupidly easy questions you could have answered before you'd even seen it.
In order to have access to the training videos she required, you've guessed it, VPN access.
In order to get VPN access you had to...
Now it's time to refer to either Catch 22 or Flanders & Swann
-
Friday 30th August 2019 15:07 GMT Stevie
Closing tickets
I had a ticket that kept getting closed.
It was for a printer that had epically paper jammed, then had some well-meaning person dismantle it to unjam it, but fail and then be unable to get the bits back together.
The ticket would be closed with "user reports paper jam cleared" and I would re-open it with "*I* am the user and I reported no such thing. Send a technician to repair it". This went on for about three months.
The ticket was closed with "Technician visited and could find no problem". I took photos of the dismantled printer, along with a close-up of the monumental paper jam still visible deep inside the printer's bowels, and attached them to the next re-opening along with "Here are some pictures of the printer as it was ten minutes ago. No technician visit has been logged to this floor in weeks. Please send real technician with working eyeballs to fix the printer".
When the tech finally did get to look at it, he had to replace substantial amounts of the printer innards as they had worn out to the point that he was amazed it had managed two good sheets before trying to make a tree from the next one by compressing it into the fuser.
-
Thursday 19th September 2019 14:01 GMT TSM
One time when I was away on leave but still logging in from time to time, I emailed the helpdesk saying "I can send email OK, but I'm not receiving any new email." They emailed me the description of the cause (which was that they'd migrated my mailbox to Office 365 while I was away) and the steps I needed to do to fix it, and were somewhat surprised when I sent in a text message a few days later saying "has anything been done about this? I'm still not getting my emails".
-
Friday 30th August 2019 21:36 GMT Anonymous Coward
"The best solution is getting people to email the request when they are locked out."
You seem to work at my organisation. HR came up with a new process. The password recovery request had to be made via an Outlook form and it could only be done for oneself.
My colleague was tasked to feed Exchange with the new form and fell giggling from her chair.
Absolutely no oxygen wasted on this process by HR.
But the form was pleasing to the eye.
-
Friday 30th August 2019 10:09 GMT That was MY joke
Blossom Dearie
New Scientist carried this report back in 1992:
Blossom Dearie was in Australia and needed to transfer some money from her account at a London bank. She telephoned the bank from Australia and spoke with a clerk who said he could authorise the transaction only if she could name and describe at least one member of the London bank staff. She racked her brains but could not remember enough to satisfy the clerk. ‘But I can sing you eight bars of Sweet Georgie Fame,’ she offered. All right, said the clerk, who still had a battered copy of the song Blossom Dearie first recorded 25 years ago. She sang eight bars of the chorus down the line and the transaction sailed through.
-
Friday 30th August 2019 15:38 GMT naylorjs
Re: Blossom Dearie
Bank security up until 2000 was quite lax in many ways. I had to transfer a sizeable amount of money (in the £1000s) from my UK account to my new Swiss account for the deposit on a flat.
I phoned my UK bank, a major high street brand which still exists, and only had to confirm my name, UK address and account number and of course my Swiss account number for it to be transferred. I would sincerely hope that this wouldn't be possible now.
The biggest issue was that my Swiss account number had a letter in it and full stops which caused no end of fun entering it into the system at the UK end.
-
Friday 30th August 2019 10:29 GMT BigSLitleP
Not just an expired password
So while helping out on a service desk, a gent called up saying he was locked out of his account. I ran through a few verifications to make sure he was who he said he was. I took a look at his account and noticed the account hadn't locked out, it had expired. That was standard practice for time limited contractors, which this fellow was. Before activating, standard practice was to contact their manager to get a new expiry date.
I called the guy's manager and got told not to activate the account. The guy's contract had come to an end and we weren't renewing it. The manager asked if I could "be a good chap and let him know". This was an internal service desk and I'd been with the company for quite some time. I was no mere hell desk monkey so I drew on my years of experience at the company and gave the HR approved response of "How about grow a backbone and tell him yourself?".
The manager got put on my list of "low priority response".
-
Friday 30th August 2019 11:43 GMT Giovani Tapini
One place I worked used actors
From time to time "social engineers" would be called in to phone staff and try to get information divulged. This was to ensure that sensitive information wasn't leaked by staff to people they shouldn't be. The idea being that for the most part, at least in the technical teams, we would know who was likely to be providing or asking for information and from which teams, and to do a bit of due diligence if you didn't know them. Leaking of information in some cases can cost a lot of fines or lives in some cases.
-
Friday 30th August 2019 13:14 GMT Anonymous Coward
In the early days of the Internet access was hard to come by. Military, commercial and education could get in but personal access wasn't so easy.
Luckily my employer had a connection and they also had a dial-in modem so I could dial from my remote office to the comms centre at the HQ and get internet access.
When I left the company I continued to use it for quite a while until one day the dial-in modem didn't answer. I phoned the company's helpdesk and said "Hello! It's <name> here! The dial-in modem isn't answering and I can't get on the internet!"
The helpdesk bod explained that they'd started to suspect that an ex-employee was dialing in and using it so they'd moved it to a new number. Then he very helpfully gave me the new number.
-
Friday 30th August 2019 14:28 GMT SVV
Totally insecure
In order to confirm the identity of the caller, the service desk should have insisted that they give their old password over the phone first. Once this had been checked against the username in the database, the new password should then have been delivered to the user on a piece of paper, so that they could keep it in their desk drawer in case they forgot it again in the future. This also prevents "hackers" from intercepting the link to the new password in an email.
-
Monday 16th December 2019 21:36 GMT kernelpickle
I've absolutely refused sketchy requests
Back when I provided support to folks in the medical field, I received an odd call one day that I almost performed the password reset for--but didn't quite pass the sniff test.
The user that had called in asked me to reset his password. I verified the user by having him provide all the requisite information (month/day of birth, last 4 of SSN, etc...) but during the conversation, it came up that he was annoyed about having to reset his password while he was on vacation on the opposite coast. I assumed that he probably needed access to his email or something, and when I asked him to pull up the login screen from his device so that I could read off the temporary password and make sure he was able to log in and reset--I found out that he didn't have his laptop, or any corporate (or even personal) device capable of reaching the login page which required Citrix to be installed.
It was at that point, I was confused enough that I started asking follow-up questions while digging through the guy's previous tickets. The caller was a medical technician that had zero reason to log into anything remotely, since his job required direct contact with patients and a giant machine located at his work site. Upon investigation of the guy's previous tickets, I saw a previous call for a password reset and when I read the notes from the last agent that took the call, I saw the reason that nothing added up.
The guy's manager had called up pretending to be the user, and thankfully my colleague refused to reset the guy's password, and when that happened the caller then owned up to the fact that he was the manager in hopes he could demand the reset from a position of authority--which the other agent didn't, and had informed the guy that only the actual user could initiate a reset and be provided with a temporary password.
So, this guy's jerk of a boss decided that instead of following proper security protocols, and requesting access for each user that needed to perform this guy's job--that they'd all just use his credentials. Well, the guy apparently changed his password recently enough that the account got locked and when he called to reset the password, and we refused (because THAT was the right thing to do) he woke this poor guy up on his Honeymoon to annoy him with problems that weren't his--on top of that, the time he called was early morning 8:00 AM eastern time so the user on the opposite coast was being harassed at 5:00 AM with the time zone difference!
After learning the truth about the whole situation, and confirming with management that if it didn't feel right to do it, that I shouldn't--and that they would back me when this guy complained, I told the user that given the circumstances, I can't knowingly reset his password when I know that it was being done to circumvent the security policy, and told him that his manager could suck it up and request access for himself or another user and we'd be happy to expedite it--but we wouldn't be resetting his password before he returned from his trip. I even made sure to reset the guy's password to something random (that I made sure I couldn't remember and didn't write it down anywhere) and re-locked his account to make sure nobody could log in. Made sure to leave notes for the next agent if the boss tried again, and instructed them not to do it either.
I made sure to congratulate the guy on his nuptials, and told him to enjoy the rest of his vacation, because he was under no obligation to put up with his manager's nonsense, and that if his boss persisted, that he could instruct him to contact the Help Desk for assistance requesting his own access, and an in-depth explanation of the security policy. When I told the caller that if someone screwed up, or did something shady while logged into his account, that he was the one liable--at which point he thanked me, and went on his merry way.
Technically, the corporate policy said that I needed to reset that user's password, because he was able to verify his identity as the correct user--but I just couldn't do it in good conscience, because I didn't want to be the one in front of the firing squad if that manager did something stupid and I knowingly enabled it. Sure the employee would probably be the one fired for giving his credentials to his manager, but he was following orders, and I knew it was wrong--even if he didn't.