• A Nonny Mouse (cs)

    Ah the good old days... My interview at new media company about 7 years ago comprised being shown my desk and where the kitchen was :)

  • jgayhart (cs)

    Is it me, or is this a duplicate article?

    Unless your name requires a paper hat, who accepts a job within a few hours after the interview?

  • Christopher (unregistered)

    We had this at my last job.

    Normal workers all had the same email password, because the owner of the company insisted that he be able to read everyone's email. rolleyes

    Guess he didn't understand what an administrator is, for one, and why the F he must read through people's emails for the other (we figured that he didn't - he had neither the technical ability nor the time [due to other micromanaging] to do so)

    Company of about 20ish people.

  • Mike (unregistered)

    Having been part of several small start ups, I'm definitely familiar with this story. I am a bit disheartened that the reaction of the writer was to leave. To believe that a small shop would be implementing every aspect of their business (finance, HR, security, etc.) to the level that a large soulless company does is unreasonable. If you bring an ability that could help (the ability to increase the security model or even the ability to help point it in the right direction) then I would think you would be well served to do so. There are a lot of minuses to working for a small company but they are usually outweighed by the pluses. To each their own.

    -cheese

  • NSCoder (cs)

    How did Henry know that Ernie had been arranging his desk, trying to remember his coworkers' names, and committing the food-marking policy for the company fridge to memory before showing up at Henry's desk?

  • akatherder (cs)

    While sharing a password is an extreme example, a lot of small companies can get away with lax security standards. I don't know if it's exactly "security by obscurity" but basically "no one really cares about us". An example would be giving admin rights to everyone. They just "know" what they should and should not do. Just to save time creating groups and administering that side of the fence.

    Whereas larger companies take security to the other extreme. At my former employer laptops are mandatory. They started encrypting everything on laptops. Smart idea... except they picked a crappy supplier and the encryption service blue screened everyone's laptops at least twice per day. Just imagine the lost work of 50,000 laptops getting blue screened every day.

  • gabba (cs)

    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

  • Michael (unregistered) in reply to Christopher
    Christopher:
    We had this at my last job.

    Normal workers all had the same email password, because the owner of the company insisted that he be able to read everyone's email. rolleyes

    Same here at my last job except that we only had ONE email address for everyone too, for the same stupid reason. What the boss somehow didn't know was that everybody could read her mail this way too. Which was sometimes really funny =].

  • egon0119 (unregistered) in reply to gabba
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    It's more than an IT policy not being fully implemented, it is balls-out stupidity.

  • Kanzi (unregistered) in reply to NSCoder
    NSCoder:
    How did Henry know that Ernie had been arranging his desk, trying to remember his coworkers' names, and committing the food-marking policy for the company fridge to memory before showing up at Henry's desk?

    Oh you! :-)

    But I can't say anything, because the exact same thought sprang to my mind as I was reading it.

  • Kanzi (unregistered) in reply to gabba
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    Even more fun is working at a large soulless corporate conglomerate which still doesn't have its IT policies fully set up.

    It happens!

  • Lord Parity, Last Count of Register (unregistered) in reply to Mike

    I agree. Places like that are fun because one is free to make a difference.

    One of the best places I ever worked was started by two former coworkers who had become good friends over the years. They solicited me to become the third person and first employee. I built their entire product line from scratch, given only rough functional specs. Everything worked well, sold well, and needed minimal support.

    Alas, the company had a fundamental problem which brought the good times to an end after five years or so, but it was a great ride while it lasted.

  • Charlie (unregistered)

    One of my old company's clients is a national jewellery chain. The HQ is in a nondescript building, and they use their company name on the buzzer (not the trading name). To get into the office you have to pass through an airlock style arrangement of multiple doors with security cameras and bulletproof glass. Once in, the main office is ringed with impressive looking man-sized safes (no Dick Cheney tho).

    Their administrator password is blank, and is what everyone uses to login.

  • me (unregistered) in reply to gabba
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    No, sorry, insisting that all users share the same password (and impossible to remember at that) and for the reasons given is not "not having IT policies fully set up". The proper term is "idiots in charge" and that's why he ran away screaming, I bet.

  • alegr (cs) in reply to akatherder
    akatherder:
    At my former employer laptops are mandatory. They started encrypting everything on laptops. Smart idea... except they picked a crappy supplier and the encryption service blue screened everyone's laptops at least twice per day. Just imagine the lost work of 50,000 laptops getting blue screened every day.

    Windows 2000+ EFS was not good enough?

  • TheRider (cs) in reply to alegr
    alegr:
    Windows 2000+ EFS was not good enough?
    Oh, no -- Windows is never good enough. Got to have at least a hardware solution... How about using hard disk built-in encryption by setting a hard disk password?
  • Jozef (unregistered)

    I used to work for a company where the default e-mail password was the person's first name. Even though all were encouraged to change their passwords, I was the only one to have done so. To this day I can check the e-mails of my former coworkers...

  • ParkinT (cs)

    Hey. This beats being hired by the secretary!

  • Your Name (unregistered) in reply to me
    me:
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    No, sorry, insisting that all users share the same password (and impossible to remember at that) and for the reasons given is not "not having IT policies fully set up". The proper term is "idiots in charge" and that's why he ran away screaming, I bet.

    okay.

    believe it or not, in a really small company, the individual is important enough that his or her actions (or inaction) could destroy the company. This goes well beyond logins, but let's pursue this idea.

    Let's say somebody calls in sick, or gets hit by a bus. There's much work to be done, I need to get on that computer because the file we need (this minute) is stored on the desktop of that user. The network file server is in its infancy and people tend to forget to move the current revision over to it.

    Keep in mind that new computers come in "whenever" and they're all bargain of the month specials from "wherever". Setting up the administrator account with a password would involve the lucky person receiving the new computer typing it in personally. It's either everyone knows they have the same password login or everyone knows the administrator password for everything. What do you choose?

    If you like the fact that you can go postal at your faceless conglomerate, have a special "disaster recovery" crew dispatched to have the mess cleaned up in short order, and all the while not affect the stock price by more than a quarter of a percent, then I suggest you stay away from small companies.

  • FredSaw (cs) in reply to jgayhart
    jgayhart:
    Unless your name requires a paper hat, who accepts a job within a few hours after the interview?
    Hungry people?
  • Moo (unregistered) in reply to egon0119
    egon0119:
    It's more than an IT policy not being fully implemented, it is balls-out stupidity.
    Far more than that. It's the mother of all irony. Nazi-level monitoring in a small company.
  • Code Monkey (unregistered)

    Wow, this sounds exactly like the company I just started working for. My domain password, e-mail password, and intranet password (where all of the time sheets are done) are all exactly the same. Oh, and so is everyone else's.

    To be fair, not all of the e-mail passwords are the same (just most of them). Can't remember your password? That's cool, the head of the accounting office keeps it in a bright orange binder in his office (which doesn't get locked at night).

    Why? Because what if they need to access your e-mail when you're gone?

    Better still is that the administrator password for every single computer is nothing. There isn't one. Not that it matters, since all of our users have admin access to the machines.

    It's a head-slapper, really, but I'm working diligently to change the way things are done. Thankfully, some headway is being made.

  • Zecc (cs) in reply to NSCoder
    NSCoder:
    How did Henry know that Ernie had been arranging his desk, trying to remember his coworkers' names, and committing the food-marking policy for the company fridge to memory before showing up at Henry's desk?
    Small company. News travels fast.

    But yeah, I read it like that too.

  • Spike (unregistered)

    The security in such companies is based on "everyone knows everyone" and "we all have better things to do". I have worked in such a company for a few years and I implemented a few security principles over the years. If the reader needed some refreshing, he could as well give it a shot. I choose a small company 1000 times above a large multinational for not being a number and the diversity of the job. And if you think something is bad, you can change it in a small company! I think the writer was as soulless as those companies he used to work for after all because of his decision to leave on this 1 thing and not giving it a fair shot. The accomplishment could only be bigger.

  • Heron (cs)

    I worked at a data management company last year, and because I needed to monitor (and start) some file processing stuff while I was at home I set up remote login permissions through ssh on the only server they had that was visible from outside the network.

    I'd guarantee that login info is still there, and I doubt they've changed any of their passwords for the rest of the servers... if I really wanted to I could probably wipe their production databases, or worse, steal the valid credit card information they store. Fortunately for them I have a moral standard that does not permit me to do that to them (instead I'll be soon starting my own company to steal their clients).

    Yeah, their "security" policies are a joke.

  • Sean (unregistered)

    That's not the honor system. When you leave, they change the password.

    We used to have a few shared accounts just because of recurring permission problems of uploading files to a server. Whenever someone would quit, we'd change the password.

  • akatherder (cs) in reply to alegr
    alegr:
    Windows 2000+ EFS was not good enough?

    Considering the size of the organization, I was not a "stakeholder" or "decision maker". So I can only make assumptions. Everyone was administrators on their own laptops and you could login without logging into a domain so they couldn't force policies with 100% certainty. So I don't think the files in COMPUTER\USERNAME would be encrypted with EFS. I could be completely wrong.

    More likely, their thinking is that anything that can be done for "free" on Windows can be done much better if you pay a crapload of money for it.

  • Mr Mr (unregistered) in reply to Code Monkey
    Code Monkey:
    Why? Because what if they need to access your e-mail when you're gone?

    That's what ticket systems are for. All external (and perhaps internal too) should be routed through a ticket system.

  • Martin Dreier (cs) in reply to Your Name
    Your Name:
    me:
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    No, sorry, insisting that all users share the same password (and impossible to remember at that) and for the reasons given is not "not having IT policies fully set up". The proper term is "idiots in charge" and that's why he ran away screaming, I bet.

    okay.

    believe it or not, in a really small company, the individual is important enough that his or her actions (or inaction) could destroy the company. This goes well beyond logins, but let's pursue this idea.

    Let's say somebody calls in sick, or gets hit by a bus. There's much work to be done, I need to get on that computer because the file we need (this minute) is stored on the desktop of that user. The network file server is in its infancy and people tend to forget to move the current revision over to it.[...]

    Yea, you're right...oh, wait, there is this new-fancied thing ... what's it called again? ... oh, yes, "Domain Administrator". Like, you know, one or two trustworthy persons (not implying that everyone else is untrustworthy) who have access to everything, and not the guy who left three months ago after an argument with the boss and who works now for the main competitor.

    It's just as if somebody actually thought about that once...

  • Zylon (cs) in reply to Spike
    Spike:
    I choose a small company 1000 times above a large multinational for not being a number and the diversity of the job.
    Wow, sounds like you have trouble holding down a job!
  • Tigger (cs) in reply to Mr Mr
    Mr Mr:
    Code Monkey:
    Why? Because what if they need to access your e-mail when you're gone?

    That's what ticket systems are for. All external (and perhaps internal too) should be routed through a ticket system.

    ...and in larger companies they are, but in smaller ones the license cost of a ticketing system could cripple the company, and if only one person ever answers the tickets then it's wasted money.

    Better would be to have a ticket@mycompany.com alias which redirects to fred@mycompany.com, so that if Fred leaves then myticket@ could be easily redirected to bill@mycompany.com. Zero extra cost, increased flexibility, each person gets their own password.

    Of course that only helps if the boss doesn't insist on everyone using the communal password...

  • luct (unregistered) in reply to Your Name
    Your Name:
    Let's say somebody calls in sick, or gets hit by a bus. There's much work to be done, I need to get on that computer because the file we need (this minute) is stored on the desktop of that user. The network file server is in its infancy and people tend to forget to move the current revision over to it. Setting up the administrator account with a password would involve the lucky person receiving the new computer typing it in personally. It's either everyone knows they have the same password login or everyone knows the administrator password for everything. What do you choose?
    Call in the administrator to open that computer (supposing you're so sick you can't speak)? And if he's the only administrator you have... well, you have a problem.
  • Your Name (unregistered) in reply to luct
    luct:
    Your Name:
    Let's say somebody calls in sick, or gets hit by a bus. There's much work to be done, I need to get on that computer because the file we need (this minute) is stored on the desktop of that user. The network file server is in its infancy and people tend to forget to move the current revision over to it. Setting up the administrator account with a password would involve the lucky person receiving the new computer typing it in personally. It's either everyone knows they have the same password login or everyone knows the administrator password for everything. What do you choose?
    Call in the administrator to open that computer (supposing you're so sick you can't speak)? And if he's the only administrator you have... well, you have a problem.
    Heh, it's even better than that-- Sometimes there's really no administrator at all.

    There's just a guy in a white van that occasionally shows up to pull new cabling through the wall or to fix the phone system.

    Or maybe this "administrator" is the one who is chosen this week to take the backups offsite (home).

  • Wyle_E (unregistered) in reply to Mike

    While you might expect a small, young company to be a lot less tight-assed than a megacorp, everyone sharing a password bespeaks a degree of cluelessness that shouts "Bail out now, before you find yourself trapped in the wreckage!"

  • Konrad (unregistered)

    I remember my first interview. It was with the managing director, and every so often he would remember that he hadn't made me a job offer yet and qualify a statement with ... that is of course if we decide to hire you.

    It was for a small financial planning company who hadn't quite caught up with technology. There was a dialup modem which was used to check the company email address once a day.

    When we first started sending things out by email we managed to get a total of 10 email addresses (at the time 1999 there were 100+ company representatives). When I left 7 years later at least one of them was still running an accountancy practice without a computer in the office.

  • fred (unregistered)

    I created a startup, and while we had passwords, almost everybody knew the password of everybody else. Because, you know, when it is 3AM and your co-worker has not committed the bit of source code that was needed for the build, well, you log in his account and commit it. Or sometimes you just sit down next to someone that is under some crunch to fix a bug for a customer, you work with him a few hours, and continue to work with his account while he is taking a nap. You don't want to be unable to work because of some pesky issue, like a need to reboot.

    In a small fast moving structure, any employee can destroy the company if he wants to. It is getting your priorities wrong to implement security in such an environment.

    The reporter should have gone working in at least a mid-sized company, as he was obviously not fit for a start-up...

    We had some employees like him, that really wanted to work for start-ups, but were unfit. They have a sort of holier-than-you attitude, complain about the lack of processes and generally have a low productivity and high maintenance cost in fast moving environments...

  • Ugh (unregistered) in reply to Mike

    that's an interesting idea, but I'm afraid there's no saving some companies... I've re-done the IT for a reasonably-large factory. the WTF was not that they were using a COBOL stock/shipping program (it was 32-bit COBOL!), but that they used a public-writable FTP, so outside companies could upload their data. Luckily, their (MS) FTP server (Also fileserver, domain controller, etc.) was behind a firewall which only allowed FTP traffic, so it was safe (or so the client assumed).

    I ripped out the FTP server, removed the french porn that had accumulated (PubFTP, anyone?), installed a Linux machine in the DMZ and made the Windows server retrieve the files afterward. ('find . -mmin +5 -exec mv {} /pub/out/ \;' in a queue runner for uploaded files) I had already set up password-protected FTP and scp, but no-one would use it. For good measure, I made the Linux machine into an e-mail scanner/gateway as well.

    Everything was documented and running smoothly when I left.

    As soon as I left the client, the original admins came in, junked the Linux server and hooked the Windows server straight back to the internet, because they were having (unrelated) trouble with a client uploading files.

  • SomeGuy (unregistered) in reply to fred
    fred:
    I created a startup, and while we had passwords, almost everybody knew the password of everybody else. Because, you know, when it is 3AM and your co-worker has not committed the bit of source code that was needed for the build, well, you log in his account and commit it. Or sometimes you just sit down next to someone that is under some crunch to fix a bug for a customer, you work with him a few hours, and continue to work with his account while he is taking a nap. You don't want to be unable to work because of some pesky issue, like a need to reboot.

    In a small fast moving structure, any employee can destroy the company if he wants to. It is getting your priorities wrong to implement security in such an environment.

    The reporter should have gone working in at least a mid-sized company, as he was obviously not fit for a start-up...

    We had some employees like him, that really wanted to work for start-ups, but were unfit. They have a sort of holier-than-you attitude, complain about the lack of processes and generally have a low productivity and high maintenance cost in fast moving environments...

    I'm sorry but being small is no excuse for not having security. I worked for a small business for 4+ years and I implemented basically all of the network and email security they still have today. It's not hard to set up a domain, no user should have sole access to a computer and Microsoft makes small business packages specifically for these kinds of setups.

    On top of that if you are putting out production builds that include a "bit of code" that is only on one guy's machine, then you are an idiot. Source control is free, you should never be building a production release from a development machine. Every time you do you are asking for a customer to kick you in the crotch.

    The people who complain about infrastructure being too expensive and that they don't need it, and that they get by "just fine" with their cowboy environments are just lawsuits and lost money waiting to happen.

  • MrEs (unregistered)

    Yep my last work place was like this... I kind of miss it, being able to just SSH into anybody's box and take their known, well working SAMBA configuration for example made things really easy and everybody really honoured it.. oh well

  • the submitter (unregistered) in reply to me
    me:
    gabba:
    He quit a job at a startup just because they didn't yet have their IT policies fully set up? WTF? Hope he's having fun now at some large, soulless corporate conglomerate.

    No, sorry, insisting that all users share the same password (and impossible to remember at that) and for the reasons given is not "not having IT policies fully set up". The proper term is "idiots in charge" and that's why he ran away screaming, I bet.

    You got that right. That was the reason why I left, not the password thing itself, but the level of stupidity and micro-management I witnessed. The password thing was just the perfect way to illustrate it.

    Btw, they were not that small of a company, but rather a small branch. Also, I don't want to get into details but they worked with sensitive data, so they really don't have an excuse for their poor security policies.

    Cheers

  • dp.design (cs)

    I can one up this.

    At my last job, not only did everyone share the same password, but everyone logged into the same HP-UX NIS account.

  • TGV (cs) in reply to Mike
    Mike:
    To believe that a small shop would be implementing every aspect of their business (finance, HR, security, etc.) to the level that a large soulless company does is unreasonable.
    That might be unreasonable, but a bit of decorum can be expected. When I started at the smallest company possible, we had separate logins, mail-accounts, etc., for everybody, as well as an (external) accountant before we started working. It's not that difficult nor very expensive, especially when you think of the costs involved in a major f... mistake.
  • pscs (cs) in reply to Martin Dreier
    Martin Dreier:
    Yea, you're right...oh, wait, there is this new-fancied thing ... what's it called again? ... oh, yes, "Domain Administrator".

    There speaks someone who's obviously never worked in a non-IT small company..

    Say you're in a furniture company with 8 office employees. Who do you think is the domain administrator? Do you think they'll HAVE a domain? No, they'll have 8 or 9 XP computers networked (or, if you're unlucky, 8 Windows 95 computers with an XP computer acting as the server). The "administrator" will be the accountant who comes in once a week and knows a bit more than anyone else about those funny boxes which do things.

    They just won't have the spare money to get a proper Windows server, and either train up someone to know about it or employ a external IT company to look after it - after all, "everything works OK now".

    The proper reaction of our Henry would be to have taken advantage of the fact that this was a small company, and therefore, he COULD make a difference. It sounds like he came in with the mindset of being an ignorable bod from a large company, when you do need to change your mindset considerably going to a small company.

    I don't know what Ernie's real job was, but it's extremely possible he was the financial director, rather than the IT person (for some reason finance people seem to get 'promoted' to support the computers as well - possibly because most of them understand Excel, so are obviously computer experts).

    So, if Henry was a sucker for punishment he could well have had the opportunity to take over from Ernie and put in place better procedures and maybe learn why the current "lax" procedures were actually in place (the 'someone being run over by a bus' problem is a big concern in small companies).

    Of course, if Henry HAD spoken to TPTB and expressed his concerns and put forward workable suggestions for improvements and they'd ignored him or told him to mind his own business, then leaving might be more appropriate - but that isn't mentioned in this article.

  • DC (unregistered)

    Had exactly the same experiences though I was fresh out of uni. By explaining why it was wrong and how we could still access emails when someone left they allowed me to "change" their policy.

    Sounds like the guy had no influencing skills.

  • Patrick (unregistered) in reply to Martin Dreier

    Martin Dreier:
    Your Name:
    okay.

    believe it or not, in a really small company, the individual is important enough that his or her actions (or inaction) could destroy the company. This goes well beyond logins, but let's pursue this idea.

    Let's say somebody calls in sick, or gets hit by a bus. There's much work to be done, I need to get on that computer because the file we need (this minute) is stored on the desktop of that user. The network file server is in its infancy and people tend to forget to move the current revision over to it.[...]

    Yea, you're right...oh, wait, there is this new-fancied thing ... what's it called again? ... oh, yes, "Domain Administrator". Like, you know, one or two trustworthy persons (not implying that everyone else is untrustworthy) who have access to everything, and not the guy who left three months ago after an argument with the boss and who works now for the main competitor.

    It's just as if somebody actually thought about that once...

    Exactly. There's no excuse for a software company not to have a domain configured. With everyone sharing the same password, all it takes is one disgruntled person to cause a lot of pain. With a domain configured and everyone using their own accounts and passwords, the damage that can be done is limited, and auditing will allow you to figure out who did the damage (assuming it's not done by one of the domain admins).

    Not having your IT systems configured properly is negligent, no matter how you look at it.

  • Amid (unregistered)

    I think it's a usual situation for small companies.

    For example, I always give my password to the chief when I leave on vacation. Sometimes he needs PCs which are dedicated for me. And, frankly, we don't worry about security reasons a lot. Don't have any problems so far.

    So I understand it could be unaccustomed after a big conglomerate but very handy. The main thing, the team would be friendly.

  • donniel (cs)

    You think this is bad?

    Check this out: Why do login forms have a "user" field?

    I had trouble believing that this was for real!

  • Sin Tax (unregistered) in reply to pscs
    pscs:
    The proper reaction of our Henry would be to have taken advantage of the fact that this was a small company, and therefore, he COULD make a difference. It sounds like he came in with the mindset of being an ignorable bod from a large company, when you do need to change your mindset considerably going to a small company.

    From the FS: "Since his skills were in high demand, [...]"

    Yet you suggest he should have stopped doing whatever it is he is skilled at, and become a bloody sysadmin? Demonstrating cluefulness about the issues seems to imply that Henry might have a sysadmin "career" behind him, from which he must have recovered. No sane former sysadmin would return to that job role, and definitely not in a situation like the one described, with silly policy, stupid management, and most likely stupid cow-orkers in abundance.

    -Sin Tax
