What's the sneakiest way a user has tried to misuse your IT systems?

[-]

Otto-Korrect@reddit

We had a user using a VPN to completely get around our web filtering (before we had one smart enough to block it).

When confronted she denied doing anything wrong. All the way out the door.

[-]

My guess is the translate servers download the original page, translate the test and then send you the translated text. No idea on if they refer you to the original site for images or if they would be cached and re-displayed to the user too.

It's honestly a clever trick though.

[-]

MajesticCat98@reddit

IIRC it redirected me to the original site. I was able to navigate to the different sub-forums, login to my account, post and comment, see users profiles etc…. Then again this was almost 12ish years ago now. Thinking about it now not sure if it changed the URL to something the web filter didn’t recognize or what was exactly happening in the background… but I do know nothing was going to stand in my way of 14 year old me bumping the post advertising the server I moderated LOL.

[-]

BlackV@reddit

This was very very common back in the day, and way back machine too, there was another big one that did that too that alludes me now

[-]

dr_warp@reddit

That's the great thing about pulling these shenanigans in high school and college. At least back in the day. I found out I could install programs to a zip drive, and if they didn't need any registry info (like if they were dos games or simple software) they would run on the colleges computer labs. Napster is one such program, as is OG quake 2.... The computers get wiped and reimagined every night, so they never bothered to look at logs or anything....

[-]

MajesticCat98@reddit

Man now you’re making wish I would have tried this back then… I had quite a few study halls where I was in the computer lab most of the day and that would have been sick to have some games to play.

Tl;Dr at the bottom.

Years ago when I was the white glove tech at an MSP I was sent a call to help a client set up a user account in their AD. He didn't need it to be able to login but their financial software was tied to it.

They did this a lot for contractors, would set them up as an 'internal user' who couldn't do anything inside the domain but it allowed for easier integration to be able to cut the person checks etc. It was unusual for me to be getting this level of request but they were newer to our MSP so I figured it was just to establish good rapport. So I'm chatting with the guy, asking what the users name is etc and he goes 'Just make it up', I'll change it in QuickBooks. So I set it up as Jane Smith and let it ride.

Couple weeks later I get a call from the owner's wife about a quickbooks issue. So I'm helping with that and she happened to see this Jane Smith account and mentioned these random accounts showing up ever since getting us as an MSP and it being weird cause she used to be the one that setup all the QuickBooks access. I clarified that I had actually set it up per her husband's request. She goes, oh well at least it makes sense now, I'll ask him about it. We hang up and I think nothing else of it for months.

Eventually we get an email about a year later that they won't be renewing our contract. Late I mentioned to their sales rep I was shocked to see them go, we didn't have any major issues that I knew of and handled them well. Turns out they weren't renewing because the company was being split up as the husband/wife owners were getting divorced but she had already resigned with us under her new company. I laughed and asked him if he had managed to get the husband to sign a separate contract too and he said 'No, he blames us for the divorce, apparently someone here tipped her off to his cheating.'

I have a lot of technical questions actually, but this story hilarious. The fact that you have two of these is kind of impressive.

[-]

I am always amazed at the money some of these sex fiends will blow without a second thought.

[-]

smoike@reddit

Especially if it is someone else's money.

[-]

fuknthrowaway1@reddit

Years back I had a client come to me because the standalone machine they used for Peachtree didn't seem to be backing anything up. It was Thursday, so the accountant was super busy doing a payroll run and couldn't be interrupted, but would I mind swinging by over the weekend when he isn't there to look at it?

I hit their office on Saturday afternoon and right off the bat my key to the accountant's office doesn't work, and neither does the one from the key box. After a call to the owner and 'Are you sure you're using the right key?' I'm forced to resort to popping the door with a bit of a cut up Coke can and leaving a note for the building engineer.

As for the backup, it looks like someone's mucked with it so that it's only backing up the desktop and registry. I point it back at C:\sage, pop in a CD-R, and fire one off.

After about ten minutes: "Not enough space on target device. Please contact your administrator." Huh? This is only a \~30 person company and they specifically chose backup to CD because they never had more than a few hundred megabytes of data.

One quick peek later I see the PC is a total mess. There's \sage, \sage\sage-2000, \sage\sage-old, \sage\arthur-2, \sage\peacht-1, etc, etc. I'm not sure what the fuck is going on, and I'm not going to muck with any of it without some CYA, so I call the owner again. "There's multiple copies of multiple versions of the accounting data, it seems. I'll go ahead and back it up to an external drive, but you're going to have to talk to the accountant."

Sunday evening I get another call from the owner, who'd like me to come over sometime the next day, after the accountant had been fired, to reinstall everything and restore the data from backup. Huh? The owner had decided to have a look at what was going on before bothering his totally busy employee and discovered why he was so busy; He was running a business out of the office, doing accounting work for a half a dozen other companies.

[-]

DarthJarJar242@reddit

I actually had to let one of my junior sysadmins go because he did basically the same thing when we started WFH during COVID. He got a job as a help desk agent for our outsourced IT call center. His output had been slipping and I was considering putting him on a PIP after multiple attempts to talk him through it. Only found out he was double dipping when he responded to one of our engineering tickets with his desktop support email by accident. Made firing him a no brainer.

[-]

kitolz@reddit

Their divorce was totally your fault for honestly answering a routine question about a task, and not his cheating and lying.

[-]

Slicester1@reddit

Back in the day when I worked for Compaq I was addicted to playing Everquest. Corporate firewall blocked it but there was an outside phone line in the server room down the hall. I tapped into the phone line and ran a cable in the overhead ceiling down to my office.

ring ring

[-]

CelestialFury@reddit

Wow, that's a really smart way to deal with it. It's like souring the milk for a baby.

[-]

Basic_Chemistry_900@reddit

Would you have been terminated if you were caught?

[-]

Slicester1@reddit

Probably, but I also worked in support for CompuServe, Prodigy, and AOL so I felt I could bullshit my way out of a justification if they found the line.

[-]

BlackV@reddit

Oh man at my hp/Compaq days someone was testing this massive omni directional antenna, that I think was going to be used for some rural work, decides to plug in random ap with no password on the thing and piggy backed on to corporate lan

We got warchalked, hard, angry people everywhere, corporate emails everywhere

[-]

ComputersForMeAlas@reddit

Got SOW?

[-]

TU4AR@reddit

A true champion of Norrath. And people thought wow was addicting.

[-]

Chris_87_AT@reddit

I did some bad guy stuff back in the early 2000s. Wrote a backup program that used a DAT Walkman connected to the optical port. Later this evolved into a soft modem using the sound interface. Was good for about 3 MBits using a 192kHz capable on board HD Audio chip using both channels.

[-]

This was at a hospital I worked. One of the medical techs had setup a computer in his office connected to some Internet only port or wifi, can't remember, but he ran a newsgroup leecher on that thing. The thing was that he setup a scheduled service to only start downloading at Friday evening and quit late Sunday morning.

This proves my monitoring processes were in place cause I did catch him after seeing some reports with some REALLY weird traffic increases in the weekend where you'd normally, even in a hospital, see decreases. Reporting lead to investigation and seeing a very bulky newsgroup session each weekend made his manager have a talk with him ...

Seems like he found some flaws in your security alerts then. Btw you don't "run it":
This 1 string is not something you run, it is simply a test string that doesn't do anything.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

IMO fired on wrongful termination.

[-]

Forumrider4life@reddit

Changed the wording, very aware you do not “run” it but they downloaded it ontop of other scripts they ran around the same time that they downloaded…

[-]

smooth_like_a_goat@reddit

Thanks, sounds quite the useful tool.

[-]

Forumrider4life@reddit

Meh, we use it periodically for “science” but for most things we have other tools.

[-]

IronVarmint@reddit

A string of characters that triggers AV for testing. Comes in multiple formats.

RikiWardOG@reddit

That's hysterical

[-]

BloodFeastMan@reddit

Screen lock policy, guy has a private office, tells me over a beer once that the policy was a pain in the butt for him .. He made a little python script that double taps the scroll lock every few minutes :)

[-]

iliark@reddit

I've used the F15 key. It's a recognized key but since almost no keyboards have it, it's generally not bound to anything.

[-]

drthtater@reddit

Could we get a copy?

[-]

iliark@reddit

https://gist.github.com/jamesfreeman959/231b068c3d1ed6557675f21c0e346a9c?permalink_comment_id=5008311#gistcomment-5008311

We have improved thigs since, now on my macbook I just touch the TouchID.

There was a while in corporate america where you had to change your password all the time and have a complicated password and type it so many times a day just to log in to your own computer.

[-]

NitraNi@reddit

Ah, the classic undoing of mischievous actors. They brag.

[-]

BloodFeastMan@reddit

Ah, I never said anything, project manager who's quite proficient in several scripting languages including, interestingly, Matlab and R. Isn't privileged enough to screw anything up :)

[-]

aXeSwY@reddit

using a PS doing this on almost every remote desktop.

Absolutely agree, when I first started there they didn't have any monitoring. They just ran treesize once a week, and compared it to the week before to see how much it was grown. They would export the data to a fileshare somewhere, and we would compare it to the week before. That was how they monitored it this was maybe 20 years ago,

Everything was a manual process, even our 40 backup system would take us around 3 hours to check manually every day to see if each one succeeded or not by login in and checking. The manager that time didn't like anything automated, so it really depends on who checked it. Some people got lazy and just copy and pasted the data from the week before.

Manager was canned after working there for 15 plus years, for embezzlement kinda funny it took so long for one of the mid size financial institutions.

[-]

LeftoverMonkeyParts@reddit

We had a similar situation, but it was our IT Department head who was instructing employees in other departments that they should use the built-in Windows Backup feature to backup their local documents folder to their home drive on our file-server. He was also instructing employees on how to create PST archives of their inboxes that should be put into their documents folders. He did this all on his own without telling the rest of us in the department what he was telling people to do.

We had just been sold a Dell Powerscale/EMC Isilon and hadn't set up proper monitoring at that point. Thankfully we caught it right when usage crossed the 90% threshold.

The fix was easy, but tracking down all the users he had "guided" took a while. He took zero responsibility

[-]

RoosterBrewster@reddit

I wonder about that as a user as I'm not sure if IT here is really monitoring and testing backups. They say Microsoft recovery is the backup for onedrive files, but from what I've read here, that's not a proper backup. But I'm not in a position to call them out...

[-]

redit3rd@reddit

It's a balance between an ideal and what's going to work most of the time. There are tons of stories of backups that should have been working, but weren't, and that fact was only discovered when it was time to restore. Whereas if you interact with OneDrive on a regular basis you're bound to notice when something isn't working and it can be fixed.

I worked at a shipyard quite a while back and some of the union guys built a secret room in a gap space where 2 buildings had been joined. They wired a consumer grade router to an internet only port on a nearby switch and setup a bunch of personal PCs that they could use to surf the net. They even had a couple couches and some cots for napping.

One of the security guys happened to be in the area and noticed the wifi network. When he tracked it back to its source, the shit hit the fan. They locked down the space and confiscated the equipment. Stupidly a bunch of folks had been job searching in there and left their resumes on those PCs, a bunch more had left their personal mail accounts cached in the browsers. Anyone they could prove had been in there got fired for time card fraud, which is one of the few things that union would never fight.

[-]

thedanyes@reddit

If only they'd gone with wired networking.

[-]

Nesman64@reddit

Reminds me of a 99PI episode: https://99percentinvisible.org/episode/621-secret-mall-apartment/

All I heard from the supervisor was 'thank you for letting me know' and the firewall never logged any 'torrent' events from that day on. This user that wanted to torrent didn't stay much longer at the company, they left on good terms and they never brought up torrenting or not being able to torrent. I think I did hear them mumble that 'they didn't have this issue at the last company they worked at' but I had no reason to engage in that conversation.

[-]

PaulTendrils@reddit

...you wouldn't know it was there unless you were part of the click.

FYI it's clique, not click - I say this to educate, not demean!

[-]

dervish666@reddit

That is a user with just enough knowledge to be dangerous.

[-]

legendov@reddit

I have a similar story Working far up north in a camp for months at a time (mid 00s)

Took a router with me, cloned the mac address of the shared PC that had internet access on it. Hid the SSID. Had internet in my room until I got busted.

[-]

If I'm not mistaken, there are also some higher end Cisco devices that can specifically find and locate those devices. I wanna say we had a doctor's office that used to specifically kill any wifi nearby it didn't know as a feature.

[-]

dougmc@reddit

Well, any of the many WiFi sniffing applications will easily find these devices (if they're in use) and by looking at signal strength as you move around it's usually not too difficult to physically find them.

As for the Cisco feature, that sounds like this, which I'm a little surprised that they offer -- for example, in the US it sounds like a potential violation of FCC and computer hacking laws. (I mean, it's OK if the "rogue" AP is yours, but if it belongs to somebody else, the ethical and legal issues may become more complicated -- especially if it really belongs to your neighbor and isn't "rogue" at all.)

That said, tools like "Kali" include similar functionality and more -- sending many deauth packets (to force reauthentication over and over) is a big part of how one cracks WiFi networks.

[-]

VulturE@reddit

They had somebody come in and set up a hotspot that had almost the same name as the guest network and stole a bunch of info, then emailed the users they stole from and blamed the doctor's office.

It was a very personal attack.

It was a justified implementation though since they owned the entire building, But also, since they insisted on using crap tier HP inkjets at some specific desks, it meant we could finally block the Wi-Fi on them that was seemingly not configurable to turn off direct connect.

[-]

dougmc@reddit

Sure -- that's why I said "the ethical and legal issues may become more complicated" rather than "it's illegal and wrong".

That said, in the US the FCC has made their position clear, and it's not clear that laws like 18 U.S.C. § 1030 permit "hacking them back", even if justified -- especially if it turns out that your target isn't what you thought it was.

It wouldn't be a bad idea to see what your legal department thinks about it.

[-]

VulturE@reddit

Yup. We had automation in place that would create a ticket that we could reply back with "enable" or "disable" to stop the rogue network. So we would call our point of contact on site, they would have gotten a copy of the rogue detection email as well, made a determination on what to do, then they'd reply back to the ticket on what to do.

The automation was something my boss stood up so that someone from the doctor's group was the one that was actually performing the command to disable the AP. Ticket tracking, email tracking, And we weren't the ones making the change technically. Sometimes MSPs can get creative if it means they can resell a solution.

[-]

butterbal1@reddit

It should show up as an unknown network in most wireless network lists.

[-]

chipredacted@reddit

MAC collision was probably a mofo that set off some investigation on the shared PC, if i had to guess

[-]

BlackV@reddit

That or hidden ssids are only kinda hidden, more like they're just not displayed and listing time (same with xxx$ SMB shares)

[-]

legendov@reddit

Nah I put the router first and the shared PC second

Someone found my router hidden under the desk

[-]

This is pretty wild but kinda funny.

[-]

WonderfulWafflesLast@reddit

One of the security guys happened to be in the area and noticed the wifi network

couldn't have even hid the SSID?
using WiFi to begin with for a non-descript situation? Not even a switch with wired cables?

wild

[-]

Library_IT_guy@reddit

I feel like with a little tweaking, they could have easily gotten away with it lol.

[-]

SemiAutoAvocado@reddit

I mean....

https://arstechnica.com/security/2024/09/sailors-hid-an-unauthorized-starlink-on-the-deck-of-a-us-warship-and-lied-about-it/

[-]

Nosbus@reddit

I had serious case of a tech admin copying prod payroll into test, clearing all monitoring and alerting via sql script., Then browsing what ever data they wanted!

[-]

Immediate-Cod-3609@reddit (OP)

Wow.

I worked with a guy who a found salary list at the printer, and scanned it to himself, but this is way more sophisticated.

[-]

Nosbus@reddit

We only randomly found out, as we had a trail network monitoring devices in place, which he’s machine had the highest connection counts to our test sql server. We also bought the network monitoring devic

[-]

Sintek@reddit

A junior IT assistant created backup task in a windows machine that had access to source code of the companies proprietary application. The task would use small transmissions of data to our cloud provider AWS, which was allowed because we were backing up to AWS.

So he set up an S3 bucket and slowly transmitted small 64MB chucks over the course of a few months because he was in IT and knew larger transmissions would get suspicious.

These small sizes would look the same as an incremental size backup.

The source code was like 12GB he got to like 8 or 9 GB before getting caught because the company had a physical security audit done like a pen tester. He was on lunch in the cafeteria and the pen tester was just walking around and taking pictures of people laptops that were left unlocked.

When they reviewed the images of his machine unlocked and not at the table in the Cafe.. it was his own personal laptop logged into the S3 bucket and you could see the filename of some of the source code files.

It was investigated and he was fired and blackballed.

Apparently he was going to try and sell the source code to a competing company for a few hundred thousand dollars.

But popping takink 5 min isn't big time.

I had to go to wash my hands sometimes more than once (toner) and It was Ok.

[-]

Nu-Hir@reddit

I worked for FedEx previously, and currently work IT for manufacturing. I have spent a lot of time washing my hands.

[-]

The_Wkwied@reddit

Our boss told us to poop on company time. Best boss I've ever had.

[-]

I have a hoarder level collection of 25 year old MP3 files that should be distributed on a mass scale.

[-]

davidgrayPhotography@reddit

The other week I actually bought a CD (a single, actually) that's been out of print for 25 years and uploaded the contents to archive.org because literally nowhere else had it.

I just wanted it for one specific track but I figured if I've got the CD, and nobody else has it, and the band and featured artist are no longer in the music industry and probably paid them all a pittance for their work, I might as well share it online.

[-]

DIYnivor@reddit

Long ago (late '90s) I was hired as the sole IT person for a small newspaper. They fired the old IT admin after they discovered he was running his own business while he was on the clock, and using company resources to do it. Everything was wrong with this place because he hadn't been doing his job. The expensive robotic tape backup unit was sitting in the original box in the corner of the server room—no backups! There was no inventory of any of the hardware (PCs, Macs, servers, switches, routers, digital cameras). Network cables coming into the server room through the drop ceiling were tangled in a big 3 ft high hairball on the floor. No records of software licenses. You get the picture.

After getting backups working (the most important thing on the TODO list), I started by inspecting and inventorying every piece of hardware and software. I discovered that one of the reporters had installed a modem in his computer so he could work remotely. Anyone with the number could have dialed in and accessed his computer; I wouldn't be surprised if someone had, but I didn't find any evidence of it.

[-]

Mr_ToDo@reddit

"back in the day" security through obscurity by way of not knowing what number to call for the modem was not uncommon.

Even made it into pop culture. I think it was Hackers where the MC called in and had the security guard read the number on the back of the modem as part of their break in. Kind of a weird piece of history that persisted a little too long(IP's are not the same. Way to easy to brute force, especially when you don't care who's on the other side)

[-]

BrainWav@reddit

I think it was Hackers where the MC called in and had the security guard read the number on the back of the modem as part of their break in.

"I need the files off the BLT drive or the boss is gonna make me commit hari-kari"

peanutbudder@reddit

Also, SETI@home is what shit down. The search for extra terrestrial life of (or, SETI) is ongoing from multiple organizations, including the SETI Insitutue, which is why I was asking what shut down.

[-]

Kitchen-Tap-8564@reddit

Wow, you are amazing at misinterpreting and assuming.

I wasn't mad, I was laughing at you because it seemed really dumb in a way that was funny.

And it was pretty obvious what was shut down, that's on you for not being able to read - it was plain and clear that the SETI search client thingy was shutdown.

I'm amazed that you thought it was better to ask a group of strangers a fairly dumb question instead of 1s of googling.

Not mad, laughing at the dumb. But you go ahead and keep up with that dumb, seems to be working well for you.

[-]

Seems like these things are usually caught from the network side, even though they're stealing power more than bandwidth.

Sounds like if somebody is serious about getting away with it they should just get a cellular access point and use that for network connectivity.

(On the flip side, maybe they do, and they don't get caught and so these aren't the cases we hear about!)

[-]

Ziegelphilie@reddit

even though they're stealing power more than bandwidth.

I mean, how many of us are actively monitoring power usage? I can hook into the smart meter at home but I don't even think we have one of those installed at the office.

[-]

dougmc@reddit

But even the smart meter at home only gives totals. Somebody might notice that the consumption went up, but to tie that to something specific would require a lot more research.

A PC or two could be easy to hide, though the noise from the fans or the heat might eventually be noticed if it's in a place where such things are not expected. A whole bunch of PCs ... that's harder to hide.

Either way, it seems destined to eventually get somebody fired, and for not that much money.

[-]

ErikTheEngineer@reddit

for not that much money, no matter how you do it

Ah, but if you were smart and started early - even if you stopped and said "this is stupid" when you had had 100 bitcoin you could have a nice retirement nest egg. I wasn't smart, so I continue to work.

I'm a very honest person but still kind of regret not using the entire mini data center/lab filled with mostly-idle equipment I had access to to mine crypto back in the day. Oh well, at least I didn't get fired over it.

[-]

SerialMarmot@reddit

And for a decent sized school or office building, it may not even be that noticeable of a change in draw

[-]

Barbarian_818@reddit

I'm reminded of a tale from the early days of 2600 of a guy who installed a cordless phone base station into a phone booth powered from the lamp circuit.

Makes sense. It's generally easier to track down odd network usage than power. How often do you see a facility with meters more granular than per building? Plus, even if they're not found via monitoring, a stray network cable tends to stand out much more than a stray power cord.

[-]

dougmc@reddit

How often do you see a facility with meters more granular than per building?

According-Vehicle999@reddit

My predecessor built and hosted a media server with company-owned equipment. He had also used his company card to do all kinds of personal computer purchasing and had a bunch of his personal packages sent to our building, including a glock (I know because he pulled it out in the car and tossed it into my lap).

He was an interesting guy though, very entertaining; there are pictures (taken by fellow teammates who were able to see everything in plain view from our building) that show how much entertaining he did with some of the ladies in our building too.. anyhow.. once he was gone, the IT managers had been trying to get into the last server left to be inspected and couldn't get into it.

I'd just come from a computer repair shop and was a temp they hired to help transition to the company that had just bought them (so presumably my 5 minutes were up any time) but I did enjoy breaking into that server on our conference call and reporting back what I found. Nothing wild, a lot of music, a bunch of local radio show episodes and a small amount of adult material.

By default any user can join 10 (or was it 5) devices to a domain

[-]

Cuive@reddit

Users with delegated permissions to containers in Active Directory to create and delete computer accounts

This is what I guess you're talking about. Never worked for anywhere that delegated writes to users to add their own devices to the domain. Always been a Domain Admin thing in my world.

[-]

peanutbudder@reddit

That's just a user type that isn't limited in the amount of devices they can register to the domain.

[-]

MrMaarten92@reddit

https://learn.microsoft.com/nl-nl/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain

[-]

tdhuck@reddit

It should not take you a long time, you should have a MDM or some type of inventory system where you'd be able to see the machine you are working on is not the machine that's owned by the company.

For me, the remote program I'd use to remote into that PC would be the dead giveaway as their machine wouldn't be in that system if it were not a company PC.

[-]

First_Jam@reddit

nice plan,

simply join private notebook to domain with regular domain user
let IT install the software on the local user account
remove domain binding
profit

[-]

Significant_Swim8994@reddit

"I noticed the work laptop had not been security acid-marked or properly registered in our system, so I went ahead and fixed that. However I was unable to fix the issue, so I ended up having to scrap the computer, as not even a reinstall of Windows fixed it.

Since it was not properly registered, but you have another PC registered to you, it must have been an extra PC from your department. If you need the extra PC, please have your boss request a new one."

Then watch him panic... Of course you did nothing to the PC, as it is his private property, but when he complains; bring the matter to his boss and hand over the PC to his boss.

[-]

architectofinsanity@reddit

And they said asset tracking was a waste of time.

[-]

Icy_Panic_5860@reddit

Lmao

[-]

EnterpriseGuy52840@reddit

How long was this ago? Autodesk supports home use if you license with named user - it's just use your work Autodesk account. So if this was recent with Autodesk trying to push everyone to named user, this doesn't even appear to be a licensing violation.

https://www.autodesk.com/support/account/admin/home-use/products

[-]

Skullpuck@reddit

That's awesome. Was there any fallout for him from this?

[-]

Hangoverinparis@reddit

Shit did the guy get fired? This seems like such a risky move for free AutoCad

[-]

havens1515@reddit

That was going to be my question as well. I hope he got fired for this. This is stealing

[-]

lol_umadbro@reddit

Had a faculty member use Migration Assistant on a Mac to transfer all of the Adobe Creative Cloud and Microsoft Office suites from their work machine to their shiny new personal iMac.

They also transferred over JAMF management, so we quickly saw a new device not in compliance and not in any static inventory groups.

Mr_ToDo@reddit

I had a user who's mouse had a twitch. Drove me nuts. Mostly because our remote software at the time was set up to give up control for X seconds if the user moved the mouse(nice feature normally).

Not nearly as bad as the user who's mouse was a few degrees misaligned. Their "left" was left and a bit up.

Why are those the kinds of user who don't want equipment changes?

[-]

Iseult11@reddit

It's like when your wheel alignment in your car has been off a couple degrees for years and you don't care to get it corrected

[-]

SimplifyAndAddCoffee@reddit

user who's mouse was a few degrees misaligned.

[-]

waxwayne@reddit

You have to ask uncomfortable question about why users don’t want to deal with you.

[-]

Snuzzlebuns@reddit

Often the answer is that through the official process, you might get the thing you want in a few months, while you can have Steve's jerry-rigged solution this week.

[-]

waxwayne@reddit

I had a dev team tell me it would take 2 months to change the wording on an internal web app. The time it takes and the approval framework can be frustrating.

[-]

Snuzzlebuns@reddit

I bet. In our company, most departments are at such a high work load, anything of normal or lower priority just doesn't get done, ever. If you could prioritize your own tickets, everyone would just set theirs to high. But with someone else trying to objectively prioritize everything, you often get the feedback "the only way you'll ever get this is through shadow IT".

[-]

Reinazu@reddit

Normally, yes, though this case is a little different. Most users are happy to come to use if they need a new feature or tool.

This particular user, however... I'm pretty sure he has a grudge ever since we had hired a new member internally and passed him over. Since then, he's basically become a shadow IT and has been inserting himself into any situation to "prove" he should've been the one promoted. And I guess somehow his supervisor is convinced that we're "too busy" to add minor tools or features, and this user will happily "step up" to provide a solution, even though it's copy/pasted code from AI.

[-]

SimplifyAndAddCoffee@reddit

And I guess somehow his supervisor is convinced that we're "too busy" to add minor tools or features, and this user will happily "step up" to provide a solution, even though it's copy/pasted code from AI.

Ugh, kill it with fire!

I would never trust a user to code something with an AI assistant. I would hardly trust most seasoned IT admins I know to do it. It's more about sensibility than knowledge, really... most people just do not have the mindset to assess risks and prioritize safe and secure failure modes when creating scripts etc to use as shortcuts to do their work.

It's like trusting someone at a party with a retina-destroying laser pointer. You have to know them to know they will take safety seriously, or you're gonna be hella uncomfortable with them waving that shit around.

This is also why I won't do range days with people I don't know. To many goddamn idiots will sweep you with their barrel. It's always the same kind of people, and they are everywhere.

[-]

waxwayne@reddit

Makes sense. Sounds political.

[-]

DadLoCo@reddit

I can answer that. Predecessors were gatekeepers and jerks. I want to enable people to do what they need in a secure way but bcos of the legacy most won’t even engage with me.

[-]

davidgrayPhotography@reddit

"Because I knew IT would say no" is one I've heard recently. Dude wanted to install a billion and one programs onto his machine but because he didn't have the admin password, he couldn't, and when he tried to go around IT and complain to the big boss about IT not catering to his esoteric needs, his excuse was essentially "because IT would tell me no"

So the big boss basically said "I refer the decision of whether to allow that software back to the IT manager", and of course the manager's response was "I already told you no"

[-]

HistoricalSession947@reddit

This needs to be asked WAY more often In this sub 😃

[-]

koshka91@reddit

Bingo. People don’t want to deal with a demographic that’s known for nastiness and rudeness.

[-]

tartarsauceboi@reddit

Im going to play devils advocate here, not for the end users but for other IT techs in these situations. Let me explain:

We have a sysadmin who i sort of work under and the guy is incredibly dense. Nothing gets done because he basically thinks that anything me or the other helpdesk come up with that might be a good idea is a hackjob or might get us hacked again.

I explained we should setup a proper truenas server instead of using windows file sharing and properly set it up with a raid 1 or 2 setup so there redundancy but the transfer speeds will be better. We will have better ACL setups and control.

He saw that they sell the truenas in prebuilt NAS options and said it's proprietary and that's not a good idea. "What if it breaks?"

I explain no, it's just a free ISO you would load like windows 10 or 11 and install it. But because he got this initial feeling of "its proprietary, I don't like it" now we're not even considering it. Ffs.

So when you say, you'd wish end users would come up to you and ask, I guarantee you they have a feeling you'll react just like my sysadmin does and just deny it outright and it's not worth a damn to try.

[-]

MarquisEXB@reddit

On the other hand we get pseudo IT folks that think they know what they're doing and take matters into their own hands. They'll make their own file server, permission it as an open share, put critical corporate data on there, and then get ransomwared without having a backup. This is with our company having a robust storage department that could easily setup a secure share with backup for them. But these pseudo IT folks always think they know better.

So I'm not a huge fan of "shadow IT".

[-]

tartarsauceboi@reddit

I totally understand that. I wasnt talking about shadow IT. I do Tier 2 helpdesk. im regular IT

[-]

Reinazu@reddit

I can see that. In his past jobs, his IT department probably rejected him outright. But in this particular case, I have the opinion he has a grudge for passing him over when we were hiring internally. Since then, he seems to always be inserting himself into situations to prove he can do IT tasks. If some of his work didn't look like copy/pasted code from chatgpt or stackoverflow, and if he didn't seem to break half the things he was trying to fix, I'd at least give him a chance. I guess in that sense, I would be like your co-worker.

[-]

BlackV@reddit

No I agree with them your are wrong (without more context)

Better ACL control? Why? What about domain users? What is "better'?

Raid 1 raid 2 ?

Who is patching maintaining that?

Who controls security on that?

How are you backing that up?

[-]

Soap-ster@reddit

and said it's proprietary and that's not a good idea.

What does he think Windows is?

[-]

Remarkable-Host405@reddit

commonly supported, already paid for

[-]

Scale is Debian, almost nobody sane would use TrueNAS Core (let alone in corporate environment)

[-]

zfs_@reddit

My bad, slight distinction difference. Still the same concept.

What is he, stupid?

[-]

dustojnikhummer@reddit

What is he, stupid?

Yes

[-]

LankToThePast@reddit

I agree with your sysadmin who didn't want to setup a truenas system. "Hacked again" means he needs to tighten up the environment, and likely can't afford putting forward the use of a new system that he doesn't fully understand. It's not for the reasons you've mentioned exactly, but I understand his point of "What if it breaks?". If he doesn't know what truenas is, or hasn't worked with it before, it's a system he would need to put time and effort into understanding. He needs to know the answers to many other questions as well.

How do I back it up? How do I secure it? How reliable is the system? How do I get notifications for issues? How do I find out about updates and new releases? How do I use it to help our current environment? How do I get support for it when something happens? How do I justify spending time building this system vs a windows system that we understand? How do I make sure I'm not the only one supporting it?

So the "what if it breaks" is totally valid, and it's his butt in a sling if it doesn't preform or has a problem, and his time to learn to set it up. I would keep using windows, and normal file shares unless given a clear and useful advantage.

[-]

tech2but1@reddit

because he got this initial feeling

I've got a customer like that. The amount of times we've done something the hard way because they've got the wrong end of the stick entirely is infuriating.

[-]

dustojnikhummer@reddit

He saw that they sell the truenas in prebuilt NAS options and said it's proprietary and that's not a good idea. "What if it breaks?"

Does he not know HPE and Dell sell servers with Windows Server preinstalled on the raid array?

[-]

sorean_4@reddit

I’m sorry but that not a great idea. A user coming to IS asking for a specific NAS distribution?

The IS will run what the IS understands and what they can support.

From the user perspective hey this is cool software that will be great to use and it will be faster

From IS perspective: IS staff training on setup and configuration, maintenance, performance testing, user mapping changes to the shares, data migration between platforms. backup and recovery testing, DR replication etc….

Unless you have some major pain points the ROI on the change is just not worth it.

IS should listen to staff however addressing the pain points it’s their jobs and selection of platform to address the issue.

[-]

Mr_ToDo@reddit

Well he's right and wrong

There's nothing wrong with not doing every random project. But at the same time there's a point in addressing the needs and wants of the end users.

Hacked again sounds, um, fun. I'd say for a NAS, or anything really, if he isn't willing to put in the time to actually learn an environment then it really might be more secure to not have it(for the wrong reasons sure, but still). I do know I've put objectively worse performance solutions in place simply because I or someone else can't maintain(or possible put in the time required to maintain) the better ones

Although "raid 2"? Like Z2?(maybe 10?) because as far as I know in the standard raid levels 2 is not really used anymore. Lot's of different configuration options in Truenas for speed depending on how it's being used, but the more tuning you want to do the more you need to know about how it works(And my ability there is not so great myself)

[-]

AgentD20@reddit

Damn, that guy sucks.

[-]

tartarsauceboi@reddit

I understand his cause for concern and precausions.....but like just setup a basic isolated network to test it in if youre so scared. its FREE. you dont like it, scrap it. but atleast give it a shot.

[-]

iCashMon3y@reddit

So many red flags. Why are end users allowed admin access to their computers? Was that page reachable via the internet? How does your security possibly allow that?

[-]

Reinazu@reddit

The biggest concern, no its not reachable from the internet. I made sure to block all traffic to his mac in the firewall from external networks, and the guest/IoT/VoiP vlans.

But for users having admin access, that's how the devices were set up for the majority of user devices before I joined... Small company and the leaders up high don't care too much about how things are set up, as long as they don't hinder workflow, which blocking employees from installing new software apparently does. Hell, my biggest complaint about that is that we have people editing photos and videos directly on the ftp server through an smb connection, and refused to make local copies to work on because "It's takes too long copy these 4K image files back and forth".

So yea, security is pretty lacking, and any changes need to be passed by someone higher level, and most of the time, the answer is "It's works how it is now, why change?" Literally all I can do is wait until something happens, and have a "I told you this could happen" moment. Hell, just getting the firewall replaced with something that wasn't accessible and managed by the third-party original installer felt like moving a mountain.

[-]

iCashMon3y@reddit

I would highly recommend sending an email highlighting the security flaws in detail to your boss and any higher ups that make decisions. Local admin access makes it very easy for threat actors to traverse your internal network if you get breached. It also opens the opportunity for someone to install a backdoor. I would also recommend making as many changes as the company will allow to tighten security. Also make sure that you document everything you have done, and document every time that you let someone in power know that you are vulnerable.

Basically cover your ass, I know you don't want to be in a "told you so" situation, but you would much rather be able to outline all the steps you took and all the times you were told no.

[-]

Firthy2002@reddit

This is why SMEs are very tempting targets.

[-]

fahque@reddit

Why would you assume that?

[-]

Gadgetman_1@reddit

There's at least one 'web server on an USB stick' out there that doesn't require Admin rights.

This is why we use Applocker and disable running anything from any folder except C:\windws and C:\Program files and their subdirectories.

[-]

The sad part is that they mostly use it just to print off some 4x6 labels for inventory. The rest is basically running a report on a third party site, downloading a csv then uploading it to his site to import to his mysql, and then it spits out another csv with things organized a different way. The problem is that most of its functions, our internal web server already does but with direct sql database access, so the data is always up to date, or is something minor that could probably be integrated within a couple days if they'd just speak up...

[-]

fresh-dork@reddit

right? now that you know about it, getting the thing in a rational form that works properly and doesn't require tending from their squad or the security holes they probably have can turn into a good will thing.

[-]

1stPeter3-15@reddit

"But why would I jump through all of your hoops when I can just set something up quickly myself?" - End User

The age old IT problem. We're held accountable for doing it right when they can simply do it quick.

[-]

bamboo-lemur@reddit

People do this because IT is slow to get things done and won't allow them to do things the way that they want. So they end up with a hack job like this.

[-]

djmonsta@reddit

A remote user renamed his personal laptop to be the same as his corporate laptop to try and log into company resources undetected. Yeah didn't work.

[-]

withdraw-landmass@reddit

I can totally relate to "rouge VM". Orgs that install Crowdstrike on developer Macs are just silly. Partner did a bench of their MDM'd M4 Pro vs a personal M1 Pro evaluating the same Nix derivation. The M4 took 3 times as long just based on how much it bottlenecked IO. It got worse when actually compiling.

[-]

bao12345@reddit

Your options are network access or an AV. You might think that you’re great at avoiding malware, but anyone is susceptible. Maybe it isn’t you that gets compromised, but another host on the same LAN…then you become a juicy target for lateral movement, because they could sit on your machine unnoticed because you lack an AV. Your host will become the distribution point for malware throughout the organization.

Don’t care how technically proficient you are, suggesting that installing anti-malware is a bad thing is pretty silly. That demonstrates a lack of awareness. Perhaps your IT security team needs to train you better, or you can train your selfish on the tactics and techniques used by threat actors.

Okay, counter my claims. That’s how debate works. Instead of attacking the words, how about debating the substance? Otherwise, you’ve contributed nothing to this conversation other than vitriol.

[-]

MorallyDeplorable@reddit

What is there to counter? You have said absolutely nothing in support of live heuristics, lmao. You just rambled about auditing and paper trails and nonsense about fantastical cross-host attack vectors. None of what you said even attempts to back up what you originally claimed.

[-]

bao12345@reddit

Okay, it sounds like you're just angry and want to vent. You should try this instead of social media: https://www.supportiv.com/tools/need-to-vent-anonymously

You can also leverage tools like rewordify to reinterpret some of what I've said so you can better understand it. https://rewordify.com/

If you'd like to learn more about cybersecurity best practices, here are some resources for you:

CISA - https://www.cisa.gov/topics/cybersecurity-best-practices

CIS Critical Security Controls - https://www.cisecurity.org/controls

NIST CSF - https://www.nist.gov/cyberframework

MITRE ATT&CK - https://www.mitre.org/focus-areas/cybersecurity/mitre-attack

When you'd like to contribute meaningfully with an argument against EDR, that argues against the best practices laid out in the frameworks mentioned, then I'd be happy to engage further. Until then, I suggest you take your ad hominem attacks elsewhere.

[-]

MorallyDeplorable@reddit

Okay, it sounds like you're just angry and want to vent.

Lol, so anyone who points out how much of a clown you are is just angry?

[-]

MorallyDeplorable@reddit

You're not an intelligent person regardless of how you dress up your posts. What you are saying is nonsense.

Your entire threat model is bullshit that was imagined to scam people into buying overpriced performance-hampering nonsense. You don't even seem to know how malware spreads between hosts in a network. You're missing the basic fundamentals while trying to make giant sweeping claims. It's rather pathetic.

[-]

withdraw-landmass@reddit

I don't buy into the lie that security is a product (except to say "we did the industry standard shit" when you get owned as insurance) and that this software is anything but a remediation tool.

That aside, common endpoint security vendors are the worst, because they have zero incentive to provide a good experience. You don't have to convince end users to keep your software installed. The collective time and watts wasted by major AV vendors is something I don't even want to imagine, because it'd just make me angry.

Now don't get me wrong, I don't think I or anyone is invincible, but if I get hit it'll probably be a supply chain attack of some kind that messes up my .profile or something along that way. On a large enough scale, compromise is a fact of life. I see a lot more value in getting your configuration right, rolling out zero trust and just-in-time access to systems and making this process easy to follow so everyone has the right incentives to not have to work around a shitty tool that insists on scanning the same goddamn files (on a copy on write filesystem) every time I try to access it.

I liked Kollide a lot. Shame it only works on Okta and is now restricted to be a value-add to 1Password Enterprise. I'd very much recommend their manifesto: https://honest.security/

Perhaps your IT security team needs to train you better

I held the title of Cloud Security Engineer for a while. I better train myself.

[-]

bao12345@reddit

I’m an IT Security Director. Came to the leadership track from engineering.

Heuristic detection looks at the behaviors and actions of files on your machine - what is the thing doing, not just whether a file matches a signature. That’s why your AV is scanning your every action…because files change, and when that happens, malicious activity can be embedded in it, or the action itself can be part of a broader group of actions being performed by a malicious actor.

For a more comprehensive understanding of what anti-malware applications are really doing, I’d suggest researching how an EDR works. Perhaps with greater understanding, you can appreciate that EDRs can detect and respond to zero-day attacks like what you describe.

Something like 9 out of 10 breaches occur because of users’ lack of awareness or understanding. While the majority are social engineering attacks (ex. Phishing), many are just lackadaisical approaches to basic security. Many supply chain attacks, for instance, could be prevented with File Integrity Monitoring or Privileged Identity Management, or a good EDR.

That said, ZTNA is good. EDRs contribute to ZTNA by assessing every file save for malicious activity. It’s in the name: I have zero trust that you are not acting maliciously, so I’ll assess every action you take. No good ZTNA implementation lacks Defense-in-Depth.

You’re also right - compromises are commonplace now. It isn’t really about stopping it before it happens, but about detecting it as quickly as possible and impact reduction. EDRs improve Mean Time To Detect (MTTD) and Respond (MTTR). By not having one, an Advanced Persistent Threat (APT) can park themselves on an unprotected host and lie in wait in your environment, quietly distributing ransomware to your whole fleet and exfiltrating sensitive data. This is why there should not be any exceptions to deploying an EDR unless the host is extremely walled off from network access.

To suggest we shouldn’t use EDR solutions because they can’t prevent malware is like suggesting we shouldn’t wear seatbelts because we can’t prevent car accidents. I hope you improve your understanding of modern IT security practices and develop a greater understanding and appreciation of what your security team is doing for you.

RE: Kolide

You can do effectively the same thing as Kolide with Intune and any IAM product. Most modern MDM's offer similar functionality (usually at a price), but I agree - Kolide's perspective on this is novel and clean. It does not replace or mitigate the need for an EDR, though. In fact, one of the controls you can enforce via Kolide is the requirement to have an EDR solution implemented and kept up to date.

RE: Honest Security

I've heard of this before, and agree with the approach. I think this is directed at a lot of the "old guard" security professionals who like to keep their tools, features, and functionality close to the vest. I've worked for and with folks like this before - it ends up pissing everyone off, and makes everyone's jobs less enjoyable and more difficult. Those are the guys whose default answer is "no". They cause more problems than they solve. It sounds like this is the typical IT Security professional you've dealt with.

I'm more aligned with the group of security professionals who *love* to show people what we do. My answer is typically "Here's how I think we can do that securely - will this work?" which aligns with the Honest tenets. That said, there are still times where a hard "No" is unfortunately the only answer to protect the business or the end user from themselves.

Just know that there's a new era of security professionals that are spreading that have this perspective, and we're now in leadership roles to affect this change. Maybe someday, you could jump to SecDevOps and help people like me achieve that optimal equilibrium of operational stability, security, and performance.

You might not think that I align with the Honest Security tenets based on this encounter, but know that understanding and trust goes two ways. If you think my tools and industry is no more than an insurance policy, then I have no reason to trust you either. If you want to remove EDR from your endpoint because it negatively affects your productivity, I perceive this as an uninformed decision or an irrational one, so I'll try to educate you. We established that removing the endpoint completely or complete disregard for your productivity are NOT the answer. Fortunately, at this point in our chat here, we came to an understanding that there *is* something that can be done: Optimizing the endpoint behaviors. We *can* work together.

You might have a better experience with your Security teams if you approach them as if they were as technically proficient as yourself. Treat them as peers who you can work with to solve a problem, and you might improve your own experiences. It's not a blame game: it's a problem to be solved. Isn't that why many of us love IT in the first place? We love solving problems? Build off that shared motivation and maybe next time we discuss something on here it will be a more positive experience.

[-]

withdraw-landmass@reddit

Fortunately, I do not deal with that team anymore. I now deal with a completely understaffed team of two, one non-technical CISO who has very weird priorities (pings about Apple RSRs releasing when we have about 2 Macs in the company), with me in a "default fallback" infra team, where we drive some security topics, but with this few people, it's very much a game of picking your battles. Oh, and the device management is done by an oldschool IT team, so it's rather permissive and restrictive at the same time in the wrong ratio, so I'll admit I took the "I run NixOS, I am ungovernable, your binaries - if you had any - don't run here" route. Probably makes me incidentally immune to a lot of supply chain attacks too. But I also don't have critical permissions and despite our IP block being old enough to be dated 1970-01-01, we don't actually have most normal users on any kind of VPN.

As for "insurance policy", I think that'll always be part of the pitch and a driver for how security vendors prioritize (or deprioritize) features. We all have to justify our existence to someone, even if we care about more than hitting goals on paper. That offensive security team at a different place got pitched after a close call and immediately killed when someone found out how much you'd have to pay someone who could lead that team...

I'm pretty sure the reason the BeyondCorp papers never explicitly mentions EDR or any kind of endpoint security beyond "monitoring health" is because this area has a lot of pitfalls.

[-]

Mr_ToDo@reddit

Sorry for my ignorance, I'm not a developer. Is it common for the building to be done on the local machine? It feels like the kind of thing where unless it's a small part of the company where it doesn't pay, that having a small compile farm gets more bang for the buck.

I'm guessing that dev's are especially hard to do security for since I'm betting that they have more rights and access then other users for daily tasks. Or not I'm not sure, again, not a dev. Maybe it depends on what they're building?

I suppose most of that could feel safer if you remove internet access from whatever machine they have elevated privileges on(Dev VM's, or remote machines?)

But ya, I could see how many security products would really bog down on loads that they would put out. Maybe they could be tuned around their workflow, I'm not sure. It'd open more holes but workers got to work too.

[-]

MorallyDeplorable@reddit

IME most devs think it's faster/more convenient to get debuggers and stuff working if you're local.

They can be right if the environment is a mess.

[-]

HistoricalSession947@reddit

Out of interest how did you test that? I have a similar need for testing it with our av

[-]

withdraw-landmass@reddit

any well-rounded benchmark will do, honestly. nix is just something my partner was using.

[-]

At a previous job I go word that we hired a "rockstar" developer, and that as a condition of employment he had to have the newest Mac [we were a Windows shop], a mechanical keyboard [this trend had barely even started], and an "aerodynamic mousepad". [I still don't know what the fuck this was supposed to be] The company sourced all of this bullshit, less the mousepad, plus an extra fancy desk chair.

It's the same at my workplace. Windows honestly sucks to work on.

In the end we are using Linux inside Hyper-V, and I would resign if this is not allowed.

[-]

i_removed_my_traces@reddit

He went on to become a sovereign citizen.

[-]

butrosbutrosfunky@reddit

Worked in IT for a university, and some grad student used his HPCC (high performance computing cluster) account that he had ostensibly for biomedical modelling research to mine a bunch of crypto shitcoins. People obviously noticed, compute time on that kind of expensive shit is in high demand and jealously guarded by other researchers in competition and his massive demands on it led pretty quickly to an informal audit of his KVM instance. He had the audacity to act outraged when caught and subsequently de-hired.

[-]

ADMINISTATOR_CYRUS@reddit

I'm not the sysadmin here, but someone I know who was a student did some funny shit. Their school set up students with a Surface. From what I know:

When the student got the Surface Pro, it came with Windows
During the Windows setup it's possible to get into elevated command prompt if you're offline
It was already set to autoconnect to the school's wifi network
as long as you wait until you get home to even turn on the machine for the first time you could access elevated command prompt and add yourself as administrator

The student did a bunch of stuff but in the end tried directly deleting the files for their school's monitoring software, but that just really fucked it up so any time the device connects to a wifi network it gets a bsod. Eventually they had no choice but to hand it in to IT.

[-]

Kiernian@reddit

Didn't get expelled but got into a fuckton of trouble because apparently trying to force remove the files "damaged the device and was unfixable" after sending it to Microsoft. Not sure if that's actually true or not, sounds incredibly wild.

That's surface support.

You know how some contracted support eschews SLA's in favor of "best effort" support in some circumstances?

Surface support is like that only it's "least effort".

They just rubber-stamp almost everything "busted" and if it's not under warranty, you're buying another.

[-]

ratherBwarm@reddit

Long time ago when storage space was still limited and cost a bundle, as an IT manager I put together a backup program for my division ‘s PC’s. We’d lost irreplaceable data on several l as laptops by then, so they were under a strict schedule.

My server storage was limited, so I’d review the schedule and size of the zip’s backups each week.

One of our higher ups was using 3x more space than anyone else. Turned out he was downloading movies to watch on his frequent flights, and never deleting them. The next biggest user was hosting his wife’s jewelry business off the PC, with Quickbooks accounting, her taxes, and a thousand pic’s of the jewelry.

[-]

McClouds@reddit

I worked for Geek Squad about 12 or so years ago, and there was this Tech Support plan that would service up to 3 personal computers for in store software support under the cost of the contract.

Had a client bring in computers, hit the 3 limit, then said he got rid of the old computer and this was a new one. He did that 3 times, so got 6 computers fixed for the price of 3.

He was charged for another plan when he tried to bring in a 7th computer, which he paid for, and then brought in an 8th and 9th computer.

In the market I'm in, there's two stores. He'd load balance between the stores in hopes that he wouldn't be recognized, but he had a very recognizable voice and some very specific physical features. When he got banned from purchasing Tech Support, he started to use his family to purchase the plans.

I left shortly afterwards, but I remember one of the last interactions I had was his mother bringing in a PC that was registered under a plan for someone else. We called that client who said that they were being charged $150 for the repair. I can't recall what the tech support plan cost, but it was about the same. So the dude made over triple his investment outsourcing his "IT" stuff with Best Buy. I was surprised this was the only time this happened in our market, but it was pretty obvious that these weren't his personal PCs. I wonder how many more flew under the radar.

[-]

BartonSVK@reddit

Haha that was brilliant, I would have never thought about something like that...

[-]

PBF_IT_Monkey@reddit

Except with all that time and energy he spent trying to run his little game on BB, he could've just learned to be a better tech and fixed them himself

[-]

moderately-extremist@reddit

He may have been able to fix computers, but I'm wondering if he only brought them in when it was a hardware failure.

[-]

SimplifyAndAddCoffee@reddit

Probably this. I bet he was the owner of an independent repair shop. I worked in the independent consumer PC repair business as a tech back in the early to mid 2000s. I actually got rejected from Geek Squad when I applied for being "over-qualified"... but I digress. I had some shady ass employers. It was SOP at some shops to charge customers a huge amount up front for trivial work, and then outsource it if it turned out to need more time/resources than the boss was willing to spend on it. One of our biggest advertised services was data recovery. We would plug in the drive to another system, and if we couldn't immediately copy stuff off of it and hand it back to them (for $199) we would send it to OnTrack, and quote the customer a 50% markup from the service OnTrack quoted us. Some of my bosses were known to do things like take out extended warranties on hardware components at Micro Center, then use them to replace customers' failing parts, then put the bad one back in the box and return it to the store. They got caught and banned a few times and would send other employees to do it for them. They just didn't care since there were never any real consequences for that kind of petty retail embezzlement. I'm sure if there had been such a deal available for service from one of the big competitors, those bosses would have jumped at the opportunity to abuse it like that, sending in machines with expensive hardware failures to get free or discounted replacements.

Small business is just full of grifters like that looking for any opportunity to cheat the system for profit.

I finally found one that I really liked in the 3rd one, bought five of them on eBay (because Plantronics discontinued it quickly) and almost 20 years later I'm on my last headset.

I was just a cheap kid back then, but also I had an extremely large head that very few headsets would fit on comfortably. So now I've gotta throw down big money for a headset that will fit my head as perfectly as the Plantronics one.

[-]

weeemrcb@reddit

I moved away from over-ear headphones to these a while back.
Something similar in your country might be worth a look?

I had a user once who printed a barcode with their password on it and stuck it under the keyboard so she could scan it with the barcode reader to log in.

[-]

zenmaster24@reddit

Low key genius - if it looks like the keyboard product sku barcode hiding in plain sight, even better! 🤣

[-]

SimplifyAndAddCoffee@reddit

It was pretty obvious. They even laminated it. It was taped down to the counter underneath the keyboard. It was fairly common for people to put frequently used strings near the shared terminal where they could scan them in, and any other employee curious enough might just scan it to see what it was and if it could be used in their own workflow.

I don't disagree it was clever. But it was a job where people had different logins for a reason. They could have easily been fired if someone else had logged in to their account and used it to embezzle money.

Security by obscurity, isn't.

[-]

helooksfederal@reddit

i've had MD's buy laptops and use them for work without the IT Dept ever seeing them, happened twice this month already.

[-]

Patmyballs69@reddit

Came in and tried sticking his bt router in on a random wallport in the office because it wasn’t working at home…

[-]

Brwdr@reddit

Early 2010 I used to burn in new VM clusters using SETI@home and had switched to Folding@home to burn in clusters years prior. Enterprising young IT admin took that job over from me shortly after I hired him. Took at look at the latest cluster the Febuary and found the servers all running a bit higher than I expected so I investigated because I told him to run them but not max them out. He was running a Bitcoin miner, albiet inefficiently. I didn't really care, just curiousity and surprise.

This guy in my case was a sales guy and apparently he came with recommendations from his previous job so everyone in the management was bending over backwards for him. I just found his reasoning for the CAD workstation class laptop amusing, as he explained he needed to view complex CAD models in his daily job. As the person who had installed majority of the computers in the whole place, I was very acutely aware just what they needed and the models they had to view ran at 30+fps just fine even with the Intel's integrated GPU. But nevermind the voice of reason, when someone wants a pissing contest about who has the sales department's hottest (literally) computer.

[-]

HistoricalSession947@reddit

Someone was strongarmed into dropping the PROCESSES of not installing games instead of dropping the ROGUE EMPLOYEE!??!?

[-]

da_apz@reddit

No, the user was not seen running unexpected processes again.

[-]

HistoricalSession947@reddit

Ah, thank heavens!

[-]

Zenith2012@reddit

Many years ago I worked in a school, one of the kids created a new website (to bypass the blacklist filtering on the internet, I'm talking early 2000's). He added a bunch of tools to the website that he had downloaded at home that would allow him to try and hack the network, then downloaded them in school.

Our AV caught them as soon as he downloaded the files, the head of ICT removed him from lesson and he was no longer allowed to use any PC during his time in school (their goes his exams). His excuse was "I wasn't going to use any of it, i just found the tools, created the site, uploaded the tools, then downloaded them in school but wasn't going to use them, honest".

Meh #kids

[-]

Isorg@reddit

On a Christmas Eve years ago, while working for an MSP, we got called in for a new client. Their IT admin had gone rogue/AWOL, wasn’t answering phone calls, and was causing issues. They wanted him gone, but he wasn’t giving up passwords.

Their servers were located in a datacenter about a three-hour drive away. We sent a tech to the datacenter to break into the servers, regain control, and kick the rogue admin out. When we got to the DC and gained access to the "racks," we told the client about the two racks. They were confused—they only had one.

Well... we were looking at two racks. One had what we determined to be the company’s gear/servers. The other rack, located right next to it and connected to their gear/internet, was some kind of long-distance calling card service with serious hardware in it.

Us: “What do you want us to do?”
Client: "Shut it down!" No problem—click!

During all this, the tech onsite needed more assistance because things had snowballed into a major issue. I geared up and began the three-hour drive to the DC. During the drive, I joined a three-way phone call with the tech, our manager, and the client’s sales rep to plan our next moves.

The rogue admin then started calling, but the owners had locked him out of the DC. By then, we’d regained domain admin, locked things down, and secured the situation. While I was driving and listening to my manager and the sales rep discuss next steps, the onsite tech took a break and stepped outside.

Coming back into the DC, I overheard him having a conversation with a third-party person who couldn’t get past the mantraps of the DC’s security doors (he’d "forgotten his badge") and offered my tech money to let him in. My tech said, "No, I can’t do that."

My manager and the sales rep were too busy talking to each other, but I caught the conversation in the background. I interrupted to ask the onsite tech, "Who were you talking to?" Turns out, it was the rogue admin! We figured he’d started driving to the DC the moment we cut the power and internet access.

Long story short, the rogue admin had been reselling rack space/internet to a calling card company specializing in long-distance calls to Mexico. The whole thing was shady—money laundering/cartel-level shady.

From what I understand, the calling card people lost a lot of money with their systems being down. My client didn’t care—they didn’t have a contract with them! Two days later, I was back at the DC, supervising the calling card company as they removed their gear.

All of this happened on Christmas Eve, and the sweet, sweet holiday/emergency rate paid for my new motorcycle!

[-]

Not_your_guy_buddy42@reddit

I'm getting faint die hard vibes

[-]

redthrull@reddit

Wasn't going to comment but your post reminded me of something. Not really malicious, just...clever.

We thought.

Later that evening, he **dialed in** through a modem connected to a Cisco router in a telco closet, got authenticated to a domain server, and ran a script under a service account. His aim was, we think, to wipe out all access to all the data (but not the data itself). Because we did backups, and turned off the only vulnerable domain server (Windows 2000) that would accept that account, damage was minimal and easily undone. Domain logging captured everything he tried, and we were able to not only prevent him doing that again, but we had evidence of sabotage that was undeniably him. I believe he was arrested, but he was an older guy, so I am not sure if he went to jail or not, since I was not part of that cutover after it was done. It was thanks to me and a Windows Admin that it didn't end up being a disaster. But dialing in through a serial connection on a forgotten Cisco router was pretty creative.

[-]

nostril_spiders@reddit

Lieutenant Kijé

I had that on tape, growing up. It was a B-side on Peter And The Wolf. Heavily abridged versions for kids, narrated by Johnny Morris.

gif

[-]

keetyuk@reddit

Weirdest one ever, back in the day, when laptops were the exception and not the norm, a user had been assigned a laptop for one reason or another.

[-]

drkstar1982@reddit

Several devs wanted upgraded Mac’s so they disabled certain keys in terminal. Unfortunately for them they forgot to delete the terminal history. Two got fired as that was the last straw with them And three others got written up.

[-]

Kaon_Particle@reddit

How did they expect to explain how all 5 laptops ended up with the same problem at the same time??? Maaan those guys are dumb.

[-]

Snuzzlebuns@reddit

drkstar1982@reddit

They were older Intel machines, and our helpdesk would normally just give them something new because it was faster than a wipe. As the Mac admin, I was the last line of support. And helpdesk asked me why the key would work in recovery mode and not in the OS.

I asked the user to log in and looked at the terminal history in front of them, reversed the issue, and said, Hey, just fyi, I fixed the issue and will be down to talk with you manager shortly. And let me tell you that was a fun conversation.

[-]

Espeakin@reddit

Nothing too crazy my way. We get torrenting. We get porn. We get torrenting porn.

A lot of users hate the 15 minute sleep policy, so they try to bypass that with caffeine, clickers, etc.

All of our science faculty want local admin, because they have it from like 2000-2010 and did whatever they wanted lol

[-]

lebean@reddit

A lot of users hate the 15 minute sleep policy

... which is just crazy, because if your PC idles for a full 15 minutes, you are not at your desk or are not doing work on the PC. Even if you were "reading/studying something", within 15 minutes you'd absolutely have to scroll a document or site. Why do people hate having to unlock their PC when they return to their desk?

[-]

Shadowwynd@reddit

Whenever our systems log out, we have to go through the whole 2FA process again - MS sends us a prompt on our company cell, Facial Recognition (from mobile phone) needs to be done twice to log back in.

10% chance that the key takes so long to arrive in Authenticator that the key has expired and has to be resent.

10% chance that the system drops the main WiFi and switched to the guest WiFi which can’t be used for authentication, requiring a manual change of WiFi (or manually telling it “don’t use this one”).

10% chance the Surface laptops running dual external screens through the dock don’t come out of lock properly, resulting in one or both external displays being dead until a system reboot.

I didn’t go anywhere. I was talking with a coworker for a few minutes in the door of my office. I was on a phone call at my desk. I was filling out dead tree paperwork at my desk…. And all of a sudden I have an external delay of at least one minute, possibly 5-20 minutes - and this happens multiple timescales a day.

[-]

Valadrimin@reddit

MFA back into the PC? After a logout?! Dude… what a massive waste of time!

[-]

lebean@reddit

Not even after a logout, they're saying they have to MFA to unlock the screen of an already logged in session... what?

[-]

Shadowwynd@reddit

Yes, correct. Session is logged in, apps are open, stuff in progress is in progress…. We have 2FA set for every time - login or unlock.

[-]

dustojnikhummer@reddit

Lock is fine but why sleep??

"Okay, I will let this run while we go for lunch" only to find sleep breaks that...

[-]

lebean@reddit

Ah no, we don't sleep them after 15 minutes, it's only a locked screen.

[-]

Mostly just an inconvenience/ignorance thing. No one thinks someone’s going to go through their shit lol

[-]

dustojnikhummer@reddit

A lot of users hate the 15 minute sleep policy

sgt_Berbatov@reddit

People were using the "Clock" app from the Microsoft App store and setting the timer on it, which stopped the screen locking.

[-]

pizzacake15@reddit

An executive and a secretary installing crypto miners.

The executive was repeatedly reprimanded cause he didn't stop. He was eventually let go for reasons unrelated to it.

I didn't know what happened to the secretary as i left the company before infosec could triage it.

[-]

Last_Hunt3r@reddit

An employee managed to run unauthorized software (brave browser) in the session based RDS environment. Because someone told her Edge will steal all her data. We are a Teams/SharePoint company.

[-]

DadLoCo@reddit

Some brainiac back in the day whitelisted an executable without including any metadata. It even a required path. That Exe could be run from anywhere.

Users figured out pretty quick that they only had to rename their desired installer to that Exe and it would run.

I’m the party pooper who shut that down after joining the company.

[-]

Popal24@reddit

A user tried to have direct database access to an inside app I developed. He wanted to bulk load+edit data by himself. After I repeatedly refused, he tried to bypass me an ask the DBA directly.

During the early 2000’s when BitTorrent was a big thing, the FBI came a knocking to our Fortune 1000 door. Seems someone had opened a port to the open internet off a test/build machine for medical devices. Sony or some such called the FBI telling them their pirated movies were being sold from a machine on our factory floor. LOL. The balls.

Anywho… I finally got the budget and mandate I had been espousing for years (to take away local admin rights, lock down traffic correctly, only IT provisioned and maintained systems).

[-]

azuratha@reddit

I have some stories but one of the people involved is still in jail because of me. They get out this year and I am worried they'll come after me as it was pretty obvious I was the one who provided the IT evidence that got them convicted (sole admin situation). I resigned after it happened but they know who I am. Not much I can do unfortunately.

[-]

BarServer@reddit

I don't understand this comment. So you risk exposing yourself by making this comment and then don't even provide the story? I don't get what you are trying to achieve.

[-]

azuratha@reddit

I haven't exposed anything in what I have said. If I gave specifics then I would be exposing myself, but I haven't.

I wouldn't want to risk writing specifics because then my reddit account wouldn't be anonymous.

You are right that there is not a lot of point in my story without specifics, I wrote that while I was on my phone and didn't have time to write anything further. I don't think it's worth the risk to try and write it up without giving myself away, as a reply on a 13 hr old post that probably nobody will ever see.

[-]

First-Literature8880@reddit

For this dude, it’s a business.as a middleman, buy low, sell high.

[-]

teebee@reddit

Way back in the early-mid 00s I was a young sysadmin. My spirit wasn't broken yet. They were magic times. I was doing departmental IT (shadow it) I was taking care of a couple of our shiny new VMware ESX 2.1 servers on Dell 2650s. Each server had about 80vms on it but only 4 VMs would ever be on at once. I only had 2 cores to play with. One day I stroll in and everyone in my department is pissed at me something was going on with VMware. I log in and my 2 cores are flat out 100%. VM On host 1 seti1 and on server 2 seti2. Hmmm those aren't mine. Only other person that had admin was my back up Jim.

Me: Jim, Wtf is seti1/2?

Jim: oh seti2 at home it's a massive parallel project yada yada yada.

Me: why is it in my VMware rig?

Jim: it only uses free cycles

Me: how does it know that across VMs?

Jim: uhhhhb

Me: How long has it been running?

Jim: About 18 hours

Me: ok you've DoS'd our team for the last 18 hours.

I had to write up an RCA and laid blame where it belonged he got a firm talking to and stayed out of my way from then on.

I had companies that had their ftps targeted as warez drops in the early 00s. Had users trying to take over a Netapp for a big mp3 collection.

[-]

ChampionThunderGoose@reddit

I worked at a retail chain. People would

Launch ERP System --> Hit F1 to launch Help --> Hit Ctrl+N to get a new browser window that was outside of the web filter and logging.

We also let staff have a private vending machine on the shop floor to earn some extra cash. They would buy a drinks machine, break one or two of the buttons and hide thier Beers/Burbon and Cola's' behind them. No alcohol was permitted on site, but we were not able to search a privately owned machine

[-]

fubes2000@reddit

Couple jobs ago we had a satellite office in Vancouver so that we could attract "higher-tier talent", and one of these "high-tier" individuals decided that they needed an automated build system, but didn't even attempt to run it by IT. What he did was move an iMac from a recently-departed user's desk into a storage room and installed Gitlab Runner on it.

Desktop IT grilled him several times about the missing hardware, but he played dumb quite authentically. Eventually I got roped into a ticket where another user in that office said "every time we run a build our internet cuts out" which led to "what do you mean 'run a build'?" which led to me finding IT's missing iMac on the network running shade-tree services which was indeed saturating the internet connection with bullshit it wasn't intended to handle.

The company decided that "well they already changed their processes..." and hung the fuckin albatross around my neck to scratch-provision a build system that worked with this fuckwit's cobbled-together workflow. He earned my eternal ire, and I'd like to think that even though he was not immediately fired for this [which he absolutely should have been] that I greatly contributed to his eventual firing for incompetence by constantly pointing out how much the guy fucking sucked at everything.

[-]

TheGlennDavid@reddit

Not an answer to your question but I refuse to be upset over mouse jigglers (not that anybody asked me). If a supervisor can't find any meaningful way to assess the work output of an employee besides "is their PC idle?" then they are bad at their own job.

I get it -- from a "hr box check perspective" it has the same objective flavoring as "is the person in the office or not" but....ugh.

[-]

koshka91@reddit

Not only that. There are hardware mouse jugglers. That’s basically a mouse emulator

[-]

skydiveguy@reddit

You’re a moron. This has nothing to do about making sure an employee is “working”. It’s about making sure that the computer locks if the screen is inactive for a certain period of time to prevent unauthorized use.

[-]

TheGlennDavid@reddit

Ahhh that makes sense. I remember hearing about the return of jigglers during COVID remote work when places were deploying wacky tools to measure time-on-task.

Using them to avoid security based screen locks is certainly bad.

[-]

Nydus87@reddit

We had a guy working in Information Security that had access to our corporate verizon account. He'd go down to the Verizon store, setup a new line of service to get a free IPad or iPhone or whatever, then cancel the line, have the device cost billed to the corporate account, and then he'd give the devices to his friends or sell them online. We busted him, reported him to management, and he was still working there in a leadership and security role when I left a few years later.

[-]

VIDGuide@reddit

Oh this reminds me of one guy we had. And to say this is the least shady thing he did is an understatement. But those were more in the “outright illegal” category.

Anyway, he would talk staff member into a deal of “porting their personal number onto a company plan”, which would then be salary sacrificed to cover the cost. This bit was above board, though a headache when staff ultimately churned, but they got a slightly better plan, and everyone won, right?

wwbubba0069@reddit

there was so much stuff when I took over the IT here (XP era). Was like the wild west, there was no domain, no web filtering, everyone was local admin.

One dude was doing taxes as a side business, one lady was running copies for her bible study group on the mailroom copier, like a ream of paper at a time. 1 in accounting and 1 in shipping teamed up and were shipping stuff on the company UPS account. So many were using their office desktop as photo backup of vacation photos, one guy was keeping nudes of the women he dated so he wife wouldn't see them on the home PC.

The day I put the web filter in place I was the most hated person for while.

ahh... memories...

[-]

davidgrayPhotography@reddit

I know a business where the CFO was doing taxes as a side business during work hours.. and some of his clients were employees. That same place had several people doing side businesses during work hours, but as long as it didn't interfere with the work being done or wasn't using company resources (e.g. no mailing stuff using the company's resources, printing stuff occasionally is okay but not like a whole ream of paper) then they looked the other way.

[-]

moderately-extremist@reddit

I feel like every place I've worked there some middle management or assistant getting busted for using the company shipping account for personal items.

[-]

vemundveien@reddit

I once ran a php chatbot for an MMO I was playing on my webhost because they gave me SSH access. They unfortunately busted me after a few weeks, but that at least gave me some reassurance that they had decent monitoring.

At least one shop installed the game, and loved it.

Admin did not like it. Especially because GroupWise was hard to convince to stop sending the outbound stuff. I think after multiple deletion and repair and reboot attempts, they simply added more diskspace to the server and waited until it was all done, then introduced a size limit for email attachments. Which was a wise decision.

[-]

pdp10@reddit

Groupwise had an awful SMTP gateway. A division had a Groupwise 6.5 that was having outbound mail problems, and it turned out it treated 400-series temporary errors as permanent errors. That was a problem in the age of graylisting.

[-]

dartdoug@reddit

We were contacted by the owner of a small (fewer than 50 employees) distribution company to figure out why they had multiple racks filled with servers and to determine why they had multiple T1 lines (this was before cable and fiber broadband was a thing) even though they really did nothing on the internet except some daily EDI transmissions.

The owner waited until his lone IT guy was on vacation to have us come on site. The owner had admin passwords (which was a pleasant surprise). We snooped around freely for a couple of days.

Turns out IT guy was running a sizable web hosting business. On equipment purchased by the distribution company and using access lines paid for by the distribution company.

IT guy was fired upon his return from vacation. Sadly, the company was in such dire financial straits at that point that it closed up entirely less than a year later.

[-]

PsyOmega@reddit

a wifi router inside the cubicle (like, inside the cubicle wall itself. tricky but if you've ever taken one apart you'll know what i mean.). patched in to the lan port 3 or 4 cubes down and carefully routed the cable under the cubicle walls so it was completely invisible.

We had a client who was ending their contract with us, and it wasn’t exactly a clean cut of ties; it got financially and contractually rocky, and even personal at some points.

Long story short, we are on the phone with them (mostly just this one lady from upper admin) helping troubleshoot, what normally would be, just your average network issue. But sucks for everyone because patch panel cabling is involved

(i say we because it was helpdesk tech with phone on speaker as management is listening in/monitoring. Just to give some context)

Client is pissed because “we made an update that slowed the network” but we are near confident someone plugged a voip phone in twice (dont ask about STP… another story)

I guess this lady on the phone was involved in the “political” drama going on and treated this as like some war; we were the enemeis whom cannot be trusted. Well i guess in her valiant efforts to make us look weak, and most importantly, incompetent, she threw in a little sabotage and started cutting the 3ft patch cables with a pair of scissors.

No telling how far she got before someone saw what she was doing and started yelling and stopping her.

The phone suddenly went mute. My bosses look at each other… grinning. This particular issue was being closely monitored by the c suites of this (big) business. This was definitely used as some leverage point, but I wish i knew the specifics

Nonetheless, they were our biggest client and we lost them.

[-]

Plutus77@reddit

I was a tech department student intern in high school and had certain elevated permissions but still didn’t have firewall bypass access like the teachers had.

I did have access to AD to a certain extent though. I couldn’t add myself to the firewall group directly but did find that the teacher group was added as a whole to the firewall group and that I could add myself to the teacher group.

Got called into the principles office with the IT director. They were mad till I told them they just laughed and said to stop.

[-]

Prestigious-Ad8209@reddit

Worked for a Internet provider/data center that was made up of (not making this up) 52 small mom&pop neighborhood internet providers.

Lots of different processes and employees all over the country. This was back in the dial up/DSL days. The remote guys were all given a T1 line to enable them to work remotely at a reasonable speed.

Many, if not most of the guys bought switches/routers and sold excess bandwidth to neighbors.

At some point, when we had progressed past DSL/ADSL, it was decided to get rid of the T1 lines and put the remote workers on their local providers, except for a few really remote workers.

Well, some of these guys controlled the billing, which is how we kept track of our assets, so they deleted the rows for the employee T1 lines.

They were still paid for, but no longer traceable.

A few years later the company decided they had lost control of accounts/billings/customers. They seemed to have more circuits/nodes than customers.

They brought in a company that said they could do it in about 3 months and $250,000 by following every node in our network. All in the background.

Or they could do it over a week for $30,000. They would pull the cable from the switch. They had a guy with radio in the DC and another guy in CS with a radio. They would pull a cable, a customer would call in, they would plug it back in and when the customer said “It works!” they made sure all the customer information was correct.

[-]

Noob_Skywalker@reddit

Worked at a place with a 45 day password change policy, which is flat out stupid.

Dev set his computer date to ten years in the future, changed his password, corrected the date, and every forty five days whatever process would query for passwords needing a change would run, see his PW as not being 45 days old, and he was in the clear. It was genius.

And no, I didn’t rat him out. At a company function down the road he and I were chatting and I told him I found out what he did, he smiled and thanked me for my discretion.

[-]

rumski@reddit

He was using the router to provide WiFi for his home.

The guy got busted because one of our techs went in to do some maintenance in that room and found it. It spawned an entire investigation.

[-]

skydiveguy@reddit

I blame you for not using port security and disabling ports in the management interface that are not in use. Our infrastructure alerts us to rogue APs and blocks them immediately

[-]

nillawafer@reddit

This was at least like 15 years ago at a small operation. Clearly, this would not be allowed today.

[-]

Basic_Chemistry_900@reddit

User: Took on a new client at my MSP who had no central structure or IT security controls. We found a Bitcoin mining rig in an unused back corner office once we ran a network scanning tool and saw it in the report.

Admin: I was friends with one of my other admins on Venmo and saw someone paid him for "iPhone X". Then another. Then another. I thought that was weird and counted the number of spare iPhones we had in the server room. I counted a few weeks later and turns out we were missing 2 since last count. I told him we seemed to be missing a few spare iPhones and he almost shit his pants. I regrettably didn't report him but he stopped taking them after that.

[-]

blue_canyon21@reddit

Had a similar case where a coworker was taking spare hard drives and selling them as "Old drives from Plex server."

Every few days, he would reset some random users account password and use that account to submit a ticket claiming something like, "Clicking noise coming from computer." He would then immediately claim the ticket and start "working on it" by grabbing a spare drive while saying something like "gosh, drives are dropping like flies lately."

He would go to the user and say something like, "Hey, there was an issue with your account, and I had to reset your password. You can go to the account portal and change it back to whatever you had."

He was caught when the Director noticed that we were ordering a lot of drives and tasked a sysadmin to investigate. Coworker didn't know that serial numbers were logged. It wasn't long until it was noticed that all the machines that should have had new drives didn't, and the common thing was that he was the one that claimed tickets for replacing them.

[-]

SlimDayspring@reddit

Worked at a tech camp for a few summers. One of the staff took computers that were not being used and tried to farm bitcoin. This was like 15 years ago.

[-]

JohnGillnitz@reddit

Way back when a user setup a Counter Strike server and justified it as "a tool to monitor network latency and uptime." Okay. It was me.

[-]

koshka91@reddit

U ever heard of the pure pwnage series?

[-]

Full-Plenty661@reddit

ROUGE VM!!!

[-]

PsyOmega@reddit

Actually rouge pc

[-]

gangaskan@reddit

Second. Same call center. I trained a new class 15-20 of CSR's every 2 weeks. Call center turnover is crazy high. The first thing we told all of them is IT basically knows every call they make, every program you open, every website you visit. We specifically had to bring up pornography and not to go to any sites that displayed it. We had filtering in place but in the early 2000's it was still the wild wild west.

A CSR on his first day in the first hour he was employed sat down, went straight to a porn site. We got an alert and wanted to make sure it wasn't a false alert since no one could be that stupid. We went down to investigate in person and the CSR was already being escorted out by security. Not only did he open a porn site the first hour he was employed. He sat down directly in front of the call center directors office with a huge window he used to over look everything and saw it all.

[-]

bandana_runner@reddit

"...open a porn site...directly in front of the call center directors office with a huge window he used to over look everything and saw it all...

I worked for a now closed hospital in western Ohio, USA. One of my fellow entrance greeters/wheelchair attendants sat at the desk in the Emergency Department waiting room, which was les than 6 feet in front of the mirrored windows of ED's Campus Police sub-office and was looking at gay porn. He was termed real quick!.

[-]

rosscoehs@reddit

rouge

[-]

Flake_3418@reddit

Recently someone in the company reported a samsung galaxy s24 was stolen. It was setup as shared device in intune. The last known location was the home adress of the reporter lol.

[-]

Quagmoto@reddit

I’d see how it was joined to the domain, Intune and by who. All the cybersecurity software is added zscaler and EDR, it’ll start flagging things. Also naming conventions of the workstation in our ITAM will flag things too.

[-]

Quietwulf@reddit

When I was in university, we had an arms race going with the local sysadmins. We liked to install games onto the machines in computer labs so we could host LAN parties, but they kept trying to lock us out.

First they tried to prevent us getting local admin, but at the time MS Office required local admin to run. You could just go into Word, use Open File and select cmd.exe. That’d grant you a command prompt with local admin.

So they tried to block access to the Windows directory to prevent browsing to the file. We used a macro in Word again to just open the file.

This went back and forth for most of my degree.

Good times really. Kept us all sharp 🤣

[-]

KadahCoba@reddit

Mine have been pretty minor.

Had one guy pirating movies. We didn't have much bandwidth at the time so it was a problem. Tried to be nice by giving them the very obvious hint that we knew what they were doing and to cut it out by deleting the whole thing, even left a note to such in the place they had the torrent client hidden. Day later they were doing it again, so I blocked all traffic to or from their workstation to the WAN. About a week later he started torrenting on a different computer but by that morning I already knew he was getting fired that afternoon for other things.

Had another guy had been using his work email to hide his paid porn site subscriptions for years. Was going to have the not so subtle talk about how gmail works with him later that week but he had put in his notice for entirely unrelated reasons. Pretty sure he didn't migrate his email on those accounts before getting locked out.

[-]

NirvanaFan01234@reddit

Not super sneaky or anything, but I used to work for a software development company years ago. One of our interns (who had admin access on some development servers) installed some software that was used for analyzing radio signals. I think it was SETI@home or something like that. He installed it on dozens of servers before anyone noticed. It's one of the only times I've ever heard of an intern being fired. The vast majority of the ones I've worked with are too scared to mess anything up to do anything remotely bad.

[-]

Top_Boysenberry_7784@reddit

Not a user but I worked for a business for a very short period of time and the owner brought in a laptop that was encrypted, and he wanted access to the data. I can't remember the exact story he told but he also said once I got access to not look at any files on the machine. This was 2011 so it wasn't exactly normal to see a laptop with encryption.

There was a a guy I worked with that had a paid megaupload account and would download content on the high speed connection at work and copy to his external drive.

He was downloading more in a week than the rest of the company (1000 staff multiple offices).

Got a paid weeks holiday and interent policy had to be updated, because technically it wasn't against the rules.

He got fired within 12 months of coming back for similar stuff.

I heard from internal IT department one of the files downloaded was "granny bangers 8" or something along those lines.

[-]

matroosoft@reddit

School had storage for each user except they removed all executable files after you logged off to prevent games being played.

[-]

woodburyman@reddit

Back in high school (Early-Mid 2000's) we did something like this, but didn't get caught. Classes after us got busted.

We ran a full on TV station (Local Education Access Channel) from our A/V room. A few nerdy kids like me had keys, and we'd use it as a break room instead of the cafe for lunch, or study halls. Naturally we wanted internet. They wouldn't let us have it because we'd be "unsupervised" in there.

When they redid wiring in 2001-2002, they had to run some fiber and coax for the TV station, and they blindly accepted our request of a few Cat5e cables too. When we were plugging them in the normally locked termination room with their core switches we terminated the Cat5e ourselves and plugged it in. We his the other end of the cord in a ventilation duct, and would pull it out, use it, and tuck it back up as needed to not get caught.

I graduated and the year after I graduated, my clueless now-Ex that was a year behind me, got a old hub (10/100 hub, not switch) and plugged the wire into that, and put a PC in there and left it plugged in and left a Ethernet cable dangling in the breeze to connect to laptops as needed.

Some bright person plugged the loose end of the ethernet back into the hub one Friday morning. Creating a loop.

We found one of our top sales guys using a mouse jiggler. He is super busy all the time and usually comes in the office which is rare for a hot shot sales guy. He is a top earner and spearheads a lot of new business. He refused to explain why he used one. Still doesn't sit right with me but hey, he doesn't use it any more and it hasn't changed anything.

[-]

BlackV@reddit

he doesn't use it any more

Just moved on to a new one

[-]

HistoricalSession947@reddit

There's a ton of micro politics and games at workplaces with "status" on Instant messaging software. You may not need to be worried about it (and good for you!) but plenty of people do and are involved with it.

[-]

ByGollie@reddit

mouse jiggler

In college they had the dorms on a wicked throttle and blocked torrenting. So I figured out how to SSH tunnel past all the blocks , and log into the network with my user credentials. So I could essentially proxy to the unthrottled network and had 2gig internet speed to torrent.

How about IT misusing IT systems...

First 'real' IT job, we were a Compaq shop, convinced my boss to switch to Dell but he didn't trust Dell so he told me that I needed to setup the Dells and stress test them. I configured Seti@Home and ran that on them for however long he wanted. At one point I was in the top 100 accounts.

Hindsight being what it is, this was right when bitcoin was first coming online. I was in a distributed computing forum and there were rumblings about a project that you could 'mine' coins. At the time it was very fringe and not that well understood. I had a fleet of 30+ computers back when you could legit mine BC on CPUs. I don't ever want to know what I could have mined but I also know I would have done something stupid and bought a fucking pizza with them...

[-]

namocaw@reddit

Rogue switches

Rogue WAPs

Putting BYOD devuces on corp WIFI or lan despite signed writtwn policies prohibiting it.

Installing antivirus that fights corp antivirus.

Uninstalling our rwmote acecess software

Actively storing porn on local devices

Hiring IT vendors and signing IT cintracts or using cloud services without consulting rhe IT dept when we typically alreayd hqve other competing services.

Keeping and actively using laptops at gome and sayjng they are lost. (Really? It is live on your home IP right now. Looks like your kids are usng it)

Storing files in prohibited cloud services.

Sending HUNDREDS of outbound emails from domain accounts instead of constant contact and Killing our reputatuin taking outbound email down for the whole org fir a bit.

[-]

RetPallylol@reddit

A regular user somehow got admin credentials, accessed a Cisco switch, and placed his device into a different VLAN. This VLAN did not have restrictions to which sites you could access. I was more impressed than mad really. He later moved into the IT team.

[-]

Kiernian@reddit

WINNER!

LOL.

This one is awesome.

[-]

DiabolicalLife@reddit

Late 90s, my first job was working for the school district (while still a student there). We had Duke Nukem 3D installed on a bunch of our computers and would have early day LAN parties.

At some point we discovered that it worked on computers across the entire district network and many other people joined in.

Backbones between the schools were only ISDN and we absolutely flooded the network to a halt.

That came to an end.

[-]

doctorevil30564@reddit

Way back in the early 2000s when I worked as a computer repair tech who also built new systems for the company to sell. I had a customer who had just bought a really nice AMD Athlon XP Socket A system (wasn't the fastest CPU but it wasn't the lowest spec one either). We offered a warranty on our built computers because we used new components with warranty on them from the company we bought our parts from. To that end I was required to use the foil warranty void if tampered with stickers to seal the case but so long as you didn't do anything stupid we would still honor the warranty.

The PC we sold her was supposed to be for their home business.

A week goes by, the customer comes back with their kid, the kid has broken the deal on the machine and installed a huge double 5.25" drive into the two open 5.25" drive bay slots in the case, and installed a SCSI controller into the single ISA bus slot on the bottom of the motherboard.

She is complaining that the machine keeps randomly freezing up or rebooting.

I ask why did they need that piece of equipment installed into the machine and was told it has some of our business software on it.

I dig out the tester to see how much of the PSU wattage is being used by the added equipment. It's just enough that under an extended burst of read / write activity the machine's PSU is being overloaded. The case and ATX PSU we used was more than adequate for the configuration we sold it to them for the PC with plenty of overhead.

Our recommendation to them was to figure out what software they needed off the drive and copy over to the new drive in the machine, or that we could sell them another drive and copy everything over to that drive from the old one or that we could special order them a new ATX PSU with enough extra available wattage to power that drive and the rest of the system with no issues.

They advise they will move the DOS program over then remove the drive.

A month goes by, the next time the customer's kid comes into the shop with the machine and wants to come back to the workbench area to talk to me about "something" for the PC. Once he gets past our front office and our office admin, he sits the computer onto the workbench and tells me it's not working can you take a quick look at it.

I take the side panel off and look at it and see it's got a different looking heat sink (the one it came with had a sticker on the center of the fan), and when I inspected further after testing it to see if it would post, I discovered that the kid has removed the AMD cpu and tried to cram a Pentium 3 socket 370 cpu into the socket A socket.

There is a lot of damage to the plastic section where you inserted the pins for the cpu into before closing the lever to lock the cpu in place.

I immediately go grab the owner of the company I worked for and showed him the damage before I said anything to the kid. The owner agrees with me that any warranty we had for this machine is now voided.

I managed to clean up the socket enough to re-install the AMD athlon cpu and the customer was called and told what had happened to the computer where "someone" had attempted to switch out the CPU and that as such any warranty we had for the computer was voided but that as a courtesy we had managed to fix the machine by cleaning up the damaged socket and reinstalling the original cpu and heatsink (which the kid had brought with him in a box).

The kicker, the machine still had that old scsi hard drive installed in it. The Kid had been told by someone that a Pentium III was a better cpu than the AMD chip and he took it upon himself to get his mom to buy the cpu as he thought that swapping it out would fix the problems with the computer. Before they left with the repaired computer the last thing we told them and it was also written on the work order that they had to sign was that in addition to the described damage that we repaired, they still needed to remove that drive if they wanted to ensure the stability of that computer for correct operation.

Bypassing firewalls by installing proxies

[-]

WhatsUpSteve@reddit

Former colleague was running a bitcoin mining rig off a decommissioned server. The chief engineer of the data center saw a huge spike on one of of the electrical phases and started tracking it down.
A user was attempting to use a production circuit to torrent his shows off a web server. This one took a while for the cyber security team to track down because they thought it was legit traffic.

These 2 scenarios were from the mid 2000's before fancy monitoring were a thing.

[-]

koliat@reddit

One of sites at previous jobs was somewhere quite deep in Africa. We placed a standard “office stamp” there, dc and fileserver for guys to host their data. Turned out guys have had terrible internet and well, they turned the fileserver into local cache of porn named files. We for sure had a good laugh at IT and kindly told them to clean up as the free space was shrinking

[-]

Palsta@reddit

My virtual machines are cerise rather than rouge.

[-]

monkeh2023@reddit

We supplied one of our users with a high end laptop. He wanted to play games and didn't want to spend money on buying his own PC or console so he decided it would be a brilliant idea to plug in an external SSD and install his own personal copy of Windows.

I visited a branch office because they are having problems connecting to the WIFI and their username/password did not work. First thing i notice when i fire up my laptop is there is a SSID that was removed years ago and the official wireless network was nowhere to be seen.

I rummaged around and found a WRT54G (yes im not shitting you) under a table where is was plugged into a port that was meant for a printer that did not do 802.1x properly so it was disabled for that port.

The real AP i found in a closet on top of the router and switch so it looked ok apart form not being powered up

Oh and to make it real funny the password for the SSID that broadcasted was written on a note and pinned to the lunch room notice board

This AP was used by a external company that they had apparently made an agreement with ... straight into the corp network.

ToBePacific@reddit

We had a malicious actor create a M365 account which they they used to host a few dozen terabytes of pirated movies and tv shows.

[-]

alan2308@reddit

I'd have to say the lengths users went to in order to hide the mouse jigger app on their workstations after the org started cracking down on it. But I guess that's what happens when managment measures productivity by the percentage of the day your status is active in Teams.

[-]

kop324324rdsuf9023u@reddit

I pirate all my movies and TV on the company internet because its faster than what I have at home.

[-]

xKINGYx@reddit

When I was at secondary school, I used to hang out with the sysadmin along with some other students during lunch breaks in his office as I’ve always had an interest in this sector. (10 years later I’m a programmer and homelabber so you could say it set me up for the future.) He taught me how to build a PC and I, along with the other interested kids, built a number of the PCs in use around the school.

He was the sort of chap you could mess with and he’d find it funny - as long as it was essentially harmless, there wouldn’t be repercussions.

I discovered a network share that was mounted automatically at boot by the PCs in school whereby they would execute a few scripts there to configure printers and such. Inside, I put a small VB script to loop opening and closing the disk drive over and over, then waited for the next day when the computers would all start.

Carnage ensues and I go more or less immediately to the sysadmin to let him know what I did so he can deal with it and he just bursts out laughing and is like ‘well I guess that’s on me, that share should have been mounted read only!’

Went on to find a few other security holes for him such as being able to access the BIOS on laptops etc…

Cracking guy. Would genuinely love to go for a beer with him.

[-]

avmakt@reddit

My first IT job back in the 90s was at a college, and one day a ticket came in from a lab saying an RJ45 socket wasn't working.

Checked the switch and it showed the port both working and, more mysteriously, connected, even if the socket was empty.

Removed the plate and found that someone had hijacked the network port and tapped into the power line, routing both below the floor boards to an old Mac motherboard with an HD. Running linux IIRC, but I may be wrong on that. Anyway, it was all very nicely and cleanly done, a lot better than some of my then colleagues would be able to. Can't remember what it was running though, probably just set up remote access to be able to pirate stuff.

Forensics on the HD showed it had been an office computer at a doctor's office, and it turned out the docs son was a student with access to said lab. What passed for legal at the time bucked as soon as the student (through his parent) denied everything and threatened to lawyer up, so he only lost his equipment.

I quit and moved not long after but heard he actually asked for the stuff back after graduating, in person no less.

[-]

bluegrassgazer@reddit

I worked for a marketing research company in the early 90s that had a fancy new piece of hardware called an auto dialer. You load it full of phone numbers, and you have a group of marketing research analysts who talk to consumers. It dials the phone numbers and sends calls that have connected to an analyst phone.

[-]

da_apz@reddit

I worked for an MSP and we set up centrally managed WiFi APs in a customer's very large facility. It was not monitored. When we finally got a call about the system, the problem was that at random some machines don't have working Internet. I went to investigate and true enough, some machines didn't have Internet, but they also had 192.168.1.0 network, which was not what was supposed to be.

What do you mean "misuse"?

If a person starts using a system in previously undiscovered ways that's ... good?

Why would I want to invent a problem where people were able to solve completely on their own?

[-]

TinderSubThrowAway@reddit

I think it’s people doing things to do unauthorized things through unique ways.

[-]

BloodFeastMan@reddit

Exactly, if someone finds a clever way to accomplish a goal, I wanna be introduced.

[-]

hells_cowbells@reddit

This one wasn't sneaky as much as it was just stupid. One day I got an alert from our IDS about a system trying to hit an IP in Russia. I investigated, and found out it belonged to a guy who had somehow convinced management that he just had to have admin rights to do his job.

I went to his office to investigate, and explain what I saw. He said something like "oh yeah, that's probably my PopcornTime app I installed" I wasn't familiar with the app, so he gladly explained that it used BitTorrent to stream media. And he saw nothing wrong with this.

From rouge virtual machines

I've heard of Azure VMs, but rouge is a new one.

[-]

SausageSmuggler21@reddit

My first job was 3rd shift helpdesk back when home internet speeds were 14.4k. The other guy was using the company's three -500k lines to download music. He would fill up some DVDs with music and sell the DVDs to his friends.

[-]

s_schadenfreude@reddit

Gotta watch out for those red VMs!

[-]

tommykw@reddit

I used to store game exes in MS Word.

Since it was also Window's 2000 at the time, login and pull the ethernet cable on profile load to get admin rights.

Built many many CGI:PROXY website's to circumnavigate web filters, also had automated the process.

I will offer my sincerest apologies to my school admin for them 5 years of him chasing me around.

Sorry, P.A.

[-]

BuffaloOnAMotorcycle@reddit

Had a user bring in their own laptop to circumvent a group policy we have that locks the computer after a certain amount of time. He would use a personal hotspot for Internet and just plug his laptop into a TV to display his presentations. I guess he wasn't technically misusing OUR system just going around it..

[-]

InsaneHomer@reddit

Not so sneaky as dumb. Tried to emailed himself a 'work.zip' file. But it wasn't work was it? Screenshots and downloads from his WhatsApp:- nudes, dick pic etc al.

[-]

Special_Luck7537@reddit

I kept seeing outbound traffic and a large influx of email from/to an Amazon type site on a regular basis, and investigated.

A new hire had setup her own store, and was designing her site and taking care of orders while working as a marketing analyst, using our shipping to mail out products, sent under the guise of Marketing Manager ...

She bounced quickly .

[-]