
So many questions…..
I guess this was quite some time back, but really? No four eyes check of the work, disk allowed to walk off site etc etc? But also large IT contractor induction and training procedures need a good looking at.
If it's Friday, it's time for another edition of On Call, our reader-contributed column in which you tell tales of crimes against tech support. This week, meet a reader we'll Regomize as "Dean" who once worked for a very large IT services provider and was assigned to a contract for a law enforcement agency. Dean got the gig …
If "Colin" had initially responded along the lines of "the computer is there, but I've removed the disk for secure destruction" I could understand it. Albeit counter to procedures. But trying to cover up the lack of disk to a colleague who is clearly going to find out? No, that's just sheer stupidity.
Once I've been told ( by the customer no less ) to go fetch all the HDD on the pre-production system ( at the pre-production site obviously ) and to bring them to the production system ( at the production site some 50ish kms away )... On a January the first. ( yes it was an On Call that might be worthy of being here )
Another time I spent lots of time ( again during a bank holiday, November 11th ) hunting down the guy that replaced a supposedly failed pair of HDD from a server... he got a nice dressing down the following Monday as we didn't manage to get him. ( and the HDD were probably fine, it was the fiber channel card that had failed. ) Again it's probably worthy of an On Call as I ended up using a database dump that was "taken away for test purpose" several months before to recover the database. [to the cheers of the customer, as they didn't have any uncorrupted db dumps for various reasons.]
That was when I was working for a $TELCO equipment builder...
There's procedures and procedures... and On Call people tend to forget some of them, unless the stuff is really sensitive. ( like a criminal database )
Nowadays, with my current set of customers, I wouldn't try to remove anything ( physical or not ) from a site unless it's been allowed, in written form with the reason why it's going out of the site, by the IT security Officer. But I'm not On Call anymore.
I'm not "on call", but as a field tech have worked at a variety of secure sites over the years, just going in to fix stuff. Things have changed over the years, especially regarding warranty or maintenance replacements. None of the secure sites, military, law enforcement, prisons etc will allow *any* parts to be removed from site that could possibly contain data. Which nowadays, means anything electronic. Even DIMMs have an EEPROM (SPD) that could be used to exfiltrate data. Mostly, they just get charged for replacement parts instead of "free, in-warranty" replacements. Many are very restrictive on what you can take in too, sometimes making the job difficult. Professionally, it's best to simply not "hear" or "see" anything other than the task at hand and not even talk about the task afterwards, and especially not where you've been that day when down the pub. Thankfully, no longer an issue for me :-)
On a previous contract at a mobile telco the people on our team had to take turns each week of going to all the OpCos' Data Centres in the region with a spindle of blank DVD-Rs in order to do optical backups of their billing systems - for some political (with a small "p") reasons they had never gotten around to setting up data links to these DCs for backup purposes (i.e. so they could use a central backup system).
Once I finally had enough of this customer (it was the worst contract I've ever been involved with) and notified them 1 month in advance of my finishing the contract the team leader was annoyed and so decided only I would do these backups for my final month...so I basically spent the whole of that month just trudging (well trains, buses, and walking) between 4 DCs carrying a DVD spindle, spending at least 4 hours at each location, waiting for backups to write to the DVDs (typically 3 or 4 discs per server, 3 or 4 servers per DC). In one of their DCs we didn't even have console access and so I had to phone colleagues to run the backups every time I changed DVDs.
Customers have requested it many times. They are ex-customers!
Those of us with professional qualifications, or chartered status, have standards that we may be held against. I do work across multiple jurisdictions, but the chartered status standards are always (in my experience) higher than those of the laws of the land.
It's like asking a chartered accountant to cook the books.
I'm not doing it - never!
In a past life I have been asked several times by clients to "fix" a certain piece of test equipment to either pass or fail more test subjects, on every occasion I have responded in the negative and, if pestered, suggested I might consider a complaint to the relevant government authority that mandates the testing.
Once, under a specific circumstance (datacenter move, active/active load balancers we could normally have half of down in order to move kit, but only under 50% load, and ... the actual load was way above), it turned out the kit had to travel between countries in Europe with customs processes.
Once the truck left, my then (Indian) manager was literally screaming "call back the truck !!!" since there was now a service outage.
After I explained to him that it would take more time to abort the move than to carry on, he calmed down and agreed.
He then told me something I could not immediately understand: "follow the truck to the customs office and give them something to speed it up".
Yep yep, my mgr asked me to bribe customs of 2 European countries, the kind where it is a VERY bad idea ! Of course I knew better and all went ok ...
But in India, it is another story ...
>> Those of us with professional qualifications, or chartered status, have standards that we may be held against. I do work across multiple jurisdictions, but the chartered status standards are always (in my experience) higher than those of the laws of the land.
Here in the US, the accountant test is "What is 2+2?" The winning answer is "What do you want it to be?". My accounting teacher (a minor for me) said to check your ethics at the door. It is OUR job to lie on behalf of the customer.
>” It's like asking a chartered accountant to cook the books.”
Shortly before Christmas I did get a chartered accountant to agree to my scheme to “cook the books” so that the client would be able to reclaim circa £10k Pa of VAT going forward and dating back ~3 years; It vindicated I had read and (correctly) understood the VAT code.
Your customers are not your private shopping center.
Dean was a very, very nice guy.
I would not have fudged the problem, I would have called my manager and escalated, and if Colin got fired (or worse), too bad for him.
You're a professional. Act professional.
I can cover someone having made a mistake. God knows I've made my share.
But stealing ? I draw the line there. You're done.
I can understand why Dean would be worried about revealing what seems to have been a very serious crime which could have serious consequences for his employer and staff, but he's basically covered-up that crime.
I am not even convinced his concerns were legitimate. After any immediate outrage most people will recognise that employers are not usually responsible for the crimes of those they employ.
And how much worse is it going to be if they discover there had been a crime which was covered up?
And it may have enabled further crimes if the disk had been copied and used for nefarious purposes.
I don't believe Dean made the right call. And I don't think he's been particularly bright in telling the world his tale.
I was part of a curious conversation many moons ago where a colleague was 'idly discussing' the thought of theft in the workplace. He apparently was linking this to a film he had recently seen but some of the details were wrong and struck very close to home, he was unaware I had seen the same film.
I laid out how much anyone would need to clear in financial terms to be sure they could have enough money to never need to work again and the likelihood that with that big a theft the chance of being tracked down were very very high. Oh yes, and that I was at the time a Special Constable and on top of my responsibilities to my (and their) employer any evidence of impropriety or laws being broken would be reported very promptly. Not that I have ever reported people for the odd pen or pad of paper which migrated from work to home and I have seen the reverse happen often enough where stationery/tea/coffee is in low supply or low quality or when people are 'expected' to work unpaid overtime to treat this as a balanced book.
I know we're not supposed to mention him anymore, but Scott Adams' "Build a Better Life Stealing Office Supplies" came out around the same time I got my first office job and it's always made me chuckle.
How was it possible that he could know this new group of strangers that I'd only just been introduced to so well?
Go back to the last millennium. The fact that the PC in question had five data drives, however not even as a RAID(-like) configuration where two or more drives can fail, suggests that it MUST have been before the year 2000. The sensitivity for data value was a completely different game back then. As for the drive(s) themselves: That is not a problem if the PC would have been thrown away. But he should have gone the official way instead of simply nabbing a drive. Maybe he would have gotten the whole machine for free or the symbolic 1 dollar, once the data was cleaned.
I think Dean did the right thing, would not be surprised if Colin and Dean then got along fine, with Colin now being more professional and overseeing others when previously he would have turned a blind eye, not fully understanding the risk…
Given Dean and Colin worked for a large organisation, Dean would also have been looking out for himself, if he had dumped Colin in it because that was easy, Dean may have had some backlash and get a “not a team player” reputation.
He doesn't say, but I think he would have said if he had. I agree that it would be a dereliction of duty if he didn't, as either alternative (stealing because it was valuable or stealing because of what it contained) means he's not someone you want to have as a co-worker. Unless Colin was his brother in law or something covering up for him would be a terrible decision. Not that covering up for your brother in law would be a good decision, but it would at least be understandable in some circumstances.
I mean, what happens if he does this again (maybe when you aren't around because he knows you're onto him) and shit blows up and it comes out that you knew he'd done this before but said nothing? If you were my employee you'd be fired too.
I would agree to hang Colin out to dry -- except that, in that situation, by far the most important things are to secure the data and restore it. Had Dean gone to the law, Colin would have wiped/destroyed the disk to cover his tracks. At least this way, the data restore is done, it is confirmed that the data have not leaked, and Colin hopefully learns a Very Valuable Lesson.
Well anyway, I've left hard drives in my car.
I've left them in the bed of the pickup, too. In fact, I left a whole small HP computer in the bed of the truck (along with a separate hard drive or two), driven around Denver, stopped and stayed places over night -- probably totaling weeks of time in downtown / suburbs of Denver for restaurants, wedding venues, street parking in friends' neighborhoods, hotels -- and other large cities, with a small HP portable computer in the bed of my truck.
They worked when it went in. They were never stolen, in a couple years' time. It was really a test, just to see, with hardware that I'd gotten and didn't need.
(Where I actually stayed the majority of the time, it was cold enough for a beer bottle to bust its cap in my car in winter. (Luckily I found out the next day before the ice crystals thawed -- but some of the beer had filtered through the water crystals.) No drinking-and-driving, just leaving beer in my car, too. Sometimes you miss things when you clear everything out, or it's just less important to clear the whole vehicle than resting after a long day.)
We used to buy a lot of genuine IBM XT and ATs. One day I was told that several XTs in a large office were not working. One was showing the well known message "Keyboard not found, Press F1 to continue" - No keyboard. Another wouldn't boot - No HDD. A few days later another room had a PC that didn't work - No motherboard. A few days later one had no screen and Hercules graphics card. About the only thing that didn't go missing was a case - Perhaps they already had one? I, too, had a "dodgy" co-worker, and wondered about him. A few months later similar things happened to several ATs, the co-worker was then working at a different site over 100 miles away. Perhaps he was innocent, and it was a cleaner, or security.
In the end we decided that whoever it was, took them out that way thinking the bits wouldn't be recognised. The irony was that if the whole device was taken, we probably wouldn't have noticed until an audit; as we moved equipment all of the time. I suspect that routinely moving a PC and its monitor by carrying it with the keyboard held down on the top of the monitor with my chin may have contributed to my knackered back.
That reminds me of a story my father told me from his days in the army. One of the REME guys at his camp had been routinely posting Land Rover parts back home to England...he'd got more than half-way to a complete vehicle before he got rumbled and sent to the glasshouse.
That was a storyline in M*A*SH. Radar sent a jeep home that way.
Of course, it's extremely unlikely to succeed too. The big bits are BIG and heavy. Even fully stripped down to no other attached parts, the engine block alone is going to be a bit of an ask. Not to mention the diff housing and the chassis, body parts etc. It could only really work with an accomplice at the receiving end (ie home base) as I doubt you could send stuff like that to a private home address without someone noticing, even in the army!
In the mid 80s a mate was doing an engineering apprenticeship at Jaguar in Coventry. It was an open secret that one member of staff was building himself a brand new XJS in his garage at home. The bodies were assembled & painted in a remote site & then taken to the assembly site on wheeled dollies on transporters. He'd bribed a driver to leave one of these in a lay by for him. Apparently the car was well on the way to completion, but the one thing that he'd not been able to acquire out of the back door was the leather interior. That was the only thing that seemed to have proper security & inventory.
Obviously this being the 80s "the Jag" was a government ship, with a militant workforce, & so wastage was tolerated as someone else (us, the taxpayers) was paying for it, & management chose their fights with the workforce carefully.
Back in the late-1990's, a couple of men in white lab coats walked into one of the computer labs at my local further-education college, and began to transfer the 486 computers off the desks and onto trolleys, before wheeling them out of the lab. None of the students or staff batted an eyelid.
Shortly afterwards, a local police car found itself following a white transit van that had just left the college's premises. By the greatest stroke of luck imaginable, the officers decided to pull the vehicle over and discovered two men in white lab coats with a van full of 486 computers...
A brief Pharma tale....
Huge chunks of the site were being shut down, figures in white coats trundled a pill pressing machine on a trolley down the hill to the gate that led to the North Site (Across a public road), Security helpfully opened the main gate & went back to reading The Sun, while the miscreants loaded it into a car in the unsecured car park instead of taking it into the North Site.
It's Friday, I still miss the Friday morning team meetings in the cafeteria (I could kill for a full English right now).
At an employer long ago we had somebody stealing RAM out of various 486 (I think) PCs. It likely wouldn't have been noticed for a while except that the modules were paired and they only took one module from one of the pairs in each PC so the set of machines which had their RAM stolen (from the IT department) wouldn't boot the next morning and the cause was hence soon discovered.
Inspector Knacker was called and the plod in question "interviewed" the entire IT department (interview solely consisted of asking "Did you steal the RAM?"). Unsurprisingly the thief was never found.
Once about half the department was missing RAM. They booted, but barely.
The head of IT organized a witch hunt, and several hours later, it was found.
There was a customer bug that only happened if you had Tons O'RAM. (How much O'keefe? Miles O'Keefe!)
He'd cleared borrowing the RAM with his boss, his boss' boss, and their boss too... who was the head of IT.
(yeah, I need a face palm icon here...)
Mouse balls were popular with the oiks thanks to their steel cores, they were capable of severe damage if thrown at an unwitting target.
Many schools resorted to gluing the port closed, the more sensible ones used a small screw so the balls could still be removed and cleaned.
Disconnecting the thinnet cable was a different story, only done to be deliberately disruptive. A dab of Loctite stopped most of that.
Reminds me of the time I was asked by the site security guard "has anyone said people can take stuff out the disposal pile in the loading bay?"
It turned out that for the past month or two one of the programmers had been turning up at 6 in the morning, once a week and promptly filling a large shopping bag with PCs and other things. He'd made off with over 7 tower PCs from the pile and a handful of SFF desktops....suffice it to say he was firmly instructed to bring everything back.
This also unfortunately put the kibosh on the "we'll flog it to you for a fiver or so" that IT were happily doing not long before this.
How he didn't think he was going to get caught was a mystery given a CCTV camera watches the loading bay, plus he made it all rather obvious by turning up when no-one else was on site.
I was very surprised to find he kept his job!
I threw a couple of PC cases in the mixed metal scrap bin at work, having removed the drives and anything that might prove useful.
Three days later we were asked if we could "get those old computers working?" They got a very short answer, and it was pointed out they shouldn't have been taking metal out of the bins anyway (at various times even the really grotty stuff had a value).
One of my former users* became one of my good friends, he brought chocolate regularly, and after one grueling support call, he brought beer! He would also buy the whole team lunch from time to time.
*the most demanding user, but he knew what he wanted to achieve, and would spend time explaining his needs.
A company I worked for had a junior IT guy fired because he was physically threatening the senior IT guy. We then noticed a number of missing machines, and started wondering whether there was a connection. A few weeks later, a co-worker was looking at a most wanted posting and spotted the former junior IT as one of the people on the posting.
A few years ago I was doing some consultancy for a major supermarket. I worked across three sites, often within the same week, so sometimes took documents with me. At the exit they had a spot check inspection - push a button and it randomly says check or no-check. If you were to be checked a security guard went through any bags you were carrying. I got checked while carrying a folder marked 'highly confidential', the internal highest level. I was fully entitled to have it, and had even written some of it, but the guard didn't even question it. The office had a mock shop on site for scenario testing, and they were looking for people stealing the confectionery.
.... just when dual speed CD writers came down to about the £500 mark I was one of the first to lay my hands on one. At this time many software manufacturers didn't 'protect' their software because there was no easy way for it to be copied. Of course cheap CD writers were just about to arrive on the scene to change all that. But there was a short period when copying was easy as long as you could lay your hands on one of these (not so cheap) writers.
I then had a cow-orker seriously trying to persuade me to go into the business of software copying. His plan was to 'borrow' copies of software from work, make many copies, and then flog them. He was mainly thinking of M$ Orifice copies being sold down the pub, but could have included some of the VERY expensive and VERY specialist software that the company had purchased.
I ran the numbers for him ..... the cost of writeable CDs at that time ..... taking about an hour (it was only dual speed write) to burn and check a CD ..... getting a few quid for them down the pub (or wherever) ..... to (maybe) pad my salary by about 10% (if I spent every evening slaving over a hot CD writer).
Then I talked about the clause in my contract whereby I would lose my job, get a police record, lose my security clearance, and effectively be black-balled from ever working in the industry that I was working in for the rest of my life.
In the end I had to tell him to 'depart with extreme fornication', and that if he wished to follow this plan himself I'd gladly sit back and watch the shit show.
In the late 80's, a friend of mine followed that path and all went well... for a time, until a knock at the door at 7AM brought the police with it.
As he was just 17 at the time, beyond losing his computers he only got a rap on the knuckles, but it scared him enough to not repeat it.
Almost 40 years later he is the owner of a successful software house he founded, and not a fan of piracy.
In the early 80's the company I was working for moved me from doing mechanical repairing to start reviewing the electronics data collected as a result of my mechanical work and I was taught that I must always think twice - the instruction was related to the EKG data that we were collecting "Never assume that data that looks good is good, always verify that the data is accurate because if it's not accurate then you must review your work to fix it"
Learning to always think twice, after working to fix occasional Holter monitor heart rate data problems, in the early days has helped me ever since.
I think I've mentioned this before. Someone made a big play about how his computer couldn't be pinched because he'd bought an expensive cable lock to attach it to his desk. One night the inevitable happened and all the computers in the office were stolen apart from his. He was less impressed when everyone else got new 486s while he was stuck with his old 286.
The last company IT refresh meant that the majority of the Lenovo and ThinkPad PCs and laptops were being swapped out for dinky Surface laptops (not the tablets).
One dept had mandated that all their PCs and laptops needed to be secured... for, erm, security.
Unfortunately the Surface doesn't come with an industry-standard Kensington slot or any equivalent. A search of the 'net turned up a few locking bars and frames, but unfortunately they were useless as they all obscured something vital like the power button, keys or part of the screen. The only solution involved super gluing a loop to the case, which would be bound to invalidate any warranty.
They finally were persuaded to add a Lenovo to the company portfolio, which not only came with a Kensington slot but also had a reasonable size screen and came with more than the single USB-C port that the Surface had.
I couldn't possibly give any details, but "close enough" is probably the best answer I can give.
It's the mid 1980's, and the stock control system falls under my administration because I decided to connect all the PCs together with a 1M 10-BaseT LAN, and the now multiuser system was sitting on my (Tandon 286) server. Long story short, the MD had his fingers in the till, the corporate credit card funded his house extension, and he regularly revalued stock items to pretend that we were making money to the company owners. He even managed to invoice customers before we'd even started purchasing components. Needless to say, he used to get the external auditor very drunk on his annual visits.
Apart from being the only engineer in the business, I was given a directorship which suddenly made me liable for any tax implications of the MD's misdemeanours. I decided to have the conversation with him to mend his ways, and crafted a way of revaluing the stock each month, with the aim of correcting the stock valuation by the year end. This involved low-level editing of the database, leaving no audit trail of what I was up to (The 1980's were far simpler times ...).
It nearly worked. We got to month 10, but the call of the dark-side got to him and he committed more fraud to fund his wife's demands. There was no choice but to ring up the owners and present the facts on a Sunday afternoon - the MD was gone before Monday. I deleted the last few transactions, and no-one was any the wiser to my part in the scandal.
Was that a crime? Probably, although the people it was committed against were grateful that I put a stop to the rogue MD's actions. I even got another promotion higher up the chain of command, so no real damage was done. It will come as no surprise to learn that all the companies involved went bust decades ago, many years after my departure.
So a long time ago I worked for an IT outsourcing company, one of the gigs was a secret lol gov chemical weapons testing facility *allegedly. Anyway it was boring stuff plonking new very expensive laptops on scientists' desks.
As you'd expect security was VERY tight, you were watched everywhere at all times, all doors needed your key card, high walls, razor wire, you get the idea.
Cue new guy, young, cocky, a bit of an idiot, we get a delivery of about 20 or so new laptops in (laptops at the time were 4k+ which I guess would be well over 10k in modern prices) they went in the cupboard ready to be distributed out the next day.
New guy decides to visit the site at 10pm that evening, with his mate, security are watching and recording him from the second his car pulled off the main road, to when he parked, to when him and his mate squeeze through the door his key card opened, track him through the corridors, to our office and catch and arrest him as him and his mate leave site arms loaded with brand new laptops.
To this day I have no idea how he thought he would ever get away with it, it was drummed into us before we were allowed on site exactly what the situation was, would we be ok seeing certain things and we of course had security clearance, his excuse was he was taking them to install software on, which was just the icing on the cake really.
Never heard from him again, no idea what happened to him, surprisingly we kept the contract.
Another funny story from the same site.
I had to install some PCs into a lab that had a cyanide warning alarm, it had 3 'space' suits hanging up and warning signs telling you to put on a suit in case of alarm, but, there were at least 4 people in this lab, plus me so 5, if that alarm went off (and the doors would have sealed) I do wonder what hell would have broken loose.
Told this story before, but deploying new PCs into a new state of the art micro-biology lab offices, that had a glass wall & door looking into the main lab itself.
The lab was pressure controlled to prevent contamination & an alarm would sound if the door wasn't closed to maintain that pressure, air quality whatever......
Deploying the kit, the alarm starts going off despite the door closure. Network cabling tech had drilled very carefully & slowly through the glass wall to run a cable.
Story Two: MIA (Missing In Audit).
Delivered & received signatures on docket for 10 laptops delivered to RMTC at Lympstone, that were placed in a secure locked office\data room.
Left RMTC halfway back (15 minute drive tops) I get a phone call.
"Did you deliver the ten laptops?"
"Yes"
"Got the delivery note signed for?"
"Yes"
"Good, bring it straight to me when you get back"
"OK.......Why what's the urgency"
"At least four of them have gone for a unauthorised yomp".
Are they not normally on both sides? The inside ones for securing people in case of emergencies, the outer ones for rescue?
Sorry, it's been a while. Last time I was near a cyanide gas leak was about 3 decades ago, and that was in a factory with a proper full oxygen mask and tank and between four water screens kept up by similarly equipped firemen (wind kept changing so there was no option but to box it in). Not as exciting as it sounds, other than that a few hours ago someone who had not followed the clearly posted and ad nauseam repeated safety instruction had just left a wife and 3 kids behind by taking off his emergency mask without being cleared. Sigh.
Rule one of dangerous places: get safety instructions and follow them to the letter. They're not optional.
Had this a while back, was scavenging broken electronics and repairing it for personal use.
Seems that 'skip fishing' was a thing until the early 2012 era before GDPR got its teeth in.
I did once find a 2TB drive in a broken Sky+ box but it didn't work alas.
These days just trawl the bay instead, waiting on a SFF PC sans storage, processor and memory.
Please do not snipe me!!
I'm not sure how criminal this was, but AC for obvious reasons.
Once upon a time a previous employer got "FOIA requested" - or at least that's what us lowly IT technicians were told - for all data held about an employee who had left the company a few months earlier under slightly mysterious circumstances. One day he just... wasn't here any more and no one seemed to know why. No one could remember what he actually did or where his office was, he was just one of those people you saw about the office occasionally. He hadn't worked there very long and we all assumed he had failed probation and was now kicking off a fuss for not being kept on, and it was probably him that raised the FOIA request in the hope he'd find something he could use in a wrongful dismissal action or something.
IT was first asked to pull all this person's email and any data they had stored on the company servers and hand them over to our legal team who were looking into the FOIA. Nothing terribly strange there, this had happened before. We handed it all over to our legal department on Friday.
What had never happened before was that on Monday we were told that this had all been a mistake, that all data related to this person should be deleted. They did not work here. They had never worked here. We were not to answer any questions about them and refer all such to the company legal team.
I was never sure if this was because said individual had done something terrible and the company was trying to distance themselves and hope not to be implicated in whatever it was, or if the "FOIA request" was actually some sort of criminal investigation we weren't supposed to know about.
Whole thing was very odd and none of us ever did find out what it was about.
For non-USA like me, who cannot know all typical USA abbreviations:
FOIA requested = Freedom Of Information Act request, normally used to retrieve information related to government which was yet not available.
Now I understand why AC find this suspicious enough to "not ask questions" if such an excuse (?) pops up at a private company (was it a private company? I simply assume, else this would not be worth telling)
Oh, they exist here in DE too, but named IFG, Informationsfreiheitsgesetz. The action is an "Antrag nach dem Informationsfreiheitsgesetz" (request by the statute of information freedom law). There is an equivalent law on EU level too.
Germans are generally less abbreviation users than US. We dislike the ambiguity caused by abbreviations. US looooove them in contrast, especially deliberately misleading abbreviations which sound like a positive word, but are actually very very bad. That is just a cultural difference you have to get used to...
"Germans are generally less abbreviation users than US. We dislike the ambiguity causes by abbreviations."
From my own experiences I'd disagree about that, though maybe it is a case that as German is not my native language I'm more aware of German abbreviations.
After all it's certainly easier to write "RkReÜAÜG" (though perhaps not much easier to say) rather than "Rinderkennzeichnungs- und Rindfleischetikettierungsüberwachungsaufgabenübertragungsgesetz" (German law, no longer in effect, dealing with Mad Cow Disease), https://en.wikipedia.org/wiki/Rinderkennzeichnungs-_und_Rindfleischetikettierungs%C3%BCberwachungsaufgaben%C3%BCbertragungsgesetz
I could not compare (current) Germany with the United States, but I can tell you that, in Mexico, all government departments and agencies, as well as most other organizations, are always referred to by initials. Also, in Mexico, I never see the style that I have learned to employ: always spell out all acronyms the first time any is introduced. I know that I am not the only one left in the dark when people chatter on about their new favorite acronym, so I make it a point to ask in meetings. I found out yesterday that there was a "UPS" that is a (federal?) grant. Did not see that coming.
UK based - Apologies if I got the acronym wrong, but yes, Freedom of Information Act. It was one of those odd edge cases where we were effectively a public body because of how we were funded and did have to respond to the things, but not really part of the government.
> where we were effectively a public body because of how we were funded and did have to respond to the things, but not really part of the government.
It is not anything to do with being "part of the government", the FOI Act in the UK is regarding Public Authorities and the definition of Public Authorities covers not only central & local government agencies etc but also some private organisations, i.e. GP Practices are typically run by Partnerships (though occasionally by individual GPs or Limited Companies) who have a General Medical Services contract with the local NHS and are therefore considered Public Authorities (for the work they do for the NHS). Likewise for Dentists doing NHS work, and many High street Opticians.
A private company that does some types of work for the government may still be required to respond. The responsible government agency will receive the request and collect needed information from whoever has it in order to send it through. Then again, it sounds like this might have been a little different.
I was once around for the vanishing employee routine. One day someone was there, the next they were gone. Rumour had it that their personal laptop went into a tech chain store for repair ..... then law enforcement were knocking on their door asking about the contents of the hard drive!
The employer had an 'ethical' clause in their employee contracts, and the contract that we were on also required security clearance that would be revoked. Apart from the rumour I never heard anything about that person ever again.
No, is normal. Technically, ALL data held on company resources such as a laptop is the company's property, provided that has been made clear from the outset, usually in policies or even in the contract. Private use may be allowed between the lines (to, say, buy something at Amazon), but allowed <> officially permitted, and no sane legal department will ever put the 'allowed' in writing.
That said, investigative laws may deem anything in email and in storage in a folder clearly marked 'private' as out of scope, but I'm not sure if that is EU law or local, it's something I picked up during the unpleasant task of accessing such storage for evidence (still needed two directors to confirm in writing).
"The employer had an 'ethical' clause in their employee contracts, and the contract that we were on also required security clearance that would be revoked. Apart from the rumour I never heard anything about that person ever again."
Many years ago, a computer of some sort was received into our workshop for repair. The guy working on it noticed "odd looking" filenames. Manager decided at least one should be viewed "for our legal protection". One was enough. Plod were called. The case made the local press and the computer owner was convicted and so, presumably also lost his job. Not sure how the laws stood back then but nowadays he'd be on the sex offenders register for life with court mandated notifications of any address change and regular reporting to local plod after a long stay in pokey. It was definitely at the higher end of the scale.
I was offered a redundant reel-to-reel VCR and a load of tapes by an organisation which was a medical research establishment - I left the tapes behind.
I had a few customers who used DataEase and if I needed a copy of the database I exported and deleted credit card details first, although I retained names and addresses. This was about 40 years ago, I'm not sure if that would be OK today.
I'll take pause to not outright convict the accused. There was a window of time where this was perfectly acceptable.
Roll back to the days before dumpster divers and previously used drives on eBay. Often old computers simply went in "the bin" as the concept of "e-waste" wasn't created yet. But also at a time current enough where the "everything must be under warranty" equipment policy was in place.
There was a lot of good serviceable kit that got replaced before its time, and no one cared where the old stuff went. It was actually pretty common to re-purpose old kit in to non-critical systems. Yes, sometimes that was home systems. Often it was on-site test systems. Think of the next big software or OS upgrade. What better way to test in non-prod than by using the previous prod systems? Especially in a budget tight IT environment where funding for non-prod testing is non-existent.
It is entirely possible, if not probable, that someone said to junk the old system. No one understood the security risks in doing so. Computers were mysterious widgets to a lot of people. From their perspective, taking the hard drive out of an old computer was no different than a janitor taking the electric motor out of the old vacuum cleaner they just replaced.
Certainly in the context of our modern data security & privacy arena this is a heinous act worthy of termination & criminal action. But there was a time a few decades back where it was just normal good practice for IT techs to reclaim & repurpose old kit that still had some service life left.
I certainly "adopted"** a few unwanted 80Gb HDDs before taking old computers to the recycling centre/dump. The PCs were literally dropped into a recycling skip*. But I'd remove the HDDs and either mangle them as best I could first or, sometimes, "repurpose" them for home, after several wipe/reformat/overwrite sequences. Not enough to prevent data being salvaged by anyone determined enough I'm sure. But certainly plenty for making sure nothing was readily recoverable by normal means.
*A few years later there was a recycle/reuse place for such stuff and the staff were puzzled why they received so many PCs without HDDs - but the other organisations dumping old kit probably also had staff sufficiently aware that you don't leave data on the machines you dump.
**AC because it was at best a grey area.
> 80Gb HDDs ... several wipe/reformat/overwrite sequences. Not enough to prevent data being salvaged...
Somewhere around the 1 GB range for 3.5" quarter height (standard PC size today), and around the 2 GB range for the 3.5" half height, writing zeroes once was enough to safely erase it, simply 'cause the data density and encoding made reconstruction impossible. Write a random number, or format and full-encrypt, would be enough to get the really paranoid people.
So you don't need to worry here, a simple DOS or Windows "non-quick" format is enough. As long as you use the options where it actually writes zeroes and not only performs a read test (look up how Windows XP and Windows Vista/7 differ there, for example).
A long time ago, but anon anyway.
Back when if you had internet access you needed it for your job role & no blocking of any websites / protocols as you were expected to do your job & not visit adult web sites etc.
Colleague was sacked for downloading lots of adult content (not sure if it was via usenet, or from web sites, just got overall summary from the boss).
This was not "manually" during the day, but overnight with some software he had written.
In those days corporate internet was slow, low bandwidth and expensive compared to today.
As no proscribed sites etc. he was not caught that way.
He was caught due to unusual, unexpected and expensive bandwidth use out of hours traced to a developer machine that was not expected to do much (bar maybe the occasional automated download of something work related) but his kit was consistently doing this nightly so red flags raised after a few weeks when it was obviously not just a new starter getting all his required software / data sorted at a quieter time of day & the traffic then got investigated & the brown stuff hit the fan.
He had not been working at the company long so must have got his dodgy downloads up & running shortly after starting
He was instantly dismissed (it was well beyond Page 3 style content & not accidental so he had no excuses) though AFAIK police not involved, more to protect reputation of company than him would be my guess, though although it was hard core & so would have violated a few UK laws back then, to best of my knowledge nothing nasty such as CSAM, bestiality etc..
Absolutely stupid, he had wife & kid, was a good coder, potentially ruined his career*. No idea why he did it - an awful lot of content for personal use (he was caught with CDs on him so must have burned it to disk & then freed up space on his machine), whether he then burnt CDs at home to sell who knows.
* Didn't find out what happened to him - the local IT community area was quite close knit, and it was made clear to us by bosses he was persona non grata in / out of work & would be regarded as a disciplinary offence to contact him (as likely word would get out). Heard a (unverified) rumour he moved away from the sticks to London. Maybe I should make use of people oversharing on the internet & track him down out of interest (though given he had a relatively common name, really CBA)
Hmm. Distant relation lost a promising career when he and some colleagues were found to be downloading NSFW stuff on HMG computers. Not that many years ago.
I don't think it was anything criminal - no prosecutions and they were still allowed to practice their profession. But a really stupid unnecessary way to wreck a career.
I was asked by a friend how to get rid of 2 PCs from their deceased spouse.
Ran DBAN on the one but the second really old PC only had a 5 1/4" floppy drive and I only had a 3 1/2" disk with DBAN on it. No CD drive either and definitely no USB ports. So I took the hard drive out to erase it at home. Then we took the PCs to the landfill that collected electronic waste to keep it out of the landfill.
Only when I got home did I realize I had made a mistake. I should have known as soon as I saw it was a 5 1/4" hard drive that it wasn't an IDE drive. I should have taken the drive controller card too.
Back in the day before dumped a server off a bridge containing some sensitive local government data but not law enforcement or national security. My employer gave it to me as they were for replacement and I didn't want to take it the recycling place as it might be accessed. Realised I could get into trouble for having it. Asked my employer about it and they said they'll link to format etc before disposal. That wasn't secure back then so formatted them all and dumped it off a high bridge over deep wide river at the dead of night. It's probably still there. That's bad on so many levels and polluting the river. Couldn't return it to the client as it would get my company into trouble loss of business with other government departments. Thinking back should have taken the platters out and put an angle grinder to it.
I worked for a UK clothes and home retailer (defunct quite recently actually) in early 90s, and one morning we arrived at HO to find, on one floor, monitors disconnected and placed on the floor (15-inch CRT so some effort required), little piles of screws neatly beside the Elonex desktops, lids lifted and the 4MB/8MB sticks of RAM gone. Probably about 40 machines. Hey ho, we’d heard it was going on and we were a victim. You’d think a lesson would have been learned. Except that 2 weeks later, a different gang (maybe) returned and this time were not so civil, and a number of the monitor signal wires (fixed connection, not plugged) had been cut to speed relocation, the lids of the PCs wrenched off with some kind of pry tool and again, the RAM nicked. Just for good measure, they didn’t bin the remains of their sustenance; crumpled sandwich packages, crisp packets and coke cans.
Working in IT we can sometimes see stuff incidentally which we shouldn't be able to. Officially we shouldn't have seen it and can get into trouble if we admit we have, especially if we've taken an extra click out of curiosity.
One I saw was an email from a corrupt government director lining up a job he'd created himself in a government agency. Was extremely conflicted and didn't tell anyone except someone I knew who worked for a government intelligence agency. They made their own investigation and obtained their own evidence and he was booted out eventually.
The worst is seeing data that different parties can't use/join up because of data protection regs etc. Can be stuff related to child protection. They all need data sharing agreements which are jealously guarded by different government departments. This was decades ago and I hope it's improved. In that case was written some cross domain remote SQL scripts between multiple sites and data became visible. Didn't report it but asked about whether end users knew the capabilities if things were opened up. Was told sorry you can't, "Data protection"
> The worst is seeing data that different parties can't use/join up because of data protection regs etc. Can be stuff related to child protection. They all need data sharing agreements which are jealously guarded by different government departments. This was decades ago and I hope it's improved.
Maybe you'll be surprised to hear about the particular Northern Ireland Electronic Care Record data sharing which *began* in June 2013 (yes almost 12 years ago) without *any* Data Sharing Agreement (DSA) in place between the 300+ organisations initially involved - a Version 1.0 DSA was prepared about 1 month after launch but none of the Joint Data Controllers ever got around to signing it; a Version 2.0 DSA was also prepared in Nov 2016 but only a handful of the (then "rebranded" as Data Controllers-in-Common) Data Controllers ever got around to signing that one; a newer DSA (in which some of the previous Data Controllers were mysteriously reclassified as Data Processors) was produced in August 2023 and the 5 hospital trusts did sign that around Oct 2023 but it only started to be signed by GP Practices from May 2024 onwards (and only 2/3rds of them had signed by July 2024).
That all is separate from the non-existent Data Processing Agreements (DPAs) for the various Data Processors using the NIECR - there were NO DPAs in place at all for any Processors until August 2023 yet numerous Processors used the NIECR system for several years before then.
Side note/question, how can Processors have validly signed DPAs in Aug 2023 with the NIECR Data Controllers who were engaging them as Processors if none of those alleged NIECR Data Controllers organisations had signed a DSA between themselves to actually legally become valid NIECR Data Controllers in the 1st place before Oct 2023?
So health data of the entire NI population was shared for more than 11 years between an ever growing list of hundreds of organisations with NO DSAs or DPAs of any sort in place (and the DSA that was recently signed does not comply with UK GDPR requirements and so it is not a legally valid DSA).
I don't consider it an improvement that people's health data has been *unlawfully* shared rather than not shared at all.