Microspeak: FMLA


If you leave your computer unattended and logged in, especially if you work on the security team, you may come back to your office to find that somebody used your computer to send email out to the entire team with the subject line FMLA.

FMLA stands for "Fire my lame anterior" (except with another word for anterior).

The implication is that somebody who left their computer unattended and logged in has left themselves open to an identity theft attack, for the person who sent the email could very well have just sent the email to Bill Gates demanding to be fired. (The victim of this prank is typically somebody new to the team.)

Comments (78)
  1. Nathan says:

    HR implications aside, FMLA does have a legitimate and widely used meaning.. Family Medical Leave Act.. The Clinton passed legislation of mandatory 12 weeks time off (unpaid, paid at discretion of company) for companies over a certain size, for having a child, caring for sick spouse/child, etc.

    I’d think the person who sent the email, rather than the computer owner would be in substantially more trouble. Then again, I went through this in the early 90s with CC:Mail and HR quickly stomped it out. (There, the content of the message was "I think you’re really hot, wanna go get some drinks after work?", CC’d to every woman in the office.)

  2. S says:

    And did anyone go for a drink with you?

  3. BryanK says:

    "The affected user will come back to find a post from them on internal newsgroups discussing exactly how baggy their pants are…"

    http://catb.org/jargon/html/B/baggy-pantsing.html

    In other words: Georgia Tech has the same type of thing.  :-)

  4. I trust the people I work with and never log-off. It must be a very different environment there at Microsoft :) I do get the prank, still I don’t like it.

  5. Karellen says:

    Where a friend of mine works, the protocol is to send an email to the team with text along the lines of:

    "Hey everyone, I’ll be buying the mid-morning donuts & cookies tomorrow!"

    Mmmmm….. donuts. :)

  6. ERock says:

    @Nathan:

    That’s why you use Bcc for that sort of thing. >:D

  7. Karellen says:

    Burak > It’s not how much you trust the people you work with, it’s how much you trust the social engineer who has just pretexted his way past your receptionist (or just taken advantage of a door politely held open for him) and into the building. If he finds an unlocked terminal he doesn’t even need to get someone to tell them their password.

    Defense in depth. Lock your terminal when you step away from it.

  8. Nitpicker says:

    Shouldn’t it actually be "FMLP"? Presumably one would mean "Fire My Lame Posterior", where the posterior is the tail of one’s body (as opposed to the anterior which is the head).

  9. Stephen Jones says:

    Windows key + L

  10. It’s not how much you trust the people you work with, it’s how much you trust the social engineer who has just pretexted his way past your receptionist…

    If the environment is open, I can understand the security issue, but then I don’t think it should be taken lightly if this is seen as a serious threat. Is the user logged-off after sending the email? What happens if this repeats? Is there a company procedure about leaving computers unattended while logged-in?

    And what are the odds of someone sneaking into Microsoft looking for an unlocked terminal, sending Bill Gates an email demanding to be fired? :)

    If the issue is serious, I don’t make pranks, jokes about it. If not, I feel this prank is inherently wrong in some way.

  11. What bugs me about this “attack” (as a one-time mail server administrator) is you DON’T NEED ACCESS TO SOMEONE ‘S MACHINE to send mail “From” them.  You don’t even need access to corpnet.  You can just connect to the incoming SMTP server and type your own From: / To: headers (note these don’t need to match the RCPT TO or MAIL FROM commands.)

    So a mail from Mary to Mary’s team which reads “FMLA” doesn’t necessarily mean Mary did anything wrong.

    [But the IP address in the headers of the spoofed mail won’t match Mary’s machine. -Raymond]
  12. "And what are the odds of someone sneaking into Microsoft looking for an unlocked terminal, sending Bill Gates an email demanding to be fired? "

    If it happens once, the odds don’t matter anymore.

    I’ve been a v-dash inside of Microsoft before, and I’ve tailgated from one building to another to get to the cafeteria. That meant I was essentially an untrusted entity roaming the buildings. If I had been the nasty type, I could have done what Raymond’s talking about without the need of a pretext to get past the receptionist.

    And if you need further convincing about how dangerous this stuff is, I highly recommend the books "The Art of Deception" and "The Art of Intrusion" by Kevin Mitnick. Scary.

    PMP

  13. Dan McCarty says:

    In college we did this thing frequently and it was funny.  It doesn’t seem like it would be so funny these days, maybe because I’m older and/or wiser?  (Not that those two go hand in hand…)

    Let’s assume I’m not on the IT security team or responsible for sensitive information.  To put the "attack" in reference, what if we weren’t talking about email?  If someone came into my office while I had stepped out (which is usually unlocked) and used my letterhead to type up a letter and gave it to other people, claiming that it was from me, is that my fault for not locking my letterhead away?  I don’t think so.

    If I leave my house unlocked and someone comes in and takes my stuff, well, I should’ve locked the door but that doesn’t excuse the fact that they’re still breaking the law by stealing.  The same goes with email.  It’s better to lock your workstation while you’re away but that doesn’t excuse the perpetrator who is illegally using your account.

    Granted, this is a little off-topic.  FMLA.

  14. Karellen says:

    Raymond: "[I couldn’t think of a good synonym that began with "A", so I went for an antonym. I’m sorry if this confused you. -Raymond]"

    No, I got what you meant perfectly. I was just trying to head off "Nitpicker" for you. Sorry if my reply to him wasn’t clear on that.

  15. But the IP address in the headers of the spoofed mail won’t match Mary’s machine

    True, you can tell MAPI-sent mail by the headers.
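The header check discussed in comment 11 and Raymond's reply to it, as an added example that is not part of any comment in this thread: it compares the header From with the envelope sender and compares the client IP recorded by the organization's own relay with the sender's known workstation. The hostnames, addresses, the `TRUSTED_RELAYS` and `KNOWN_MACHINES` tables, and both sample messages are constructed assumptions, as is the use of `Return-Path` as the record of MAIL FROM.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: relays the organization itself operates. Only Received lines
# written by these hosts are believed; anything below them is sender-supplied.
TRUSTED_RELAYS = {"smtp-in.corp.example", "hub.corp.example"}

# Assumption: asset inventory mapping a mailbox to its owner's workstation IPs.
KNOWN_MACHINES = {"mary@corp.example": {"10.20.30.40"}}

# Matches "from HELO (optional-rdns [IP]) ... by HOST" in one Received value.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^)]*?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.DOTALL,
)


def boundary_client_ip(msg, trusted=TRUSTED_RELAYS):
    """IP of the client that connected to the outermost trusted relay."""
    client_ip = None
    for value in msg.get_all("Received", []):  # newest hop first
        m = RECEIVED_RE.search(value)
        if m is None or m.group("by").lower() not in trusted:
            break  # from here down the lines were written by hosts we do not run
        client_ip = m.group("ip")
    return client_ip


def assess(raw, known=KNOWN_MACHINES):
    """Return a list of findings; an empty list means the headers look consistent."""
    msg = message_from_string(raw)
    findings = []
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: the delivering server records MAIL FROM in Return-Path.
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if header_from != envelope_from:
        findings.append("header From differs from envelope MAIL FROM")
    ip = boundary_client_ip(msg)
    if ip is None:
        findings.append("no Received header from a trusted relay")
    elif ip not in known.get(header_from, set()):
        findings.append(f"client {ip} is not a known machine for {header_from}")
    return findings


# Constructed sample: typed into the incoming SMTP server from elsewhere.
# The bottom Received line claims Mary's machine but was supplied by the sender.
SPOOFED = (
    "Return-Path: <someone@outside.example>\n"
    "Received: from smtp-in.corp.example ([10.0.0.5])\n"
    " by hub.corp.example with ESMTP; Mon, 6 Aug 2007 09:00:02 -0700\n"
    "Received: from mary-pc (unknown [203.0.113.9])\n"
    " by smtp-in.corp.example with SMTP; Mon, 6 Aug 2007 09:00:01 -0700\n"
    "Received: from mary-pc.corp.example ([10.20.30.40])\n"
    " by relay.outside.example; Mon, 6 Aug 2007 09:00:00 -0700\n"
    "From: Mary <mary@corp.example>\n"
    "To: team@corp.example\n"
    "Subject: FMLA\n"
    "\n"
    "body\n"
)

# Constructed sample: sent from Mary's own logged-in workstation.
# The headers cannot say who was at the keyboard.
WALK_UP = (
    "Return-Path: <mary@corp.example>\n"
    "Received: from mary-pc.corp.example ([10.20.30.40])\n"
    " by hub.corp.example with ESMTP; Mon, 6 Aug 2007 09:05:00 -0700\n"
    "From: Mary <mary@corp.example>\n"
    "To: team@corp.example\n"
    "Subject: FMLA\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("walk-up", WALK_UP)):
        print(name, assess(raw))
```

The spoofed sample produces two findings, while the message sent from the unlocked workstation produces none.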

  16. Austin Spafford says:

    We have a similar thing among the programmers where I work. However, there’s no standard template, only a standard name for the act that came about after this email: "I sharted my pants, so I’m going home to change them."

    Some other sharts include:

    "I’m playing a game where I’m hiding underneath someone’s desk. Can anyone find me?"

    "Elves are great, they can be noble, cute, short, tall, magical, [hundreds of words removed]. In short, they’re my best pals."

    "I just wanted to say, I love you guys. Free hugs to anyone who comes by!"

  17. PMP > And if you need further convincing about how dangerous this stuff is…

    I had a smiley after that question meaning it wasn’t really a serious question. It was referring to Raymond’s words, taken at face value: "for the person who sent the email could very well have just sent the email to Bill Gates demanding to be fired." Obviously, the main reason you need to log-off is not because some imposter can email Bill Gates and demand to be fired… But taken at face value, IMO, this sounds like the issue is not that serious and is suited as a playground for pranks.

    My point is: If this is serious, you should act accordingly (no pranks). If this is not serious, then the prank looks wrong to me as it may hurt team members trust.

  18. Stupid jokes says:

    Considering using another one’s workstation is a crime, while leaving it unattended is not, I would not be the one who writes the mail.

  19. "If this is serious, you should act accordingly (no pranks)."

    Apologies for the misunderstanding.

    Pranks tend to be a good way to get someone’s attention on the first offense. The second time around, things might get a little nastier.

    For my part, I tend to do things like changing the password on insecurely-passworded shared servers and leaving my e-mail on a note for the poor sap that’s denied access later.

    PMP

  20. > a good synonym that began with “A”

    Aft end? No, two words…

    Appendage? Not quite synonymous…

    I’d go with “Article”.

    [I considered “appendage” but realized that it probably made the phrase even more offensive! -Raymond]
  21. Or in true "Spy Kids" fashion, Asafoetida.

  22. Patrick says:

    I was never comfortable enough to actually do this when I noticed that someone had left their computer unlocked at Microsoft. I usually just added an appointment to their outlook calendar to "Lock Me" at around 9:00AM.

  23. macbirdie says:

    At my work the prank is "mid-morning donuts for everyone tomorrow" too. :>

  24. swautier says:

    You mean Bill is still around?

  25. We used to do this back in college when I was a computer lab consultant.  We had a different word for it… that I can’t seem to remember.  But it was childish then and seems the same when somebody else does it.

  26. Ryan Bemrose says:

    For even more defense in depth, learn to type on an esoteric or unknown keyboard layout.  People who try to type up anything on my machine find that they can only input unintelligible garbage.  Thank you, August Dvorak.

  27. Cam Soper says:

    "At my work the prank is "mid-morning donuts for everyone tomorrow" too. :>"

    Somehow, at my last job, it ended up being "I love pizza" or some other non-sequitur.

  28. You can’t enforce, via group policy, that the "screen saver" be left on with password required checked?

  29. Bob King says:

    Back in college, we used to edit their login script to open and close the CD trays for 10 or so times before continuing.

  30. Kasprzol says:

    In my company, we change the victim’s desktop background to some funny picture, often with an offensive (in a sarcastic way) tagline :)

  31. Gene says:

    I work near the large airport in Orlando, and our building is near the local FAA HQ.

    One day an airline pilot ended up on the 5th floor of what’s supposedly a secure building and the fecal matter really hit the rotary impeller.

  32. Smackfu says:

    "I’d think the person who sent the email, "

    How exactly do you find them to punish them?

  33. Pascal says:

    In my university, leaving an unlocked Desktop could result in an e-mail sent to all students, informing the whole school of your mother’s sexual activity with bears ("ours" in French), therefore, it was commonly called an "oursage".

    Your post reminded me of these old days.

    It is a nice way to educate freshmen to basic computer security.

  34. Mack says:

    For one client I installed a bunch of pcProx Sonar modules (USB KB wedge). They come configured to ‘press’ Ctl-Alt-Del "L" (or the logoff command of your choice) if you step outside their field. It makes security automatic — step away from the desk for even a second, and you’re logged out. When you come back, it brings up the login screen for you. Neat!

  35. Jens says:

    Maybe I’m just boring and without a sense of humor, but I’ve worked at a place where people often forgot to logout/lock their machines, and I got so sick and tired of people trying to send "funny" mails from people’s unlocked computers to everyone in the company. It’s funny once, then it gets annoying. The exact same thing happened at a school I was at once, only there were 10 times more of those mails.

    Whenever I walk by someone’s unlocked machine, I just Win+L it. Mostly to avoid more of those emails, but also because of the aforementioned security reasons.

    "You should ask yourself – with every decision you make – is this good for the company? Am I helping the company?"

  36. Fred says:

    In my group instead of FMLA we use some variation of "I’m a little teapot…", often addressed to an alias that includes our VP.

    This variation wasn’t started by us but it sure makes the FMLA mails amusing.

  37. MadQ says:

    I once changed a co-worker’s color scheme after he stepped out of his cube and left his PC unlocked. He was laughing his anterior off trying to undo the white text on white background theme.

    Ah, good times. Good times.

  38. JenK says:

    You can’t enforce, via group policy, that the "screen saver" be left on with password required checked?

    Not in the OS group, which installs new builds for testing rather frequently. I used to annoy the IT group because I wasn’t running Windows on all my machines.  

    Tech: "Look, I have to install Windows on here for networking."

    Me: "Oh, I have a DOS boot floppy with net drivers for that machine…"

    Tech: "Oh no, we don’t support that anymore. Only Windows." Pause. "What do you DO on this machine, anyway?"  

    Me: "Oh, that’s the machine I test FDisk and the auto-partition and format version of setup."

    Tech: "Setup?"

    Me: "DOS setup. This is the MS-DOS team."

    Tech: "Oh." Pause. "Well, do you mind if I install Windows…?"

    Me: "Nope."

    Then there was the era where the Windows test team’s screen saver was a distributed stress-test launcher. Nobody had their screen saver start in less than 20 minutes!

  39. Another prankster says:

    I do this (send mails when machines are left unlocked) all the time in my office – and mine usually go like

    "I’m bringing chocolates to work tomorrow. Celebrating my birthday!"

    or

    "I must be such a dope. I just left my machine unlocked and see what happened! <grin>"

    It sure annoys a lot of colleagues but drives the point straight across.

  40. Get Serious says:

    At one friend’s college, the freshman prank was sending nasty mail to president @ whitehouse.gov from unlocked terminals. My friend was interviewed by the Secret Service as a result.

    Supposedly, the story goes, the secret service agent had a stack of print-outs of all the prank e-mails from that college. He knew it was the same routine every year but he had to follow up in case there was a real nut out to assassinate the president.

  41. Anony Moose says:

    Yep, sooner or later people will understand exactly what mature and intelligent adults they work with, and realise that they need to spend more time protecting themselves.

    My "favourite" pranksters (they’re just really funny guys, not jerks at all, only people without a sense of humor ever fail to laugh themselves into a coma over the creative jokes) do this sort of stuff at customer’s sites as well. It’s amazing they don’t get highly paid jobs in the stand-up comedy business.

  42. KenW says:

    Burak: "But taken at face value, IMO, this sounds like the issue is not that serious and is suited as a playground for pranks.

    My point is: If this is serious, you should act accordingly (no pranks). If this is not serious, then the prank looks wrong to me as it may hurt team members trust."

    And you’re the pedantic type that causes Raymond to get frustrated and do the "Nitpickers Corner" stuff. Seriously, you’d take that post at FACE VALUE? Are you just seriously without a sense of humor (or any type of comprehension)? Jeez!

    Jens: "Whenever I walk by someone’s unlocked machine, I just Win+L it. Mostly to avoid more of those emails, but also because of the aforementioned security reasons.

    "You should ask yourself – with every decision you make – is this good for the company? Am I helping the company?""

    First, sending the emails from the person’s machine is more than just a prank. It gets their attention to their forgetfulness/lack of security awareness (because of the ribbing they receive). Therefore, it’s more of a training exercise than a prank.

    And in what way is just Win+L as you walk by helping the company? It does nothing to help the person who left their workstation unlocked understand that they’re creating a security weakness, or to point out how much of a security hole they’ve left. It just allows them to continue to be careless and unaware that they’re doing so. That can’t be good for the company.

  43. Duncan says:

    Perhaps it would be possible to rig a push-to-break switch into every chair so that standing up fired the WIN+L combination?

    We had a presentation from the IT risk team where the presenter popped out for a comfort break leaving the presentation machine logged in to the corporate network.  *sigh*

  44. poochner says:

    @KenW: First, sending the emails from the person’s machine is more than just a prank. It gets their attention to their forgetfulness/lack of security awareness (because of the ribbing they receive). Therefore, it’s more of a training exercise than a prank.

    Indeed.  Like the stickers that say, "If I was a thief, this would be gone."

  45. Karellen says:

    Nitpicker> *sigh* No. FMLA is the acronym used, as the word it stands for is not actually “Anterior”.

    If you’d bothered to actually read Raymond’s post, you might have realised that he was just trying to make it a bit more family friendly by not actually using the word it does stand for.

    Yes, there might theoretically be a better replacement than “anterior”, but who cares? Even you understood the meaning.

    [I couldn’t think of a good synonym that began with “A”, so I went for an antonym. I’m sorry if this confused you. -Raymond]
  46. I’ve got a noddy application which is a system-modal window with a message saying "This machine was left unlocked. Please don’t leave your machine locked", with an OK button which moves when you mouse-over it. If someone leaves their machine unlocked, it’s but a moment to run it. Annoying, indeed, but no-one’s ever been caught twice; an object lesson, as long as it’s not too disproportionate, seems to be worth fifty lectures…

  47. madd0 says:

    We’ve got the same here in France, except that the victim doesn’t ask to be fired, but instead he or she, stereotypically, offers to bring croissants for everybody the next day.

    You do have to be careful with this prank though. Just the other day, someone "offered" to bring croissants and run naked down the street (OK, so the story varies sometimes), but the person actually performing the prank messed up the mailing lists and sent the e-mail to about 1700 people instead of just our team :

  48. James Schend says:

    > We had a presentation from the IT risk team

    > where the presenter popped out for a comfort

    > break leaving the presentation machine logged

    > in to the corporate network.  *sigh*

    A "comfort break?" He left a meeting to go find a prostitute?

    Wow, where do you work!?

  49. AndyC says:

    @Nathan:

    If the mail comes from your machine, whilst you are logged in to it, you sent that mail. Doesn’t matter who actually typed it into the keyboard, because the audit trail won’t ever be able to show that.

    That’s *why* leaving a machine unlocked is such a big deal in the first place.

  50. Correction to my previous post:

    In the last part, I thought KenW was talking about the automatic log-off posted by Mack. Apologies for the error.

  51. John says:

    At college, my friend changed his freshman brother (1 yr behind us)’s background to a picture of an unattractive naked older lady. Poor guy couldn’t change it away but quickly learnt to turn off the monitor and use the keyboard to log in, run and maximize something and only then turn the monitor back on. Went on for months, as I remember.

  52. Dean Harding says:

    Tell me my kid is dead, or my wife is in a hospital, as a prank,

    exploit my trust for you as a friend, and you’ll find out indeed I have no sense of humor

    The world is not black & white, serious & not serious. Clearly there are "levels" of seriousness. Leaving your computer unlocked is serious, but OBVIOUSLY not as serious as your kid dying. I can’t believe I had to write that.

    On another note, I’m pretty sure this is the raison d’être for the "Hot Dog Stand" colour scheme :-)

  53. Jens says:

    KenW: You should watch more "Office Space". I’m surprised no one got the reference. I even quoted it. For shame!

  54. poochner says:

    In cut-throat environments (e.g. grad school or one vs. all evaluation companies*), I could see leaving yourself unlocked as being dangerous to your future.  Just because causing you damage is illegal, and likely grounds for expulsion / firing doesn’t mean it can’t happen.  Lock your keyboard.

    *Employees are ranked in order for raises, and so on.   It makes for a hideously competitive environment because the best way for you to get ahead is to torpedo someone else at about your level.

  55. dbt says:

    echo 'echo sleep 1 >> .login' > .login

  56. TraumaPony says:

    Usually, we just set the victim’s background picture to Goatse or something of a similar nature.

  57. KenW> And you’re the pedantic type that causes Raymond to get frustrated and do the "Nitpickers Corner" stuff. Seriously, you’d take that post at FACE VALUE? Are you just seriously without a sense of humor (or any type of comprehension)?

    I wasn’t nitpicking at all. But I see that I’m not able to communicate my thoughts effectively. I stopped apologizing for my English, for it’s not my native language, a while ago, I’ll consider restarting the practice :(

    Tell me my kid is dead, or my wife is in a hospital, as a prank, exploit my trust for you as a friend, and you’ll find out indeed I have no sense of humor, for these kinds of pranks. Serious issues are serious in my book.

    As for the *face value* expression, I wasn’t nitpicking, just underlining the way the issue is presented, as a response to people who said this is ‘serious’. It wasn’t directed to what Raymond wrote and was not criticizing it.

    > it’s more of a training exercise than a prank.

    I’d learn to never trust my fellow team members if one of them did that to me, so, yes, it can be considered as a training exercise.

    > It just allows them to continue to be careless and unaware that they’re doing so.

    It solves the security problem, without being a hassle to the user. It’s an ideal solution, sounds almost too good to be true. I do have difficulty comprehending your point.

    [Sorry for my English, I’m not a native speaker]

  58. Igor says:

    If it is not corporate policy to lock workstations when you leave them unattended, then I would report the prankster to the superior. He should not touch my workstation for any reason unless I approve it ;-)

  59. Puckdropper says:

    The world is N+1 bit greyscale… (and usually only N are allocated…)

    Hey that could be a new .sig!

  60. Garry Trinder says:

    Um, so saying the "a-word" is considered to be offensive in the US? If I ever come to work over there I’ll be in a lot of trouble… ;)

  61. Luis says:

    "If a person has physical access to your computer, your computer has been compromised"

    Most probably if somebody starts opening a computer in the office he will be noticed; but a social engineer who managed to tailgate or look trustworthy (or hot :-) ) enough to be held the door open can make up an excuse why he is using your colleague’s computer.

    I guess the prank (to teach) and the lock (to prevent damage to the company) are the best combination. If you try to enforce a policy for preventing unlocked computers you must have security people walking around or cameras checking if a computer is unlocked and the user is not there (and I definitely won’t work anywhere where I am under such surveillance) since you can’t count on colleagues rattling an employee for this (I certainly wouldn’t want to work with THOSE people)

  62. Cheong says:

    I think I heard 1-2 years ago that there’s a little bluetooth device for Mac that comes with two parts. If the sender part leaves the receiver for a certain distance, the machine logs off automatically.

    Quite convenient for someone always forgotten to log off.

  63. steveg says:

    Most companies should have a policy on whether or not it’s okay to lock workstations. Sometimes the answer is No, because you *really* need to access that app somebody runs.

    At the other end of the extreme are secure sites where when the red light flashes everything gets scooped into the desk and the hood goes over the monitor.

    I think it’s great the Security team play this game; it’s their job to be paranoid. I’d be worried if any Security team that was slack-anteriored about security.

    And as for trusting people at work: any organisation with 10,000s (and much smaller) is statistically guaranteed to have its share of anterior-holes.

  64. nksingh says:

    There was a really long thread about this kind of prank on the MSFT interns mailing list last year.  It was quite contentious, but the prevailing opinion in the matter was that there are more practical and mature ways of dealing with the matter than public humiliation.

    I hope the shell team doesn’t do this, and I doubt anyone would dare do this to Raymond even if he did slip up and leave his computer unlocked.  It’s simply not worth the ill will and "gotcha" games that it engenders.

  65. > Tell me my kid is dead,…

    > The world is not black & white, serious & not serious.

    I was trying to exaggerate hoping that my point will get through: I don’t approve of pranks that exploit trust. Furthermore I find them damaging.

    Why should you log-off when you are leaving your computer unattended?

    (a) Because there’s a serious threat, some outsider or insider may make use of the computer and do evil things.

    (b) Because otherwise some "friend" will probably send emails from your computer or change your wallpaper, as a prank. There’s no serious threat.

    My point is, if it’s (b), it’s wrong (because the prank exploits trust) and in general unnecessary. If it’s (a) then it should be taken seriously and there should be a company policy about it. And if a prank seems as an appropriate action for the company, that should also be in the policy, like:

    – Everybody is expected to log-off when leaving  her computer unattended even for 10 seconds.

    – Anybody who spots an unattended computer with user logged in should check the list at xxx. If it’s the first offense, a prank email is to be sent to all team members with the subject FMLA. Also, mrs.yyyyy must be informed about the situation and she will update the list. In any case, the computer must be left in logged off state.

    – Anyone who violates this policy 3 times will get blah blah blah.

    This is how it seems to me from the *company’s perspective*, exactly black & white. There’s a security threat or not. If there is, establish a policy and make employees conform. If there isn’t, do nothing about it. So, if the company has no policy about this, what remains is a prank involving team members, which I disapprove of.

    I may of course be wrong, but hopefully I have managed to express my current view better this time.

    [Note to Raymond: Sorry for repeated posts, and if my comments sounded like I was nitpicking. I will think twice before commenting from now on]

    [Sorry for my English, I’m not a native speaker]

  66. "Quite convenient for someone always forgotten to log off."

    The trick, of course, is getting said individual to remember to wear the device.

    PMP

  67. Worf says:

    I don’t bother sending emails from coworker’s computers because they annoy everyone *BUT* said coworker.

    However, I have done the following to unlocked computers:

    * Wrote an embarrassing email, moved the cursor to "Send" and set the focus on the button, but otherwise leave the email there

    * Opened a new email and used it as a messageboard

    * Screw with their theme and appearance settings. (I haven’t done the screenshot-as-desktop one yet, but the trick is to leave some icons there so some things work…)

    * Change system settings…

    The last one is great in WinXP onwards – a quick one is to set the icon size to… 128 pixels (XP introduced new icon sizes from the old 16×16 and 32×32 – you can add 64×64 and 128×128 icons)! Explodes the Start menu, and fills their desktop with these huge icons.

    Doesn’t annoy the team, and the victim learns quickly.

    Now, sometimes on my work machine, the ctrl-alt-del dialog takes forever to appear … very annoying when you forget to wait for it, and the ctrl-alt-del, enter key sequence doesn’t work, or you sit there for a good 2 minutes waiting for the dialog…

  68. Anon says:

    This sort of attitude that public humiliation is a public service in some vague way seems sort of twisted to me. People do things like this because they’re bullying a**eholes – the security side of things is just a rationalization.

  69. Not Anon says:

    "This sort of attitude that public humiliation is a public service in some vague way seems sort of twisted to me."

    It’s not humiliating. You’re over-reacting.

    (I’m referring to Raymond’s post.  Some others who have posted here appear to be dicks, but I don’t think they’ve attempted to hide that)

  70. The trick, of course, is getting said individual to remember to wear the device.

    Bingo.  A friend of mine who was into Dungeons and Dragons tried to circumvent one of the rules – "if your attack roll is a natural 1 (5% of the time) you drop your weapon."

    So he told the Dungeon Master "My character straps his sword to his wrist."

    "Fine," says the Dungeon Master.

    Later, my friend rolls a 1.

    "Oh no," says the Dungeon Master.  "You drop your weapon."

    "Wait!" said my friend.  "My character has his sword strapped to his wrist!  There’s no way that he could drop his weapon!"

    "Ah yes," says the Dungeon Master.  "The strap breaks due to flaws in the leather.  Then you accidentally drop your weapon."

    After a few iterations of (progressively more complicated versions of) this, my friend eventually accepted that a natural 1 means a dropped weapon.

    There’s an old African proverb – on the day your luck is out, even the cold porridge will burn you.

  71. Cheong says:

    Paul: I haven’t actually seen that product so can’t say whether it’s true, but I think possibly the receiver can be configured to check whatever bluetooth device you assign it to.

    If it’s the mobile phone…and that staff actually managed to just leave it on the desk… I think you may just hide it and tell him to play the "treasure hunt". It logs off the machine automatically, and is annoying enough to teach him a lesson. :P

  72. mh says:

    I just switch their wallpaper too.  On occasion, to a screenshot of the "Installation Completed" window of something or other.

    We do very much have a policy of locking unattended PCs, and it’s a good habit to get into – even at times you don’t need to do it (like if you’re the only person in the building).  The one time it does save your butt will more than make up for the few seconds it takes to lock your PC every other time.

  73. Morten says:

    There are several factors making locking a machine vital in my job. Firstly, I’m in IT and my user has quite high access rights practically everywhere (I don’t think I can play with routers and such but that’s about it). Several of my colleagues have similar access, some of them even higher. This kind of access is much coveted, for humdrum, everyday purposes (bypassing the Change Management process for instance, because it’s boooring and takes a looong time, several minutes AT LEAST…). This just won’t do.

    Secondly, I work in public administration in a building with public access. Some offices must be open to the public so the entire building is open. This is a security nightmare. The other day a consultant forgot to close the door after him when he went off to the little boys’ room (which brilliantly is placed outside the "secure" zone) and I had to stop a group of little old japanese tourists taking a tour of the IT-department. I kid you not. With cameras and smiling guide and everything. Probably terrorists in disguise or something…

    Thirdly, and this is the important consideration, 70% of all IT related crimes are inside jobs. Who cares about the guy trying to pretext his way in? My colleague next door is much, much more dangerous (statistically speaking – I trust him but I don’t leave my machine unlocked anyway). Audit trails are NOTHING if they can be spoofed simply by using an unlocked machine. And inside jobs do a lot more damage than outside jobs. Wanna know how to empty the stores while keeping every account balanced? Easy-peasy, for someone with my access…

    Public humiliation (on the lines of "Free beer Friday!" and such) is a small price to pay. People usually only screw up once. Oh, and the fun that can be had with Messenger/Trillian/etc… Right sir, one Real Time Embarrassment coming up. Want IT manager with that? Did this once to our security manager, no less. :-D He bought beer that Friday, he kinda had to when the IT manager started asking about it.

    And all this really doesn’t matter much. Almost all our machines have USB ports and CD drives with autoplay enabled (not mine, though, I’m a bit fascist about that kind of stuff – TweakUI r00lz… :-) )… *sigh* One day, hopefully soon, our security team is going to do something about that.

  74. Few years back, someone used an unlocked machine to send a very nasty mail to our GM. Next morning, the GM emailed a rant the next day about firing the person who did it (if he ever found out who it was). I don’t think anyone was fingered for it.

  75. AndyB says:

    I’m surprised no-one noticed that it isn’t a prank but a crime. If I accessed an unsecured webserver to send out mass emails, I’d (hope) to be reported as a spammer and arrested under whatever computer misuse laws you have.

    Not locking your computer is not the issue, it’s the person who accessed it without permission to cause damage.

    Locking it is good practise though, but you leave your coat/wallet/pictures of the kids in your cubicle when you go to the restroom and expect none of your colleagues to steal them while you’re gone. Similarly, you should expect them to leave your PC alone.

  76. JohnDiddler says:

    at a seattle media company, the game is to send "DUDE!" to a specific alias, to which people respond "SWEET!"

    it’s in good fun for a good purpose.

  77. Chester says:

    I worked at a large ISP’s datacenter, and it was a quite common practice, since unlocked workstations were a *very* important security threat (since occasional visitors were inevitable, and we didn’t want to have them feeling like they would be subject to a strip search if they ever waved a hand outside the path between the door and the meeting room).

    We preferred to use IM, since it was less "official" than e-mail and avoided the HR trouble mentioned by some posters – without diminishing either the educational effectiveness or the fun factor.

    Say what you want about litigation or lack of fun, but this "rule" hooked Ctrl+Alt+Del, Enter-after-a-break (and, later, Win+L) into the same neural mechanisms of breathing and heart-beating for me… :-)
