Babadook: Connectionless, Persistent Powershell “Backdoor” (wroot.org)
75 points by fgeorgy on Oct 2, 2015 | hide | past | favorite | 45 comments



After a certain point, it stops being a clever prank and becomes much more of "my coworker is a jerk". The author of the article got lucky that upper management decided to put up with his antics rather than fire him for them.


I forbade my team from doing that; your teammates should have your back, not be hostile to or publicly shame each other. I want them to trust their co-workers, to be able to leave each other at their machine to go to the bathroom even if Facebook and mail are logged in.

Plus if you don't know who is entering your room you don't have a problem with the keyboard but with your door lock. And if one team member is going rogue, well, he already has the passwords.


This mentality is patently wrong to me. You have to realize that maintenance, housekeeping, and any manner of other people may enter your area (either legitimate people, or people in disguise). Additionally, if I were to "go rogue" you better believe I would take advantage of being able to frame someone else and remove attribution from my shoulders. The in-office risk aside, you are also training terrible habits. These habits could lead to your employees leaving their computers unlocked in coffee shops, at conferences, in their hotel rooms, etc. You have to instill in people the habit of locking their computer whenever they leave it, and make sure they understand why.


The author is obviously smart and dedicated - and I’d probably be forced to terminate him. He is a non-supervisory employee, who has not been given administrative access to these computers. He created and deployed a program to other computers without permission that actively thwarted attempts to shut it down, and modified it to get around a GPO that was more than likely pushed out because of what he was doing. This is malware - for a good purpose but still an undesirable application being run without permission.

If the company has decided that computers need to be locked when away from keyboard there will be a policy and procedure for reporting and dealing with infractions. This won’t be it. While in this case the program might have been mostly harmless, one never knows when a programming error might spin things out of control. It’s clever, funny to some, but if it accidentally resulted in downtime the stuff that flows downhill would come fast and be unpleasant in some organizations. Plus, annoying your teammates isn’t the best idea long term. I know this may seem harsh, but from my experience organizations with the most need for this security would be the least likely to approve of this method.


My comment is not at all talking about what the OP was doing. I think that he went beyond what he ought to have. I am specifically referring to the mentality of "employees should trust their coworkers and can therefore leave their computers unlocked".


I didn't say they have to keep their computer unlocked, some of them did lock, but I did not enforce a locking policy because I don't think it was necessary in the context. And if I did have to enforce screen locking in other places, it would be out of the question to use any passive-aggressive behavior or public shaming towards a teammate; if you need trust from your employees, you treat them well. My first reflex would be to look at technology, because locking the computer is a stupid and consistent task and technology is for stupid consistent things.

I think people are too focused on working for the military and paranoia; we need a range of behaviors, from the paranoid to the welcoming. That guy watching your screen could start an interesting discussion about your project, and give you the contact for the right person to help you. You don't want that in a military context; you highly desire it when you're building a vegan pet food marketplace for hipsters.

Not everyone needs to develop like in aerospace, not everyone needs to develop like in video games, not everyone needs to behave like an NSA agent, and not everyone needs to behave like a farmer's market salesman; we need a range of behaviors.

And whatever the policy, you never, ever, let co-workers be dicks to each other: no "pranks", no public shaming, no sending a prank email from each other's computer. If security is really a big issue, then not locking a computer is a strike; it goes between the boss, the offender and HR, not a matter of joke.


Upper management recognised he was making a very valid point in a very effective way. Kudos to them!

Security is a trade-off, but things like locking your machine are so trivial and painless that they should be routine for everyone, no exception.


Still, if the team is not really tight, this kind of prank is dangerous for the team. I can see the situation deteriorate pretty fast. If he was chief of security or something, I'd understand that. I understand the manager too, but a co-worker? No.

That said, I use padlock[1] on my laptop, especially in 'hostile' environments and I'm pretty happy with it.

[1] http://mizage.com/padlock/


I use ctrl+shift+eject and I'm pretty happy with it too.


Yes but some companies have strict policies, and access control.

Maybe you have a new hire in the office building, or a visitor, or the janitor.

It is good practice to always lock your machine. But yes, I do agree that he is very lucky that upper management was awesome in this scenario.

--

At my last office job we would just flip the mouse buttons, and rotate the display screen. This proved to be very effective, and didn't cause issues with the team.


Yeah, there are other ways to get the point across. Such as changing the password and leaving a post-it with contact details to get another one. This works especially well if the person in question is a sysadmin, or otherwise empowered, as then the employee can receive proper instructions on how to secure his machine.

In this instance, the coworkers don't seem to be particularly clever, or even worried about security. They were terminating the powershell process, which was obviously doing unauthorized actions, then proceeding as usual? Who does that?!


After a certain point "how hard is it to press ctrl-alt-l (or windows-l)?" becomes a competency question.


Aren't there better ways to ensure "desktop protection" than relying on conscious actions of employees?

For the company in question, security seems to be very important as shown by the fact that each computer sits on its own VLAN. Maybe they should consider using something like wireless tokens that lock the workstation if the token is too far away (e.g. http://www.gkchain.com).

I've also worked in companies where lots of doors require a key card, which also unlocks the computer (by means of a card reader at the workstation). So if you leave the room, you take the card with you anyway and the computer gets locked automatically.


Certainly. But I think then one has to factor in issues of cost and complexity. Technological tools can take care of "low-hanging" fruit, but can't be so strict as to prevent flexibility when needed.

I like this story in that it's a bit of coworkers policing themselves a bit. We have a similar situation in my workplace, where smartcard authentication is used. We're all taught to pull our cards when we get up from our desks, and this is followed pretty well. The odd email has gone out under someone else's name (usually with accompanying embarrassing text) but more often than not, we'll simply pull that person's card, hold onto it, and then enjoy the few minutes of panic as they try to determine if they lost it or not. Both the customer and the security officer are none too pleased when cards go missing, so it serves as a good reminder.

Long story short, watch and remind one another frequently of good security practices, and encourage others to as well. You may think you're being a jerk at first, but as more catch on and not only adhere, but help encourage those rules, it'll be less uncool to call them out and more uncool to deviate from them.


back in 2006ish I used bluetooth proximity of my Mac running 10.4 and a Sony Ericsson cellphone to auto-lock my machine. It'd kick in around 10 metres away, which was about the size of my team's area. Quite handy, but the feature was removed.


Having Bluetooth enabled on your cellphone might ultimately be the method used to crack into your network though .. so there's a tradeoff of security in such a scenario.


How can Bluetooth be used as a vector?


HID spoofing.


This is cool and it's one of my favourite types of projects - where you have to hack your way through security to pull off a prank. However, I think it would be better and more impressive if the author limited the collateral damage. Spawnkilling other programs is an effective way of protection, but I think it disturbs people too much by interfering with normal (for a technical person) computer use.

Interestingly, the author pretty much delivered half of a Malware Writer 101 here. I had to deal with methods like these when removing crap from non-tech computer users more times than I would like.
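
Both this comment (a process that relaunches whatever kills it, malware-writer style) and the earlier one noting that coworkers simply terminated the PowerShell process and carried on point at the same defensive question: where is the thing that keeps coming back? The function below is an added example, not the Babadook code and not from the linked article. It lists the PowerShell hosts currently running (parent process, owner, launch switches) and then the stock persistence locations that can restart one after it is killed: Run keys, scheduled tasks and WMI CommandLineEventConsumer subscriptions. The indicator strings and the `powershell|pwsh` pattern are assumptions; every cmdlet and registry path used is a standard Windows one.

```powershell
# Added example, not the Babadook code: enumerate live PowerShell hosts and
# the places that can relaunch one after someone kills it. Indicator list and
# the 'powershell|pwsh' match pattern are assumptions; the cmdlets are stock.

function Find-PowerShellFootholds {
    [CmdletBinding()]
    param(
        # Launch switches that are rare in interactive use (assumed indicator list).
        [string[]]$Indicators = @('-EncodedCommand', '-enc ', '-WindowStyle Hidden', '-w hidden',
                                  '-ExecutionPolicy Bypass', '-ep bypass', '-NoProfile', '-NonInteractive')
    )

    # One uniform record per finding so the four sources can be sorted together.
    function New-Finding([string]$Kind, [string]$Where, [string]$Who, [string]$Note, [string]$Detail) {
        [pscustomobject]@{ Kind = $Kind; Where = $Where; Who = $Who; Note = $Note; Detail = $Detail }
    }

    # 1. Live processes: who started each PowerShell host, and with which switches.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(powershell|pwsh)(\.exe)?$' } |
        ForEach-Object {
            $p = $_
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $hits = @($Indicators | Where-Object { $p.CommandLine -and $p.CommandLine -like "*$_*" })
            $owner = (Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue).User
            New-Finding 'Process' "PID $($p.ProcessId)" $owner `
                "parent=$(if ($parent) { $parent.Name } else { '<exited>' }); $($hits -join ', ')" $p.CommandLine
        }

    # 2. Autorun keys: values whose command launches a PowerShell host.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not registry values
            if ([string]$prop.Value -match 'powershell|pwsh') {
                New-Finding 'RunKey' $key $prop.Name 'autorun' ([string]$prop.Value)
            }
        }
    }

    # 3. Scheduled tasks whose action is a PowerShell host.
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh') {
                New-Finding 'ScheduledTask' ($t.TaskPath + $t.TaskName) $t.Principal.UserId $t.State $cmd
            }
        }
    }

    # 4. WMI event subscriptions: a CommandLineEventConsumer fires on an event, so there is
    #    no resident process to kill; it only shows up in root/subscription.
    Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLineTemplate -match 'powershell|pwsh' } |
        ForEach-Object { New-Finding 'WmiConsumer' 'root/subscription' $_.Name 'event-driven' $_.CommandLineTemplate }
}

Find-PowerShellFootholds | Format-Table -AutoSize -Wrap
```

Run it elevated so the HKLM Run key, other users' tasks and the subscription namespace are readable. The useful output is usually in the Process rows: a PowerShell host whose parent is another PowerShell host, or whose command line carries `-WindowStyle Hidden` and `-EncodedCommand`, is the kind of thing a coworker should have reported instead of just ending the process.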


The CTO of a company I worked for had a solution for this problem that, while crass, was effective.

Any time he saw an unlocked and unattended workstation he would set the home page of the browser to a hard core porn site.

Then later after the person was back at the desk he would claim to need to check on something real quick. He'd fire up the web browser, and up comes the porn site.

Then he'd pretend to be all pissed off and start yelling at the person for browsing porn at work.

Eventually, he'd explain what happened and made his point.


This could, I think, be classified as sexual harassment. At least in Sweden ("sexuellt ofredande") where I live.

If my boss did that, I'd probably quit. So yeah, I guess it's "effective".


Most definitely.


I would say that the CTO is probably a bigger liability from an HR perspective than the potential security problems of leaving computers unlocked.


If he did that in Australia he would open the company up for civil action.


If you want to get employees to lock their workstations, make it a policy and fire the ones who repeatedly break it. If you have to get their attention via childish pranks it's a waste of everyone's time.

Also, the IT provider has put a lot of effort into security for a reason. The second any employee starts shell coding of any type, it becomes a risk to the company. Management, as always, is blind to this and is probably why they rewarded the author. What they should have done is fire the person for breaching the company's User Access policy. (You do have one, right?)

It may be the employee's lunch hour, but it's not their right to abuse company property.


> the IT provider has put a lot effort into security for a reason

It really depends. All too often the reason for various restrictions IT set up is to limit their own workload. It sometimes goes to the point of making everyone else's work harder. It's especially irritating in schools and universities, where I could swear IT departments often live by the idea of "if we make a system X completely unusable, nobody will use it, so we won't have people breaking things".


I can safely say that it's never to limit our own workload. Considering we'd get paid less if we had nothing to do, it would be pretty dumb to work towards that goal. It's to save the company from going bankrupt with explosive costs of maintaining infrastructure in a hostile environment.

Any and all restrictions are there to prevent risk, to both data security and operational costs. There's nothing worse than allowing a user to do as they please because as Bruce Schneier once said, "A user will choose dancing pigs over security every time."

This is why we work with management to show them the costs of allowing users the ability to roam free. Management makes the decisions, IT implement it.

Security is hard. It is highly invasive to usability. It's not your IT department's fault, it's actually yours.


Posting this using a throwaway as I don't want to be associated with this one.

I did a demonstrator a couple of years ago of why we should be using 2FA for everything. We added a single binary to the post-build event in Visual Studio and checked it and the binary into the VCS. The binary grabbed the person who did the build's Chrome password database and used powershell to POST it to a private address. Then we chucked it through some shareware that reads the file and mailed the password back to the engineer we were demonstrating it to.

It's pretty easy to backdoor a machine without even having console access.

Be careful people.
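
The demonstrator above worked because nobody reads the build steps of a project they check out; the command is just another line in the .csproj and the binary is just another file in the repository. The function below is an added example, not the throwaway's demonstrator and not from the linked article. It lists every command MSBuild would execute while building the projects under a directory (PreBuildEvent and PostBuildEvent properties, plus `<Exec>` tasks in project, .targets and .props files), so a reviewer sees the step before it runs on their machine. The element names and the 2003 namespace are MSBuild's own; the `Flag` heuristic is an assumption.

```powershell
# Added example, not from the comment above: list every command that MSBuild
# would run during a build of the projects under $Root. Element names and the
# namespace are MSBuild's; the 'Flag' regex is an assumed review heuristic.

function Get-BuildCommands {
    [CmdletBinding()]
    param([string]$Root = '.')

    $msb = 'http://schemas.microsoft.com/developer/msbuild/2003'

    Get-ChildItem -Path $Root -Recurse -File -Include *.csproj, *.vbproj, *.vcxproj, *.fsproj, *.targets, *.props |
      ForEach-Object {
        $file = $_.FullName
        try   { [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop }
        catch { Write-Warning "Cannot parse $file : $_"; return }

        # Old-style projects declare the 2003 namespace; SDK-style projects declare none. Query both.
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('m', $msb)
        $nodes = @($doc.SelectNodes('//m:PreBuildEvent | //m:PostBuildEvent | //m:Exec', $ns)) +
                 @($doc.SelectNodes('//PreBuildEvent | //PostBuildEvent | //Exec'))

        foreach ($n in $nodes) {
            # <Exec Command="..."/> carries the command in an attribute; the *BuildEvent properties in text.
            $cmd = if ($n.LocalName -eq 'Exec') { $n.GetAttribute('Command') } else { $n.InnerText }
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            [pscustomobject]@{
                Project = $file
                Element = $n.LocalName
                # Assumed heuristic: interpreters, downloaders and any bare .exe deserve a second look.
                Flag    = [bool]($cmd -match 'powershell|pwsh|cmd(\.exe)?\s+/c|curl|wget|bitsadmin|certutil|\.exe')
                Command = ($cmd -replace '\s+', ' ').Trim()
            }
        }
      }
}

Get-BuildCommands -Root . | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Run it on a fresh clone before the first build. A single unfamiliar executable invoked from a PostBuildEvent, like the one in the story, shows up as one flagged row; so does an `<Exec>` hidden in an imported .targets file that the IDE never displays. Pair it with a diff review rule that any change to these elements needs a second approver.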


At one place I worked we had a team agreement that it was ok to do small pranks to people who left machines unlocked.

Often small changes can have huge benefits, the smallest effective security hack I can remember was a one word change:

We changed "last person to leave for x activates lock" to "first person to leave for x activates lock".


Not persistent as babadook but in similar pranking fashion for Linux:

https://github.com/Snaipe/confloose

https://github.com/GreedLabs/Zloose


Maybe a dumb question: who exactly is locking your desktop supposed to protect against? Do some offices have untrusted people running around with access to workstations?

I can see the necessity of locking when you go home, so the maintenance staff does not have access, but presumably this happened during the day.


Rogue employees happen. Or an attacker may be posing as cleaning staff (in my company we have cleaning during business hours, and every few days we all leave our room while the cleaning lady vacuums).

But primarily, it's not about distrust towards your cow-orkers - it's because not locking your workstation leaves you (and the company) vulnerable to external attackers that made their way to the office via acting confident. Social engineering is extremely effective and quite easy to perform, if you can keep your cool.


Cleaners seem like a huge way in. They often come at night and have unrestricted access. What's stopping them from keylogging or worse? How tight of security can the cleaning crew even run? It's not like you're paying a ton extra to vet folks, and it can't be that desirable a job.


Indeed. Add to that the fact that many cleaning companies employ their crews as "contractors", pay them almost nothing and treat them like human trash (ditto for security personnel in relatively safe areas), and you have a perfect attack vector - it won't be hard to find someone who will plug that little stick behind a computer in exchange for some cash and you being nice to them.


> who exactly is locking your desktop supposed to protect against? Do some offices have untrusted people running around with access to workstations?

Yes, exactly this. Why is that surprising? Why bother with user accounts with audit trails; why not just use user:GUEST pass:GUESS for everything?

There's a bunch of places where you want to make sure that trusted employees are not gaining access to things they shouldn't. EG health care providers.


I would suggest that if you can trivially access confidential data from an unlocked workstation then you probably have bigger problems.


By "unlocked workstation" here I mean "unlocked, and logged in".


heh, as a pen tester, please leave your computer unlocked 24/7. It makes it so much easier to take over your entire network after I've gotten into your office by cloning a RFID badge, or heck, just tailing someone through the door.


I quite enjoyed the technical solution, but I think the author is a bit of a dick. And I have to ask myself why group policy wasn't setup to lock automatically after 10-15 minutes of inactivity?
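
The question is a fair one, and it is answerable from the workstation itself: the inactivity lock is a handful of registry values that Group Policy writes. The function below is an added example, not from the linked article. It reads the machine-wide "Interactive logon: Machine inactivity limit" policy, the per-user screen-saver policy (with the policy hive taking precedence over the user's own preference, as Windows does), and the "Remove Lock Computer" policy that would disable Win+L, then says whether the machine locks itself within a threshold. The registry paths and value names are the documented ones; the 15-minute threshold is an assumption. It changes nothing.

```powershell
# Added example, not code from the linked article: report whether this
# workstation will lock itself after idle time. Read-only. Paths and value
# names are the documented policy locations; the 900 s threshold is assumed.

function Get-IdleLockStatus {
    [CmdletBinding()]
    param(
        # Longest acceptable idle time before the screen must lock (assumed: 900 s = 15 min).
        [int]$MaxIdleSeconds = 900
    )

    # Read one registry value; $null when the key or the value does not exist.
    function Read-Value {
        param([string]$Path, [string]$Name)
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # 1. Machine-wide limit (Windows 8 / Server 2012 and later); works even with no screen saver.
    $machineLimit = Read-Value 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # 2. Screen-saver lock. A value under Software\Policies overrides the user's own preference.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    $screen = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $v = Read-Value $policyPath $name
        if ($null -eq $v) { $v = Read-Value $userPath $name }
        $screen[$name] = $v
    }

    # 3. "Remove Lock Computer" policy: if set, Win+L and Ctrl+Alt+Del > Lock do nothing.
    $lockDisabled = Read-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableLockWorkstation'

    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and ([int]$machineLimit -le $MaxIdleSeconds)
    $timeout   = [int]$screen['ScreenSaveTimeOut']       # stored as REG_SZ seconds; $null casts to 0
    $saverOk   = ($screen['ScreenSaveActive'] -eq '1') -and
                 ($screen['ScreenSaverIsSecure'] -eq '1') -and
                 ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        MachineInactivityLimitSecs = $machineLimit
        ScreenSaverActive          = $screen['ScreenSaveActive']
        ScreenSaverRequiresLogon   = $screen['ScreenSaverIsSecure']
        ScreenSaverTimeoutSecs     = $screen['ScreenSaveTimeOut']
        ManualLockDisabled         = ($lockDisabled -eq 1)
        LocksWithinLimit           = ($machineOk -or $saverOk) -and ($lockDisabled -ne 1)
    }
}

Get-IdleLockStatus -MaxIdleSeconds 900 | Format-List
```

`LocksWithinLimit` is false on a stock install, because nothing sets either limit by default; that is the gap the pranks in this thread were exploiting. The machine inactivity limit is the one to push by GPO, since it does not depend on a screen saver being configured at all.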


Am I missing something or is this pretty much like stealing a car that was unlocked with the keys left in it?


As far as car analogies go, this is not too far off the mark.


> Everybody would laugh about it but still wasn’t giving the needed outcome

It's scary how many people don't take their machine's (or their network's) security seriously.

I used to run reverse shells on machines that my coworkers left unlocked (easier as our network is more relaxed) - after launching annoying things they got the point very quickly and now nobody leaves their machines unlocked.


[deleted]


I originally commented and was perhaps too harsh, so I deleted it shortly after submission.

This really shouldn't be considered a prank. He might have deserved it, I have no idea. I wasn't there. But that's playing with someone's personal life.


The most misogynistic thing in this story was you thinking that the said woman was not capable of figuring what's going on on her own. You've stepped over quite a few lines there.


[flagged]


> You well and truly are a piece of shit.

You can't comment like this here. We've banned this account.



