tankman1989
Active Member
Sorry this is long, but it is a difficult situation to understand unless you have all the facts, so please bear with me.
Ok, here is the situation I came across while working for a small local IT firm. The IT firm supported a fairly large regional company (about 150 employees) which is vital to the security and productivity of the immediate area. If this business stopped running, millions of people would be negatively affected and a GREAT many people and businesses would not be able to function at all. This company also deals with large sums of money on a daily basis (about $15 million in transactions/goods delivered).
So, this is a fairly important company and I would have expected their security to be pretty tight/high. What I found was next to no security, and what security there was was VERY lax and often bypassed with common passwords, simple passwords or passwords taped to the LCD screen (on the CFO's monitor, nonetheless!).
Now to the main issue.
We were running Linux servers with XP workstations. My bosses were able to grab the hashed passwords from the network (or on the Linux server) and use rainbow tables to crack the passwords. Their policy was to keep this list a secret and use the password(s) when it was convenient, in cases such as when they needed to log into the customer's profile and make changes or check things (like Outlook setup and other software). There were many more reasons given by my boss (the IT firm) for having the passwords, but many of them seemed strange and bordering on unnecessary or unprofessional.
My boss and the other two employees (his employees were his father-in-law and brother-in-law) made it a very clear point that I/we were never to let on that we had the password list or that we used their passwords. The boss said "It would be VERY VERY bad, we would get in a lot of trouble". This was another flag that they knew what they were doing was wrong. (At this point I considered quitting, but I REALLY needed the job.)
I was also told to download the password list and keep it in my encrypted folder on my office desktop AND in an encrypted folder on my personal laptop, which I use at work and at home to do some remote admin work if needed. Well, this is where I felt VERY uncomfortable, almost as if I were breaking some serious laws. I made it clear that I didn't want it on my desktop and especially not on my laptop, but I was "convinced" that it wasn't a big deal because the other 3 guys I worked with did the same. It was stressed that I had to be prepared to assist clients at all times and in any manner, and this meant having the secret password list. So I begrudgingly put the list on my machine, but only after sending emails to my boss protesting the existence of the list and especially my possession of it. I used Camtasia (records what is seen on the monitor as a video file) while I composed the email and sent it, requested a read receipt and recorded that as well. I also backed up my PST file and uploaded it to my web server and my home machines along with the video file of me composing/sending the email.
A few times I almost felt as if I was being set up to be blamed for something. My boss and his in-law employees went on a 9-day vacation 12 weeks after hiring me, so I was left alone with the shop and about 600 off-site people to support (we had more clients than the one mentioned). No one in the IT firm had taken a vacation in the 4 years since the company was created - but now they take one, leaving a new employee at the helm!? During this vacation I had to use the list at least 10 times, which was very unsettling. When they returned I told them I was taking a week off myself (because I had to think about my situation there - there were other issues where my boss acted with little integrity and/or honesty).
So, I want to know what you people think of this situation.
Would you have been suspicious about the possession of the list? I figured that if anything went wrong within the company (stealing emails, financial records, bank info, making wire transfers, etc.) I might have had a tough time proving that I had nothing to do with it. As the new guy and not being "in the family", I didn't want to be in the position of "guilty until proven innocent".
So, what are your thoughts about the following:
- my boss creating the list
- boss & co-workers logging in as the employee to fix issues rather than changing the password, logging in under the new password and then changing it back? (We had LOADS of time on our hands, so this wasn't for lack of time.)
- being told to keep the list on my personal office desktop and personal laptop (which I owned)
- the fact that they made a big point of saying that they would be in "VERY big trouble" if the company execs found out
Just as a note, I took my week off, went camping to think and clear my head, and was a day late coming back (I told them I was going to be back late). I was fired that day due to being late, lol. So I didn't have to worry about the list anymore. I told my boss that he didn't have to worry about me, that I wasn't angry or upset, and that he didn't have to worry about me taking any type of "revenge". He laughed and said "what could you possibly be angry about or upset with?" I told him some of the issues, such as the password list, lying to customers about their broadband speed and other things. He said that they weren't an issue to begin with and that I couldn't "hurt" him.
Some people just don't care what they do or how they conduct their business as long as #1 gets theirs!