programming and human factors
by Jeff Atwood
I encourage my coworkers to lock their computers. Security, after all, is everyone's business. But often gentle encouragement is not enough. Sometimes, more.. persuasive methods are necessary.
I first learned about the noble art of goating from from Omar Shahine:
We have this problem in Hotmail. If you walk away from your desk, even for a brief moment, and your PC is left unlocked, someone will walk in, and send mail to a broad distribution list with something silly. Like "I like oranges", or worse things, some downright embarrassing. For some reason this is called "Goating". I find it incredibly annoying. My office has a lock on the door, so I am in the habit of keeping my door locked when I walk away.
Goating techniques vary from insidious and subtle to invasive, borderline vandalism. I prefer the milder forms:
Goating can be quite literal. I once walked back to my computer to find this:
It's disturbingly common here, which is why I've learned to reflexively press Windows+L when I get up from my desk.
One of my all-time favorite goating techniques, however, is to install the Clippy parody applet on a victi.. er, coworker's machine. Who doesn't love our old pal Clippy!
After one particuarly inspired installation of Clippy, an email titled "What The Heck" went out to all employees:
Is this another prank or something? What the heck is this … It's rude.Look at the right hand corner of this image.
So far this stupid thing has told me:
- My typing speed is slow.
- My productivity has been decreasing, I hope everything is Ok?
- My posture is degrading and I should reposition myself.
- Finally: It's time to play a game. Let's play hide-and-seek?
Much hilarity ensued, and more importantly, crucial lessons were learned about computer security by all.
It's up to each of us to go forth and spread the good word! If just one person learns how important computer security is, your work here is done. Many additional goating techniques can be found in these two metafilter threads; Office Poltergeist looks quite promising, as does ErrMess. And you really can't go wrong with Clippy.
But don't forget to lock your computer while you're out there spreading the word.
If you send an email "I've been naughty", or change my desktop, how do I know that you haven't sent or read other email, or read (even changed) documents you had no right to access?
That's the whole point! Your coworkers theoretically LIKE you, and they *could* do anything. Imagine what someone who wasn't a friend or coworker could do.
You could re-arrange all the keys on their keyboard to spell swear words on them.
I actually did something similar to a roomate in college. He came back and his keyboard was no longer QWERTY, it was in alphabetic order from A-Z.
Jeff Atwood on November 15, 2007 1:04 AMMy clippy.txt - which will post THESE comments instead of the built in ones:
What are you, a dumbass?
Are you sure you aren't a dumbass?
Someone just farted!
The guy behind you does twice as much work as you do.
And he makes only half as much!
He's the one that farted too!
Your design is not to spec, would you like me to alter the dimensions?
Always remember you're unique. Just like everyone else.
You are a gross ignoramus -- 144 times worse than an ordinary ignoramus.
Everyone rises to their level of incompetence.
Artificial intelligence is no match for natural stupidity.
If you aren't fired with enthusiasm, you will be fired with enthusiasm
Never let your schooling interfere with your education
Depression is merely anger without enthusiasm
Laziness is nothing more than the habit of resting before you get tired.
If you're too open minded, your brains will fall out.
I see you are incompetent, would you like help in drafting a resignation letter?
I can format your hard drive for you, may I?
No, really I can, should I?
Are you sure?
Are you irritated yet?
Someone farted again!
I see that your hard disk is nearly full, click OK to let me randomly delete files ?
Your breath smells, you need a mint.
There is a trade off between "having fun and teach to lock workstation" and "respect computer privacy and don't use someone else's computer even if it's unlocked".
So the best solution depends on how important "respect of computer privacy" versus "tricking and fun" in your organization.
I don't do pranks on machines of my coworkers even if I can. So if they don't lock their workstation then I either don't do anything or may simply suggest them to lock their machines.
I think "don't touch computer even if it's unlocked" practice improves security (in comparison with "abusing coworkers' computers every time they are left unlocked").
I lock my machine anyway if I'm going away from my machine. Even in such "don't touch other computers" environment.
Ah, can't stop myself laughing from the memories of doing this to my mates. That ended ages ago. Big companies have no sense of humour. Don't laugh, just work. I'm sad now. Maybe I'll find a way of installing clippy onto someone's computer. Unfortunately I can't download it, I'm not allowed access to a floppy drive, a CDROM drive or a USB stick. But I'll work it out!
Naked Programmer on November 15, 2007 1:08 AMThat clippy parody is a great find which I'll use next time!
I listed some of my antics at my blog http://damieng.com/blog/category/fun but some you don't have include switching Google's language and making the hourglass a permenant feature.
[)amien
Damien Guard on November 15, 2007 1:27 AM
How many offices contain people that could cause some real harm if they found an unlocked computer?
Wouldn't it feel silly to have to lock your computer only to keep your mischievous colleagues from pulling a prank on you?
Wouldn't it feel a bit bad to be in an environment where potentially very embarrassing stunts were certain to be pulled on you any time you leave your computer unlocked?
Luckily where I live, workplaces are such that you can leave your computer open for all eternity, and nothing bad will happen!
jugimaster on November 15, 2007 1:28 AMMore importantly: how do you get the taskbar to display on all monitors?
Inferis on November 15, 2007 1:32 AMWouldn't it feel a bit bad to be in an environment where potentially very embarrassing stunts were certain to be pulled on you any time you leave your computer unlocked?
If by "a bit bad" you mean "totally awesome", then yes!
Obviously, everything in moderation.
Jeff Atwood on November 15, 2007 1:32 AMI always lock my computer before I step away from it (I'm on Fedora Linux), frankly because I am as much concerned with my privacy from my fellow workmates as anything else. A vital habit to get into in a shared office I think.
In my girlfriend's company they take it one step further: if your laptop is not physically locked to the desk, the sys admin team in the company will confiscate it during one of their regular patrols, and replace it with a warning note about security!
john on November 15, 2007 1:33 AMJugimaster, are you saying your account has no access to anything of value, importance or sensitivity?
Whenever I hear of unlocked workstations being used for nefarious means the user's first line is normally "I thought that didn't apply to us."
It only takes pressing Windows key and L, one second when you leave your desk. Get into the habbit and be safe.
[)amien
Damien Guard on November 15, 2007 1:36 AMI worked for the Australian Defence Force for a short contract, and the network admin there was very fond of 'goating' though I never heard the term. If he found your PC unlocked, the head of department would get an... unusual email from you.
Qmanol on November 15, 2007 1:36 AM[quote]Replacing the desktop with a screenshot of the desktop, and hiding all the visible items on it.[/quote]
Classic! Gonna try this today on some people at my school.
PS. Love this Site. As a Software Engineering student I can say some of my best reading comes from here.
(quote)
If you send an email "I've been naughty", or change my desktop, how do I know that you haven't sent or read other email, or read (even changed) documents you had no right to access?
Gordon on November 15, 2007 12:48 PM
(/quote)
You don't. And if I didn't change your desktop or send a funny email, you wouldn't even have reason to suspect that I've been ordering office supplies against your account, changing your code, and doing heaven-knows-what else that will all be logged as being you, not me.
*That's* the point of the prank - a tweak that says "you are *so* lucky it's only embarassing"
Allen on November 15, 2007 1:42 AMI'm freaking out that you get so many comments on a topic like this.
But then, mass hypnosis does freak me out.
Steve on November 15, 2007 1:47 AMjugimaster said "How many offices contain people that could cause some real harm if they found an unlocked computer?"
Are you certain that this is impossible in your office? It could be that a disgruntled (former) cow-orker might wander by your office and see your computer unlocked and be tempted to take out his frustrations using your access.
Also, many workplaces with larger numbers of employees do not really have any truly effective ways of preventing someone from being able to wander freely, if only for a few minutes. Sometimes, this is even possible in places like hospitals.
Back in school, while studying network security, we did a lesson that involved the class being turned loose on the campus to see what we could get our hands on. We also were to try to figure out what places we might be able to sneak around in, or talk our way into. We did things like dummying up official looking work orders to "install updates", using a staff roster that we found on the school's website, in order to get access to computers. We were also able to slip into a lot of offices with unlocked workstations. One guy happened to have a hat with the phone company logo on it and managed to talk somebody with more keys than sense into letting him into the server room while the IT guys were out of the office.
Part of the lesson learned was that unless you take measures to make sure that people can't get access to your workstations, starting with locking them, you can't guarantee anything about your organization's security.
kettch on November 15, 2007 1:49 AMWe never make such pranks around here, but we all lock our screens every time we get up. I tend to forget, though, so I was *very* happy when I noticed Fedora 7 does that automatically after a few minutes.
Felix Pleoianu on November 15, 2007 1:51 AMWe used to do this kind of thing where I once worked. "I need a hug" or "I'm a little tea-pot" were pretty common blurbs to all employees from the 'victim'. Now, it may seem STRANGE to have to lock your computer when you leave it, but the thing is, in order to remain certified, or pass security audits, these kinds of things must be in place - and practiced. How would you feel if you got fired because a criminal accessed sensitive data from your machine when you were at a meeting?
The best trick to pull on others in an office such as this is to take a screen cap of your desktop, and use that image as your screen saver, set screen saver to require login. Sit across the room and watch the 'do-gooders' be stupefied by the login screen, instead of having full access to your email. Jokes on them. Too funny.
Dad on November 15, 2007 1:53 AMI should also point out that the instructor taught that class at least once per year, so you'd think that the staff would learn.
Lesson 2: Security must made to be part of the company culture.
kettch on November 15, 2007 1:54 AMThe Clippy prank is great. Used it about 10-minutes after reading the article
Kevin Fairchild on November 15, 2007 1:56 AMA lot us at my office use Vim. When they leave their computers unlocked I like to type ggVGg?. This Rot 13 encodes the the entire file.
Ben on November 15, 2007 1:57 AMThis works very well on mobile phones as well.
Word of advice: If you leave you mobile phone unguarded/unattended in my vicinity, you'd better learn how to operate it in arabic - mean, I know ;o)
Jinx on November 15, 2007 1:59 AMMy top two "goating" (Good term for it) tactics I've seen were:
2) Take screenshot of desktop. Set as wallpaper. "Hide icons on desktop"
1) Wallpaper as http://www.aquarionics.com/fun/lemming/back.html
Aquarion on November 15, 2007 2:06 AMI imagine the term 'goating' comes from people sticking Goatse (if you don't know what it is, don't google it - you'll have nightmares for years - and probably get fired if you are at work) pictures as backgrounds.
Ian Tyrrell on November 15, 2007 2:09 AMJeff, thank your lucky stars no one has ever goatse.cxed your work machine.
brad walker on November 15, 2007 2:09 AMI'm a gov't employee with access to your data. Yes, I mean you, and you, and millions more of you. The gov't makes lots of noise about PII and security and all the rest of it, yet we continue to use IE 6, and one idiot downloading a movie can take down the entire network. 7 letter passwords change every month. Lock a workstation? I do, but I don't see other people doing it consistently, so you can walk around my building and see personal data on screens all the time, because this is a cube hive, and the gov't is too cheap to give us desktop printers. So to print documents, a constant part of the job, we have to get up and walk some distance, and everybody leaves the workstation open. Lock the screen, come back, and have to login again? Please. .
TomatoQueen on November 15, 2007 2:12 AMA great productivity killer is having a scheduled task pop up a browser to a specific site at a non obvious interval. People are convinced they have spyware and will spend a long time trying to rid themselves of it.
Chris Mayer on November 15, 2007 2:16 AME-mail itsupport@[mycompany].com
Subject: "Please Help"
Can someone please help me learn to lock my computer?
Thanks!
Send, WinKey + L.
Alternatively, if it IS a higher-up IT Support person, e-mail goes to employees@[mycompany].com.
Somedood on November 15, 2007 2:16 AMI used to work in a place with high security requirements. Goating there was common, and it was struck me as an essentially childish practice, depending on how far you go with it.
Basically, this is just an excuse to play a practical joke. If you truly wanted to help security and your employer, you'd simply lock the unlocked station instead of sitting around wasting everyone time.
It was sometimes a great annoyance: I would get up and return to my seat in 30 seconds. I didn't want to waste time. Also there were no unauthorized people around. The only person who could touch my PC at that time was someone who decided to make a childish point. So now I had to break my concentration to undo whatever damage that person done. Great job! Thank you for wasting my time and everyone else's.
At some point these became so annoying that I created the following policy: "If you don't touch my PC, I will not format yours". Goating incidents dropped dramatically afterwards.
I regularly lock my workstation when I leave it, but was stung for my care the other day. The intranet had been shaky all day, and apparently unlocking a computer logged into a domain requires a connection to the domain controller. I came back to my desk after lunch and couldn't even unlock my machine. All I could do was pull the plug or wait and see if the network came back.
Weeble on November 15, 2007 2:23 AMThis goating thing happened to me once.
My computer was unlocked[1] while I was somewhere else in the building a security auditor went in, went through all my email, found some questionable correspondence[2], and I ended up with a record on my permanent file.
H-I-L-A-R-I-O-U-S.
[1] only reason why my computer was unlocked was because I had to kill the screensaver while remote desktopping in from somewhere else in the building.
[2] never found out what it was exactly... email forwards I received but hadn't deleted?
engtech on November 15, 2007 2:29 AMThe "goating" policy (it's actually part of the AUP) at my current workplace is to send an e-mail to everyone from the unlocked machine, offering to buy doughnuts for everyone in the company. It works quite well as a deterrent, although it plays havoc with the diet!
Chris Butler on November 15, 2007 2:35 AMI generally go for the three strikes rule.
First time they leave their PC unlocked is minor, but by the third time they should know better.
First Strike:
Change desktop wallpaper to rival sports team, which is bound to annoy them.
Second Strike:
E-mail to whole deparment with something silly, and also mention in the e-mail that they really should lock their PCs when they leave them alone. Plus make use of Outlook's send later feature for even more fun.
Strike Three:
Draw a crude image in MS Paint, set it as wallpaper.
Set default homepage to a site they'll dislike.
Change desktop colours / theme to something garish.
Change their keyboard mapping to another language that doesn't use QWERTY, or if possible Dvorak.
Change thier sounds so everything is the alert ding.
Change default Word template to have a message saying that they really should have locked their PC.
My favourite is to replace an often used word like "the" in MS Office's auto correct feature with another word or phrase, every time the person types a document it comes out fairly different to what they intended.
Baldy on November 15, 2007 2:56 AM
M said: "Basically, this is just an excuse to play a practical joke. If you truly wanted to help security and your employer, you'd simply lock the unlocked station instead of sitting around wasting everyone time."
- Exactly!
What I'm saying is that there should be no evildoers traipsing around in your office anyway, so what you're shielding yourself from is this kind of "hilarious" office humour.
I'm certainly not averse to humour, and I've been known to even smile every now and then, but I wouldn't feel comfortable in an environment like that. There are other ways of building a good atmosphere/spirit at the workplace.
Besides, some of these pranks I've heard of are downright nasty.
Think of it this way:
What if your co-workers kept secretly attaching "I'm a dork!" -signs on your back without you noticing? What if they did that every single time they could?
- You know, just because you should learn to "watch your six" at all times. After all, you never know when that habit might come in handy!
Damien: I do have access to things, but just about every single office building in Helsinki has its doors locked all the time, and employees use keycards/whatnot to get in.
This means that disgruntled former employees can't get in either because they won't have keys anymore.
On the other hand, if all offices are open to anyone in America, then it definitely is a good idea to lock your computers.
But if you'll get punk'd for spending 30 secs away from your computer, it could be that your co-workers are not paying enough attention to their work.
Think about the awesomitude of not having to worry about pranks all the time..
jugimaster on November 15, 2007 3:02 AMGeez, I cannot believe the number of vandals on this site. Here is an analogy most of you should relate to - when you see someone leave their house door opened and unlocked (because they just went to collect the mail, or throw out the garbage, or go pick something from the car), do you run into their house and pull some prank? Of course not.
So don't do similar things for peoples PC's. I stepped out for coffee, with an office full of collegues to monitor for intrusions. The company trusts its employees. It is very detrimental to overall productivity for you pranksters to play practical tricks on a collegeus PC, and in my world can lead to a written warning before dismisal.
no-fun on November 15, 2007 3:03 AMAt home I've never really needed to worry about physical security. Now I'm at University I'm having to give consideration to things like this. It's quite frankly a pain.
[ICR] on November 15, 2007 3:07 AMLuckily where I live, workplaces are such that you can leave your computer open for all eternity, and nothing bad will happen!
Well, there’s no way *that* statement will come back and bite you in the arse.
pauldwaite on November 15, 2007 3:14 AMI am very happy with this article, I knew people played pranks in the office, but before I read this, I had no idea how to defend myself or recover from such attacks.
I've heard that there is a way to get past a workstation lock, so if someone really wants to get in, can't they?
Well, there#8217;s no way *that* statement will come back and bite you in the arse.
At least as long as I live here, the statement is very likely to hold true.
You just keep on having "fun" though.
jugimaster on November 15, 2007 3:25 AMI am glad this does not happen where I study. If it did though I would only lock my computer until I got my hand on some wires that I could attach to the keyboard. That would ensure that whoever thought they where funny only did it once. 220V through the fingers does not kill but you fingers will shake for quite some time.
This could even be made safe for me by rigging up some RFID to automatically turn it off.
Tommy on November 15, 2007 3:26 AMHere's what I used do. Since we all usually carry mobile phone all the times , iI use "Float MobileAgent" along with it which locks my machine whenever my mobile phone moves beyond a certain range. Further i can use the same application to control my machine using Phone's HID Interface.
Neat isn't it.
The new GNOME has a new feature where you can write notes on a locked screen, e.g. If you meant to catch someone but they were away or, I suppose, if their computer was unlocked you could always lock it for them and then write a warning note...
Not as fun as the clippy parody though! ;-)
Ben on November 15, 2007 3:29 AMIts all a bit school yard isn't it?
I used to read the daily WTF, but its quality slowly declined. The article they had on goating was the nail in the coffin for me. 200 plus replies of childish pranks, masquerading as security concerns. I unsubscribed after that.
You can do better than this Jeff.
mat roberts on November 15, 2007 3:32 AMLooking PC doesn't help sometimes! Someone has joked at some guy in our office by switching two buttons on his keyboard. He did notice this after some time has passed. And just changed his keyboard to the new one one(he was going to change it anyway and keys woking incorrectly were good reason). After that his friend has changed the same keys on the _new_ keyboard! That forced keyboard owner to turn his brain on and find the reason. That was very funny :-))
Vitaly on November 15, 2007 3:58 AMdon't touch my shit. If you screw with my machine "because you didn't prevent me from doing so" I'm going to set your mailfile to /dev/null because I can.
Sean on November 15, 2007 4:06 AMI can't believe the number of people that are offended by this sort of office humor. Fundamentally, what it does is serve to increase the security of the company's assets by making employees learn to lock their workstations. There is nothing bad about such education! Can it go too far? Absolutely, but changing the desktop background or installing Clippy is an easily undoable thing. The people who consider this "childish" really need to loosen up. In particular, the guy advocating electrocution of his officemates is a psychopath.
ScoPi on November 15, 2007 4:20 AMBeing a student makes things a lot funnier than they really are:
On a VAX system at the university I went to I had found a user that had left themselves logged in and left. Added to their login script an alias such that when they asked for a directory listing, it only showed files that were created 10 years earlier. (ie. showed no files in their account)
The sys-op/lecturer approached me a few days later, saying he "knew" I wouldn't have done such a thing!! And proceeded to tell me that the user is a niece to the head sysop in the parent university.
He apparently got in trouble for my 'trick' because some previous time he had also come across this user left logged in and had shifted all her files off into some system area so she had no files in her account.
She had cried 'help' to her uncle, uncle had talked to lecturer, lecturer explained to uncle what had happened.
This time, she complained to uncle, uncle sent a rocket at lecturer, and lecturer explained that he had done nothing this time.
Good thing I got on well with the lecturer.
lol, we do this all the time at our office, too.
Other fun stuff we did:
- Replacing the Internet Explorer icon with Firefox Icon and visa verca.
- Replacing the icon of shortcuts on the desktop or quicklaunch menu with something silly like a star.
- Placing a little bit of office tape underneath the optical sensor of the mouse.
- Hiding the startmenu and set the desktop wallpaper to an image, which displays the startmenu.
We have a similar practice at my office. If someone doesn't lock their machine they get "hoffed" and will end up with a new background of David Hasselhoff. It's quite disturbing.
Josh Bush on November 15, 2007 4:22 AMClippy parody is just... Brilliant, I've just tried. Superb, brillaint.
KTamas on November 15, 2007 4:27 AMDuring an internship a couple of years ago, a couple of people in the group I was in went on holiday for a few days at the same time. For various reasons relating to who had the working builds, they left their laptops in the office and told us their administrator passwords.
Mistake.
We cooked up a small program which would shake an inactive window very slightly every 120 seconds, with the period becoming smaller and the shakes becoming more violent every time. The victim tended to use one almost-maximised window on each of his monitors, which was ideal: it took him about three hours to convince himself that he wasn't imagining things.
(Switching X and Z also entertained for a few seconds.)
Will Thompson on November 15, 2007 4:40 AMJeff wrote: Imagine what someone who wasn't a friend or coworker could do.
I don't know about anyone else you, but we generally don't allow random people to roam unsupervised in our office.
I have to agree with Gordon: tampering with the tools coworkers use to do their job isn't the answer. And this isn't an issue of being uptight about pranks. As a developer I use my computer for all aspects of my job, and I don't want it to be jacked up because you're trying to teach me a 'lesson'. If physical security is critical in your particular environment, then the IT department should mandate locking your system when you're away from it. Don't take it upon yourself to enlighten the world by any means necessary.
A better solution might be making it as quick and easy to unlock a system as lock it (perhaps using biometrics.) Sure it's only a few seconds to log back in the standard way, but if you roam your office a lot as part of your job, having to type in your ultra-strong password all the time, along with the inevitable typos and re-typing, gets old fast.
thisiscmt on November 15, 2007 4:44 AMYears ago I used to work in a largeish public sectory company who had just moved from dumb unix terminals to windows machines running the dumb-terminal software, all atop a standard corporate desktop.
For weeks staff moaned the new system was slower.
While people were at lunch we had great fun switching monitors on the person opposite and awaiting their return.
For the first few minutes you'd mimic them, and then start to make comments on the work they were doing by tping other things you thought they would be thinking. ("This person is an idiot") ("It's time for a coffee break") (etc)
-Dx
D. Rimron on November 15, 2007 4:46 AMif you want to have SAFE and SECURE system - don't use WINDOWS, for start. ;)
dootzky on November 15, 2007 4:48 AMWow.
If you work in an environment requiring security I suppose this is a "Nice" way to tell someone to keep things locked up (Nice as opposed to some official warning), however if this caught on a company I worked for, I'd be pretty annoyed.
Generally my PC has no better access than any laptop dropped onto the network. Everyone in the room has checkin/out privileges and stuff.
If someone really wants to read my gmail, go for it. Usually the first thing I do on a company PC is disable the screensaver lock and, if possible, disable the login screen altogether, but it depends on the company/group I'm working with.
I know I'm pretty pissed when I'm helping some paranoid asshole and every time I have to do anything on his PC, he has to reach over and enter the password every couple minutes.
Bill on November 15, 2007 5:02 AMAAAAH memories.
Back in the late 90's when I was an intern, I wrote a clippyesque prank on one of our Oracle DBAs. Back then, she used the Windows version of SQL Plus (which hasn't changed in the past 10 years) to interact with our Oracle server (a dual Pentium Pro with 4GB of RAM! Amazing power!)
So I wrote a fake SQL Plus. It would tell her that she needed to get an expensive consultant to execute the commands, or it would tell her thing s like "ORA-02834: An error occurred. Whoops, never mind."
She actually looked up the first few errors in her manuals before she realized what had been done.
David Markle on November 15, 2007 5:04 AMIf someone else tells me that I need to lock my desktop at work when I stand up, then the terrorists have already won.
Andy on November 15, 2007 5:16 AMHey Now Jeff,
I hear you load clear. Windows button L every time I leave my workstation (Win + L). Inverted screen left handed mice are kinda funny too.
Coding Horror Fan,
Catto
Back in the early 90s I worked in a *nix shop and we played similar pranks. My favorite trick was to add a nice'd shell to the end of a .login; this had the effect of making all of that user's processes run at a lower priority.
I remember one particular episode that was less dramatic but highly entertaining for all: a programmer in my dev group was going on vacation and decided to write down his password on a piece of paper so that I could have it 'in case I needed it'. I took it, copied it onto a much larger sheet of paper, and then stood up in the middle of the dev group, held up the sheet and said, "Everyone... may I have your attention........ this is Tracey's password." Suffice it to say that he never did that again.
Jim G on November 15, 2007 5:19 AMI'm sure some environments must be more secure that others. Having worked at multiple sites handling highly senstive personal info, not locking your PC isn't an option. It's not so much someone using your access, but any data on your screen visible to anyone walking by was a bad thing (especially since the developers had more data access than almost anyone).
Goating at my current office is nonexistent, but people also leave machines unlocked rampantly (which I'm amazed to see). At my old shop, it was usually an email to the developer DL with something silly and a warning about leaving your box unlocked (then we'd lock it). It may seem silly, but after someone has that done to them, they remember to keep the box locked and in the long run avoid a bigger talking to by management.
As a side note, the most fun i had with it isn't really goatign per se. IT screwed up and used my box for the new developer image, and by mistake had my ID as an admin on every developer box. I found a tool that let you lock/unlock machines on your netowrk as long as you had admin rights. That was a fun 30 minutes after hours. :)
Shawn on November 15, 2007 5:20 AMSo let me get this straight. Most of you work in places where security is so important that leaving your PC unlocked even for 30 seconds is seen as a really bad thing; but where on the other hand the controls are so relaxed that making unauthorised changes to the setup of co-workers computers, sending spoof emails and other such schoolboy antics (any of which would be serious breaches of IT policy at most places that take security or auditability at all seriously) are seen as perfectly acceptable. A curious mixture of attitudes I think.
When my coworkers leave the office, I rummage through their desk and their personal belongings. I like to find some paper that looks important, then write something funny on it. One time, my coworker came back and found that her report said "Kilgore was here" at the very top. I almost busted a gut.
userd on November 15, 2007 5:28 AM It's disturbingly common here, which is why I've learned to
reflexively press Windows+L when I get up from my desk.
Uh...why would I want to log off from Windows 2000?
Seriously, where I work, everyone has everyone elses password (or can get it) because you never know when you'll have to check in some code, or at least see what they've been doing or whatever. I think the idea is that you've got nothing private on your work PC, so what's the problem?
Alex on November 15, 2007 5:32 AMAnother subtle yet quite dangerous goating technique is changing the bookmarks' addresses, especially around here, college dorms. But then I am not sure if that can actually be called goating because it's a complete different practice.
Can Duruk on November 15, 2007 5:39 AMAnd doubtless made a mental note to get a job somewhere where dev team leaders aren't socially dysfunctional cretins and bullying isn't the preferred means of staff feedback:
Jim G wrote:
I remember one particular episode that was less dramatic but highly entertaining for all: a programmer in my dev group was going on vacation and decided to write down his password on a piece of paper so that I could have it 'in case I needed it'. I took it, copied it onto a much larger sheet of paper, and then stood up in the middle of the dev group, held up the sheet and said, "Everyone... may I have your attention........ this is Tracey's password." Suffice it to say that he never did that again
I have to say, your windows system administrators probably love you for this bit of advice. HOWEVER, installing the Blue Screen Screen Saver is asking for trouble if you have relatively new desktop support technicians at your location.
Case in point, as a young intern several years ago, I would roam our cubicles attempting to make sure that our users were not having problems from time to time. One day, I happened across a computer system with this screensaver enabled, and the user was nowhere to be found. Never having seen the bluescreen screensaver before, I thought it was real, so I wrote down the exception code, and powered down the system. When I powered it back up, of course, the system came up just fine. Woo-hoo, system fixed. ('That was easy'.)
I was fortunate that the user did not actually have any files open that hadn't been saved, and that the system was not corrupted when I forced the power off.
My advice to all: Use a screensaver with a password, but, do not use a screensaver that will make some eager newbie bite, and think he'll be helpful by fixing your computer for you.
Jim on November 15, 2007 5:48 AMmake a folder on the desktop called "porn" (or something else) take a screenshot, delete the folder and copy paste the folder image to the exact place it was on the background image.
Zaphod on November 15, 2007 5:48 AMMessing with people PC's here is practically a sport. We usually fire up outlook and being emailing the victims friends (and boss) with resignations, love letters, and out-of-the-closet notices.
Mike on November 15, 2007 5:57 AMWow! Don't any of you work anywhere that has to comply with SAAS 70, Sarbanes-Oxley, etc? In a public company, modifying another employee's computer without his consent is usually a serious security violation that can get you fired. Maybe this is more lax in a software company, but in the finance industry there's not going to be a warning before you're escorted out the door.
Reread your company's policies on this kind of stuff before adopting any of these ideas.
CAA on November 15, 2007 5:59 AMfantastic. i was hacked slightly on the ay this article came out. how timely. the xkcd.com was good too. also, the onion's article on fellatio was quite appropriate.
bob dobbs on November 15, 2007 6:11 AMFor one off offenders I start of with a emails about buying drinks moving up to resignations etc for more persistent offenders and for those who do not change then it's on to the auto correct facility in office. Great fun!
Security is important, getting the basics right is just as important as getting the big stuff right.
At Neteller, we used to Man-paper each other's unlocked PCs. Man-papering basically meant quickly navigating to a href="http://www.manpaper.com"http://www.manpaper.com/a, picking the most provocative homosexual-themed picture and making it the wall paper. This went on for months and was quite effective, until upper management became concerned about the possibility of a sexual harassment lawsuit.
Jack on November 15, 2007 6:16 AMI find that if you switch a guy's background to a picture of the Backstreet Boys and the text "Official Fan Club Member", they will quickly learn to lock their computer.
David Osborn on November 15, 2007 6:18 AM"Goating"! Are you fracking serious! Do you people work in professional offices or junior high school locker rooms? I mean, really, if you have the mentality to want to pull off a mischevious (some would deem, malicious) act such as goating, then don't consider being one of my fellow employees.
Plus, what company do you work for where you have the free time to be plotting out devious ways to sabotage your unsuspecting peers? I know, I know, someone is going to say, "hey, Kenneth, lighten up will-ya it's all in good fun." Well, so would running around my office naked, but it's not proper behaviour for the workplace. Additionally, why are you touching my stuff, dirtbag? That's just the way I feel about it. But if you're the kind of person that gets your kicks doing this kind of stuff, ok, go ahead, my opinion certainly won't change your ways...dork.
Kenneth on November 15, 2007 6:19 AM@CAA
Why would anybody fire you for the reason of changing your co-workers desktop wallpaper? Unless your bosses practice some kind of strict dictorship, in which case you probably don't wanna work there in the first place.
jan.g on November 15, 2007 6:21 AMMy screensaver locks after 5 minutes of non activity.
Works really well.
Given your attitude about locking your computer, I'm guessing you aren't that well trained on not letting someone into the building because they happen to be walking behind you when you use your key.
True. I'm not at all trained in not letting outsiders in. I can use common sense though.
Of course it's possible that someone comes in uninvited with the help of someone who has a key, but I'm sure that a stranger wandering around, looking at people's screens would attract some attention.
It's just not happening though. Maybe because the outsider would get caught on tape by the security cameras anyway, or maybe because there's just not enough espionage going on in Helsinki.
Someone with a ski-mask looking at people's screens would definitely attract attention :)
I think we can all agree that not letting outsiders into the office in the first place is a better defense than locking your computers.
jugimaster on November 15, 2007 6:27 AM Wow! Don't any of you work anywhere that has to comply with SAAS 70,
Sarbanes-Oxley, etc?
No. I'm at work, not in prison, and my pc is a development tool, not a production server. If someone put a silly screen saver on, i'd giggle and then take it off again. I doubt very many people here would tolerate working somewhere so strict.
Dave on November 15, 2007 6:33 AMIt's just not happening though. Maybe because the outsider would get caught on tape by the security cameras anyway, or maybe because there's just not enough espionage going on in Helsinki.
I've caught several people walking around that others have let in that weren't there for espionage, but for a quick buck by stealing purses/wallets/laptops. We've had others that have not been caught until the police were called in to review tapes and track them down and still others that were never caught. The thieves dressed according to our dress code and acted like they belonged. The average person doesn't notice that. "Common sense" isn't common. Don't rely on other's being sensible. They aren't.
Rob Smith on November 15, 2007 6:38 AMOf course it's possible that someone comes in uninvited with the help of someone who has a key, but I'm sure that a stranger wandering around, looking at people's screens would attract some attention.
Actually, it usually won't. An interesting phenomenon has been demonstrated many times in supposedly secure buildings: Once somebody gets in, everybody assumes they belong there, and they have the run of the place. Journalists have used this to get stories in hospitals, airports, construction sites. There was even a case in the Australian military not that long ago of a civilian sitting in on a classified meeting after walking through a door that hadn't closed fully.
Hevach on November 15, 2007 6:39 AMCongrats. You just got me future-fired.
devolute on November 15, 2007 6:41 AM-------------------------------------
I think all of this is really stupid
-------------------------------------
You are claiming that you do this crap in the interest of security. But many (not all) of these pranks require admin access to install. There are people here talking about installing windows services and scheduled tasks. Isn't it more imporatant to make sure that you aren't running as an administrator?!?!?! Doesn't that help your security more than locking your computer for the 15 seconds it takes to walk from your machine to the coffee maker for a refill?
If you require employees to lock their computers while away but allow everyone to run their computer as an administrator then you do NOT really "care about security". And you need to tell your employees to get back to work instead of playing games.
Matt on November 15, 2007 6:45 AMWhy would anybody fire you for the reason of changing your co-workers desktop wallpaper? Possibly because there are regulatory requirements for them to keep track of who has access to what information or who initiated what transactions. And if some smartass is in the habit of sitting down at other people's computers and using them for unauthorised and unknown purposes they can't possibly meet those obligations?
Some of the guys posting to this discussion don't seem to have thought it through. You're playing these jokes (you say) because security is important where you work. So if there is some sort of security violation it's presumably going to get investigated, and the first question to be asked is who used the workstation in question. Answer - you did, because you're in the habit of sitting down unsupervised in front of an unlocked terminal whenever you see one. Admittedly you claim you weren't responsible for emailing confidential information to an external email account (or whatever the security violation was), but so does the guy who sits at the workstation, and he plays golf with the CEO's son-in-law, so it's obviously you who's lying.
Or could it perhaps be that security isn't really that big a concern where you work, but it provides a convenient excuse for you to torment your co-workers with cretinous pranks?
At E-Trade you could be fired for leaving your desk without locking your computer. (I Didn't work there, but my brother-in-law did). When I first heard about it, they were on NT. I thought it was strange and difficult, but obviously someone there knew what they were doing. It made me trust them a little more when they appeared to have such strict computer security in mind.
Jim on November 15, 2007 6:48 AMAt college, if someone left their computer unlocked, we would set their home page to (and background image to, and fill their start up folder with) the web page of Ouchy the Clown, purveyor of "adult clown services". We called it "ouchying" someone.
B on November 15, 2007 6:53 AMAt my students times, people left the public (from all used) pools, and didnt logged out. In these cases we often sent a mail to the person: "Note to myself: dont forget to log out, else login could be very hard" and added as first line in their login script "logout".
I once stand next to one of the admins, as one student entered, and complained that his account doesnt worked. Very embarassing for him as the admin asked, if he maybe forgot to logout the last time he worked on a machine. The admin fixed it, told him to check his emails and advised him, to log out when he leaves the terminal (with a hint that really evil people could do some really bad things, like delete his home directory, hack into the CIA, ...).
I work in IT for a bank. They cram every aspect of security down your throat to limit the risk of ANYTHING ever leaking. Locking your workstation is not only encouraged but a JOB REQUIREMENT. Most areas are secured with 2 factor biometric fingerprint and smart card readers for enter. We are not allowed to bring in cameras, operate camera phones, all USB ports are disabled so you can't copy off files, lots of webmail and file web sites are blocked so you can't upload confidential data, etc. etc.
Come on, it's 2007! Lock your PC when you step away. Do you leave your wallet containing your personal info and credit cards laying around, too?
spoulson on November 15, 2007 7:02 AM"No. I'm at work, not in prison, and my pc is a development tool, not a production server. If someone put a silly screen saver on, i'd giggle and then take it off again. I doubt very many people here would tolerate working somewhere so strict."
I work in the healthcare/medical research industry. So even if I don't run as administrator, I still have access to patient records or un-masked research data. Sure we have card-key access to our part of the building, but we often have visitors. A couple of years ago, a worker at the Seattle Cancer Care Alliance was convicted of identity theft. They had access to an unlocked system and obtained protected health information (phi) on a few patients. Due to HIPPA regulations, we are required to secure not only our servers, but our workstations.
Scott on November 15, 2007 7:08 AMDont just lock your computer when you leave for the day. Kindly shut it down too. Think of the amount of energy saved by just waiting 5 min
cronos on November 15, 2007 7:10 AMThis can escalate very quickly though. Setting things via Group Policy is cruel, but amusing... :D
Ian on November 15, 2007 7:13 AMInstalling the comedy Clippy's one thing, but I'd definitely think twice and stop short before installing either of the last two utilities linked at the bottom of the post. They're both network utilities and if you have an administrator with a pulse, you're going to be sending it skyward if you install what could be described as a trojan on someone else's computer. For that matter, I probably wouldn't install Clippy because if something goes belly-up on their box and you cop to having installed it, good times will not be had by all.
I'd stick to the tried-and-true desktop screenshot or "I have a shiney heinie" e-mails to the company. Or just go to http://wigflip.com/automotivator/ and roll your own faux-motivational poster encouraging them to learn to slap Windows+L before they walk away from their desk. Or a screensaver with a 1 minute timer and password on return.
I've always wondered about the window key + l thing. It isn't ctrl-alt-del, so it can be intercepted, right? Although if someone has enough control of your computer to popup a fake lock/login screen at that point, I guess getting your password too isn't much worse.
a on November 15, 2007 7:14 AMThe Office Poltergeist site is blocked by my company's net-nanny because it is classified as "Criminal Skills." Not a good sign for any kind of joke using it being taken well...
Brian on November 15, 2007 7:19 AMIf you're really just doing it for security, lock the 'victims' machine and leave a sticky note with a reminder.
Anything beyond that is a prank, so be honest and call it that.
no-fun,
As with most analogies, yours sucks. The penalties for entering someone's home uninvited are far worse than changing someone's computer desktop image at work. You're misunderstanding the context and intent of "goating".
However, if someone did come in and prank you everytime you left your house unlocked, you'd start to think twice about locking your door, wouldn't you?
About 7 years ago I installed the Blue Screen screensaver on my buddies machine.
He was developing this VB6 application that ineteracted with some weird API - anyway - it was complex and very hard to work with.
He came back from his lunch, saw the blue screen, and said some explatives and then turned off his computer.
I fount out later that he had been working on something for over 5 hours and did not save it. Ohhhhhhh bummer man. CTRL + S is your friend.
Donn Felker on November 15, 2007 7:32 AMHartmut,
Do you have kids? If I picked up my kid's toys for them every time they left them laying around and just stuck a sticky note on them, they would never learn to clean up after themselves. They would, however, learn that other people's messes are their problem which is exactly the opposite of what I want them to learn. Teaching someone that there are consequences for their actions (or lack of action in the case of not locking their workstation) is far better than being an enabler.
I lock my computer when I am not using it. But not because of "humourous" coworkers. I work at home. My 4 year old daughter is learning to type and she likes to "practice" on any keyboard she finds.
I just don't want my clients to get the "I am a princess" email. It might send the wrong message.
Plus, if you install one of the parallel processing screen saver apps like the @Home processes, that buys you an extra 10-15 minutes of processing time before it would kick in automatically.
Chubber on November 15, 2007 7:35 AMI work in a company that deals with protected health information (PHI) and compliance requires machines to be locked when leaving your desk.
When it involves information that can be sensitive, it's not just to keep people out, it's to keep the information on your screen from being seen by guests, friends, others without proper auditing.
HIPAA has some tight requirements to protect the health information of patients, and it's our job to make sure that information remains protected.
And, yes, we have several people in our office that will dive into an open machine and make sure everyone knows you left it unlocked.
Chris Patterson on November 15, 2007 7:52 AMThis brings back fond memories. I previously worked at a fortune 500 company where SOPs were in place about locking your workstation when you are absent. This coworker of mine was notorious for leaving without locking, so I felt it my duty to 1) teach a lesson, and 2) have a little fun.
So, I composed an outright abusive email to the CEO, screen captured it, and saved it to the network. I then walked over to his workstation (that title in and of itself is a joke, since little work occurred there) and saved it as the background on his screen.
When he returned, he got completely frustrated when he could not minimized the mail program. Oh, those were the good old days!
Super G on November 15, 2007 7:59 AMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |