PowerPoint punishment sent users into an infinite loop after lunch Welcome to another instalment of Who, Me? It's The Register's Monday column that shares your stories of mistakes, occasional malice, and how you came out the other side. This week, meet a reader we'll Regomize as "Marcus," who told us that in the early 2000s he toiled in a workplace that required workers to lock their Windows …
If a former colleague ever saw an unlocked computer, he would do a google image search for something very innappropriate but just safe enough to get through the filters, then hit Windows+L to lock the PC.
As we work in a school, and some of those computers were in classrooms, staff soon learnt to lock their computers, even if they were just stepping away for a few moments...
So, in other words, locking the PC was an essential protection against . . your own colleagues.
I had that happen to me once. I was finished eating a banana and went to the other side of the office to throw it into the bin. When I turned around, the dipshit sitting next to me was busy typing away on my keyboard.
I will spare you the verbal abuse that spewed at that point but, suffice to say, he never that shit again when I was discarding my banana peel.
Security is one thing. Bullshitting is entirely different.
I understand your frustration with said colleague. Then again, it did happen to me and I observed it several times with others: I just wanted to dispose of the banana peel or do something else in the vicinity of my desk, got somehow interrupted and distracted and walked off without locking the screen.
But your colleague's behaviour is the equivalent of getting a parking ticket while you walk to the parking meter to pay.
I once wrote a "Send All" suicide note on a colleagues PC who had wandered away without locking it. "I just wanted to let you all know that it isn't your fault." It ran to several paragraphs. I hit send, locked the machine and walked away.
That was a week of entertainment and it never came back on me. He never left his machine unlocked after that experience.
I did some work for a certain major company whose security bods would wander around the cube farm (OK, it was not quite as bad as that, but it came close) and remove any unlocked and unattended laptops they came across. They would leave a note inviting the owner of the laptop to come to security office to recover his equipment, but only after a serious conversation with the company's Security Manager. I'd like to say that it resulted in an atmosphere of paranoia, but paranoid people only think "they" are out to get you - we knew it as a certainty.
The amusing thing is that no-one was above being targeted - this included the CEO who has the subject of these little notes at least 4 or 5 times while I was there.
A former Headmaster where I work introduced a policy for forced password changes every half term.
IT pushed back saying frequent password changes reduced security because staff would just write them down.
One day when I was in the Head's office to drop off some paperwork I noticed a post-it on the bottom of his screen with his username and password. I swiped it and passed it to the IT manager, who immediately cancelled the forced password change policy and the Head never even noticed...
At a place I worked, the endorced policy was for IT staff to rotate passphrases every 30 days.
Every first of the month, I called up the Help Desk and had them reset the passwords to my various rarely-used host- and application-accounts, writing down the new passwords (there were a dozen or so).
Then I would log into each of those hosts and apps, and change the randomly-generated passwords to something strong, yet which I had at least a slim chance of remembering.
(My primary four accounts' passwords I could easily remember, since I used them so often.)
On the subject of memorable passwords and passphrases:
I very recently had a hilarious one auto-generate when I was doing either a rotation or a new account.
It was extremely memorable, but I was forced to not use it by my need to share and laugh about it it with some community members.
"Yonder-Wrinkly-Emu8" is pretty funny, when one of the moderators has an emu related handle.
It does get stupid, sometimes. At one place the policy was any account with elevated privileges was required have a 30 character password and it expired every 7 days, even though they all had 2FA in place already.
This was the point at which I reduced the required passwords to one - the pass phrase to the keepass repo that lived on the USB stick on my lanyard and damn the "security theatre"
I found one mobile app, I think it may have been and expenses system so had to be used, that had slightly shorter password requirements (I think it was 16 characters) but they'd disabled pasting. Given the near impossibility of swapping between the sign-in screen and the password app it was an open invitation to write the password down. Fortunately that particular app didn't last too long.
The worst one I ever saw was for a time-tracking web app. Besides the usual annoying complexity requirements and an onerous expiry schedule, it prohibited double letters.
I'm sure that rule was meant to prevent arrant stupidity like "aabbcc", but it also would have rejected "correct horse battery staple" -- and not because it's become a cliché. Among other fixes, amusingly, one would have had to deliberately misspell "corect".
I no longer have a problem with long randomized passwords, and even make then longer than the requirement provided I am the one that makes them up. When you type it in, the reason becomes clear - the passwords are actually a column of keys, top to bottom and back up again, with a specific keys used with caps lock. This gives me a special character and capital letters, plus numbers and lowercase. Come password change time, I shift the pattern one row to the side and when I've reached the end I need only start over changing which row is caps. By the time I cycle through all the permutations, either the first row should be past the "no repeat" counter. Either that or I'll be retired/walked out the door.
> IT pushed back saying frequent password changes reduced security because staff would just write them down.
...or you get something like Th1sIsMyP@sswORD, which then gets changed at each date thereafter to a sequence of Th1sIsMyP@sswORD1, Th1sIsMyP@sswORD2, Th1sIsMyP@sswORD3...
Security theatre.
The english phrase is “the exception proves the rule”. And even then that’s an old sense of the word proof meaning to put to the test i.e.: the exception tests the rule *not* proves as in a mathematical proof where it shows that something is true.
Icon reflects my obvious pedantry here.
I thought of a very similar perspective. The perceived existence of an exception demonstrates (proves) the existence of a general rule in one's mental model. (In considering a case exceptional, there must be some rule one considers generally true or being surprised by an outcome implies that accurate prediction was expected.)
Yet it seems that there is some truth to the concept that having known exceptions implies that the rule has been tested enough that the common cases abiding by the rule are actually likely to be common cases (at least within a testing/use context). I.e., having known exceptions implies that the rule has been tested and validated as a general rule (and not just a hypothesis), "proving" the rule.
The concept that exceptions probe the rule also makes sense.
(Even the context of proof/demonstration is significant. Legal or historical proof is not the same as mathematical/logical proof or even scientific/statistical proof.)
Legal proof allows for a corpse to practice law if a coroner does not prove death by checking pulse or respiration despite the corpse's brain residing in a jar on the coroner's desk.
"I did the required checks, m'lord. I used my mirror and did not detect his breath upon it." said Edvard. "That was quite unnecessary, Lord D'eath, as his head was several feet from hiw body at the time. And did you have to nail the dog to the ceiling?" "*I was worried it might bark, m'lord."
- Best I could do from memory
We had a division that mandated all laptops were to be secured by security cables to stop them wandering off. IT then decided everyone's computer was to be changed out for Surface laptops to run Win11.
Unfortunately the Surface is very deficient in nicities like ports and Kensington slots, so there was a scramble to find a solution... a 'locking frame' solution failed because it had bars that covered parts of the keyboard... last I heard they had managed to source some glue-on 'tags' that would work but invalidate any warranty...
Various pieces of industrial equipment running off Windows PCs, back in the naughties. I'd memorised the steps you needed to change the control software default language back from simplified, or traditional Chinese, Thai, etc after bored night shift staff had been at them.
YOU!!!!!!!!!!! IT WAS YOU!!!!! YOU UTTER UTTER UTTER B D !!!!
You know how long I spent learning chinese ideograms so i could switch them back? how much confusion it caused?... then having to learn Thai and 1/2 a dozen other languages?
how many reboots? how much being poked by the manglement? my life was hell back then and all because of one damn person!
If you left a machine unlocked then it was usually the undying love for a colleague email, copied to everyone in the department, or (better for the rest of us) I am buying cakes for everybody.
We did have some none-it people do snapshot desktop set as wallpaper and hide icons, even better was doing it and rotating the screenshot 180 degrees…
Next step is to set the screen rotation to 180 as well, and turn the mouse 180 (as in tail towards user, not ball up)
That way the screenshot is the right way up, and if they use the mouse upside down it'll all cancel out...
But if they return the mouse to the right way around the cursor will move upside down
This stuff went on even back thirty or more years, before the days of PCs. IBM's VM operating system*'s hypervisor, CP, has a command to set the terminal's line size to a value other than the hardware physical length (80 chars). It was fun to enter CP TERMINAL LINESIZE <n> (where <n> was something like 5, or better 1) which would cause responses from the computer to wrap after that number of characters. Most people didn't know about that obscure command, so they usually had to log off to recover.
*The best OS. :-)
"This stuff went on even back thirty or more years, before the days of PCs."
The IBM PC is almost 45 years old. The concept of the Personal Computer goes back before that ... I remember calling single-user home computers "PCs" over 50 years ago during early meetings of the Homebrew Computer Club in 1975. Microcomputers in general were being called Personal Computers by the early 1970s, with some sources suggesting it was as early as the late 1960s. It may go back before that, as the term was basically slang and slang generally is spread by word of mouth long before it gets written down.
And as I've pointed out before, my 1963 IBM 1401 could be called a PC ... It's technically a "small business system", but it only had a single user/operator, so if you squint it could be considered a PC ... This option takes us back to the late 1950s. I honestly don't know if anyone called it a PC before I did in around 1988 ::shrugs::
I've spent the majority of my career trying my hardest to avoid PowerPoint, so I'd never heard of this 'loop until ESC' function.
Now that I do, I'll be using on any computers I happen upon that have been left - against policy - unlocked and unattended.
Only issue I foresee is that PowerPoint puts the navigation icons in the bottom-left of the screen, but I'd imagine no-one is really going to notice if it's overlaying their taskbar.
Back on the Novell network at university, such "pranking" was the order of the day, and there was a period where it got really bad.
As a defense, one of the lab guys set up a "bin" dir in his path with all the common commands such as "cd", "dir", etc as batch scripts which just immediately logged you out. This meant miscreants usually immediately logged themselves out before causing any damage. He got work done by setting up other aliases beginning with "x" so the cost of his defenses was typing an extra character.
However, one of the "admins" (and I use the term VERY loosely here) was doing something requiring that she log into all the lab guys' accounts. I can't remember what, it's been nearly 40 years[1], but it was blessed from above.
For some reason, she flew into a full foam-at-the-mouth fury after getting continuously logged out, called the guy in, and absolutely chewed him a strip. He retaliated by going up the chain, and revealing the rather anarchic state of the labs, and the result was several almost-lost jobs, including the original "admin" who had some adverse paperwork filed. And needless to say, the pranking stopped.
[1] holy 'o f*ck. my bones.
I remember when the Blue Screen of Death screensaver first came out - long before Sysinternals became a Microsoft property.
We had a brand new server - over twenty grand's worth of equipment, destined to replace an existing SQL Server machine. When live, it would be the heart of the business and worth millions per year. So it absolutely, positively had to work.
It was being built by the boss's desk, before going into the server room. Load testing, checking networking configs, benchmarking storage, all of that kind of stuff.
Naturally, whilst the boss was out at lunch, we put the BSOD screensaver on it with a very long wait period. That afternoon, after 50 minutes of inactivity, the screensaver kicked in. The boss nearly had a heart attack as, out of the corner of his eye, this critical machine suddenly blue screened.
We did our best not to laugh too much. He was, when he discovered what had happened, distinctly unimpressed. But fortunately he did see the funny side of it eventually.
Actually wrote a Windows device driver which dumped a Linux boot log to the WindowsNT text mode boot screen. Freaked out a few people when they first saw it. Unfortunately, future versions of Windows just showed a logo on boot, rendering all my work null and void. So much for backward compatibility!
That powerpoint ruse would last seconds before increasingly panicky random key slaping hit escape or whatever .
I hardly need to say this as I'm sure most Reg readers know, the correct protocol is to screenshot a busy computer , minimise all and set pic as background.
Optionally also invert the pic and/or mouse
No, you do what the article suggested and then almost unplug the keyboard. Leave it at a point where the cable isn't noticeably loose but also not electrically connected.
Of course you'd have to be a real arsehole to also put some carefully trimmed sellotape over the contacts of the USB plug.
getting back to computer to see lightheated collegue shannagins is all good fun.
Where I worked it was a sacking offence , not because it it was top secret MI6 or anything , but because it was a civil service building the I.T. of which had been outsourced and the remaining couple of civil service managers whose job was to manage to contractors thought it was their god given destiny to pick fault with anything they could find no matter how small and demand either financial compensation or a sacking.
I had to buy an auto pc lock medallian to hang on my ID badge as an offering to ensure this disaster (unlocked pc inside locked I.T. office ) would never re-occur
:(
The prank that worked best was changing the user’s mouse cursor to the busy cursor. Reasonably subtle, PC still works, but user (IT colleague) thinks something has gone wrong/broken/crashed. Reboot follows after saving work. Log in and problem is back. Reboot again. No good. We told them just before they got through to the helpdesk. Response was on the lines of “didn’t even know you could do that!”
If a coworker leaves their machine unlocked, there is a decidedly non-zero, one may say near 100%, chance that a new incognito browser window gets opened to dotbun or owlsintowels, and either left front-and-center, or layered a few panes deep in the window stack.
I like to keep it funny, and there's nothing quite as funny as a random bunny or an owl burrito.
This "locking the PC when you stepped away" was not a thing back when I started working (dinosaurs roamed the earth and used 24x80 CRT terminals connected to an Eclipse S130). We were professionals, and respected each other's workspaces.
Only during my last few years of employment, did the "zero trust" policy become the general rule. I don't think it is a good thing when companies in the knowledge business treat their employees as potential adversaries. You get much further with trust and respect, but it does have to go both ways. I sense, as I get older, a slow but steady decrease in the quality of the workplace, from wages that don't keep up with prices, increasing number of CEOs with increasing numbers of houses and yachts, and the general enshittification of the workplace experience.
Eventually, this will not be my problem. But it will be for people who are just starting in the field.
It depends on the company, culture, facilities, and type of work
If you're working in a secured space (like using the console in the server room with badge access) it's quite different from a PC in a cow-orking space
If you're working on classified data for govt/military contracting, that's very different from working as an SEO monkey
If you're in a team of seniors who get along well, it's very different from if you have a bunch of vibecobers who steal tokens from each other
Once upon a time, IT security meant the locks on the server room door.
Now you have to assume every system is always under attack - because anything connected to teh intarwebs automatically is, and anything on your company network probably is every time someone (mostly non-IT, although IT folk can do it too) does something stupid (or occasionally malicious, but making an honest mistake is more common and very easy in security)
Was the colleague who opened up another I.T. person's PC, and connected a floppy disk drive inside the case with a disk in it. Then resealed the unit, and waited until the next time they rebooted - "non system disk or disk error" ad infinitum. Definite dedication to the craft.
On a Saturday, there was fun to be had in WHSmith with the C64 on display, by knocking up a quick BASIC program which showed the same as the power on display (memory and Ready prompt) RUN it, turn up the TV volume to 11 then wander off to skulk a safe distance to observer. As soon as a customer hit a key, then all hell would break loose - scrolling message, flashing screen and border and whoop whoop noise. Confused and flustered customer and possibly staff who had no idea how to resolve. Hahahaha!
Around 1986 I put together a "screensaver" image for Sun gear that made the screen look like it had a couple of bullet holes in it. I occasionally deployed it on workstations where the user (engineer) had walked away, leaving himself logged in. Quite realistic on the colo(u)r Trinitrons of the day ... realistic enough to draw many a scream of "What the FUCK‽‽‽‽" from people who should know better.
I never lock this one but then again I am at home on my own pc!
Different when with £work, the company laptops had quite an aggressive 1 minute delay before locking which was a pain at home, so I had a script running that detected WFH condition and set it to something more normal (30 mins if I remember). The script ran every few minutes as the group policies would keep on resetting it, but it saved having to keep on logging back in when there was no need to.
Back in the late 90s, early 2000s, we had lots of Windows boxes, mix of NT, 2k and 95 (for some old DOS apps that didn't like NT).
We also had a policy of lock-if-away, which was often ignored.
If it was my turn to hold the fort at lunch time, and had nothing better to do, I'd wander round the open plan office, although only in the bays for our team, maybe 30 desks, looking for any unlocked machines.
If I found one, I'd take a screen-shot of the desktop, create a new folder on the desktop and drop any other desktop icons into this new folder, then rename that new folder to something like My Documents, or to match something that had already been on the desktop.
I'd then set the wallpaper to the previously created screen-shot, set the task bar to auto-hide, and if needed move the previously created folder so it blended in with the new background.
On return, you'd have people plugging in a different mouse because clicking didn't work, rebooting, the occasional rude word etc. Before figuring out what was up.
Happy days.
Talking of plugging in different mice, it was hard to beat the old trick of plugging the mouse into the PC on the opposite desk and vice-versa, especially if those users tended to lunch or go to meetings together and would return at the same time.
A short engineering course on a range of HMI industrial control modules was run for a group of small companies, one of which was my employer at the time. Obviously the programming was done via software on linked computers. At the start of the very first session we were warned that anyone playing pranks would be immediately escorted out, permanently banned, and the company they were from would still have to pay the full cost of the course.
Nobody messed about.
So, basically, you were told from the start that the system(s) were not secure in any meaningful way?
Cool. Are these systems Internet connected? Should I be divesting part of my portfolio?
How much was your company paying to put a hole wide enough to drive a truck through in the corporate network?
Did you actually read what I wrote?
We were being instructed on how to program the HMIs.
The programming software was on conventional PCs running MSDOS - how are we supposed to be responsible for Microsoft security.
Once programmed the HMIs were only accessible to the users via a limited set of push buttons and the screen - short of digging them out of the machine there was no way to interfere with them.
Allegedly.
Not me, honest
We used to connect to colleague's machines and change the sound scheme for one with "specially selected 'sounds then lock the registry to prevent them changing it back.
If you create an AD group there's all sorts of fun things you can push and enforce via GPO as well...
Anonymous because I still know one or two of the colleagues who's PCs suddenly started playing bowchicka wah wah porn music with sound effects (or worse) and while I'm fairly sure they had a good idea it was me...
...laptops were not allowed to be left out overnight (we'd had quite a few stolen over the years).
So one night, the IT team went into every room and picked up every laptop left out (think it was around 40 or 50) then handed them to security.
Imagine the panic as they wandered in the next morning to find there laptop missing and "demanding a replacement urgently!"
We just told them we couldn't issue a replacement until it had been correctly reported as stolen to security. Security took great joy in taking all the details, lecturing them how they shouldn't have left them out and warning them it is a disciplinary offence....before handing them their laptop back.
We did this every few months, eventually they got the message.
The scenario:
Co-worker on the opposite coast running a hours-long process dependent upon a server on my coast.
The setup:
Ensured he was working at his system, copied the PowerToys BSOD screen saver to his computer, edited the registry to use it and set a short time-out.
The phone call:
Call him and keep him distracted from his system for the duration of the timeout, at the last second before the screen saver kicked in say "Hm, something just happened to the network"
The screen saver kicked in and the ensuing litany of expletives was uncharacteristic even for him and quite hilarious.
Then there was the time I made a screenshot of the desktop on a shared computer/login, moved all the icons off of it, set the image as wallpaper, moved the taskbar to the right side of the screen, set it on autohide and disabled the screen saver.
Then I grew up and pulled a terminator off a user Ethernet segment every so often.
Now, I sit at my desk, growing ever more rotund and entertain myself with setting random access switch ports to 10 half every now and again. It keeps my ticket count up.
I want to thank Simon Travaglia for his hand (horns?) in shaping me from a PFY to the senior BOFH I have become.
Reminds me of a nightmare migration I had years ago where the legacy output was riddled with random carriage returns that broke every script I wrote. Dealing with wonky formatting in old logs is the worst.
I actually keep this https://www.thetoolapp.com/extra-spaces-line-breaks-remover/ bookmarked for exactly that reason—it’s a lifesaver when you just need to flatten a block of text without fighting with regex for twenty minutes. Saves a lot of 'Who, Me?' moments before they happen!
I don't see the connection, but if you're proposing to send your logs or other data files to a public web site... maybe don't do that.
I have used a "hexadecimal and text file conversion" web site - very carefully - which apparently stored my file and identified it by something like a CRC signature or a simple byte checksum. Probably the latter - I think if I sent it a second file with the same checksum as the first file, I was shown the hexadecimal data of the first file, instead. And I assume it would show my data to you, as well. Perhaps it still will.
