• (cs) in reply to snoofle
    snoofle:
    Chikpee:
    I hope you've found another great job since then and not one where they kill the messenger for trying to make the org more secure.
    Do jobs like that actually exist?

    My company has a pretty well advertised no retaliation policy. It might be one of a kind.

  • slau (unregistered) in reply to chubertdev

    Not the only one. I've disclosed a number of major security issues in our production systems, going as far as to demonstrate how easy to exploit some of them were. I'm a technical manager (company uses dual track management), and sometimes my resources will come to me to discuss security issues.

    On a number of occasions, one my guys found a security issue, but didn't feel comfortable "owning" it. In one case, the code was written by the now-CEO's father. When that happens, I present the issue to the company as something "the team" found. Depending on how paranoid the resource is, not even the team knows who among them discovered it.

    Thing is, never in the company's history has anyone been fired for reporting a security issue. Some have been fired for being intentionally malicious, but that's a completely different story altogether.

  • chris thomas (unregistered) in reply to Egon

    although still a pity they fired you for making it obvious that it was insecure, perhaps you uncovered a nice ruse they already knew about and now they would have to change it, the game was up, so you got the chop for exposing the game.

  • Zilch (unregistered)

    Yes, altering credit cards for fun and profit is a fun exercise. If you have the proper equipment, making up a stripe on a card that is the same as your ex-wife's ATM card is a wonderful exercise. It becomes even better when you "recover" some payoff money you had to give her and use it for a sailboat day trip with you new friend (who is now your wife 2.0). Some of these things give you a wonderful feeling at the end of the day.

    Not that I did anything like that, as it might not be too lawful, but the $100 really did feel good.

  • Beta (unregistered) in reply to chubertdev
    chubertdev:
    My company has a pretty well advertised no retaliation policy. It might be one of a kind.

    No, I used to work at a company with a no-retaliation policy. It's an easy policy to write, and it makes for good PR. Less well-publicized was the ubiquitous retaliatory practice.

  • alvatrus (unregistered)

    Never, ever disclose a security flaw before having a written statement from management that it is ok to look for them. Even (especially) if you've found such a flaw.

    Then mention that you found such a flaw, and its consequences, but still don't disclose the method. (So they can't quickly fix it.) Let them worry. Only when it is firmly established (in writing) that it is your job to discover such vulnerabilities, and you negotiated a raise, you disclose the method.

    Management never takes something serious until is costs them.

  • JJ (unregistered) in reply to belgariontheking
    belgariontheking:
    Even the Ghostbusters started somewhere.
    Egon, your mucus.
  • (cs) in reply to snoofle
    snoofle:
    Chikpee:
    I hope you've found another great job since then and not one where they kill the messenger for trying to make the org more secure.
    Do jobs like that actually exist?

    Yeah, you turned it down... remember? He asked you about hiring snoofle.

  • (cs) in reply to Beta
    Beta:
    chubertdev:
    My company has a pretty well advertised no retaliation policy. It might be one of a kind.

    No, I used to work at a company with a no-retaliation policy. It's an easy policy to write, and it makes for good PR. Less well-publicized was the ubiquitous retaliatory practice.

    Sounds Like you screwed the pooch.

  • s73v3r (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    It's always amusing that when somebody thinks they're doing a good deed to expose a flaw, they get punished instead. I really wonder what thought process is going on in the management's heads when this goes on. It should be:

    Boss #1: This guy found out that it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: Good on that guy for finding that, we never would have known!

    and instead it's:

    Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: He must have found out because he was trying to sabotage us, because he's thinking OUTSIDE THE BOX! We can't have that, can we? OFF WITH HIS HEAD (thinking: Shit, I left that flaw in...)

    Stupid every single time, yet this behavior continues. So the question becomes, how do we fix it?

    Instead of disclosing to management, you publicize it to the world. For a while people might continue to get fired, but after enough of these, companies will realize it's much better for their employees to disclose problems internally than it is to tell the world about them

  • (cs) in reply to s73v3r
    s73v3r:
    ObiWayneKenobi:
    It's always amusing that when somebody thinks they're doing a good deed to expose a flaw, they get punished instead. I really wonder what thought process is going on in the management's heads when this goes on. It should be:

    Boss #1: This guy found out that it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: Good on that guy for finding that, we never would have known!

    and instead it's:

    Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: He must have found out because he was trying to sabotage us, because he's thinking OUTSIDE THE BOX! We can't have that, can we? OFF WITH HIS HEAD (thinking: Shit, I left that flaw in...)

    Stupid every single time, yet this behavior continues. So the question becomes, how do we fix it?

    Instead of disclosing to management, you publicize it to the world. For a while people might continue to get fired, but after enough of these, companies will realize it's much better for their employees to disclose problems internally than it is to tell the world about them

    Do it anonymously. Plus you get the benefit of them actually fixing the problem.

  • s73v3r (unregistered)

    Why was the boss and the employer in this story anonymized? These dumbasses should be named and shamed, so that, not only will anyone with half a brain refuse to work for them, but that everyone on the underbelly of the internet knows that they don't like having their problems pointed out to them, and so they have their systems attacked time and again until they realize they need to change their ways.

  • farquat (unregistered) in reply to Ned

    Fortunately, I work in Tech support for a software where I get kudos for reporting problems. I've found a few security bugs, and they get fixed. True story.

  • Jazz (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    Stupid every single time, yet this behavior continues. So the question becomes, how do we fix it?

    It seems to be management policy (in almost all organizations, in almost all industries) to shoot the messenger.

    Theory: Given the ubiquity of this approach, and the fact that ostensibly-educated people continue to promulgate it, I think it's reasonable to conclude that Shooting The Messenger is being taught to management students as the correct approach.

    Solution: Instead, shoot the managers.

  • (cs) in reply to slau
    slau:
    I'm a technical manager (company uses dual track management), and sometimes my resources will come to me to discuss security issues.
    They're PEOPLE, you bastard.
  • (cs) in reply to It'sMeMario

    When I was in grade school, we had a punch card for lunch -- you paid your money, and got a punch card that was good for 2 weeks. Well, punching the card took too long, so they switched to a rubber stamp. It turns out that if you tear your punch card and tape it back up, that the ink just rubs off the tape. I got lots of free lunches that way, until the tape got too black and the lunch lady moved on to the next punch.

    And don't ping on me; that was like 35 years ago and I was just a little kid back then.

  • EsotericNonsense (unregistered)

    This article makes me sad.

  • (cs) in reply to Zylon
    Zylon:
    slau:
    I'm a technical manager (company uses dual track management), and sometimes my resources will come to me to discuss security issues.
    They're PEOPLE, you bastard.

    Human Resources?

    We have a whole department that has betrayed you.

  • the beholder (unregistered)

    Bruce Schneier on the subject.

    Too bad Egon didn't read it before he attempted to do the right thing. When I was younger I probably would have naively tried that too, but not anymore.

    Whistleblowing doesn't work because companies don't care for security, except in appearances. They care, however, for PR and that's why the best aproach is turning the flaw into a matter of PR. If they have to decide between receiving bad press or paying the cost of patching they'll always chose the latter.

  • BillR (unregistered) in reply to Egon

    This wasn't at a university in Southern California, was it?

  • Herp (unregistered) in reply to s73v3r
    s73v3r:
    Why was the boss and the employer in this story anonymized? These dumbasses should be named and shamed, so that, not only will anyone with half a brain refuse to work for them, but that everyone on the underbelly of the internet knows that they don't like having their problems pointed out to them, and so they have their systems attacked time and again until they realize they need to change their ways.

    Believe it or not, it's actually somewhat damaging to be labeled as a whistle blower publically. I'm sure we wouldn't be doing "egon" any favors to expose his former employer publically for them to do the same in kind.

    My company has a lot of critical infrastructure products. If we had a problem that was publicly exposed before we could fix it, it could have serious consequences for our customers. For security reasons we would -not- hire anyone who has a history of sharing internal issues of previous employers.

  • Chelloveck (unregistered)

    I wish I could say this was an isolated, extreme case, but I know several people who were fired (mostly from universities) for the same type of "attack" on computer security.

    I was almost fired from a corporate position for such a thing. I showed the network admin just what could be done with an ssh tunnel and VNC. She showed her boss, and they had a discussion regarding what should be done about me. They decided that they'd rather have me on their side than against them, so they didn't get HR to show me the door. They just decided to keep an eye on me. Double-secret probation, as it were; I didn't find out I was on a watch list until much later.

    It just doesn't pay to point out security holes. Especially when you're right. If you find a hole it can't be their fault; they're professionals and their security is obviously air-tight. No, you must be... A HACKER! Duh-duh-DUUUHNN!

  • George (unregistered) in reply to Not-that-alex
    Not-that-alex:
    Some university (I don't tell you which one) uses RFID chips nowadays. But for additional fun, they hand out RFID readers to students, if the students need them for some fancy project. Just write a proposal.

    Additional fun: There are three universities very close to each other (not as close as Harvard and MIT, but close). They bought there security system from the same vendor, so they have the same system. The student-ID-cards even look the same (except for the logo). The system obviously was configured the same way at all three universities. So my student ID is 123456789. "123" obviously is some code for the year in which I started my studies, "45" is a code for computer science, the rest is random (or I didn't get the system yet, I figured that out by comparing to other student's IDs). Naturally the ID is stored in ASCII...I can't think of a more convenient and less space-consuming format to store a number < 2^32...

    At the neighbouring university, 123456789 was given to someone who started the same year and has the same term of studies, so my card opens the software lab at my university, it also opens the software lab at the other university (which is pretty much known to everyone). Probably this one is by design, as the universities co-operate.

    I am writing my thesis in software engineering, so my card also opens the software engineering chair at my university. Besides the main entrance that is the student work room, the seminar room (which is boring), the chair's library and the chair's server room. When one of the phD students lost his card, I found out that I can open his office. I did not try the professor's office yet, but I guess it does work.

    I don't know that guy, but probably 123456789 at the neighbouring university is related to the concurrent systems chair somehow. I figured that out one day late in the night. They do have HP Blade servers. I met the guard at my way out, but he thought it probably is okay, because I had a key card and the photo on the card was in fact me.

    PS: Yes, hacking the universities security was a fancy project, so we got RFID readers for it. The proposal was titled "Pen-testing the software lab entrance system". We even got a good grade for this, but they did not change it.

    Wow - that's one hell of a coincidence that you got the sequence 123456789

  • (cs) in reply to Mike B
    Mike B:
    So instead of openly exposing this deficiency fire the guy to create a diversion of wrong doing to silence the issue then fix it quietly.

    In my experience, the last step seldom happens.

  • hobbes (unregistered)

    An alternative explanation; Management found out well after the fact of all the crap he WAS doing, but given the time delay, were disinclined to initiate disciplinary proceedings.

    Then along comes this excuse. Not a good excuse, mind you, but an excuse none the less.

    That the previous tech up and went on a "mission", despite this being a dream job, suggests the lax supervision was a temporary state of affairs.

  • Lane (unregistered)

    How you know they changed the design of the security badges suggests you might need to update us with another WTF.

  • (cs)

    And I expected he tried to sell the smallpox virus over eBay!

    Instead of making flaws in the system public it is always way better to use them. Because then a) you remain anonymous and b) you profit from it and c) because of that it might actually get fixed.

  • (cs) in reply to Egon
    Egon:
    To be fair they did at least fix it a few months down the line, all the stripe readers where changed to enabled reading of the second track and all the ID cards where re-issued to include a random number on the second track.
    I've seen worse. Uni I went to, they also stored the balance for students' WTFPay accounts on the ID card. Clever entrepreneurs armed with mag-readers and netbooks would charge a flat $20 fee to put any balance you wanted on those cards. It took them a surprising amount of time to catch on to this.
  • Jonathan Wilson (unregistered) in reply to ObiWayneKenobi

    I suspect a lot of the time the thinking is this: Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: How much is it gonna cost to fix this? Boss #1: (big sum of money) Boss #2: Ok, lets not fix this since the money to fix it would probably come from our executive bonuses, lets find a way to blame it on the guy instead.

    In this case fixing it would mean replacing all the cards, the back end systems and software and possibly all the readers too.

  • Ironside (unregistered)

    the real WTF is he didn't clone people's cards and get free parking and lunches. What's the point in having that knowledge if you don't benefit from it?

  • (cs)

    If I were Bill, the exit conversation would have gone "I've been told to fire you, and so I must. However, I happen to know that there will soon be a urgent vacancy in this very department, and they haven't told me I can't hire you again. Might be more money in it with for someone with relevant experience".

    HR could probably be made to play ball if approached in the right way (cough (lawsuit)).

  • (cs)

    So, let us just recap:

    (1) Person A is wearing a pair of trousers, unaware they have a large hole in the crotch.

    (2) Person B notices hole in crotch, and politely informs Person A that they may wish to do something about it.

    (3) Person A responds by blaming Person B for the hole, slapping him around the face, AND THEN... CRUCIALLY... LEAVES BALLS HANGING OUT.

    (4) Person B now, apparently, has Person A by the balls.

    ...

    (5) Profit. <--- Why hasn't this bit happened?

  • Herr Otto Flick (unregistered) in reply to DrPepper
    DrPepper:
    When I was in *grade* school, we had a punch card for lunch -- you paid your money, and got a punch card that was good for 2 weeks. Well, punching the card took too long, so they switched to a rubber stamp. It turns out that if you tear your punch card and tape it back up, that the ink just rubs off the tape. I got lots of free lunches that way, until the tape got too black and the lunch lady moved on to the next punch.

    And don't ping on me; that was like 35 years ago and I was just a little fat kid back then.

    FTFY

  • Xaverian (unregistered)

    I was once threatened with expulsion from university for using net send *.

    Walked into the deans office, told him exactly what I thought of their poor response, told him I'd show the "TSG" (incompetent tech people) how to block it if they dropped the "community code charges" (huge fines and expulsion, very vague "offenses". I "acted contrary to the standards of a $uni citizen" or some such crap) otherwise I was filing a lawsuit for future lost income over the wrongful dismissal.

    The told him I didn't have all day and to make up his mind. Took the old fuck off guard and won.

  • belzebub (unregistered)

    Yeah... that's so outrageous.. only.. is it the whole story?

    I suspect, maybe Egon did a little more.. eh? Maybe he actually MADE a fake dean's card.. and then, after he showed off before all his friends and colleagues, only then he told the management about "security flaw".

    ..I'm just suspicisous because I've seen a lot of guys fired because of some serious security breaking who then claimed that all they did was they pointed out the problem and they shoul've been rewarded..

    Nothing personal Egon, maybe you are the victim here.. but I know some of the TDWTF stories contains a fair share of bullsh*t..

  • Ben Jammin (unregistered) in reply to snoofle
    snoofle:
    Chikpee:
    I hope you've found another great job since then and not one where they kill the messenger for trying to make the org more secure.
    Do jobs like that actually exist?
    I actually was in a company that, every once in a while, spent a week doing a "security off" where everyone competed to find flaws. Winner gets lunch. Sounds like some of these companies, winner gets canned.
  • Cloy McTrure (unregistered)

    Most companies I've worked, management'll struggle to raise an eyebrow if you point out a security flaw. Most likely ignore you and continue on their way. If you're lucky you might get an enquiry as to how much to fix it. Then told to fuck off and do some work.

  • Mike (unregistered)

    cf. Richard Feinman's lock-picking adventures during Manhattan project from "Surely You're Joking, Mr. Feynman!"

  • jay (unregistered) in reply to belzebub
    belzebub:
    Yeah... that's so outrageous.. only.. is it the whole story?

    I suspect, maybe Egon did a little more.. eh? Maybe he actually MADE a fake dean's card.. and then, after he showed off before all his friends and colleagues, only then he told the management about "security flaw".

    ..I'm just suspicisous because I've seen a lot of guys fired because of some serious security breaking who then claimed that all they did was they pointed out the problem and they shoul've been rewarded..

    Nothing personal Egon, maybe you are the victim here.. but I know some of the TDWTF stories contains a fair share of bullsh*t..

    That's a good point. One simple, practical rule I've learned in life is: If someone tells you of a conflict he had with another person, it will almost always be phrased to make the speaker sound like the completely innocent and rational party and the other person the foolish or evil one. And of course sometimes that's the reality. But sometimes it isn't.

    I recall one time a co-worker telling me about an argument he had with another person in the organization, and I walked away thinking, "Wow, the other guy was really a jerk about this." Then later I heard the other guy's side. And it really struck me: He did not at any point contradict anything that the first guy had said. There was no need to suppose that one was lying and the other was telling the truth. It was quite possible that everything that each of them said was 100% true. But the first guy just didn't mention some things that the second guy brought up, and vice versa. It wasn't even like one of them left out something obviously crucial, like "Well, yes, I did punch him in the face before he started cursing at me, didn't I mention that?, but he had no right to speak to me that way anyway." They each just had their own perspective.

    (Not saying that the person in this story DID do something questionable. I have no idea.)

  • Legal Weasel (unregistered) in reply to QJo
    QJo:
    Way back in the very early 1980s a couple of old schholfriends of mine found themselves on a university course at a certain uni in the south of England. This was of course the days before cheap personal computers, although the first micros were out, and my age-group had the opportunity to make obscene amounts of money getting in at the ground floor on the sharp end, so to speak.

    These friends, being particularly intellectually able, soon found that their course work was insufficient to occupy their minds and imaginations, so took it upon themselves to see how easy it was to crack open the security on the university computer (see, told you it was a long time ago)

    The upshot was that soon they knew more about that damn computer than anybody else in the university, and their lecturers and other assorted staff members basically gave them free rein to explore and exploit every single loophole in the security they could find, as long as they reported back at the end of the day where that particular flaw law.

    Thirty plus years later, one of those friends is still working in the field of computer security.

    By way of comparison: Fast forward to a private US high school in 1998 or so, with a fresh T1 and some shiny newish NT machines for student use. I was one of the small (and by small, I mean 3) class of CS students at the time, having been mostly a DOS user, minimal experience with the horrors of Win 3.x, then 'happily' puttering with trying to get OS/2 Warp to run on anything. The one and only unclean trick I knew was how to get an unencumbered Netscape running on the NT boxes and that was about all I cared about.

    I think the CS teacher, along with much of the ad-hoc IT staff, was a Mac beard. Anyhey, after about 6 months or so, the more Windows-familiar kids had started poking at the library machines and for some reason I was drafted to 'secretly' "keep an eye on them, okay?" Sort of an 'unofficial' hall monitor status, and I didn't mind the idea of keeping things running smoothly and learning something, so why not?

    Well, that lasted about a week. The Troubled Mac Addict of the class bumped into me and advised that he could easily drop to root (or Administrator, or whatever the NT/Windows-sphere calls it). Mindful of my 'duties' and not sure if he was full of crap (just another Mac user, right?), I did the obvious and asked him to demonstrate. Which he promptly did - probably leveraging rundll32 although memory is hazy now - and setting the screensaver marquee to "Welcome to the Hell library!" [So if any of you are reading this - hey, A.K., I salute you, and a big belated GFY to the administrative parties who pulled what happened next.]

    There I am, having just collected 'useful' info on the exploit to report, waiting around for him to leave so I can change it back without 'blowing my cover' or being a spoilsport - after all, the goal is to secure the network, and nobody seriously expects me to rat out friends or frenemies in a total graduating class of two dozen kids, right? - and the librarian [who generally didn't mind us nerds] pulls up: "HEY, WHAT'S THIS? L.W., FOR SHAME, YOU'RE SUPPOSED TO BE 'IN CHARGE OF SECURITY!' AND A.K., RUN ALONG, EVERYONE KNOWS YOU'RE JUST A MAC USER SO YOU COULDN'T BE INVOLVED IN THIS."

    Thus began the discussion of my expulsion, beginning with an intimidating screamdown from the football coach / disciplinarian for "abusing my power" that left me in tears - hey, 15 year old kid, trying to do the right thing, surely everyone knew me well enough... and once the CS teach came around this would be sorted out, right? Nope, it was the '90s, and suddenly the whole administration had found a witch to burn. Either I'd done it, or I'd Allowed It To Happen, and people I'd previously respected as sane educators / mentors were ready to kick me to the curb.

    As I later found out from Troubled Mac Kid, who may or may not have had his own good reasons to be troubled [P.S. A.K.: I dunno what was up with you, but if it somehow wasn't blatantly obvious, I was and still am a total furfag!], the school was under audit by whoever sets the rankings for private schools, and so potential future tuitions and everyone's job was on the line. Nobody wanted the suits to see any evidence that anything was less than spit-and-polish plus full-student-satisfaction, because there's never any drama or tomfoolery in a brick box full of teenagers, right? And/or nobody wanted to be the one to have The Conversation about who messes with the screensaver ... and while I ended up leaving for an early admissions program before anything hit the fan, there could've been other reasons why it was Important that someone else's name not be attached to this horrible "IT security breach."

    So, I'd gotten a pretty good education there up until that point, and thence learned that The Stories were true and people would go totally batshit whenever 'normal teenage behavior' met 'computers', as held for much of the ensuing decade - things seem to slowly be simmering down now that this generation's teachers are realizing they never figured out how to delete their old bonghit photos from Facebook and they should probably pay more attention to that one kid who tortures cats.

    Unfortunately, while my interest in security (from the boring whitehat direction - a job's a job and work to live, right?) persisted, the lesson that it's a high-risk game and people will turn on you as soon as they need a scapeweasel did too, and I'll just say the whole shenanigans (which probably blew over in less than a week) was one of dozens of contributing factors in the demise of my academic career. No sweet security job, or IT job, or any job for me (thanks, economy from 2001 to 2006 or so!) - That Other Guy I Knew who went all the way to jail for defacing a website made out better, since it legitimized his resume as soon as he was out.

    Moral: Eh, whatever's the same one as for the OP's story.

  • Romojo (unregistered)

    They fired the whistleblower. Tut, when will we learn. if you see a possible exploit and report it, then you're the one making them work, worry, sweat and lose sleep. Best always to keep quiet until a 3rd party (maybe an auditor) finds it. Of course you can suggest to the auditor that they look at <thing> first.

    Captcha... tristique - the small island near Mustique but only big enough for two...

  • Stu (unregistered) in reply to Zylon

    I was about to write that, buy you got there first. Only utter arseholes refer to their employees as resources.

  • Kat (unregistered)

    I did that, too. I determined the same thing: school put ID numbers in the clear encoded on the cards and it wasn't too hard to find the ID numbers either. I alerted the proper authorities and explained the flaw.

    Because I'm at a State university, the campus PD are sworn state police officers. Well... turns out behind my back I was then arrested for "felony possession of a forgery device" for explaining a simple flaw and how to fix it. Court system found me to have had no malicious intent and dropped the case to a misdemeanor and a sealed record (hooray mandatory 'youthful offender' status!).

    The kicker? I'm out $2800 (lawyer, $100 fine, $200 surcharge) and all they've done is just slapped a crappy hologram that says "SECURE" on the card.

  • polanski (unregistered) in reply to Egon
    Egon:
    To be fair they did at least fix it a few months down the line, all the stripe readers where changed to enabled reading of the second track and all the ID cards where re-issued to include a random number on the second track.

    This way you did at least have to be in possession of a card in order to clone it, where as before, you only had to know someone's staff/student ID number... which is printed on the card, and wage slips, and their mail etc..

    Doesn't change the fact that it was a dick move. I learned two things observing such cases in the news and my own experience: 1. The Powers That Be are morons. Either they don't see the problem, or they see the problem from a wrong angle, or propose wrong solution to the problem, or are terminally incapable of rewarding discoveries like this. 2. The less people know the exploits, the better. The exact number should be kept as close to 1 as possible. Also, in case the exploit is discovered by someone else, feign ignorance. Patching it out will be their problem. Reaction of The Powers That Be (who are, as a rule, ungrateful idiots) will be their problem as well. As for using the exploits, it's fair game as long as you're not greedy.
  • Your Name (unregistered) in reply to Bob
    Bob:
    I took his advice, but I still wonder if it was correct.

    Are you kidding?? They make LAW books. You seriously do not think they would not sue for everything you have ever owned, and do their best to ruin your life ala Aaron Swartz?

  • James McNeill (unregistered) in reply to Rob R
    Rob R:
    Egon - can I ask what country this happened in? So many of these WTF firing stories would be easily classed as wrongful dismissal in some places - it would be good to know where to avoid looking for work. :)
    I don't think you have a good chance of winning a wrongful dismissal suit when evidence can be produced that you did things like play pirated games on the 18core workstation and store your beer inside the enviro test chamber. It starts off with a legitimate gripe but it ends with a smear campaign to ruin you.
  • anon. (unregistered)

    A lot of people treat hackers (any kind of hacker) as a complete criminal and are highly prejudiced against hackers lile they are the scum of the community. Forget that the jailbreak on their phone was created by hackers, saying something as innocent as "that looks hackable" or "I can hack" completely blacklists you from being their friend, acquiantance or anything remotely related to them.

    And most people in high positions think like that.

    Sort of like how suggesting cheat codes to some gamers make them give you the dirtiest look in the world and lose all respect for you.

    Also, its like reporting a fault with the bank's security vault (i.e. you can open it without authorization, outside the allowed hours). You will be investigated and charged with stuff... they can't tell what you stole, and why the hell were you snooping on how to open their vault (nevermind that you are for example an expert locksmith hobbyist i.e. lock hacker, and you found it by accident).

    Things like this can never go well. Its really sad though, jobs with virtually no workload, that allowed you to drink beer during lunch and weed too... and seemed like it paid well and was a secure job if he didn't get fired for that.... you could look for several lifetimes but I doubt you'll ever have it that good.

  • dta (unregistered)

    Wow, that's much like how I was once (almost) fired for pointing out a POS gift card bug. I pointed it out to a coworker, whipped up a couple of gift cards out of thin air, deleted them and went on my way. She, on the other hand, thought I was embezzling or something and I ended up doing some fancy talking to keep my job. At least for a while: they brought it up again when they fired me for "insubordination" a few months later.

  • YellowOnline (unregistered)

    I once demonstrated that you could easily get the stored login/password combos out of Firefox (if not using a Master Password). In my enthousiasm I had written a script that would look for computers in a certain subnet and show the plain-text result on-screen. With the same enthousiasm, I took quite a big range and exposed all information for about 180 users.

    Imagine the management looking at 100s of lines showing user/website/login/password all in plain text. Imagine that some of these website were... funny. Imagine as well that the management was part of those users.

    They thanked me for my demonstration and took measures, but I was kindly but firmly asked not to ever do this again or I would risk my job :)

    Captcha: I wasn't OPTO something, really.

  • Decius (unregistered) in reply to Egon
    Egon:
    To be fair they did at least fix it a few months down the line, all the stripe readers where changed to enabled reading of the second track and all the ID cards where re-issued to include a random number on the second track.

    This way you did at least have to be in possession of a card in order to clone it, where as before, you only had to know someone's staff/student ID number... which is printed on the card, and wage slips, and their mail etc..

    A different random number for each card, I hope...

Leave a comment on “The Firing Offense”

Log In or post as a guest

Replying to comment #408559:

« Return to Article