Coding Horror
programming and human factors
by Jeff Atwood

November 14, 2007

Don't Forget To Lock Your Computer

I encourage my coworkers to lock their computers. Security, after all, is everyone's business. But often gentle encouragement is not enough. Sometimes, more.. persuasive methods are necessary.

I first learned about the noble art of goating from Omar Shahine:

We have this problem in Hotmail. If you walk away from your desk, even for a brief moment, and your PC is left unlocked, someone will walk in, and send mail to a broad distribution list with something silly. Like "I like oranges", or worse things, some downright embarrassing. For some reason this is called "Goating". I find it incredibly annoying. My office has a lock on the door, so I am in the habit of keeping my door locked when I walk away.

Goating techniques vary from insidious and subtle to invasive, borderline vandalism. I prefer the milder forms:

  • Installing the bluescreen screensaver.
  • Replacing the desktop with a screenshot of the desktop, and hiding all the visible items on it.
  • Switching the mouse from right to left handed.
  • Using the video driver settings to rotate the display left, right, or upside down.
  • Switching the keyboard layout from QWERTY to Dvorak (or vice-versa).

Goating can be quite literal. I once walked back to my computer to find this:

I've been goated!

It's disturbingly common here, which is why I've learned to reflexively press Windows+L when I get up from my desk.

One of my all-time favorite goating techniques, however, is to install the Clippy parody applet on a victi.. er, coworker's machine. Who doesn't love our old pal Clippy!

Clippy: I thought you should know today is Wednesday, November 14, 2007.   Clippy: Your monitor is operational.   Clippy: Sometimes I pop up for no particular reason, like now.

After one particularly inspired installation of Clippy, an email titled "What The Heck" went out to all employees:

Is this another prank or something? What the heck is this … It's rude.

Look at the right hand corner of this image.

Clippy in action!

So far this stupid thing has told me:

  1. My typing speed is slow.
  2. My productivity has been decreasing, I hope everything is Ok?
  3. My posture is degrading and I should reposition myself.
  4. Finally: It’s time to play a game. Let’s play hide-and-seek?

Much hilarity ensued, and more importantly, crucial lessons were learned about computer security by all.

It's up to each of us to go forth and spread the good word! If just one person learns how important computer security is, your work here is done. Many additional goating techniques can be found in these two metafilter threads; Office Poltergeist looks quite promising, as does ErrMess. And you really can't go wrong with Clippy.

But don't forget to lock your computer while you're out there spreading the word.


Comments

That clippy parody is a great find which I'll use next time!

I listed some of my antics at my blog http://damieng.com/blog/category/fun but some you don't have include switching Google's language and making the hourglass a permanent feature.

[)amien

Damien Guard on November 15, 2007 01:27 AM


How many offices contain people that could cause some real harm if they found an unlocked computer?

Wouldn't it feel silly to have to lock your computer only to keep your mischievous colleagues from pulling a prank on you?

Wouldn't it feel a bit bad to be in an environment where potentially very embarrassing stunts were certain to be pulled on you any time you leave your computer unlocked?

Luckily where I live, workplaces are such that you can leave your computer open for all eternity, and nothing bad will happen!

jugimaster on November 15, 2007 01:28 AM

More importantly: how do you get the taskbar to display on all monitors?

Inferis on November 15, 2007 01:32 AM

> Wouldn't it feel a bit bad to be in an environment where potentially very embarrassing stunts were certain to be pulled on you any time you leave your computer unlocked?

If by "a bit bad" you mean "totally awesome", then yes!

Obviously, everything in moderation.

Jeff Atwood on November 15, 2007 01:32 AM

I always lock my computer before I step away from it (I'm on Fedora Linux), frankly because I am as much concerned with my privacy from my fellow workmates as anything else. A vital habit to get into in a shared office I think.

In my girlfriend's company they take it one step further: if your laptop is not physically locked to the desk, the sys admin team in the company will confiscate it during one of their regular patrols, and replace it with a warning note about security!

john on November 15, 2007 01:33 AM

Jugimaster, are you saying your account has no access to anything of value, importance or sensitivity?

Whenever I hear of unlocked workstations being used for nefarious means the user's first line is normally "I thought that didn't apply to us."

It only takes pressing Windows key and L, one second when you leave your desk. Get into the habit and be safe.

[)amien

Damien Guard on November 15, 2007 01:36 AM

I worked for the Australian Defence Force for a short contract, and the network admin there was very fond of 'goating' though I never heard the term. If he found your PC unlocked, the head of department would get an... unusual email from you.

Qmanol on November 15, 2007 01:36 AM

> Replacing the desktop with a screenshot of the desktop, and hiding all the visible items on it.

Classic! Gonna try this today on some people at my school.


PS. Love this Site. As a Software Engineering student I can say some of my best reading comes from here.

Silo45 on November 15, 2007 01:38 AM

All these years and I've been pressing ctrl+alt+numpaddel. winkey+L means I don't have to move my arms as much now!

John Ferguson on November 15, 2007 01:49 AM

jugimaster said "How many offices contain people that could cause some real harm if they found an unlocked computer?"

Are you certain that this is impossible in your office? It could be that a disgruntled (former) cow-orker might wander by your office and see your computer unlocked and be tempted to take out his frustrations using your access.

Also, many workplaces with larger numbers of employees do not really have any truly effective ways of preventing someone from being able to wander freely, if only for a few minutes. Sometimes, this is even possible in places like hospitals.

Back in school, while studying network security, we did a lesson that involved the class being turned loose on the campus to see what we could get our hands on. We also were to try to figure out what places we might be able to sneak around in, or talk our way into. We did things like dummying up official looking work orders to "install updates", using a staff roster that we found on the school's website, in order to get access to computers. We were also able to slip into a lot of offices with unlocked workstations. One guy happened to have a hat with the phone company logo on it and managed to talk somebody with more keys than sense into letting him into the server room while the IT guys were out of the office.

Part of the lesson learned was that unless you take measures to make sure that people can't get access to your workstations, starting with locking them, you can't guarantee anything about your organization's security.

kettch on November 15, 2007 01:49 AM

It's a shame +L doesn't go back to the unlock dialog though

John Ferguson on November 15, 2007 01:50 AM

We never make such pranks around here, but we all lock our screens every time we get up. I tend to forget, though, so I was *very* happy when I noticed Fedora 7 does that automatically after a few minutes.

Felix Pleşoianu on November 15, 2007 01:51 AM

it's a shame the no html rule also removed my angle brackets in the first comment and 'winkey' in my previous comment

John Ferguson on November 15, 2007 01:53 AM

I should also point out that the instructor taught that class at least once per year, so you'd think that the staff would learn.

Lesson 2: Security must be made to be part of the company culture.

kettch on November 15, 2007 01:54 AM

A lot of us at my office use Vim. When they leave their computers unlocked I like to type ggVGg?. This Rot 13 encodes the entire file.

Ben on November 15, 2007 01:57 AM

This works very well on mobile phones as well.

Word of advice: If you leave your mobile phone unguarded/unattended in my vicinity, you'd better learn how to operate it in Arabic - mean, I know ;o)

Jinx on November 15, 2007 01:59 AM

My top two "goating" (Good term for it) tactics I've seen were:

2) Take screenshot of desktop. Set as wallpaper. "Hide icons on desktop"

1) Wallpaper as http://www.aquarionics.com/fun/lemming/back.html

Aquarion on November 15, 2007 02:06 AM

I imagine the term 'goating' comes from people sticking Goatse (if you don't know what it is, don't google it - you'll have nightmares for years - and probably get fired if you are at work) pictures as backgrounds.

Ian Tyrrell on November 15, 2007 02:09 AM

Jeff, thank your lucky stars no one has ever goatse.cxed your work machine.

brad walker on November 15, 2007 02:09 AM

I'm a gov't employee with access to your data. Yes, I mean you, and you, and millions more of you. The gov't makes lots of noise about PII and security and all the rest of it, yet we continue to use IE 6, and one idiot downloading a movie can take down the entire network. 7 letter passwords change every month. Lock a workstation? I do, but I don't see other people doing it consistently, so you can walk around my building and see personal data on screens all the time, because this is a cube hive, and the gov't is too cheap to give us desktop printers. So to print documents, a constant part of the job, we have to get up and walk some distance, and everybody leaves the workstation open. Lock the screen, come back, and have to login again? Please.

TomatoQueen on November 15, 2007 02:12 AM

A great productivity killer is having a scheduled task pop up a browser to a specific site at a non obvious interval. People are convinced they have spyware and will spend a long time trying to rid themselves of it.

Chris Mayer on November 15, 2007 02:16 AM

I used to work in a place with high security requirements. Goating there was common, and it struck me as an essentially childish practice, depending on how far you go with it.
Basically, this is just an excuse to play a practical joke. If you truly wanted to help security and your employer, you'd simply lock the unlocked station instead of sitting around wasting everyone's time.

It was sometimes a great annoyance: I would get up and return to my seat in 30 seconds. I didn't want to waste time. Also there were no unauthorized people around. The only person who could touch my PC at that time was someone who decided to make a childish point. So now I had to break my concentration to undo whatever damage that person had done. Great job! Thank you for wasting my time and everyone else's.

At some point these became so annoying that I created the following policy: "If you don't touch my PC, I will not format yours". Goating incidents dropped dramatically afterwards.

M on November 15, 2007 02:20 AM

I hadn't seen the Clippy parody. I wrote a macro which I'd add to the default document template at unoccupied workstations with similar behavior - he'd pop up at random intervals and say "This document is no good." Very rarely, he'd bounce around the screen, pong style, and cycle through random animations (and there are lots of them). I think I was the only one who was sad when Clippy was removed from Office, as that prank was now worthless.

A co-worker at an old job pulled a great goating prank - he installed a windows service which allowed remote control (via browser) of the audio playback volume. His cube was in the same room as the victim, who loved to listen to techno on his headphones. The perpetrator would slowly tweak the volume louder, louder, REALLY LOUD... then when the victim lowered the volume, he'd keep making it quieter and quieter. He had fun with that for months - when the victim figured that out, he hacked the other guy's website. It was the start of an entertaining, sort-of-friendly-ish war.

Jon Galloway on November 15, 2007 02:20 AM

I regularly lock my workstation when I leave it, but was stung for my care the other day. The intranet had been shaky all day, and apparently unlocking a computer logged into a domain requires a connection to the domain controller. I came back to my desk after lunch and couldn't even unlock my machine. All I could do was pull the plug or wait and see if the network came back.

Weeble on November 15, 2007 02:23 AM

The "goating" policy (it's actually part of the AUP) at my current workplace is to send an e-mail to everyone from the unlocked machine, offering to buy doughnuts for everyone in the company. It works quite well as a deterrent, although it plays havoc with the diet!

Chris Butler on November 15, 2007 02:35 AM

I generally go for the three strikes rule.
First time they leave their PC unlocked is minor, but by the third time they should know better.

First Strike:
Change desktop wallpaper to rival sports team, which is bound to annoy them.

Second Strike:
E-mail to whole department with something silly, and also mention in the e-mail that they really should lock their PCs when they leave them alone. Plus make use of Outlook's send later feature for even more fun.

Strike Three:
Draw a crude image in MS Paint, set it as wallpaper.
Set default homepage to a site they'll dislike.
Change desktop colours / theme to something garish.
Change their keyboard mapping to another language that doesn't use QWERTY, or if possible Dvorak.
Change their sounds so everything is the alert ding.
Change default Word template to have a message saying that they really should have locked their PC.

NJ on November 15, 2007 02:49 AM

My favourite is to replace an often used word like "the" in MS Office's auto correct feature with another word or phrase, every time the person types a document it comes out fairly different to what they intended.

Baldy on November 15, 2007 02:56 AM


M said: "Basically, this is just an excuse to play a practical joke. If you truly wanted to help security and your employer, you'd simply lock the unlocked station instead of sitting around wasting everyone's time."

- Exactly!

What I'm saying is that there should be no evildoers traipsing around in your office anyway, so what you're shielding yourself from is this kind of "hilarious" office humour.

I'm certainly not averse to humour, and I've been known to even smile every now and then, but I wouldn't feel comfortable in an environment like that. There are other ways of building a good atmosphere/spirit at the workplace.

Besides, some of these pranks I've heard of are downright nasty.

Think of it this way:

What if your co-workers kept secretly attaching "I'm a dork!" -signs on your back without you noticing? What if they did that every single time they could?

- You know, just because you should learn to "watch your six" at all times. After all, you never know when that habit might come in handy!

Damien: I do have access to things, but just about every single office building in Helsinki has its doors locked all the time, and employees use keycards/whatnot to get in.

This means that disgruntled former employees can't get in either because they won't have keys anymore.

On the other hand, if all offices are open to anyone in America, then it definitely is a good idea to lock your computers.

But if you'll get punk'd for spending 30 secs away from your computer, it could be that your co-workers are not paying enough attention to their work.

Think about the awesomitude of not having to worry about pranks all the time..

jugimaster on November 15, 2007 03:02 AM

Geez, I cannot believe the number of vandals on this site. Here is an analogy most of you should relate to - when you see someone leave their house door opened and unlocked (because they just went to collect the mail, or throw out the garbage, or go pick something from the car), do you run into their house and pull some prank? Of course not.

So don't do similar things for people's PCs. I stepped out for coffee, with an office full of colleagues to monitor for intrusions. The company trusts its employees. It is very detrimental to overall productivity for you pranksters to play practical tricks on a colleague's PC, and in my world can lead to a written warning before dismissal.

no-fun on November 15, 2007 03:03 AM

At home I've never really needed to worry about physical security. Now I'm at University I'm having to give consideration to things like this. It's quite frankly a pain.

[ICR] on November 15, 2007 03:07 AM

> Luckily where I live, workplaces are such that you can leave your computer open for all eternity, and nothing bad will happen!

Well, there’s no way *that* statement will come back and bite you in the arse.

pauldwaite on November 15, 2007 03:14 AM

> Well, there’s no way *that* statement will come back and bite you in the arse.

At least as long as I live here, the statement is very likely to hold true.

You just keep on having "fun" though.

jugimaster on November 15, 2007 03:25 AM

I am glad this does not happen where I study. If it did though I would only lock my computer until I got my hand on some wires that I could attach to the keyboard. That would ensure that whoever thought they were funny only did it once. 220V through the fingers does not kill but your fingers will shake for quite some time.

This could even be made safe for me by rigging up some RFID to automatically turn it off.

Tommy on November 15, 2007 03:26 AM

Here's what I used to do. Since we all usually carry a mobile phone all the time, I use "Float MobileAgent" along with it which locks my machine whenever my mobile phone moves beyond a certain range. Further, I can use the same application to control my machine using Phone's HID Interface.
Neat isn't it.

Rajeev on November 15, 2007 03:29 AM

The new GNOME has a new feature where you can write notes on a locked screen, e.g. If you meant to catch someone but they were away or, I suppose, if their computer was unlocked you could always lock it for them and then write a warning note...

Not as fun as the clippy parody though! ;-)

Ben on November 15, 2007 03:29 AM

It's all a bit school yard isn't it?

I used to read the daily WTF, but its quality slowly declined. The article they had on goating was the nail in the coffin for me. 200 plus replies of childish pranks, masquerading as security concerns. I unsubscribed after that.

You can do better than this Jeff.

mat roberts on November 15, 2007 03:32 AM

Locking PC doesn't help sometimes! Someone has joked at some guy in our office by switching two buttons on his keyboard. He did notice this after some time has passed. And just changed his keyboard to the new one (he was going to change it anyway and keys working incorrectly were good reason). After that his friend has changed the same keys on the _new_ keyboard! That forced keyboard owner to turn his brain on and find the reason. That was very funny :-))

Vitaly on November 15, 2007 03:58 AM

Another classic is to create a transparent icon and then set this as the default icon for all mouse cursors.

I had a friend at work go through about 3 mice declaring them all broke last time I did this :)

Aaron Bassett on November 15, 2007 04:07 AM

I can't believe the number of people that are offended by this sort of office humor. Fundamentally, what it does is serve to increase the security of the company's assets by making employees learn to lock their workstations. There is nothing bad about such education! Can it go too far? Absolutely, but changing the desktop background or installing Clippy is an easily undoable thing. The people who consider this "childish" really need to loosen up. In particular, the guy advocating electrocution of his officemates is a psychopath.

ScoPi on November 15, 2007 04:20 AM

lol, we do this all the time at our office, too.
Other fun stuff we did:

- Replacing the Internet Explorer icon with Firefox Icon and vice versa.
- Replacing the icon of shortcuts on the desktop or quicklaunch menu with something silly like a star.
- Placing a little bit of office tape underneath the optical sensor of the mouse.
- Hiding the startmenu and set the desktop wallpaper to an image, which displays the startmenu.

jan.g on November 15, 2007 04:22 AM

We have a similar practice at my office. If someone doesn't lock their machine they get "hoffed" and will end up with a new background of David Hasselhoff. It's quite disturbing.

Josh Bush on November 15, 2007 04:22 AM

Clippy parody is just... Brilliant, I've just tried. Superb, brilliant.

KTamas on November 15, 2007 04:27 AM

During an internship a couple of years ago, a couple of people in the group I was in went on holiday for a few days at the same time. For various reasons relating to who had the working builds, they left their laptops in the office and told us their administrator passwords.

Mistake.

We cooked up a small program which would shake an inactive window very slightly every 120 seconds, with the period becoming smaller and the shakes becoming more violent every time. The victim tended to use one almost-maximised window on each of his monitors, which was ideal: it took him about three hours to convince himself that he wasn't imagining things.

(Switching X and Z also entertained for a few seconds.)

Will Thompson on November 15, 2007 04:40 AM

I can't believe how seriously some people seem to take themselves. At our office you will generally just end up with a my little pony wallpaper or a very sentimental email going out to your team.

Also, to the guy who said they don't need to worry about it because their office building has a lock on the door and former employees wouldn't have a key card to get in, good luck with that. Given your attitude about locking your computer, I'm guessing you aren't that well trained on not letting someone into the building because they happen to be walking behind you when you use your key.

Jonathon on November 15, 2007 04:45 AM

Years ago I used to work in a largeish public sector company who had just moved from dumb unix terminals to windows machines running the dumb-terminal software, all atop a standard corporate desktop.

For weeks staff moaned the new system was slower.

While people were at lunch we had great fun switching monitors on the person opposite and awaiting their return.

For the first few minutes you'd mimic them, and then start to make comments on the work they were doing by typing other things you thought they would be thinking. ("This person is an idiot") ("It's time for a coffee break") (etc)

-Dx

D. Rimron on November 15, 2007 04:46 AM

if you want to have SAFE and SECURE system -> don't use WINDOWS, for start. ;)

dootzky on November 15, 2007 04:48 AM

AAAAH memories.

Back in the late 90's when I was an intern, I wrote a clippyesque prank on one of our Oracle DBAs. Back then, she used the Windows version of SQL Plus (which hasn't changed in the past 10 years) to interact with our Oracle server (a dual Pentium Pro with 4GB of RAM! Amazing power!)

So I wrote a fake SQL Plus. It would tell her that she needed to get an expensive consultant to execute the commands, or it would tell her things like "ORA-02834: An error occurred. Whoops, never mind."

She actually looked up the first few errors in her manuals before she realized what had been done.

David Markle on November 15, 2007 05:04 AM

Hey Now Jeff,
I hear you loud & clear. Windows button & L every time I leave my workstation (Win + L). Inverted screen & left handed mice are kinda funny too.
Coding Horror Fan,
Catto

Catto on November 15, 2007 05:17 AM

Back in the early 90s I worked in a *nix shop and we played similar pranks. My favorite trick was to add a nice'd shell to the end of a .login; this had the effect of making all of that user's processes run at a lower priority.

I remember one particular episode that was less dramatic but highly entertaining for all: a programmer in my dev group was going on vacation and decided to write down his password on a piece of paper so that I could have it 'in case I needed it'. I took it, copied it onto a much larger sheet of paper, and then stood up in the middle of the dev group, held up the sheet and said, "Everyone... may I have your attention........ this is Tracey's password." Suffice it to say that he never did that again.

Jim G on November 15, 2007 05:19 AM

I'm sure some environments must be more secure than others. Having worked at multiple sites handling highly sensitive personal info, not locking your PC isn't an option. It's not so much someone using your access, but any data on your screen visible to anyone walking by was a bad thing (especially since the developers had more data access than almost anyone).

Goating at my current office is nonexistent, but people also leave machines unlocked rampantly (which I'm amazed to see). At my old shop, it was usually an email to the developer DL with something silly and a warning about leaving your box unlocked (then we'd lock it). It may seem silly, but after someone has that done to them, they remember to keep the box locked and in the long run avoid a bigger talking to by management.

As a side note, the most fun I had with it isn't really goating per se. IT screwed up and used my box for the new developer image, and by mistake had my ID as an admin on every developer box. I found a tool that let you lock/unlock machines on your network as long as you had admin rights. That was a fun 30 minutes after hours. :)

Shawn on November 15, 2007 05:20 AM

So let me get this straight. Most of you work in places where security is so important that leaving your PC unlocked even for 30 seconds is seen as a really bad thing; but where on the other hand the controls are so relaxed that making unauthorised changes to the setup of co-workers' computers, sending spoof emails and other such schoolboy antics (any of which would be serious breaches of IT policy at most places that take security or auditability at all seriously) are seen as perfectly acceptable. A curious mixture of attitudes I think.

jpl on November 15, 2007 05:24 AM

> It's disturbingly common here, which is why I've learned to
> reflexively press Windows+L when I get up from my desk.

Uh...why would I want to log off from Windows 2000?

Seriously, where I work, everyone has everyone else's password (or can get it) because you never know when you'll have to check in some code, or at least see what they've been doing or whatever. I think the idea is that you've got nothing private on your work PC, so what's the problem?

Alex on November 15, 2007 05:32 AM

Another subtle yet quite dangerous goating technique is changing the bookmarks' addresses, especially around here, college dorms. But then I am not sure if that can actually be called goating because it's a complete different practice.

Can Duruk on November 15, 2007 05:39 AM

And doubtless made a mental note to get a job somewhere where dev team leaders aren't socially dysfunctional cretins and bullying isn't the preferred means of staff feedback:

Jim G wrote:

I remember one particular episode that was less dramatic but highly entertaining for all: a programmer in my dev group was going on vacation and decided to write down his password on a piece of paper so that I could have it 'in case I needed it'. I took it, copied it onto a much larger sheet of paper, and then stood up in the middle of the dev group, held up the sheet and said, "Everyone... may I have your attention........ this is Tracey's password." Suffice it to say that he never did that again

jpl on November 15, 2007 05:41 AM

I have to say, your windows system administrators probably love you for this bit of advice. HOWEVER, installing the Blue Screen Screen Saver is asking for trouble if you have relatively new desktop support technicians at your location.

Case in point, as a young intern several years ago, I would roam our cubicles attempting to make sure that our users were not having problems from time to time. One day, I happened across a computer system with this screensaver enabled, and the user was nowhere to be found. Never having seen the bluescreen screensaver before, I thought it was real, so I wrote down the exception code, and powered down the system. When I powered it back up, of course, the system came up just fine. Woo-hoo, system fixed. ('That was easy'.)

I was fortunate that the user did not actually have any files open that hadn't been saved, and that the system was not corrupted when I forced the power off.

My advice to all: Use a screensaver with a password, but, do not use a screensaver that will make some eager newbie bite, and think he'll be helpful by fixing your computer for you.

Jim on November 15, 2007 05:48 AM

make a folder on the desktop called "porn" (or something else) take a screenshot, delete the folder and copy & paste the folder image to the exact place it was on the background image.

Zaphod on November 15, 2007 05:48 AM

Messing with people's PCs here is practically a sport. We usually fire up outlook and begin emailing the victim's friends (and boss) with resignations, love letters, and out-of-the-closet notices.

Mike on November 15, 2007 05:57 AM

Wow! Don't any of you work anywhere that has to comply with SAAS 70, Sarbanes-Oxley, etc? In a public company, modifying another employee's computer without his consent is usually a serious security violation that can get you fired. Maybe this is more lax in a software company, but in the finance industry there's not going to be a warning before you're escorted out the door.

Reread your company's policies on this kind of stuff before adopting any of these ideas.

CAA on November 15, 2007 05:59 AM

fantastic. i was hacked slightly on the day this article came out. how timely. the xkcd.com was good too. also, the onion's article on fellatio was quite appropriate.

bob dobbs on November 15, 2007 06:11 AM

For one off offenders I start off with emails about buying drinks moving up to resignations etc for more persistent offenders and for those who do not change then it's on to the auto correct facility in office. Great fun!

Security is important, getting the basics right is just as important as getting the big stuff right.

Mike on November 15, 2007 06:13 AM

At Neteller, we used to Man-paper each other's unlocked PCs. Man-papering basically meant quickly navigating to http://www.manpaper.com, picking the most provocative homosexual-themed picture and making it the wall paper. This went on for months and was quite effective, until upper management became concerned about the possibility of a sexual harassment lawsuit.

Jack on November 15, 2007 06:16 AM

I find that if you switch a guy's background to a picture of the Backstreet Boys and the text "Official Fan Club Member", they will quickly learn to lock their computer.

David Osborn on November 15, 2007 06:18 AM

"Goating"! Are you fracking serious! Do you people work in professional offices or junior high school locker rooms? I mean, really, if you have the mentality to want to pull off a mischievous (some would deem, malicious) act such as goating, then don't consider being one of my fellow employees.

Plus, what company do you work for where you have the free time to be plotting out devious ways to sabotage your unsuspecting peers? I know, I know, someone is going to say, "hey, Kenneth, lighten up will-ya it's all in good fun." Well, so would running around my office naked, but it's not proper behaviour for the workplace. Additionally, why are you touching my stuff, dirtbag? That's just the way I feel about it. But if you're the kind of person that gets your kicks doing this kind of stuff, ok, go ahead, my opinion certainly won't change your ways...dork.

Kenneth on November 15, 2007 06:19 AM

@CAA

Why would anybody fire you for the reason of changing your co-worker's desktop wallpaper? Unless your bosses practice some kind of strict dictatorship, in which case you probably don't wanna work there in the first place.

jan.g on November 15, 2007 06:21 AM

My screensaver locks after 5 minutes of non activity.
Works really well.

Jesse McNelis on November 15, 2007 06:24 AM

> Given your attitude about locking your computer, I'm guessing you aren't that well trained on not letting someone into the building because they happen to be walking behind you when you use your key.

True. I'm not at all trained in not letting outsiders in. I can use common sense though.

Of course it's possible that someone comes in uninvited with the help of someone who has a key, but I'm sure that a stranger wandering around, looking at people's screens would attract some attention.

It's just not happening though. Maybe because the outsider would get caught on tape by the security cameras anyway, or maybe because there's just not enough espionage going on in Helsinki.

Someone with a ski-mask looking at people's screens would definitely attract attention :)

I think we can all agree that not letting outsiders into the office in the first place is a better defense than locking your computers.

jugimaster on November 15, 2007 06:27 AM

> Wow! Don't any of you work anywhere that has to comply with SAS 70,
> Sarbanes-Oxley, etc?

No. I'm at work, not in prison, and my pc is a development tool, not a production server. If someone put a silly screen saver on, i'd giggle and then take it off again. I doubt very many people here would tolerate working somewhere so strict.

Dave on November 15, 2007 06:33 AM

>It's just not happening though. Maybe because the outsider would get caught on tape by the security cameras anyway, or maybe because there's just not enough espionage going on in Helsinki.

I've caught several people walking around that others have let in that weren't there for espionage, but for a quick buck by stealing purses/wallets/laptops. We've had others that have not been caught until the police were called in to review tapes and track them down and still others that were never caught. The thieves dressed according to our dress code and acted like they belonged. The average person doesn't notice that. "Common sense" isn't common. Don't rely on others being sensible. They aren't.

Rob Smith on November 15, 2007 06:38 AM

>Of course it's possible that someone comes in uninvited with the help of someone who has a key, but I'm sure that a stranger wandering around, looking at people's screens would attract some attention.

Actually, it usually won't. An interesting phenomenon has been demonstrated many times in supposedly secure buildings: Once somebody gets in, everybody assumes they belong there, and they have the run of the place. Journalists have used this to get stories in hospitals, airports, construction sites. There was even a case in the Australian military not that long ago of a civilian sitting in on a classified meeting after walking through a door that hadn't closed fully.

Hevach on November 15, 2007 06:39 AM

Congrats. You just got me future-fired.

devolute on November 15, 2007 06:41 AM

-------------------------------------
I think all of this is really stupid
-------------------------------------

You are claiming that you do this crap in the interest of security. But many (not all) of these pranks require admin access to install. There are people here talking about installing Windows services and scheduled tasks. Isn't it more important to make sure that you aren't running as an administrator?!?!?! Doesn't that help your security more than locking your computer for the 15 seconds it takes to walk from your machine to the coffee maker for a refill?

If you require employees to lock their computers while away but allow everyone to run their computer as an administrator then you do NOT really "care about security". And you need to tell your employees to get back to work instead of playing games.

Matt on November 15, 2007 06:45 AM

Why would anybody fire you for the reason of changing your co-workers desktop wallpaper? Possibly because there are regulatory requirements for them to keep track of who has access to what information or who initiated what transactions. And if some smartass is in the habit of sitting down at other people's computers and using them for unauthorised and unknown purposes they can't possibly meet those obligations?

Some of the guys posting to this discussion don't seem to have thought it through. You're playing these jokes (you say) because security is important where you work. So if there is some sort of security violation it's presumably going to get investigated, and the first question to be asked is who used the workstation in question. Answer - you did, because you're in the habit of sitting down unsupervised in front of an unlocked terminal whenever you see one. Admittedly you claim you weren't responsible for emailing confidential information to an external email account (or whatever the security violation was), but so does the guy who sits at the workstation, and he plays golf with the CEO's son-in-law, so it's obviously you who's lying.

Or could it perhaps be that security isn't really that big a concern where you work, but it provides a convenient excuse for you to torment your co-workers with cretinous pranks?

jpl on November 15, 2007 06:47 AM

At college, if someone left their computer unlocked, we would set their home page to (and background image to, and fill their start up folder with) the web page of Ouchy the Clown, purveyor of "adult clown services". We called it "ouchying" someone.

B on November 15, 2007 06:53 AM

In my student days, people would leave the public computer pools (used by everyone) without logging out. In these cases we often sent a mail to the person: "Note to myself: don't forget to log out, else login could be very hard" and added "logout" as the first line in their login script.
I once stood next to one of the admins when a student came in and complained that his account didn't work. It was very embarrassing for him when the admin asked whether he had maybe forgotten to log out the last time he worked on a machine. The admin fixed it, told him to check his emails, and advised him to log out when he leaves the terminal (with a hint that really evil people could do some really bad things, like delete his home directory, hack into the CIA, ...).

Flolo on November 15, 2007 06:58 AM

I work in IT for a bank. They cram every aspect of security down your throat to limit the risk of ANYTHING ever leaking. Locking your workstation is not only encouraged but a JOB REQUIREMENT. Most areas are secured with 2 factor biometric fingerprint and smart card readers for entry. We are not allowed to bring in cameras, operate camera phones, all USB ports are disabled so you can't copy off files, lots of webmail and file web sites are blocked so you can't upload confidential data, etc. etc.

Come on, it's 2007! Lock your PC when you step away. Do you leave your wallet containing your personal info and credit cards laying around, too?

spoulson on November 15, 2007 07:02 AM

"No. I'm at work, not in prison, and my pc is a development tool, not a production server. If someone put a silly screen saver on, i'd giggle and then take it off again. I doubt very many people here would tolerate working somewhere so strict."

I work in the healthcare/medical research industry. So even if I don't run as administrator, I still have access to patient records or un-masked research data. Sure we have card-key access to our part of the building, but we often have visitors. A couple of years ago, a worker at the Seattle Cancer Care Alliance was convicted of identity theft. They had access to an unlocked system and obtained protected health information (PHI) on a few patients. Due to HIPAA regulations, we are required to secure not only our servers, but our workstations.

Scott on November 15, 2007 07:08 AM

Don't just lock your computer when you leave for the day. Kindly shut it down too. Think of the amount of energy saved by just waiting 5 min

cronos on November 15, 2007 07:10 AM

This can escalate very quickly though. Setting things via Group Policy is cruel, but amusing... :D

Ian on November 15, 2007 07:13 AM

Installing the comedy Clippy's one thing, but I'd definitely think twice and stop short before installing either of the last two utilities linked at the bottom of the post. They're both network utilities and if you have an administrator with a pulse, you're going to be sending it skyward if you install what could be described as a trojan on someone else's computer. For that matter, I probably wouldn't install Clippy because if something goes belly-up on their box and you cop to having installed it, good times will not be had by all.
I'd stick to the tried-and-true desktop screenshot or "I have a shiney heinie" e-mails to the company. Or just go to http://wigflip.com/automotivator/ and roll your own faux-motivational poster encouraging them to learn to slap Windows+L before they walk away from their desk. Or a screensaver with a 1 minute timer and password on return.

Dave Solomon on November 15, 2007 07:14 AM

I've always wondered about the Windows key + L thing. It isn't ctrl-alt-del, so it can be intercepted, right? Although if someone has enough control of your computer to pop up a fake lock/login screen at that point, I guess getting your password too isn't much worse.

a on November 15, 2007 07:14 AM

The Office Poltergeist site is blocked by my company's net-nanny because it is classified as "Criminal Skills." Not a good sign for any kind of joke using it being taken well...

Brian on November 15, 2007 07:19 AM

I wonder how many of the same people here complaining that this practice is childish and pointless were also replying to some of the earlier security posts suggesting that people use custom hash functions or saying that it's OK to store passwords in plain-text because people shouldn't have access to your database.

Here's what I have to say to you folks:

1. Every company has at least one nutbar, or will soon. If you're positive that it's not any of your coworkers, then it's probably you.

2. Every company has *several* people who will fall for a social engineering stunt, whether it's technological in nature (phishing) or personal (cable repair!).

3. A security breach isn't just a bug that you can fix later. You don't get a second chance.

4. Locking someone's computer for them solves the immediate problem, but not the long-term one. Typical rookie mistake. You want to discipline people to lock their workstations, and doing it for them accomplishes the exact opposite! Pranks aren't perfect, but they're a lot better than heavy-handed reprimands or summary dismissals.

5. Locking your computer doesn't "waste time". I can't believe the people whining about how they're only gone for 30 seconds. Who cares? It takes a fraction of a second to lock it, and maybe 3 seconds to unlock it, if you happen to be the slowest typist on the planet.

6. Lighten up already. Yes, it's childish - and yes, it's funny. If 5 wasted minutes can ruin your whole day, you need therapy. And quite frankly, the people who are most "uncomfortable" (i.e. who completely freak out) when pranked are usually the funniest to watch. Like Jeff's coworker who sent out a mass e-mail about Clippy.

And as for Sarbanes-Oxley, that's exactly why you don't hire finance guys to run an IT department. If you're a public company and you're forced to follow those inane rules, fine, but otherwise, who cares?

Aaron G on November 15, 2007 07:23 AM

Isn't setting up the type of environment where everyone giggles when someone sits down at a machine they're not supposed to be at and uses it for a few minutes a bad thing? Are you really saying that smart security conscious people will let me sit down at an unmanned machine at your business and install a program from the internet? It seems like most of you think that as long as it has a silly and easily removed side effect like Clippy there wouldn't be any further questioning than 'how do they turn Clippy off?'

Spoon on November 15, 2007 07:28 AM

If you're really just doing it for security, lock the 'victim's' machine and leave a sticky note with a reminder.
Anything beyond that is a prank, so be honest and call it that.

Hartmut on November 15, 2007 07:29 AM

no-fun,
As with most analogies, yours sucks. The penalties for entering someone's home uninvited are far worse than changing someone's computer desktop image at work. You're misunderstanding the context and intent of "goating".
However, if someone did come in and prank you every time you left your house unlocked, you'd start to think twice about locking your door, wouldn't you?

bynary on November 15, 2007 07:30 AM

About 7 years ago I installed the Blue Screen screensaver on my buddy's machine.

He was developing this VB6 application that interacted with some weird API - anyway - it was complex and very hard to work with.

He came back from his lunch, saw the blue screen, and said some expletives and then turned off his computer.

I found out later that he had been working on something for over 5 hours and did not save it. Ohhhhhhh bummer man. CTRL + S is your friend.

Donn Felker on November 15, 2007 07:32 AM

Hartmut,
Do you have kids? If I picked up my kid's toys for them every time they left them laying around and just stuck a sticky note on them, they would never learn to clean up after themselves. They would, however, learn that other people's messes are their problem which is exactly the opposite of what I want them to learn. Teaching someone that there are consequences for their actions (or lack of action in the case of not locking their workstation) is far better than being an enabler.

bynary on November 15, 2007 07:33 AM

I lock my computer when I am not using it. But not because of "humorous" coworkers. I work at home. My 4 year old daughter is learning to type and she likes to "practice" on any keyboard she finds.

I just don't want my clients to get the "I am a princess" email. It might send the wrong message.

Plus, if you install one of the parallel processing screen saver apps like the @Home processes, that buys you an extra 10-15 minutes of processing time before it would kick in automatically.

Chubber on November 15, 2007 07:35 AM

I work in a company that deals with protected health information (PHI) and compliance requires machines to be locked when leaving your desk.

When it involves information that can be sensitive, it's not just to keep people out, it's to keep the information on your screen from being seen by guests, friends, others without proper auditing.

HIPAA has some tight requirements to protect the health information of patients, and it's our job to make sure that information remains protected.

And, yes, we have several people in our office that will dive into an open machine and make sure everyone knows you left it unlocked.

Chris Patterson on November 15, 2007 07:52 AM

This brings back fond memories. I previously worked at a fortune 500 company where SOPs were in place about locking your workstation when you are absent. This coworker of mine was notorious for leaving without locking, so I felt it my duty to 1) teach a lesson, and 2) have a little fun.

So, I composed an outright abusive email to the CEO, screen captured it, and saved it to the network. I then walked over to his workstation (that title in and of itself is a joke, since little work occurred there) and saved it as the background on his screen.

When he returned, he got completely frustrated when he could not minimize the mail program. Oh, those were the good old days!

Super G on November 15, 2007 07:59 AM

>Change desktop wallpaper to rival sports team, which is bound to annoy them.

My pastor from years back had a Coke classic theme on his computer. I goated his computer to display a Pepsi theme. He was not amused.

Another time, I changed his screen saver to display my picture, just so he would know. Then I left. Another friend saw what I had done, opened my picture in paint, edited it so it looked like I was sticking out my tongue, and set a screen saver password. Yes, the goater got goated.

Similarly, I changed the associate pastor's screen saver to display the picture of one of the young ladies who worked in the office (no password). The AP was single. She happened to be talking to him the first time it flicked on. She gave him a quizzical look, he looked, blushed and said it must have been me. Her response was, "So, you're saying I'm not a catch?"

Frank on November 15, 2007 08:07 AM

Ahh, yes. I miss those days. I work in advertising, so people used to get very creative with what they sent out. Lots of "I like stickers and unicorns" type messages.

Apparently not enough people learned their lesson about locking their stations, though, and eventually the only solution was for management to take away access to the whole-office distribution list. :(

Sarah on November 15, 2007 08:10 AM

I've become obsessive about locking my computer every time I walk away from it at work. When I was in college, a few people in the computer lab thought it was "hilarious" to replace your desktop wallpaper with hardcore porn if you left your computer unlocked.

Brandon on November 15, 2007 08:18 AM

At my last job we called this "noiding" (after the Pizza Hut/Domino's guy from the ad campaign back in the day).

What many of you are missing is this is a tactic to embarrass people into remembering to lock their computers. If it is an official policy, it won't be against policy, will it? The point isn't that your co-workers are nefarious (though some are) but if your office is open to people, any of them could get information off of your computer, and many people do have information that could be useful in the "wrong hands".

I have worked in multiple offices that have had people gain access to the office, during office hours, and stolen items and been gone before it was discovered. Now imagine that what was stolen wasn't a purse or wallet, but accounting information or passwords...

Kearns on November 15, 2007 08:19 AM

When I was still in the dorms, I had a friend that kept loading his pc up with spyware from looking at porn. After about the 10th time cleaning it up I installed a lemonparty.org type screensaver, put a password on it, and put a shortcut to it in his startup folder. He couldn't use his computer for several days until I gave in and removed it all. It didn't help, I still had to clean his spyware infestations on a regular basis.

Aaron on November 15, 2007 08:26 AM

GNOME keyboard shortcut for locking your desktop:

CTRL+SHIFT+L

bofe on November 15, 2007 08:29 AM

and by CTRL+SHIFT+L, of course, I meant CTRL+ALT+L.

bofe on November 15, 2007 08:30 AM

If you really want computer user security principles drilled into you, work for the DoD for a while. Every time I stand up from my computer I lock it out of pure habit. If you don't, you are violating the use agreement and subject to loss of computer privileges, which would ultimately lead to untimely termination.

Mattkins on November 15, 2007 08:42 AM

While some commenters here are shocked at this infantile behavior, I think that there are environments where this is a good idea.

I work at a University. Our building is open to the public, and will remain that way. Non-employees can and do enter our building. Laptops have been stolen when people forget to lock the door to their office.

Most people around me are very good about closing the door to their office when they leave, but a few are not. Polite reminders are not always successful at convincing them to close their office. Sometimes a mild prank is a good way of reminding someone of their vulnerability.

I prefer very mild pranks. For instance, on Unix-type computers I like to edit their login so that it prints out a message when they login. Harmless and easy to remove (for the folks that are here) but a good reminder.

A mild prank is better than a stolen laptop.

Alain Roy on November 15, 2007 08:45 AM

See the Jargon File entry under "baggy pantsing".

Security, shmecurity, goating is FUN! Someone gets goated every day around here.

This morning's: "I wish procreating was as simple as matrix multiplication."

John Pirie on November 15, 2007 08:51 AM

At Research in Motion, if someone leaves his computer unlocked, he often finds that he's subsequently offered to purchase a box of donuts for his entire team. (Of course, regardless of whether or not he actually produced the e-mail, he's now responsible for the team's donut coverage.)

Back at SFU, we called it "Baggy Pantsing", and it usually ended up with an e-mail to everyone about the very baggy condition of one's pants. (I think the terminology was lifted from the Jargon File)

Curtis on November 15, 2007 08:59 AM

Since I work with sensitive data, we are all required to lock the computer if we get up from our desk. If you forget to do this, the computer locks automatically after 5 minutes of inactivity. That's good in theory, but when you are staring at the screen trying to figure out why an algorithm isn't working and the computer locks on you it really gets frustrating.

If we happen to forget and walk away and one of the security guys comes by, they will leave a big SECURITY VIOLATION message in a Notepad window on your desktop. It's a joke to some, but I think they might actually log when that happens. Just building the case for when the axe starts swinging...

WA

Wayne on November 15, 2007 09:01 AM

At my last job, the tradition was to use an unlocked workstation to send an email to the group saying something like, "You know, I really love you guys. I really do."

Obviously, variations occur--I once "got" the most avid gamer in the group by "offering" his new Xbox 360 for "$100 (or best offer)" :-)

Tim Lesher on November 15, 2007 09:08 AM


My favorite:

Email "I'm not wearing any pants".

Me. on November 15, 2007 09:09 AM

Pssst... "these two" point at the same URL as each other.

James on November 15, 2007 09:33 AM

I really really don't understand this. I've never worked anyplace where stunts like this were pulled. I don't think I would want to.

Are you guys still in Junior High or what?

very confused on November 15, 2007 09:40 AM

In the early 90s when I administered the CS labs at Old Dominion University, inserting "logout" as the first line in .login was an effective goating technique. We only ever used it on other staff members who knew better.

Chris Carpinello on November 15, 2007 09:45 AM

"1) Wallpaper as http://www.aquarionics.com/fun/lemming/back.html"

Oh My God! My eyes almost died!

Ubersoldat on November 15, 2007 09:48 AM

On my team, "Fabio-ing" has been made into a near-Olympic sport. If someone's away from their unlocked computer for less than a minute, one of my coworkers is in their cube putting a picture of Fabio on their desktop. Priceless.

Great job Jeff for covering an important piece of positive (!) social engineering, and for giving me all kinds of new tricks to pull ;)

John Ferringer on November 15, 2007 09:48 AM

When this happens, I tend to mess with the autocorrect feature in Word. Think leetspeak :)

On a more serious note, where I work we use smartcards for building access, and for computer logon. Locking your workstation is as simple as removing the card when you get up and leave, unlocking when you get back is as simple as inserting it and entering a PIN code.

Erling Paulsen on November 15, 2007 10:09 AM

Ah well, the screen should automatically lock when the chair in front of it is vacated. And shouldn't unlock whilst it is.

Andreas Krey on November 15, 2007 10:26 AM

I will vouch for what TomatoQueen said. I work in a large federal building as a contractor and frankly most of the IT staff are clueless about computer security (not to mention computers, but that's a different issue).

Whenever we get an email that screams "security risk" (e.g. from an unknown person asking for personal information or telling us to open the attached file, often with very poor grammar) it's pretty much a sure thing that it's not only a legitimate email, but that it's from the security department that doesn't actually follow any of the procedures they dictate.

Plus IE6 is *required* to be your default browser, and we only upgraded to SP2 on XP about 6 months ago.

rev_matt_y on November 15, 2007 10:28 AM

Wicked tip about Clippy. Had a go at a workmate's computer and he was instantly baffled - even had an IT guy come over and look at it. They both agreed that it had to be a joke, though, which was good. I actually think he'll keep Clippy running on the comp, just cause it's a great humor-stunt.

As for the differing opinions on this issue: as far as I'm concerned, if your company has a policy on locking your comp when leaving it, you're to blame for whatever happens to it if you don't.

Regards
Fake

Fake51 on November 15, 2007 10:30 AM

Yes, one side effect of this technique is that you quickly learn which of your coworkers do and don't have a good sense of humor.

As always, use your own judgment about what is appropriate behavior in your work environment. I am not proposing that you do this indiscriminately to everyone, to your CEO or boss.. unless you know they'll go along with the friendly joke.

Jeff Atwood on November 15, 2007 10:33 AM

Wow! Not a big fan of goating myself but... People, forget about your tight-ass ultra-corporate offices for a moment and relax.

Somebody once said about programming: "Remember, it is supposed to be fun. If it isn't, you are doing something wrong".

Stas on November 15, 2007 10:43 AM

Considering the sensitivity and importance of corporate knowledge and data in general, I can't believe the degree of naïveté in some of these responses. And, while I agree that a few of the actions mentioned above might be extreme, the practice itself is a necessary evil. Most of the examples given would take far longer than the “30 seconds” cited by those complaining, so I think that exaggeration is also lending to a much more negative perception. Here’s my rule of thumb: I don’t lock my workstation if I’m in view of the area as I’ll know when someone enters my space, but if I go to lunch, the bathroom or across the floor to vending, I lock it.

Though the finance industry may have their specific, above-mentioned guidelines strictly designed for monitoring access, even more companies (if not All) have some form of security policy that includes a “need to know” confidentiality clause. This pertains not only to external entities, but your trusted co-workers. I’ve worked in a secure environment for the past several years and, as mentioned above, leaving my workstation unlocked is NOT an option. My clearance level may be above that of my co-worker. So, while they are allowed in the building, floor, and cubicle, they aren’t allowed to view certain documentation. To make it more complicated, I may never know what some of my co-workers’ clearance level is, which becomes irrelevant if I lock my workstation. The responsibility for security begins with ME. I’ve acted as SSO for several systems and I can assure you that the easiest and main point of access for most intrusions is at the individual security level, from inadequate password protection (too easy or taped to their monitor) to, you guessed it, leaving their workstation unlocked.

Even the Cum-Bay-Ah office environments glorified above probably aren’t as secure and friendly as the posters would lead us to believe. People are easily rubbed the wrong way, so a simple email inviting one co-worker over for a BBQ may seem innocent to you, but may leave another, uninvited co-worker feeling snubbed. He may not have done anything nefarious this time, but after having learned that you don’t like him enough to have him over to dinner and having time to stew over it, your next lunch excursion may be his opportunity to exact some sweet revenge on you by sending an email from your account letting your boss know exactly how you feel about him.

No personal information on your workstation, you say? What about your emails? None of those slip into the personal realm? What about things like annual performance evaluations, usually communicated via email? Think your co-worker would be satisfied to find you receive twice the salary to do half the work…even if that is only his perception?

If you don’t like it happening to you, then lock your workstation. If you can’t be bothered to follow through with such a massive inconvenience as locking your workstation, then report it. Why don’t you report it? Because the first question you’ll probably be asked is how they gained access. When I was told that the user left the machine unlocked, as a security officer my first response would always be to chastise that user. That would be followed by the question “what exactly do you expect me to do?” All the system logs will prove is that YOU were logged in; good luck attempting to invoke your SAS 70 (which I believe more than assumes the Owner is acting responsibly and maintaining the fundamental security and access to said system by, yes you guessed it, locking the machine when they are not present.)

We've most commonly referred to it as "getting bageled". The first offense is usually a warning by way of email from their own account reminding them the importance of network security and their role in it. On further lapses, the offender (and that is EXACTLY what the person NOT properly securing their workstation is) generously emails the office his intention to bring bagels (or donuts) for breakfast the next morning. Anything beyond that is usually a judgment call based on the relationship between the offender and the person catching him or the offender’s demeanor in general.

Judging by some of the uptight responses above, I’d guess most of these “pranks” are attempts at levity designed to help you remove the sticks from your behinds.

wetworks on November 15, 2007 11:01 AM

Okay, content filter got me on this post. Wherever you see happy, just replace it with a slang for being homosexual.

Someone got me once. In Sybase SQL Anywhere's front end (it was a while ago) you could run queries. When a column was null, it would appear as "NULL" italicized. I didn't know that was configurable. So, one day I came back to my machine, sat down, ran a query, and instead of NULL it said "Matt is happy". Very juvenile. However, also pretty funny.

I was EXTREMELY upset at first -- not because it said I was happy, but because I thought, just for a second, that the database really had that data in there, and I had just sent a copy to a client for testing. I thought that I was going to get in SOOOO much trouble for sending out such an unprofessional message.

Of course, people misunderstood why I was originally so upset, and they all thought that I was homophobic.

Matt on November 15, 2007 11:06 AM

Funny, it sounds like you're the one who's violating the corporate security policy. It might be a good lesson but you are still breaking the rules to 'teach' it. Frankly I would give him a warning about not locking the computer and dock you a day's pay and make it clear that if it happened again you would be fired.

Tyler Reddun on November 15, 2007 11:15 AM

If someone were to attempt to dock my pay for goating, they'd be forced to demonstrate my involvement in court. That's going to be pretty hard to do...probably just as hard to prove as you being in the bathroom when that porn was downloaded.

Not only that, but if that user were ever foolish enough to leave his machine unlocked again, my motivation would probably swing from harmless fun and security reminders to pure revenge.

billy b on November 15, 2007 11:27 AM

On a lighter note....

It's also a good prank to go into MS Word and mess with the auto correct dictionary, replacing common words like 'the' with either misspelled versions, or completely different words.

Todd on November 15, 2007 11:33 AM

I really don't understand why so many people seem to be offended by the idea of office pranking - especially in this situation.

Amanda on November 15, 2007 11:40 AM

For the "anti-prank" contingent:

What's worse:
- co-worker changing your desktop background
or
- malicious user using your computer to do (insert the worst possible thing you can accomplish with your access).

The prank is the lesson - lock your computer, or else be liable for any random act any random person would like to do as you.

(Heck, if it was supposed to be malicious, I'd be sending out resignation letters, but that's just me.)

Allen on November 15, 2007 11:41 AM

I lock my pc all the time but if someone were to ever mess with my pc b/c they thought it was funny, well then, I would take a funny shit on their keyboard. There's funny for you.

whocares on November 15, 2007 11:42 AM

Yeah, that works. BTW, if someone were to type an email in my evolution and try to send it, it asks for my gnupg passphrase :) This can be disabled, but then, there's no proof at all that *i* ever wrote that email. It doesn't help in the scenario where i'm threatened to type it in, but ok...

kneitert on November 15, 2007 11:43 AM

well my original post on this topic didn't last more than 1 minute. Do unto others as you would have done to you. Live by it.

whocares on November 15, 2007 11:48 AM

My top "goating" trick was to full-screen a virtual machine to a bare bones Windows OS. I left a note that the machine had been reimaged due to a new corporate policy.

matthew on November 15, 2007 11:53 AM

My office buddy was in the habit of walking away without locking his machine so we did a couple things to it over a few days.

1. Created a really crappy drawing of him using paint.exe with a bubble saying "I love <project>", where project is the dead-horse being beaten. Then we set it as his desktop and sent that email out to everyone in the company using his email.

2. A week or two later he didn't log out again so I wrote an app that would logout a user from windows every 2 min. And it went something like this.

Login, work, logout. Huh?
Login, work, logout. Expletive.
Login, work, logout. Plethora of Expletives.
Profit!!
Uncontrollable laughter ensues.

He locks his machine now :-)

Sushant Bhatia on November 15, 2007 11:54 AM

My office has "Hoffing," where you get the raciest picture we can find of David Hasselhoff placed on your desktop the moment you walk away.

Telos on November 15, 2007 12:19 PM

The US Army has a pretty good way of defeating this: your ID card is used to login with a PIN. Of course, when my soldiers forget their ID cards, it's two-fold revenge: an entertaining wallpaper which they're ordered not to change for a week, and about 200 push-ups. I don't get to pull that very often anymore.

UAVguy on November 15, 2007 12:33 PM

When I was at university -- 1991 to 1993, and we're talking Unix shell accounts here -- this practice was sometimes in force too. Never heard the name "goating" for it (which is my wife's term for flirting, but that's neither here nor there). Most common mode took the form of altering the victim's .login file, so the hilarity would only ensue the next time they logged in. Sometimes the script would even helpfully clean up after itself so the prank only happened once. The actual prank might involve sending out emails, or posting to Usenet, or writing to the consoles of everyone else logged in, or any number of other fun things. It might even display a message afterward explaining what had happened and admonishing the victim never to walk away from a logged-in open terminal again.

Atario on November 15, 2007 12:41 PM

This is totally wrong.

A quiet word to a co-worker is one thing. Using their computer while they are logged on is quite different. Bluntly it is unethical and a breach of trust. It is identity theft.

If you send an email "I've been naughty", or change my desktop, how do I know that you haven't sent or read other email, or read (even changed) documents you had no right to access?

Gordon on November 15, 2007 12:48 PM

Screensaver, wait 5 minutes -> On Resume Password Protect
That will protect you from most of the Goatboys.

Why stop pranking because the user "merely" locked their workstation?

If the fool left a bootable drive on their machine you can download bootdisks and BIOS password changers and go to town. Change everything you want.

You could re-arrange all the keys on their keyboard to spell swear words on them.

Mess around all of their monitor display settings making sure you set the display language to Swahili or something, good luck in getting that back to normal.

Flip the 110/220 switch on the back of the power supply to 220v.

And top it off with the old shoe polish on the headphones trick.

Amateurs... Touch my PC and feel my wrath.

David E. on November 15, 2007 12:58 PM

Ha, this is even better if you do it remotely - which requires that you have remote access to the PC in question, if you're in the administrators group you can.

This is clip2.cmd which requires the sysinternals (now MS, blech!) PS Tools, Google 'em up. Run it from the command line with the NAME of the PC after it, just the name, no "\\". Change paths to match your system.
REM ~~~~~~~~~~~~~~~~ Start cmd code ~~~~~~~~~~~~~~~~~~
REM Kill Clippy if it's already running, can't run well twice.
C:\util\ps\pskill.exe \\%1 clippy.exe
REM Make a temp dir if it doesn't already exist
md \\%1\c$\temp
REM Copy the file(s) to the PC, change path to YOUR PC's
REM local path to Clippy.exe, also can copy clippy.txt
copy C:\util\ps\clippy.* \\%1\c$\temp
REM Run PSExec to start it on their PC
C:\util\ps\psexec.exe \\%1 -i -d C:\temp\clippy.exe
REM ~~~~~~~~~~~~~~~~ End cmd code ~~~~~~~~~~~~~~~~~~

RM on November 15, 2007 12:59 PM

> If you send an email "I've been naughty", or change my desktop, how do I know that you haven't sent or read other email, or read (even changed) documents you had no right to access?

That's the whole point! Your coworkers theoretically LIKE you, and they *could* do anything. Imagine what someone who wasn't a friend or coworker could do.

> You could re-arrange all the keys on their keyboard to spell swear words on them.

I actually did something similar to a roommate in college. He came back and his keyboard was no longer QWERTY, it was in alphabetic order from A-Z.

Jeff Atwood on November 15, 2007 01:04 PM

My clippy.txt - which will post THESE comments instead of the built in ones:

What are you, a dumbass?
Are you sure you aren't a dumbass?
Someone just farted!
The guy behind you does twice as much work as you do.
And he makes only half as much!
He's the one that farted too!
Your design is not to spec, would you like me to alter the dimensions?
Always remember you're unique. Just like everyone else.
You are a gross ignoramus -- 144 times worse than an ordinary ignoramus.
Everyone rises to their level of incompetence.
Artificial intelligence is no match for natural stupidity.
If you aren't fired with enthusiasm, you will be fired with enthusiasm
Never let your schooling interfere with your education
Depression is merely anger without enthusiasm
Laziness is nothing more than the habit of resting before you get tired.
If you're too open minded, your brains will fall out.
I see you are incompetent, would you like help in drafting a resignation letter?
I can format your hard drive for you, may I?
No, really I can, should I?
Are you sure?
Are you irritated yet?
Someone farted again!
I see that your hard disk is nearly full, click OK to let me randomly delete files ?
Your breath smells, you need a mint.

RM on November 15, 2007 01:04 PM

There is a trade off between "having fun and teach to lock workstation" and "respect computer privacy and don't use someone else's computer even if it's unlocked".
So the best solution depends on how important "respect of computer privacy" is versus "tricking and fun" in your organization.

I don't do pranks on machines of my coworkers even if I can. So if they don't lock their workstation then I either don't do anything or may simply suggest them to lock their machines.
I think "don't touch computer even if it's unlocked" practice improves security (in comparison with "abusing coworkers' computers every time they are left unlocked").

I lock my machine anyway if I'm going away from my machine. Even in such "don't touch other computers" environment.

Dennis Gorelik on November 15, 2007 01:06 PM

Ah, can't stop myself laughing from the memories of doing this to my mates. That ended ages ago. Big companies have no sense of humour. Don't laugh, just work. I'm sad now. Maybe I'll find a way of installing clippy onto someone's computer. Unfortunately I can't download it, I'm not allowed access to a floppy drive, a CDROM drive or a USB stick. But I'll work it out!

Naked Programmer on November 15, 2007 01:08 PM

Jeff, didn't you have a post just like this one not too long ago?

John Lawson on November 15, 2007 01:39 PM

(quote)
If you send an email "I've been naughty", or change my desktop, how do I know that you haven't sent or read other email, or read (even changed) documents you had no right to access?
Gordon on November 15, 2007 12:48 PM
(/quote)

You don't. And if I didn't change your desktop or send a funny email, you wouldn't even have reason to suspect that I've been ordering office supplies against your account, changing your code, and doing heaven-knows-what else that will all be logged as being you, not me.

*That's* the point of the prank - a tweak that says "you are *so* lucky it's only embarrassing"

Allen on November 15, 2007 01:42 PM

I'm freaking out that you get so many comments on a topic like this.

But then, mass hypnosis does freak me out.

Steve on November 15, 2007 01:47 PM

We used to do this kind of thing where I once worked. "I need a hug" or "I'm a little tea-pot" were pretty common blurbs to all employees from the 'victim'. Now, it may seem STRANGE to have to lock your computer when you leave it, but the thing is, in order to remain certified, or pass security audits, these kinds of things must be in place - and practiced. How would you feel if you got fired because a criminal accessed sensitive data from your machine when you were at a meeting?

The best trick to pull on others in an office such as this is to take a screen cap of your desktop, and use that image as your screen saver, set screen saver to require login. Sit across the room and watch the 'do-gooders' be stupefied by the login screen, instead of having full access to your email. Joke's on them. Too funny.

Dad on November 15, 2007 01:53 PM

The Clippy prank is great. Used it about 10-minutes after reading the article

Kevin Fairchild on November 15, 2007 01:56 PM

E-mail itsupport@[mycompany].com
Subject: "Please Help"
Can someone please help me learn to lock my computer?
Thanks!
Send, WinKey + L.

Alternatively, if it IS a higher-up IT Support person, e-mail goes to employees@[mycompany].com.

Somedood on November 15, 2007 02:16 PM

This goating thing happened to me once.

My computer was unlocked[1] while I was somewhere else in the building; a security auditor went in, went through all my email, found some questionable correspondence[2], and I ended up with a record on my permanent file.

H-I-L-A-R-I-O-U-S.

[1] only reason why my computer was unlocked was because I had to kill the screensaver while remote desktopping in from somewhere else in the building.

[2] never found out what it was exactly... email forwards I received but hadn't deleted?

engtech on November 15, 2007 02:29 PM

I am very happy with this article, I knew people played pranks in the office, but before I read this, I had no idea how to defend myself or recover from such attacks.
I've heard that there is a way to get past a workstation lock, so if someone really wants to get in, can't they?

Godofdefire on November 15, 2007 03:19 PM

don't touch my shit. If you screw with my machine "because you didn't prevent me from doing so" I'm going to set your mailfile to /dev/null because I can.

Sean on November 15, 2007 04:06 PM

Being a student makes things a lot funnier than they really are:

On a VAX system at the university I went to I had found a user that had left themselves logged in and left. Added to their login script an alias such that when they asked for a directory listing, it only showed files that were created 10 years earlier. (ie. showed no files in their account)

The sys-op/lecturer approached me a few days later, saying he "knew" I wouldn't have done such a thing!! And proceeded to tell me that the user is a niece to the head sysop in the parent university.

He apparently got in trouble for my 'trick' because some previous time he had also come across this user left logged in and had shifted all her files off into some system area so she had no files in her account.
She had cried 'help' to her uncle, uncle had talked to lecturer, lecturer explained to uncle what had happened.
This time, she complained to uncle, uncle sent a rocket at lecturer, and lecturer explained that he had done nothing this time.

Good thing I got on well with the lecturer.

TH on November 15, 2007 04:20 PM

Jeff wrote: Imagine what someone who wasn't a friend or coworker could do.

I don't know about anyone else you, but we generally don't allow random people to roam unsupervised in our office.

I have to agree with Gordon: tampering with the tools coworkers use to do their job isn't the answer. And this isn't an issue of being uptight about pranks. As a developer I use my computer for all aspects of my job, and I don't want it to be jacked up because you're trying to teach me a 'lesson'. If physical security is critical in your particular environment, then the IT department should mandate locking your system when you're away from it. Don't take it upon yourself to enlighten the world by any means necessary.

A better solution might be making it as quick and easy to unlock a system as lock it (perhaps using biometrics.) Sure it's only a few seconds to log back in the standard way, but if you roam your office a lot as part of your job, having to type in your ultra-strong password all the time, along with the inevitable typos and re-typing, gets old fast.

thisiscmt on November 15, 2007 04:44 PM

Wow.

If you work in an environment requiring security I suppose this is a "Nice" way to tell someone to keep things locked up (Nice as opposed to some official warning), however if this caught on a company I worked for, I'd be pretty annoyed.

Generally my PC has no better access than any laptop dropped onto the network. Everyone in the room has checkin/out privileges and stuff.

If someone really wants to read my gmail, go for it. Usually the first thing I do on a company PC is disable the screensaver lock and, if possible, disable the login screen altogether, but it depends on the company/group I'm working with.

I know I'm pretty pissed when I'm helping some paranoid asshole and every time I have to do anything on his PC, he has to reach over and enter the password every couple minutes.

Bill on November 15, 2007 05:02 PM

If someone else tells me that I need to lock my desktop at work when I stand up, then the terrorists have already won.

Andy on November 15, 2007 05:16 PM

When my coworkers leave the office, I rummage through their desk and their personal belongings. I like to find some paper that looks important, then write something funny on it. One time, my coworker came back and found that her report said "Kilgore was here" at the very top. I almost busted a gut.

userd on November 15, 2007 05:28 PM

At E-Trade you could be fired for leaving your desk without locking your computer. (I didn't work there, but my brother-in-law did). When I first heard about it, they were on NT. I thought it was strange and difficult, but obviously someone there knew what they were doing. It made me trust them a little more when they appeared to have such strict computer security in mind.

Jim on November 15, 2007 06:48 PM

CAA said:
"... In a public company, modifying another employee's computer without his consent is usually a serious security violation that can get you fired. ...

Reread your company's policies on this kind of stuff before adopting any of these ideas."

Yes, yes indeed. Please do read your company's policies on security. For somewhere as strict as you make it sound, I would be quite shocked if there wasn't something in there about users locking their workstations. Most companies require that you lock your computer, many force it with a short screensaver time-out that's password protected.

A.C. on November 15, 2007 08:19 PM
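
The password-protected screensaver time-out described in the comment above can be checked per user from the registry. The following PowerShell is an added example, not part of the original thread: the function names and the 300-second limit are assumptions, and the last lines run the same check on constructed values.

```powershell
# Added example (not from the thread): report whether the current user's
# session locks itself when idle. Function names and the 300-second limit
# are assumptions made for this illustration.

$MaxIdleSeconds = 300

# Group Policy values, when present, take precedence over the user's own
# Control Panel settings, so the policy key is checked first.
$Keys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

function Get-EffectiveSetting {
    param([string]$Name)
    foreach ($key in $Keys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Source = $key }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set' }
}

function Test-IdleLock {
    # Values are the registry strings: '1' means enabled, timeout is in seconds.
    param([string]$Active, [string]$Secure, [string]$Timeout, [int]$Limit)
    $findings = @()
    if ($Active -ne '1') {
        $findings += 'Screensaver is disabled, so the idle lock never triggers.'
    }
    if ($Secure -ne '1') {
        $findings += 'Resuming from the screensaver does not require a password.'
    }
    $seconds = 0
    if (-not [int]::TryParse($Timeout, [ref]$seconds) -or $seconds -le 0) {
        $findings += 'No idle timeout is set.'
    } elseif ($seconds -gt $Limit) {
        $findings += "Idle timeout is $seconds s, above the $Limit s limit."
    }
    $findings
}

# Live check against the logged-on user's settings.
$settings = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut' |
    ForEach-Object { Get-EffectiveSetting $_ }
$settings | Format-Table -AutoSize | Out-String | Write-Host

$byName = @{}
$settings | ForEach-Object { $byName[$_.Name] = $_.Value }

$findings = @(Test-IdleLock -Active $byName['ScreenSaveActive'] `
                            -Secure $byName['ScreenSaverIsSecure'] `
                            -Timeout $byName['ScreenSaveTimeOut'] `
                            -Limit $MaxIdleSeconds)

if ($findings.Count -eq 0) {
    Write-Host 'OK: session locks on idle within the limit.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}

# Constructed sample: screensaver on, no password on resume, 15-minute timeout.
$sample = @(Test-IdleLock -Active '1' -Secure '0' -Timeout '900' -Limit $MaxIdleSeconds)
Write-Host "Constructed sample produced $($sample.Count) finding(s):"
$sample | ForEach-Object { Write-Host "  $_" }
```
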

my favorite trick is to turn off their spacebar (or the key of your choice).... it's a quick little reghack, especially if you've got the .reg file prepared --- info @ http://www.usnetizen.com/fix_capslock.html

you can use these powers for good as well on your own computer, for example i've turned off my CAPSLOCK and <insert> keys........


toddwick on November 15, 2007 08:29 PM

insert keys

toddwick on November 15, 2007 08:29 PM

At my school, all of the teachers are given complete local administrator access. They also have complete access to all of our (the students') private information - grades, addresses, phone numbers, email addresses, some health information and I'm not even sure what else. Despite this, they often leave their computers unlocked for extended periods of time, with the student information software wide open. It's a miracle no students have changed their own grades yet. I don't understand why IT restricts the students so much that we can't even change the screen resolution (yes, really) but can't be bothered to implement a policy to require password protected screensavers.

Nerd on November 15, 2007 08:51 PM

Back in college, if you walked away from the NeXT terminal without logging out, a friend of mine was fond of sending an email to yourself with the following:

"<Name>, this is you from <some odd year>. Whatever you do, don't talk to the monkey!"

Mike Hall on November 15, 2007 09:39 PM

I'm sure glad I don't work in an office with you soul sucking dweebs that can't take a joke.

Don't want juvenile jokes played on you? Stop acting like a child and follow the grown up policies your employer has set for you.

Brett on November 15, 2007 10:04 PM

You touch my computer and I'll probably kick your ass pretty good.

One's PC should be locked, but if I don't and you mess with that which I need to work, you will be sorry.

Steve on November 15, 2007 11:58 PM

Violence is your answer to a simple prank? You seem to have some anger problems. Not that I endorse all of the suggestions here, but a simple desktop change (not to porn) or a silly email sent to others is a harmless way to add a little embarrassment to the lapse of not locking a computer. Much more effective than just a note on the screen.

Qmanol on November 16, 2007 12:20 AM

A very great way to play a prank on someone. An inspiration to teach people the importance of computer security :)

ping on November 16, 2007 12:55 AM

On one of my past places of work, Goating was compulsory if anyone left their computer unlocked. The pranks ranged from the ones mentioned in the blog here to much more creative things. The "desktop screenshot" is a good one, but in combination with switching the mouse buttons and setting the mouse speed to the lowest possible value makes it so much more amusing.

Sending e-mails to managers is always fun. I once found myself having invited the finance director of the company to a movie and dinner.. Funny thing about that one is that I'm married to her today, and that prank was what got us started speaking.. So thank you to the one who pulled that one!

One of the more elaborate schemes was when I scripted one guy's Firefox to send him to www.string-emil.de each time he hit the A-key on his keyboard... oh, don't go to that site if someone is watching... or if you are sensitive to middle aged, long haired men in skimpy underwear.

Jens J on November 16, 2007 01:20 AM

Why do you think you'd lock down a desktop and not let students change screen resolution? Oh, yes that's because the little darlings change screen resolutions to limits that the monitors don't support. Very clever.

As far as locking screens go, there have been cases of Civil Servants in the UK being disciplined and fired for not locking their work stations - data protection issues mostly.

Our trick at College was to put a "logoff" in the user's "logon" script. I did it to one guy who'd just gone to a printer, he went ballistic at the class joker. Felt immature and silly so wrote a small program that locked the screens, and then never did it again.

Oh, and a final note, in XP is it possible to unlock another user's workstation (ie log them off) without being a member of the administrator group?

A Schools Admin on November 16, 2007 01:34 AM

> I've caught several people walking around that others have let in that weren't there for espionage, but for a quick buck by stealing purses/wallets/laptops. We've had others that have not been caught until the police were called in to review tapes and track them down and still others that were never caught.

Several? -Even though your entrances are locked.. ?

Well, what can I say.. As far as I know, that sort of thing just doesn't happen in Helsinki, which is nice.

For the record, I'd find "hoffing" funny too, but not a resignation e-mail sent in my name.


jugimaster on November 16, 2007 02:10 AM

I usually play the nasty "animal sex goating" - no pun intended :P

Where I work, we have an internet filter like Websense, so when you try to access "unusual" sites your request is denied, logged and reported to the admins.

That's why, when my coworkers leave the PC unlocked, I open Explorer and load animalsex.com... then I hit F5... 100 times...

[Hope this comment doesn't get filtered]

Filini on November 16, 2007 02:21 AM

I think something that a few of the people offended by the idea of "goating" are missing is that this is really done to people you get along with and that you know can take a joke. I wouldn't do this to someone I don't know or I know would get in a tizzy about it (like the 220 V keyboard guy or the shit on keyboard guy).

ScoPi on November 16, 2007 04:17 AM

What you need is one of these: http://sewelldirect.com/Cables-Unlimited-Automatic-USB-PC-Lock.asp

A USB key for the pc and a transceiver in your pocket. When you get so far away, the pc auto-locks for you.

I've used one in the past. Works great!

Spyder on November 16, 2007 04:49 AM

Get one of those "things" that senses your presence and locks the computer when you are no longer in proximity to it...

Mac on November 16, 2007 05:19 AM

jeff...you're my hero.

whocares on November 16, 2007 06:17 AM

Ah the old "wallpaper is a screenshot of your desktop and move all the icons to a temporary folder" trick. I've used that one hundreds of times.

In my more cruel days I bound every key on the keyboard to reboot the machine.

Billkamm on November 16, 2007 06:47 AM

Swap the M and N keys round ...
Then turn co-worker's drawer unit round so the back is facing them ...

Then try not to laugh too hard when they realise what's happened and go for their penknife in the drawer to lever the keys off ...

Ghost mouse ...

Tie a piece of string to their mouse and move it as they reach for it (don't do this if co-worker has a weak heart).

And the universal yellow sticky on the bottom of the mouse so the laser can't see any movement... removing ball from old-style mouse

Swap co-workers mice and keyboards around ...

I don't do this stuff any more because I upset someone too much and didn't want to do it again. But if you're in the mood ...

Francis Fish on November 16, 2007 08:22 AM

To A Schools Admin:
They lock down all sorts of stuff. It's windows 2000 and windows xp computers. Since they disable the display control panel, there's no way to change the screen resolution from the default (800x600) to the monitors' native resolution, which is usually 1024x768 or 1280x1024. Fortunately, a few of the computers now have the Intel GMA driver installed, so we can change the resolution that way. They restrict just about everything - we can't lock our workstations, either. Probably because they don't want someone to lock one and leave it like that, but all the teachers are admins and could unlock them, or they could add the Force Logoff button to the computer locked dialog, since the Novell options allow that to be set.

Nerd on November 16, 2007 08:40 AM

A few more favorites, edit their wallpaper file and put an error dialog box right into the center, of course they can't click it and get riled up because they can't clear the "error".

Decrease resolution to 640x480, increase fonts and icons to maximum - I actually did this to a guy that wore coke bottle glasses and he LOVED it!

I used to have an executable file that just played a few gun shots, a fart, burp and a scream. Put it in the startup folder and turn their volume up as loud as it will go without hissing, log off.

RM on November 16, 2007 09:55 AM

Ah sweet sweet 'Goating'. My favorite goat technique is to send out an email stating his/her resignation.

Brent on November 16, 2007 11:14 AM

It's not goating. It's goading.

Goad \Goad\, v. t. [imp. & p. p. {Goaded}; p. pr. & vb. n.
{Goading}.]
To prick; to drive with a goad; hence, to urge forward, or to
rouse by anything pungent, severe, irritating, or inflaming;
to stimulate.
[1913 Webster]

That temptation that doth goad us on. --Shak.

David Leppik on November 16, 2007 11:14 AM

you should really have your computers locked when you're not around. Are you sure that no one in your company dislikes you?

btw, how likely is anyone gonna be suspicious of a person wearing a Fedex/IBM shirt and wandering about in your office premises? Those are *trustworthy* companies.

techy on November 16, 2007 11:46 AM

for the person who's trying to change the screen resolution without admin rights, use this.

http://www.dougknox.com/xp/utils/xp_userdisplay.htm

works a treat. For some very odd reason, every Dell PC with a 17" LCD is set to 1024x768 by default, when it should be 1280x1024.

techy on November 16, 2007 12:07 PM

First of all, JPL, Kenneth, Jugimaster...

You wouldn't have to deal with getting mad if you simply locked your PC.

Second,

If you say you work for a company that has no important info... does that mean you don't get paid too???

Third,

3 seconds, how hard is that??? you take longer getting over your anger than locking and unlocking the PC.

Fourth,

It's fun!!! Lock your computers. every company has important info. end of story. no brain surgery included.

me on November 16, 2007 01:33 PM

Thanks, techy. I'll check that out.

In other news, I busted two teachers for having their passwords written on sticky notes on or near their computers today. They are slowly learning...

1) Lock!!
2) Don't write down your password so anyone can unlock!
3) Don't share your password either!

Nerd on November 16, 2007 04:21 PM

Personally, there's very little someone could gain from accessing my computer with my account, other than the ability to use my email address. I'm even thinking of changing that by ditching Outlook and using the webmail. The only issue there is saving old email, since IT doesn't like anyone storing email on the server for any period of time.

On the other hand, I still have my computer set to lock itself after a couple of minutes. The real issue I have is when someone uses my computer while I'm out of the office, with their own login/password, and manages to screw up the system by installing a virus or spyware, and I end up spending a day or two getting the system back into working order instead of doing any actual work.

Vizeroth on November 17, 2007 04:41 AM

Of course, there are the low-level "classics" (for people with really old work hardware!):

http://www.kolumbus.fi/xtmb/goatsefloppy/
http://sam.zoy.org/lmos/

You can use them even if the target computer is locked: just turn off the power, insert disk/CD and wait for the victim to boot up. Both are very NSFW so don't just go and write the disk images on your boss' hard drive...

Goat Fancy on November 17, 2007 06:54 AM

Although I like a good laugh, I think this kind of behavior is very rude. Accidentally leaving the front door of your house open isn't an excuse for anyone to just go in and spray graffiti all over the wall, is it? Of course it could, and probably should be qualified as "your own dumb fault" but that doesn't make it less rude in my eyes. If you really respect your colleagues you should note them of locking their workstations in a more friendly way.

Thomas on November 17, 2007 11:29 AM

What's interesting to me is the number of people here who don't see the fundamental difference between (a) changing somebody's wallpaper to something silly (not pornographic), which makes the point but is easily fixed without wasting someone's time, and (b) making changes that will cause the person to waste hours of time and aren't easy to fix.

(b) is not a prank; it's vandalism.

Oh, and a fun one in some versions of Windows was to go into Control Panel > Mouse, click the Orientation tab, and move the mouse steadily to the upper-right or upper-left. Alas, I'm not sure Windows XP has that tab anymore.

Kyralessa on November 18, 2007 01:31 AM

Nice :)

Where I live, i can leave my computer open for all eternity, and nothing bad will happen! Not for the others though.
I will use this here :
http://www.oldschool.gr

Kabamaru on November 18, 2007 03:58 AM

The clippy spoof works great in wine-0.9.47. Thank god the team I lead is using Ubuntu, loathes Windows, has a passion for hating clippy, and for some reason has given me sudo rights on all their boxen...

Freiheit on November 18, 2007 09:40 AM