Worst thing I ever witnessed in IT in 20+ years

[-]

peteybombay@reddit

Honestly, if this company will be dealing with your data or have access to your systems, you should definitely mention this to your boss and management at the least and their leadership at the most. I'd recommend trying to lock down their accounts or access as much as you can or at the very least send your concerns in an email for CYA if they decide not to listen to you.

Reply

[-]

smoothvibe@reddit

This. Your company should never make deals with them.

Reply

[-]

Icy_Performer_9675@reddit

yeahh for real

Reply

[-]

Cczaphod@reddit

If there’s any concept of Vendor Risk Management at OPs company, this app does not pass the vetting process.

Reply

[-]

Comfortable_Place465@reddit

Yep and this is exactly why vendor selection needs technical knockout criteria upfront. A spreadsheet with root passwords on HTTP instances should've disqualified them before any demo. Btw, tools like [ERP Pilot](https://www.erp-pilot.com/) catch these dealbreakers like this early-worth running any vendor through that filter before they even get to screen share if you're asking me..

Reply

[-]

Upbeat_Whole_6477@reddit

Unfortunately a vendor like this would just lie on the risk assessment. I’ve worked with people like this. They will talk security all day, but in practice…

Reply

[-]

tankerkiller125real@reddit

"SOC 2 or ISO Report?" Immediately wipes out the vast majority of the slimy "security is around everything" lying scum. There are still ones out there that cheated on those, but are far rarer in my experience, and so long as you get the contract right, incredibly easy to pull away from them when you discover it.

Reply

[-]

seanhead@reddit

"can you work in an air gap?"

Reply

[-]

hardolaf@reddit

If you ask for a SOC 2 report from AI vendors, you eliminate almost all of them. It's one of the few things that legal insists on that is saving my employer from going all in on AI everything.

Reply

[-]

awful_at_internet@reddit

To be fair, with security that poor, you can probably just make them lose your number.

Reply

[-]

tagehring@reddit

Just log in as them and delete your own contact info.

Reply

[-]

chuckmilam@reddit

“Oh yeah, we’re totally STIG/FIPS compliant!”

Reply

[-]

ConsciousEquipment@reddit

why tf would the vendor straight up say that they do this lmao, this was clearly internal stuff that they had for their own convenience and not what they officially state that they use.

Reply

[-]

pinkycatcher@reddit

As a director, I would red-flag this vendor so hard. If one of my employees saw this and *didn't* bring up this massive security risk I would be livid.

Reply

[-]

PapaDuckD@reddit

> If one of my employees saw this and didn't bring up this massive security risk I would be livid. Not disclosing this is a resume generating event. You're either complicit in some way or flagrantly incompetent. Both are cause for removal.

Reply

[-]

pinkycatcher@reddit

It depends, for a senior not to bring it up I would definitely put them on the short list and we'd be talking to figure out why it wasn't brought up. For a junior, I can see thinking it's normal, but we'd definitely talk and I'd definitely have a good long conversation on things they should bring up and they should always feel comfortable to bring up concerns at any part of the process. For a cybersec employee I would walk them.

Reply

[-]

Curious_Morris@reddit

I need to get off this vendor ASAP. That is going to be an inevitable disaster. I hope neither of the companies are publicly traded.

Reply

[-]

tdhuck@reddit

100% agree here. That being said, I bet a lot of companies are doing stuff like this and we have no clue because it wasn't shown via demo and we don't see the backend of many companies we deal with. I'm not saying this is common or the norm, but I bet it is a lot worse than we think.

Reply

[-]

cvc75@reddit

You’re probably right about other companies having similar backend security, but *this* company is the one who also exposed the sheet to a third party, in a recorded session. That should be three strikes against this company.

Reply

[-]

tdhuck@reddit

100% agree.

Reply

[-]

helloiisclay@reddit

Honestly, since that's all screen recorded, I'd probably reach out to the people on the list's IT departments and let them know that you have a screen recording of their ERP root passwords from the provider leaking them during a recorded call. At the very least, to let them know so they can demand a password change. It doesn't sound like the vendor is going to consider this a significant leak.

Reply

[-]

krypticus@reddit

Our company would flip their shit and open a huge incident response from the corporate side if any of our employees share production environment passwords in a spreadsheet on a friggin’ LIVE SCREENSHARE!!

Reply

[-]

peteybombay@reddit

Yeah, I am generally for letting people stew in their own mediocrity, but sometimes it only takes a little nudge to let someone in charge know what a shit show they are running.

Reply

[-]

TreborG2@reddit

Should have taken a screenshot, and said that to the boss.

Reply

[-]

Equal-Daikon9456@reddit

They have the full recording.

Reply

[-]

hardolaf@reddit

Also, OP should assume the senior leader didn't know about this and probably should let them know as a heads up to help them avoid recommending the vendor again.

Reply

[-]

Dull-Personality5131@reddit

i experienced similar thing

Reply

[-]

Suspicious_Drummer27@reddit

Was there any indication they had basic controls in place at all (backups, access restrictions, credential rotation), or did it look as bad as it sounds?

Reply

[-]

WitnessTemporary3415@reddit

That’s not just bad, that’s terrifying. One leak and everything’s gone.

Reply

[-]

arcsilencer@reddit

That’s not just a red flag, that’s basically a full security fireworks show

Reply

[-]

Fantastic_Self_5151@reddit

Was it a company in Maine by chance? Was the guy's name John? (Asking for a friend!)

Reply

[-]

ChampionStrange7719@reddit

im not surprised tbh. I once found a file on a desktop called passwords.. full of tonnes of critical ones. safe to say we had a few chats that day and it still gets mentioned during info sec inductions.

Reply

[-]

Loopback76@reddit

Yikes. Worse than a sticky note with a password

Reply

[-]

cheetah1cj@reddit

My previous company had a client once that worked in the medical field, and had many customers coming back repeatedly for months; so, they would come up with a treatment plan and monthly cost for each customer. All of that was stored in an excel spreadsheet with the customer's credit card info, and one person would manually copy and paste each number into their credit card processing system once a month to charge each user. I discovered this when someone accidentally deleted a single item in the spreadsheet, shifting each credit card number up so that the cards suddenly were mixed up with the customers, they got lucky that they failed to run them due to the other card info not matching the card number. Oh yeah, and that spreadsheet was unprotected and sat with an obvious name in their file share that everyone had access to; and almost every employee accessed it regularly to add or update customer information as needed.

Reply

[-]

DesertDogggg@reddit

Were all the passwords P@ssword?

Reply

[-]

eric5149@reddit

This shit is criminal

Reply

[-]

TreacleNo8508@reddit

Ich kann auf so eine Geschichte nicht glauben. Fast alle IT Mitarbeiter sind klug, energisch und sensibilisiert für Risiko.

Reply

[-]

VirusHunt3r@reddit

Can you share the recording with me? We're um.. We're looking for a new ERP.

Reply

[-]

Cyber_Faustao@reddit

Sounds like they have a cloud-native solution for secret management, with full history tracking, support for rich text and more. Plus their backend provides full transparency for IDS software running in your network, with zero configuration required given its use of mature protocols that are well supporyed.

Reply

[-]

dnuohxof-2@reddit

The worst words to hear in IT “I know a guy”

Reply

[-]

Itchy_Bug2111@reddit

I lowkey want to become that guy sometimes when I get a look at how much we pay for trivial services. Postman is valued at billions for a basic http client 😩

Reply

[-]

haroldthehampster@reddit

Agreed but also what's the context bc if some SSDs fell off a truck well...

Reply

[-]

LaughableIKR@reddit

I've seen this kind of thing before in a screen share. I remained quiet and wrote them off.

Reply

[-]

Puzzleheaded-Durian6@reddit

That's what happens when the entire product dev and deployment is left to developers. Not being negative, just every team has their speciaisto

Reply

[-]

BLC_ian@reddit

i've been on this sub for a very long time with my alt. and i keep hoping things will get better, but nooooo. so hat's off to the lion's share of you cyber ninjas who have and maintain good ethics and morals, because the damage done by ever-increasing layman stupidity just boggles the mind. can't help but think there has got to be a course somewhere on whatever the opposite of Criminal Psychology is; Think Like a Double-digit 101.

Reply

[-]

malikto44@reddit

Wasn't near as bad, but I kept having a client send me the private key to their wildcard cert to their entire domain, more than once.

Reply

[-]

Xzenor@reddit

Ugh.. had that PLENTY of times .. sent securely thankfully, People don't get what the keys are for exactly, and I get it. It's not easy if you're not into this..

Reply

[-]

bentbrewer@reddit

Yeah, when I first started working with certs I sent the private key to a co-worker. I had no excuse other than lack of experience and I didn’t RTFM.

Reply

[-]

TastySyllabub1@reddit

What manual do you read on this? My skill set when it comes to certs isn’t nearly as developed as it should be, and I want to change that, so resources you yourself find useful are appreciated.

Reply

[-]

bentbrewer@reddit

In this instance specifically, I read pretty much the entirety of the "manual" section from here: https://www.openssh.org/manual.html. I also read much of documents section from here: https://docs.openssl.org/master/man7/ossl-guide-introduction/

Reply

[-]

TastySyllabub1@reddit

Thanks, I appreciate it! These are going straight on the reading list for when I'm back at work

Reply

[-]

timrojaz82@reddit

If something says private. Or key. Or private key. Don’t share it unless you absolutely HAVE to. And share it securely

Reply

[-]

darthwalsh@reddit

Unless it's a firebase webapp API key, then you just embed it in the HTML. I keep getting security scanners emailing me "YoUr kEY iS pUbLiC" but it's literally in the official docs.

Reply

[-]

R4ndyd4ndy@reddit

Except it's a Google maps api key and you enabled gemini on your project, then it's suddenly supposed to be secret

Reply

[-]

AndyceeIT@reddit

😁 "Can you send me the cert... no not *that one*!"

Reply

[-]

ocdtrekkie@reddit

I've had so many vendors indicate we should just give them our domain registrar credentials so they can go update our DNS, and be very confused at the "are you joking? absolutely not!" answer they got every time. People do not realize that their domain account pretty much backs the entire security model in modern web-based nonsense.

Reply

[-]

Valkeyere@reddit

I work in MSP land. The number of times ive had a client send their DNS logins to some new web developer who had decided to move DNS from where I have the nameservers pointing to their own shit or something because thats how they do the website hosting, all in one big box, is nuts. Of course, email goes down. I get angry phonecalls. Takes a while to get to "You gave logins to someone who shouldnt have them. And they have broken your email. Give me one minute and Ill get email working. And I will need to talk to this webdev'

Reply

[-]

Royal-Wear-6437@reddit

Strangely I had this with a client just a few weeks ago. Neither client nor the webdev had considered that moving to a new DNS provider without copying all the records would have had such a visible impact

Reply

[-]

Valkeyere@reddit

Its not strange to me. I think I see this several times a year across all the clients. They simply don't understand and no amount of education gets through.

Reply

[-]

TheDarthSnarf@reddit

A rather large OT firm (that supports a frightening amount of critical infrastructure), that I was brought on to assist with a security assessment of, had their customer VMs setup in a way that for authentication back to the parent server the customer had to update the private key for their wildcard certificate every month (to keep it secure). They were literally sending their single Wildcard cert with the private key to every one of their customers every month "to keep it secure". The key could be used to authenticate to any of their services and and to mimic any user. Their API's "authentication" was simply their Wildcard Cert for <example.com> coupled with the proper subdomain name for the customer. Nothing else. So anyone with the cert from say <company1.example.com>, could use it to authenticate as <company2.example.com> simply by changing the domain name in the request. It didn't even require DNS validation or anything else - that was it. The worst part is, as far as I know, that's still how it functions.

Reply

[-]

RikiWardOG@reddit

this honestly doesn't even surprise me in the lease, as unfortunate as it is.

Reply

[-]

Kraeftluder@reddit

Back when I was implementing eduroam with FreeRadius to our eDirectory, my buddy from a school in Wales said "Hey man I'll send you our Freeradius config!" for which I was very grateful as I'd never played much with it. So I open up the config files and spot two things; first they use their tree admin account to authenticate instead of a proxy user, but most importantly I spot an actual admin password in there as well. Whoops.

Reply

[-]

graph_worlok@reddit

Were you needing to deploy a cert at all?

Reply

[-]

Cooleb09@reddit

Generally its people who don't give a fuck just send 'all the files' to the computer weenie because figuring out which is which takes too much effort or care.

Reply

[-]

ItsDaManBearBull@reddit

I'm fairlyy tech savvy, but i'd do something similar if nobody told me how sensitive those keys are.

Reply

[-]

kaaz54@reddit

General handling of certificates are in my experience something that people very often half-ass (often with the excuse "it's complicated"/"I only do this once a few years"/"we'll do it right when we have the time to properly look into it") or generally haven't leant properly, as it's often one of the last topics in school which gets skipped when time is short.

Reply

[-]

Kurgan_IT@reddit

This is quite common. also, it's CC to 20 people every time. And everyone will keep that email forever in their inbox, waiting to be compromised. This is "real life security" at every big org.

Reply

[-]

Ok_Wasabi8793@reddit

That’s more understandable but maybe worse?

Reply

[-]

CodeGrumpyGrey@reddit

> A rogue employee or that Google Sheet getting compromised That Google sheet has already been compromised. They utterly failed to keep it confidential when on a screen share with you. And from the sound of it, it’s just business as usual - so you can bet it has been shown to others as well.

Reply

[-]

Adventurous_Gold721@reddit

We trust you so much Mr customer we are willing to show this highly confidential document! I am such a great vendor for you!

Reply

[-]

Kurgan_IT@reddit

And it's unencrypted on Google anyway, so it's compromised by design.

Reply

[-]

musashiXXX@reddit

Explain yourself. FYI, everything stored at Google is encrypted at rest. [They've got a whole ass whitewater about it](https://services.google.com/fh/files/misc/google-workspace-encryption-wp.pdf).

Reply

[-]

ka-splam@reddit

> Explain yourself. FYI, everything stored at Google is encrypted at rest What difference does that make? Encrypted-at-rest is only useful for things which are powered off, or disposing of old disks. If "opening the file" brings it back in plain text, it's irrelevant whether it was encrypted or not on disk. Anyone who cons or phishes that salesperson's password can see the Google sheet with plain text root passwords. Anyone who steals their unlocked Android phone or unlocked laptop from a cafe can as well.

Reply

[-]

musashiXXX@reddit

What the hell are you arguing about? I clearly said... >Storing secrets in a spreadsheet (instead of a password manager or similar), likely shared with others, is extremely reckless and bad practice. It doesn't matter if it's Google Sheets, Excel, or LibreOffice. I'm not defending that whatsoever. My original response was in reply to this brain-dead comment: >And it's **unencrypted** on Google anyway, so it's compromised by design. (Emphasis mine.) Whether it's a Google Sheet or any other file, if you get compromised, everything is at risk... duh.

Reply

[-]

ka-splam@reddit

What the hell I'm arguing about is: You: "FYI, everything stored at Google is encrypted at rest" Me: "What difference does that make?" If you call that a "hell of an argument".

Reply

[-]

Kurgan_IT@reddit

Storing secret in a spreadsheet is wrong, uploading it to cloud is wronger. Don't care if it's google or MS or whatever, unless it's encrypted locally and sent encrypted, which is not the case for Google or MS or almost any cloud provider. And if it's encrypted at rest, who cares? Who's gonna steal Google's servers to retrieve data? No one, reasonably. Who is gonna hack Google? Probably almost no one, but if it happens, encryption at rest is useless. And who know what's Google (or MS, or any other cloud storage provider) is going to feed to its AI training? I'm not saying they will actively steal your passwords and use them, but they are going to mix everything into their AI training data, and who knows what will this lead to?

Reply

[-]

musashiXXX@reddit

As an IT professional, how do _you_ manage secrets? Furthermore, how do you manage the sharing of secrets, securely, within a team? I'm not asking for the "official" answer, I'm asking you how _you_ do manage this process within your organization, out of curiosity. Storing secrets in a spreadsheet is bad practice; I've said this already. Your comment regarding "Google" and "compromised by design" was what started this conversation. Let's be honest, it was an ignorant thing to say. Regarding Google using your data: "Nothing is free on the internet. If you aren't paying for it, you are the product." ... This statement holds true once again. If you're a paying customer, Google doesn't use your data to train AI models (among other things). ["Google Workspace customers own their customer data, not Google. Customer data that Google Workspace organizations put into our systems is theirs, and we do not scan it for advertisements."](https://workspace.google.com/learn-more/security/security-whitepaper/page-6/#:~:text=Google%20Workspace%20customers%20own%20their%20customer%20data%2C%20not%20Google.%20Customer%20data%20that%20Google%20Workspace%20organizations%20put%20into%20our%20systems%20is%20theirs%2C%20and%20we%20do%20not%20scan%20it%20for%20advertisements.) Finally, "encryption at rest" is not useless, and I find it amazing that I even have to say that.

Reply

[-]

ka-splam@reddit

> As an IT professional, how do you manage secrets? Furthermore, I'm not asking for the "official" answer, I'm asking you how *you* do manage this process within your organization, out of curiosity. We've all been on the internet long enough to know that you aren't asking "out of curiousity", lol.

Reply

[-]

musashiXXX@reddit

Bro, I wasn't asking for the username and password to the Box.com account containing the notepad doc you use to store the admin and root passwords for every server, firewall, switch, and coffee maker for every organization serviced by the MSP you work for...

Reply

[-]

ka-splam@reddit

> This thread is full of people who can all explain why storing secrets in a spreadsheet is bad, yet I guarantee at least half of them are doing equally heinous shit behind the scenes You can't "guarantee" it. What you're doing is "fantasizing that other people are dumb" because it makes you feel superior. Look: > wasn't asking for the username and password to the Box.com account containing the notepad doc you use to store the admin and root passwords for every server, firewall, switch, and coffee maker for every organization serviced by the MSP you work for... This is all fantasy, and the purpose of the fantasy is to paint me as inferior. It's not backed up by any facts. It's been like 18 years since I worked for a company that held plain text file passwords, in that time even the budget MSPs who don't want to pay for a cloud vault like LastPass have KeePass Free on a network share.

Reply

[-]

Mirigore@reddit

You were never advocating for the spreadsheet approach and I think a lot of people missed that

Reply

[-]

musashiXXX@reddit

Oh, definitely. 🤣

Reply

[-]

Kurgan_IT@reddit

I work alone, that's why I'm OK with keepass on local storage, plus abundant local, non-connected backups. If I have to share something (it happens) I usually send encrypted keepass databases (with the needed credentials) and then tell the password by phone or anyway I use a different way, not the same I have sent the data over. Not perfect but workable. About free things, it's clear that free services will use (abuse) your data. fine. Paid for services should not. But do you really know what happens for sure?

Reply

[-]

musashiXXX@reddit

KeePass is great, I've used it myself. In single-user scenarios such as yours, it works well. Sending an encrypted KeePass database, containing only the credentials intended to be shared, via electronic means, then delivering the database password out-of-band can also be good practice. As with any credential sharing scenario, context is king. Whether or not the act of sharing credentials is sufficiently secure is always highly situation-dependent. It sounds like you have a good grasp of all that. > Paid for services should not. But do you really know what happens for sure? When a multi-billion-dollar company puts certain statements into their legal documents, then routinely conducts SOC 1 and 2 audits and releases SOC 3 reports, I'm inclined to believe that they're at least trying to live up to what they've promised. You have a point, _but_ taken to its logical extreme, it's easy to descend into conspiratorial thinking. Defense-in-depth (multiple, overlapping controls) is a thing because no system is ever 100% secure, 100% of the time, legal and/or technical documentation be damned. To put it another way, I agree with you in principle, but business needs must still be met. _Our job(s)_ is to ensure they are being met in the most efficient, secure manner possible, balancing the myriad, oftentimes conflicting requirements of our users, principals, customers, etc., given the available resources. Needless to say, it's not an easy job. I hope you have a great day!

Reply

[-]

CodeGrumpyGrey@reddit

> As an IT professional, how do you manage secrets? Furthermore, how do you manage the sharing of secrets, securely, within a team? I'm not asking for the "official" answer, I'm asking you how you do manage this process within your organization, out of curiosity. A shared Bitwarden vault, which uses SSO to our Entra tenant so everybody has their own login. It's not exactly an unsolved or difficult problem. Anybody using a spreadsheet in this context is doing it wrong - dangerously wrong.

Reply

[-]

ConsciousEquipment@reddit

> shared Bitwarden vault, which uses SSO to our Entra tenant so everybody has their own login lmao and you conveniently forget to mention what a pain all that is to set up. Probably also costs a fortune. You can have google workspace business standard for 6bucks per user month or even free google drive. Then put a sheet in there done deal bookmark the link takes a second

Reply

[-]

CodeGrumpyGrey@reddit

Ok, ‘free’ option - Keepass(or KeepassXC or similar of your choice) with a vault file in a shared location and a shared password. Not ideal - lacks an audit trail, but still better than a spreadsheet. At least with a proper password manager you don’t run the risk of exposing all your client passwords because you opened the spreadsheet on a recorded zoom call. Setting up a password vault isn’t hard though. Cloud hosted Bitwarden is $6 for the SSO supported plan. If your business requires that you have credentials for customer systems (or even for your own systems), then that seems like the bare minimum you should be doing to show you actually give a shit about customer security.

Reply

[-]

runamok@reddit

I wonder if the AI note taker summarized it, lol.

Reply

[-]

syntaxerror53@reddit

But did AI inform the compromised companies that they had been compromised though?

Reply

[-]

Dzov@reddit

Plus op was recording, so they can log into all of those instances.

Reply

[-]

ConsciousEquipment@reddit

it's not because OP is not doing anything with it, or at least that is what you would commonly expect lmao....it is generally assumed that no one does something unreasonable and if OP is quiet and hasn't seen that, you know...HAS NOT SEEN THAT, then it is all fine. It's only a problem if you make one of it and if it were me tbh I didn't see this because why the fuck am I opening a rats nest about whatever that is not my problem. If they have a security issue they can solve it when they see a need to.

Reply

[-]

wrincewind@reddit

Or, yknow, op's company gets compromised through their login when it's added to that sheet... Hell, what about the "ai note taking app"? Was that reading the screen? Did all those root passwords get scraped and added to ChatGpt?

Reply

[-]

ipreferanothername@reddit

crazy, but not that surprising to me - i work in Health IT, we are a not-for-profit org. 10 hospitals, 100 clinics, 15k employees, $1b+ in revenue. every time we have to renew a contract for something i swear we find the cheapest alternative and just go with it on cost. right before covid , so like....2018? we had bought a vendor hosted instance for some kind of medical app, tested everything fine, went to the production rollout and had TERRIBLE performance. Eventually we found out that the vendor was running only 2 servers: 1 for ALL CUSTOMER TST, and 1 for ALL CUSTOMER PRD. management lost their shit on that place and scurried to find another vendor. i never heard more details after that. lots of people playing video games are bad at games - they just dive in and start clicking. turns out, lots of people treat IT the same way.

Reply

[-]

czenst@reddit

>lots of people playing video games are bad at games - they just dive in and start clicking. turns out, lots of people treat IT the same way. I just felt pain going through my body, like something would come out that was there inside that I couldn't name - but here it is spelled out.

Reply

[-]

slonk_ma_dink@reddit

> 1 for ALL CUSTOMER TST, and 1 for ALL CUSTOMER PRD. I'm struggling to find a silver lining here, but at least they weren't testing on prod lol

Reply

[-]

MathmoKiwi@reddit

You're assuming they named the servers correctly. That might be it *used to be true*. But now for the sake of "load balancing", they have half of customers on one server, and the other half on the other server.

Reply

[-]

ConsciousEquipment@reddit

…lol. In Germany it was somewhat common for a lot of medium size businesses to build or hugely customize their own software and there was this old ass stockkeeping program that would keep track of granulate silos and containers full of pellets and stuff like that. Basically early production planning but made with delphi or nav 2009 iirc. You have no idea how many times I saw wild UI issues and heard oh yeah that was made by, like, a guy. And he doesn’t work here anymore so. Zero info or support on prod critical software, completely orphan. Or hm this runs well on a nav dynamics windows server 2009. This particular one. But it won't even launch on modern windows without compatibility modes that are crazy inefficient and have windows scaling issues, crash in Vcenter etc.so basically if that 20 year old AIO that Jürgen from RnD bought back then ever goes kaput, we are cooked and have to halt manufacturing.

Reply

[-]

slonk_ma_dink@reddit

> oh yeah that was made by, like, a guy. And he doesn’t work here anymore so. lol in smaller industries in the US, or at least specialized ones, you'll see this often too. I have two clients with customized erp/crm solutions tailored to their exact business logic with a "guy" they call when they have issues, the developer. none of the shit gets updates, so a month or so ago I had to handhold one of them through explaining that TLS1.2 wasn't going to cut it anymore for one of the integrations. That was rough to troubleshoot, and rough to explain.

Reply

[-]

MuffinsMcGee124@reddit

The AI note taker watching all this go by ![gif](giphy|s06SLiBLOG1dMHTUZr|downsized)

Reply

[-]

UntrustedProcess@reddit

Have they passed an SOC2?

Reply

[-]

planedrop@reddit

Sorry but SOC2 doesn't really mean anything lol, in fact just over the last few days the infosec community has been hugely making fun of it. Still, yeah this is bad enough even an audit would've caught it lol

Reply

[-]

planedrop@reddit

Man, these same people that do shit like this will get paid $500k a year and make stupid mistakes constantly.

Reply

[-]

StochasticLife@reddit

Wow. That dude did you a huuuuuuuge favor.

Reply

[-]

Imobia@reddit

I have a similar story, small ERP. Consultants come onsite to perform an upgrade. Ran into an issue. guy goes I saw this on a customer’s site, I’ll check what we did there. Proceeded to pull his personal laptop out of bag and RDP’s to this customer’s ERP server. As Administrator by the way! I asked hey did you connect to a vpn ? Looks at me like an alien what’s a VPN. Dude literally had their customers ERP on the net with Administrator as the user. WTF man, this dude was probably paid more than me. I didn’t get the password but given he tried to set our password as only 5 letters it can’t have been good.

Reply

[-]

sheikhyerbouti@reddit

I used to work for a niche EHR company as their tech support. Every now and then a weird issue would come up that would require me to escalate the ticket up to our engineers. Nine times out of ten, the dev would tell me to grant read/write permissions to "Everyone" on the local database instance. I mentioned the security risk that creates to my management, and they just shrugged. I'm so glad I don't work there anymore.

Reply

[-]

Kurgan_IT@reddit

It's the same for every customer probably, too.

Reply

[-]

MathmoKiwi@reddit

Five letters he says? Bet the password is: "Admin"

Reply

[-]

dhanson865@reddit

> Administrator as the user. WTF man, this dude was probably paid more than me. > > > > I didn’t get the password but given he tried to set our password as only 5 letters PW = Admin

Reply

[-]

Nu-Hir@reddit

As if the capitalized the a.

Reply

[-]

hutacars@reddit

`adMin`, to make it extra secure.

Reply

[-]

jcpham@reddit

The information Security department has determined this password meets strength requirements set forth in company policy because 2 out of 4. That capitalized A really seals the deal, without the capitalized A this password would be deemed non-compliant. My work here is done, heading back on over to shittysysadmin

Reply

[-]

RevLoveJoy@reddit

Password!

Reply

[-]

AnonymooseRedditor@reddit

I will say this because I used to work with them business application administrators that looked after ERP. They are not technical people. These are business people with an understanding of the process and the business application. There is a huge skills difference between a functional consultant and a technical resource. I was the technical SME for a consulting firm and let me tell you some of the shit that my functional consultants tried to pull on customers like this boggles my mind thankfully I was able to shut that crap down pretty quickly and bring that organization into some semblance of hey Moose‘s team takes care of all of the technical plumbing and we implement the software job done that’s it. I did not give any of those consultants administrative access to services, especially in production environments you want admin in dev environment to do some testing fill your boots guys.

Reply

[-]

psiphre@reddit

> don't fucking name them or anything

Reply

[-]

AnonymooseRedditor@reddit

Sadly this wasn’t uncommon 10 years ago

Reply

[-]

dreniarb@reddit

not even 5 years ago. at bare minimum i'd hope that they'd at least restrict the source address to their office's static public ip address.

Reply

[-]

RevLoveJoy@reddit

Wasn't uncommon 25 years ago. 20 years ago. 15. 10. 5. Now. I've seen things you people wouldn't believe.

Reply

[-]

syntaxerror53@reddit

Easy1 no one can guess that one can they? /s

Reply

[-]

ConsciousEquipment@reddit

ok but you do realize that this guy probably needs to remote into all kinds of shit all the time really fast. Authentication fatigue is real and then a vpn on top of that, all that doe sis make things even slower. It would have taken like 5 minutes of back and forth and pasting auth codes to get in there if it had been some kind of assbang service account where you need to fully log out and change to a admin account etc that's a hassle a I can totally understand that he obviously wants this quickly accessible and what are the fucking odds someone will do shit about it. Honestly calm down

Reply

[-]

G8racingfool@reddit

That's why there's this awesome little thing called **DOCUMENTATION**. But who does that nowadays, amiright?

Reply

[-]

Automatic_Rock_2685@reddit

Jesus christ

Reply

[-]

say592@reddit

In case this isn't sarcasm, unsecured RDP was/is one of the leading vectors for ransomware. Combine that with using the "administrator" account, yikes. Attackers are specifically scanning for unsecured RDP and attempting to brute force admin accounts. There are ways to secure it. You can use an RDP gateway, for example. Using a VPN is an obvious and easy way. Not using RDP and using a different remote client, which has MFA, is a fairly obvious and easy way.

Reply

[-]

shtef@reddit

I can't tell if this is sarcasm or not

Reply

[-]

Imobia@reddit

I’m with you, but every person who I’ve met gunho about security has a different opinion when they deal with a crypto lock .

Reply

[-]

AustinGroovy@reddit

I was a contractor brought in to help a company transition from one large Corporation to splitting a division off into a separate org. During this transition, many of the IT staff chose to go to the new corp, so the old corp was limited. One day, someone discovered their "Password Excel spreadhsheet" got deleted from a network share. Everyone panicked - one of the senior guys on the old team reached out to his buddy who left for the new Corp and asked if he had a recent copy. HE DID. #1 - they were using Excel to store all the critical IT passwords. Whoa. #2 - The IT staff that left for the new corp were allowed to leave with this same spreadsheet. Whoa.

Reply

[-]

Coinageddon@reddit

I'm guessing they also have soc2 or PCI compliance?

Reply

[-]

frankv1971@reddit

This is the reason i never share my whole computer desktop, only the screen/application that I want to share. I explained this multiple times to coworkers that it is not good to share your computer desktop, there could always popup something that is confidential.

Reply

[-]

_the_r@reddit

Full ack. Tried the same multiple times, some people just don't want to understand the risks. And that's not only non-technical staff. And to make it worse, Dev Team lead also tends to warn to not share full screen on teams and then does interviews with potential devs (or bots?) on Tuple where always the full screen is shared (and in addition uses parts of the prod codebase)

Reply

[-]

jduartedj@reddit

the cherry on top is the AI note taker being there to capture it all in pristine detail lol. that recording probably got processed, transcribed, and who knows where that data ended up. so now you've got root passwords to prod instances potentially sitting in some third party AI companys servers too. i had something similar happen at a smaller scale, vendor was demoing their monitoring platform and casually opened a browser tab with their internal wiki that had API keys for like a dozen clients. didnt even flinch. just alt-tabbed past it like it was nothing. when we brought it up later they said "oh nobody noticed that" ... we did, very much. the "I know a guy" pipeline is the #1 way companies end up with vendors like this. nobody does proper due dilligence because some VP played golf with the founder once

Reply

[-]

daven1985@reddit

Wow... I would not being using that solution anymore. In my reason for not using I would tell them "When your user showed us all the passwords to your system, which are stored in a cloud google sheet. And this could happen every time I believe your system has no security."

Reply

[-]

fuknthrowaway1@reddit

I used to sub for a MSP friend of mine when he was busy. It was never anything terribly complex and he paid contractor rates, so I didn't mind. Anyway, one day he calls and asks if I can pop over after work to reboot a print server just down the street from me. When I hit the reception area I met a nice lady called Dana. Who got my name wrong, didn't ask for ID, and promptly handed me a big ring of keys and a three-page printout of passwords. Seriously, it was just "Hi! You must be Bob's guy, Tim. I'm Dana. You'll need these, it's room 306 upstairs." It was even worse because room 306 also contained a copy machine, a fax, and a shredder. I could've exfiltrated everything without them even being the wiser.

Reply

[-]

mrtuna@reddit

Was Dana told to frisk you?

Reply

[-]

fuknthrowaway1@reddit

I wasn't expecting the third degree or anything, but.. They were a pretty big financial services company, and standard at a company like that back then would have been a business card or showing a company ID, perhaps flashing my driver's license to show it matched, and then signing for the key. Not keys, key, just the one to get into 306. I might even get escorted up. Not necessarily watched, more likely just shown where I was going and left alone. (And any printed password list would be locked in a safe and only ever be pulled out in the case of a bus, not handed to the first long-haired guy in khakis to enter the lobby. )

Reply

[-]

trueppp@reddit

I work for an MSP, this is the case on 95% of client sites. You can get in almost anywhere if you have a high-vuz and a clipboard.

Reply

[-]

_litz@reddit

and a white hard hat

Reply

[-]

MathmoKiwi@reddit

Extra bonus if wearing safety glasses

Reply

[-]

bbbbbthatsfivebees@reddit

I work for an MSP and it's genuinely surprising to me when any of our clients have any sort of physical security in place. Usually I can just show up unannounced and say "I'm such and such from so and so" and they'll let me do anything. When I encounter any resistance that slows me down, it's actually refreshing because it shows that someone actually cares. In those cases I usually tag my boss in a message because it's so rare and he goes to bat for me when those situations arise by directly contacting the POC for our client and saying "Hey, we encountered resistance here but that's nothing but a good thing because it means people are watching out for threats".

Reply

[-]

Michelanvalo@reddit

Dana is the most trusting person in the world apparently.

Reply

[-]

trueppp@reddit

You'd be really suprised how much access a bit of confidence and a good excuse will get you.

Reply

[-]

Michelanvalo@reddit

No I wouldn't. I've been doing this for a long time. I've seen and experienced it personally just like /u/fuknthrowaway1 where someone just trusted I said who I said I was.

Reply

[-]

fuknthrowaway1@reddit

I didn't say anything. I just walked in and she assumed,

Reply

[-]

IMongoose@reddit

You got profiled so hard.

Reply

[-]

trueppp@reddit

Thats like 99% of clients...

Reply

[-]

Generico300@reddit

Not trusting. Apathetic. Most people don't give a fuck about the company beyond just keeping their own job. And why would they? Most companies treat employees (especially low level employees like receptionists) like dirt.

Reply

[-]

DeifniteProfessional@reddit

Reminds me a bit of a situation I hit recently. One of our offices moved, they downsized to a serviced office. Naturally the serviced office runs their own network and all the ports on the wall feeds back to their own switch & network (which is run by an IT company in another part of the country). I had to install our firewall/switch into this comms cupboard and hook the ports to our office into it. Someone from reception gave me a contractor fob that gave me access to the main room (which was a large office rented by another company in the building). The actual comms room itself had a physical key lock, which reception unlocked and left me to it, taking the key away with them. Inside this cupboard was a rack full of networking kit for various companies, and multiple different servers. And then to make it worse, when I was finally finished (feeling uneasy about having my firewall in there, but I generally run on the premise that a bad actor could be on my network at any point), I went to return the fob to reception. Nobody was about, hung around for a bit, didn't see anyone - later found out that one receptionist often services two buildings or something weird and they just cross the road every so often. I left the fob on the desk, I presume the cupboard has since been locked, not that it really matters. What I hate about this is not only is this fine for them, but in my company I'm the only person who was against putting our firewall outside of our controlled office space, and I can't help but worry why I'm the odd one out!

Reply

[-]

Crinkez@reddit

If your seniors give the go ahead, the onus is on you to leak all those passwords before the system goes live in your business.

Reply

[-]

FoundForNow@reddit

So where they demoing Odoo? Was it Odoo or a provider that just uses Odoo?

Reply

[-]

JohnWellPacked@reddit (OP)

It's a provider that uses the Odoo Community Edition. Important to mention this has nothing to do with Odoo - the company.

Reply

[-]

segagamer@reddit

So why aren't you naming the provider? There are clearly *many* people affected by this and you're gatekeeping it?

Reply

[-]

mirrax@reddit

As much as I would also like to know, name and shame can open up issues with libel. Even if it's protected by being the truth that doesn't dodge the possible hassle of a lawsuit.

Reply

[-]

segagamer@reddit

"OP, I wonder if we had the same supplier? If so then it's XXXXX" Do that on a new account

Reply

[-]

ConsciousEquipment@reddit

wtffff just stop its literally not your problem. Why is everyone obsessed for calling someone out over what is probably an internal note sheet that they use for own convenience. OP can just have never seen that screen share and it is fine why make a problem out of nothing

Reply

[-]

Ferretau@reddit

In some countries this is considered a reportable breach by authorities.

Reply

[-]

montvious@reddit

Are you insane? Any one of these things are egregious breaches, and saying it’s an “internal note sheet” neglects the fact that he exposed it on a screen share with a *prospective client*. Clearly not too “internal” if we’re hearing about it on r/sysadmin 🙄

Reply

[-]

segagamer@reddit

> wtffff just stop its literally not your problem Well, it might be, I might be using the same supplier. But I don't know that unless OP spills.

Reply

[-]

ConsciousEquipment@reddit

Exactly you don’t know that so as of right now you don’t have any kind of problem why is it so hard to imagine OP had never seen that google sheet they could have the greatest impression ever of that vendor

Reply

[-]

RequestSingularity@reddit

Not knowing if your data is compromised is a problem. If you see smoke coming from the server room, you need to check for fire.

Reply

[-]

schr0@reddit

Passwords in a spreadsheet are a problem regardless of the context. You sound like a junior. Go do more infosec training.

Reply

[-]

wazza_the_rockdog@reddit

Provider was a personal recommendation by a senior manager in OPs company - there's a strong chance that naming them publicly will affect OPs job, and won't achieve much else. If all of these instances are HTTP only then chances are the companies using this provider don't have much knowledge/care about their security, so even telling them outright that their root account password has been leaked will likely, at most, cause them to ask the provider to change the password.

Reply

[-]

segagamer@reddit

"OP, I wonder if we had the same supplier? If so then it's XXXXX" Do that on a new account, or DM someone on this thread to post that.

Reply

[-]

n00lp00dle@reddit

something like this is worth blowing the whistle over i say.

Reply

[-]

Borgquite@reddit

Worth updating the post to say this I reckon.

Reply

[-]

JohnWellPacked@reddit (OP)

It was updated. Thank you

Reply

[-]

Professional_Mix2418@reddit

The first mistake was allowing an AI note taker ;) And sadly the divulging information like that is so common. I mean this one take the biscuit for stupidity that they maintain it like that in the first place, but then sharing it as well. Oh damn...

Reply

[-]

Scary_Bag1157@reddit

That is absolutely brutal. I have seen the 'Excel sheet of death' turn into a full-scale SEO disaster more times than I care to admit. Honestly, when you have teams manually managing redirects or, worse, just leaving everything to rot in a spreadsheet, you are just waiting for a massive 404 spike to tank your rankings. We used to struggle with the same bottleneck where we'd have to sit on our hands for days waiting for the dev team to push simple 301 rules. I got sick of it and we moved our redirect stack over to Redirhub. It essentially lets us cut the devs out of the loop for standard URL changes and migrations, it handles the redirects at the edge, so we are seeing sub-100ms response times and it keeps our Core Web Vitals from taking a hit during shifts. The best part for me is just not having to mess with .htaccess files or relying on slow internal ticketing systems. It's basically set-and-forget for bulk mapping, and it saved us about 5 hours a week in wasted 'is this redirect live yet?' meetings. Just a heads up though, it won't fix poor security practices elsewhere in the stack, so definitely keep pushing management for actual auditing of these vendors.

Reply

[-]

Scary_Bag1157@reddit

That is absolutely brutal. I have seen the 'Excel sheet of death' turn into a full-scale SEO disaster more times than I care to admit. Honestly, when you have teams manually managing redirects or, worse, just leaving everything to rot in a spreadsheet, you are just waiting for a massive 404 spike to tank your rankings. We used to struggle with the same bottleneck where we'd have to sit on our hands for days waiting for the dev team to push simple 301 rules. I got sick of it and we moved our redirect stack over to Redirhub. It essentially lets us cut the devs out of the loop for standard URL changes and migrations., it handles the redirects at the edge, so we are seeing sub-100ms response times, and it keeps our Core Web Vitals from taking a hit during shifts., The best part for me is just not having to mess with .htaccess files or relying on slow internal ticketing systems. It's basically set-and-forget for bulk mapping, and it saved us about 5 hours a week in wasted 'is this redirect live yet?' meetings. a heads up though, it won't fix poor security practices elsewhere in the stack, so definitely keep pushing management for actual auditing of these vendors.

Reply

[-]

nerd8@reddit

Quickest way to finish the POV with a vendor!

Reply

[-]

craigmcallister40483@reddit

exchange server disaster, lost weeks of email. switched to office 365 right after. never looked back.

Reply

[-]

reilogix@reddit

Thank you, OP. It’s stories like this that give me hope. I am not the worst. I AM NOT THE WORST!!!

Reply

[-]

Cobra11Murderer@reddit

my job currently is going down hill quick.. my boss left and upper management just thinks IT knows everything.. sister company and us merged the deparments but kicker is.. the two senior IT folks are not IT more so power bi and such.. I seriously question how long I can navigate this on my own as they will be more bossy than helpful.

Reply

[-]

markth_wi@reddit

Heh that's not a good thing, but that's their practices or lack thereof. My favorite was years ago when we had a new partner in Chenai, the tech leads left after the ink was dry on our contracts. A few weeks after that the server performance becomes increasingly dodgy , a few weeks after that service starts to fall away - the usual. We start the RFP process and "of course" we're going to be looking overseas, HARD, so 14 vendors for a CRP with a very large dataset (40-90m contacts) where grooming and hygiening the data is 90% of the work and popping out demographic data, marketing and such are the bread and butter for our firm. We go for a demo, super slick, new firm and one of the tech leads from the old firm it turns out is involved on the new firm. We're in the presentation 40 people in the room and things are looking fine, then I see it, they pulled on a particular demographic and a name caught my eye, my name, in some test data. I turned to my boss and said I think we have a problem, and he goes - how do you know , and I sat for a few second and off the top of my head said - yeah could you do a query on \*star\* , and it's a common word I figure it should come back pretty fast. Sure enough, all our specific test data was in their data - new vendor 1000 miles away, in a separate country , they'd pilfered the software back to their home-town and decided to just walk off and pitch the customer base, with 90 million Americans , Canadians and European detailed data. I walked out of the demo with my boss and we got our lawyers involved , I was out of there a few weeks later, when you get heavily ignored until it's far , far too late, by folks with access but without clues, you look for greener pastures, for obvious reasons. That never made the news, never made the papers except in the most banal way - the credit-cart firms that had used us for their ERP management had outsourced to the point where all their data was in the hands of questionable guys and they'd expatriated it from servers in Philadelphia to Chenai to Lahore to a "server" operation in Abbottabad.....and then back to Ohio and a cloud instance at Amazon with the data under different management.

Reply

[-]

GreenWoodDragon@reddit

Chennai? There's a very large tech company I can think of based there.

Reply

[-]

markth_wi@reddit

There would be , wouldn't there. And the turnstyle hiring practices being what they are at "some firms" practically invite a degree of inspired entrepreneurial spirit which - coupled with a little five-fingered exfiltration an LLC and the phone number for a dude in New Jersey, and voila you're a consulting firm.

Reply

[-]

FastRedPonyCar@reddit

We used to get patient PII emailed to us basically every day from morons in India when I worked for an EHR company. Full names, socials, health data for minors, all the diagnosis information, etc. you name it, they would just fire unencrypted data at us every single day and we, nor the providers they worked for could stop them.

Reply

[-]

lectos1977@reddit

I still have this happen. Not just outsourced devs but state agencies.... The state of WV isn't smart.

Reply

[-]

ilyas-inthe-cloud@reddit

honestly the google sheet full of root passwords is way more common than people think. i've seen similar stuff at multiple orgs, sometimes its even a sticky note on the monitor lol. the scariest part isnt the sheet itself, its that nobody in the room probably thought it was a problem. security culture has to come from the top or it just doesnt happen. the http on prod thing is wild though, like how does that pass any audit ever

Reply

[-]

2_Spicy_2_Impeach@reddit

I didn’t audit large companies that used my old employer’s cloud platform. We couldn’t call it an audit but if you wanted to work with our group, we had to do our due diligence. It’s wild out there. Regularly having to pick my jaw up off the floor. I worked for a financial institution that a lot of folks use. They were launching a new signature product and one team said they couldn’t add encryption to BANKING LOGIN DETAILS to meet launch time. Even though we had a framework built specifically to handle this easily for devs. Everyone signed off on the risk until I went to our CIO and threatened to quit over it. They implemented it that day. I didn’t want my project being in the news because one dev didn’t feel like reading documentation.

Reply

[-]

one_user@reddit

The Google Sheet with root passwords is bad, but the real tell is HTTP without SSL on production. Every database query, every customer record, every transaction flying across the wire in plaintext. For any customer with PII in that system, this isn't just a security risk - it's a compliance liability that could sink both the provider and the client. What makes it worse is that this was clearly standard operating procedure, not a one-off mistake. The sheet had 100+ rows. They've been doing this consistently for every deployment. That's not incompetence from one employee - it's a systemic absence of security culture from the top down. The "I know a guy" recommendation chain is exactly how these providers survive. They never face a real vendor security assessment because the referral bypasses the process. At a minimum, any vendor touching your data should be required to complete a security questionnaire before the demo even happens. Would have saved everyone a lot of time.

Reply

[-]

jman1121@reddit

I can't fathom why so many data breaches are happening.... Nope, not one clue. Holy moly. 😬

Reply

[-]

ScoobyGDSTi@reddit

The fact they're using Google Docs tells me all I need to know about their competency.

Reply

[-]

musashiXXX@reddit

Woah there buddy... There's nothing inherently wrong with Google Docs. Using it reveals exactly nothing about somebody's competencies.

Reply

[-]

ScoobyGDSTi@reddit

Google Docs is the poor man's version of M365. No one chooses to use it for any other reason than its cheaper. If you're cutting costs there, the likelihood you adequately invest into Cyber Security is next to zero. So yeah, there's plenty inherently wrong with Google Docs. No doubt meeting was also held on some cheap collab tool like Zoom or Google Workspace.

Reply

[-]

musashiXXX@reddit

Bias, assumptions, personal preferences... How about presenting some facts to back up your claims? I'll go first: https://www.virtru.com/blog/industry-updates/microsoft-data-breaches-2025 Searching the terms "history of M365 compromises" reveals many instances where M365 itself was compromised due to system flaws. Meanwhile, the same search, swapping M365 for Google Workspace, does _not_ yield the same quantity nor type of results. Conversations like this one require drawing a distinction between "the user's of a service" getting compromised due to their own bad security practices, and "the service itself" getting compromised due to bugs, vulnerabilities, and/or bad/weak security practices of the humans responsible for managing the service. Almost all "Google compromises" belong to the former category, while the majority of M365 compromises belong to the latter category.

Reply

[-]

ScoobyGDSTi@reddit

Let me know when you figure out the relevance of your link. Given you know, not a single one is related to M365. Really highlights you're sheer ignorance on this subject. Then there's the whole argument about market share and which one is the focus of theat actors. The one used by nobody, or the one with the biggest market share and used by the biggest enterprise customers on the planet.

Reply

[-]

musashiXXX@reddit

Let's review how we got here. You said: >The fact they're using Google Docs tells me all I need to know about their competency. Then, you proceeded to defend that statement with your own biases, claiming, essentially, that if your organization uses Google Workspace, they aren't spending any money on Cybersecurity and as a result, aren't secure. Arguing, as Microsoft fanboys are known to do, that "Google isn't secure." So I presented some facts opposing that position and your argument shifts to "because the events presented don't mention M365 _specifically_, they don't count. " Nevermind that the services involved in the events I highlighted all share the same infrastructure as M365, and in some cases are considered a core part of M365. Again, the core of your argument is "Google isn't secure" and "companies who use Google aren't secure," which is total bullshit.

Reply

[-]

ScoobyGDSTi@reddit

>Nevermind that the services involved in the events I highlighted all share the same infrastructure as M365 No, they don't. Which you'd know if you knew anything about Azure or M365.

Reply

[-]

IJustLoggedInToSay-@reddit

Major enterprises use Google business instead of Microsoft all the time. Usually this is the case if they're using GCP for their primary cloud provider, or if they don't want to get trapped into being a Microsoft-everything shop (e.g. we just wanted to go multicloud with \Azure and now suddenly we have to migrate to AD, Teams, MS365, and Sharepoint for some reason).

Reply

[-]

Life_Clock_5311@reddit

That is a serious fail. Ask for business compliance process certification. I bet they don't have any. If they provided you a process documentation, the chance is it is there to satisfy RFIs and not necessarily followed. The bare minimum is there needs to be a separation of duty and security handling process. It may not be fully automated. But a process must be clear who handles what in where securely. Many 'senior' people never learned and that is why they get promoted and most like the big honcho's drinking buddy.

Reply

[-]

2cats2hats@reddit

I've seen worse but I can't mention here. :/

Reply

[-]

Emotional_Garage_950@reddit

name and shame

Reply

[-]

wordsarelouder@reddit

The thing about this document is that it's not "...when it's compromised.." it's _already compromised_

Reply

[-]

HotTakes4HotCakes@reddit

Feels like it's more like name and potentially save their clients from disaster.

Reply

[-]

7FootElvis@reddit

Or at least, "it's a company that rhymes with..."

Reply

[-]

joshghz@reddit

"Orange."

Reply

[-]

InvincibearREAL@reddit

[https://youtu.be/lPcR5RVXHMg?si=0orHcAIgyKAc2uVP](https://youtu.be/lPcR5RVXHMg?si=0orHcAIgyKAc2uVP)

Reply

[-]

Inquisitive_idiot@reddit

We think alike, you and 🍊 😏

Reply

[-]

H3rbert_K0rnfeld@reddit

Orange CRM?????

Reply

[-]

Infamous-Yesterday53@reddit

I’ve previously seen similar with a prospective vendor. Safe to say it didn’t go past the first meeting. In response they tried to tell us http is ok because you can only access the system over a vpn!

Reply

[-]

Only_Helicopter_8127@reddit

That Google Sheet is now compromised forever, recorded and cached who knows where. This is why vendor security assessments is important before demos. like abnormal AI use zero trust architectures that go through proper security audits and compliance frameworks instead of storing root passwords in spreadsheets.

Reply

[-]

LowerAd830@reddit

Nothing compared to a ceo forgetting to draw his blinds and chatting with really cheap Russian camgirls in full view of everyone walking past when we were doing a facility tour with the DEA..

Reply

[-]

hutacars@reddit

What a moron. Should have stuck with the expensive ones.

Reply

[-]

JesradSeraph@reddit

I hope you filmed him with you phone for later blackm- I mean security consultancy negotiation.

Reply

[-]

LowerAd830@reddit

Heck no, I wanted nothing to do with that, and didnt want to be accused of perving. Also, there were e enough witnesses I didnt need or want evidence.

Reply

[-]

Single-Virus4935@reddit

Odoo was a nightmare to work with. While you can do everything with it, it is clumsy, bad UX.

Reply

[-]

Reverent@reddit

All ERPs look like it was designed in a PowerPoint presentation from the 90s using a pirated copy of Adobe Fireworks. It’s counterintuitive but my consultant advice to most companies is that ERP is a trap. Better to have many IT products that do one thing well than to drown in ERP.

Reply

[-]

dgran73@reddit

Do you have a security team, or at least someone in your org responsible for vendor management? You should refer this issue to them. This is a valid concern.

Reply

[-]

johnwestnl@reddit

When an AI note taker is invited, I leave without notice.

Reply

[-]

fatalicus@reddit

One of the few good things Microsoft is doing in relation to AI: In June they are rolling out a change in Teams, where external AI notetakers are sorted as "Suspected threats" in the lobby.

Reply

[-]

Kurgan_IT@reddit

Unless it's their own crap-pilot, I suppose. This is not security, it's marketing.

Reply

[-]

yrro@reddit

That's not security---it's marketing.

Reply

[-]

Supermathie@reddit

> the codepoint # Dashes <Multi_key> <minus> <minus> <period> : "–" U2013 # EN DASH <Multi_key> <minus> <minus> <minus> : "—" U2014 # EM DASH <Multi_key> <minus> <minus> <m> : "⸺" U2E3A # TWO-EM DASH <Multi_key> <minus> <minus> <M> : "⸻" U2E3B # THREE-EM DASH how do people live without a Compose key? :D

Reply

[-]

yrro@reddit

– — I don't seem to have the latter two. But where's the far more useful [Kierkegaard em dash](https://x.com/kukukadoo/status/1911774838923870641)?

Reply

[-]

Supermathie@reddit

I added the latter two myself, purely so I could be contrary and show I'm f⸻ing human

Reply

[-]

ConsciousEquipment@reddit

lmao I love these boomer comments. So I assume you take your own notes and are zoned off typing during the whole meeting? geez that's so much better be proud of yourself

Reply

[-]

IJustLoggedInToSay-@reddit

TIL people don't listen to anything anyone says in meetings - they either zone out typing notes or they zone out because AI is taking notes. Yet another reason we should just stop having meetings and use emails and chat instead.

Reply

[-]

wrincewind@reddit

Personally, I pay a lot more attention if I'm taking notes, it makes me think and summarise my own points. Way better than staring at the zit on my boss' nose. Plus it helps me practice my touch-typing speed.

Reply

[-]

buidontwantausername@reddit

Notetaking is one area where AI actually provides tangible value.

Reply

[-]

Kurgan_IT@reddit

Yes, but it also uses your data and you lose control of that data.

Reply

[-]

MetalEnthusiast83@reddit

My data? During a demo "my data" would just be some audio clips of me saying "Oh, that's pretty interesting" and asking a few questions.

Reply

[-]

VanillaBean8585@reddit

Why? Its so incredibly useful.

Reply

[-]

Haplo12345@reddit

And now everyone who uses that AI note taker may have access to that data.

Reply

[-]

Tymanthius@reddit

I mean, that meeting is a breech. And their client list should be so informed.

Reply

[-]

No_Investigator3369@reddit

I don't beleive you. You said you recorded it, right? 😂

Reply

[-]

L-xtreme@reddit

Just make sure you use a difficult password. It's fine. Security is just a buzzword for consultants to make themselves feel important.

Reply

[-]

Low_codedimsion@reddit

I guess you’re not going with them, right?

Reply

[-]

sabre31@reddit

A lot of these are flight by night small companies and run by like 5 people or less and wanting to make quick sales form unsuspecting companies. Always vet the company and research it. I do google Gemini deep search on company I never heard of.

Reply

[-]

jake04-20@reddit

We had a vendor share their screen one time and they had their VPN password for our systems on a sticky note on his desktop, including AD passwords to access the necessary servers in our environment. I called attention to it on the meeting, and he got all snippy with me, saying that the passwords were ALSO in a secure password vault. Sir, doesn't that defeat the whole fucking purpose of the password vault?

Reply

[-]

furtive@reddit

(this was 15 years ago) I saw the head of a large multi-national show how he could drill down into a map down to an individual household and show all their personal details (contact info, DOB, gender) income, purchase behaviour and etc for entire family and everyone in the neighbourhood. They did it in front of 500 industry folks. They got let go same week. I can remember picking my jaw up off the floor and grabbing a bunch of photos.

Reply

[-]

57ARK@reddit

and the LLM is just guzzling all of it up omfg what a fucking mess T.T T.T T.T

Reply

[-]

SpiceIslander2001@reddit

Was the meeting recorded? If so, go through the recording, capture a picture of that particular incident, and send it to the presenter, asking "did you really mean to show this to all of us?"

Reply

[-]

Mister_Brevity@reddit

I think mine was working at an msp, got contracted to do a total rebuild of an Apple PowerBook on a morgue table while two sheriffs watched. Once it was repaired I had to help extract data. The material is of the sort you’re probably starting to think it was. Can’t unsee things.

Reply

[-]

Worried-Buffalo-908@reddit

were you informed about what the job was and given an opportunity to refuse it?

Reply

[-]

Mister_Brevity@reddit

I was told the nature of the repair job, given the list of parts, and told I would be assisting with data recovery.

Reply

[-]

miscdebris1123@reddit

"Given a list of parts", hopefully, was just computer related.

Reply

[-]

Mister_Brevity@reddit

It was an entire macbook pro assembly's worth of parts because the damage to the computer was ball-peen-hammer inflicted, presumably while the sheriffs were breaching the house.

Reply

[-]

kenfury@reddit

I've unfortunately seen things in my role that I wish I could never see. There's not enough eye bleach for that.

Reply

[-]

msp_can@reddit

Local ISP uses Meraki as their "managed network of choice" - called in for access to a client's network (the Meraki interface they give is super limited compared to normal access if you buy direct) - ISP, instead of giving me site specific access, gave me read only to the entire Western Canada region. I had every client that had logged in, every password on every SSID throughout every network (I believe there were several thousand networks). ISP simply swept it all under the rug with a "we've fixed it/won't happen again" - but that was 48 hours of quite the interesting visibility.

Reply

[-]

h8tank88@reddit

So, when's he getting promoted?

Reply

[-]

psiphre@reddit

don't fucking name them or anything

Reply

[-]

VanillaBean8585@reddit

Wow. Did you say anything to them?

Reply

[-]

NSFW_IT_Account@reddit

No they just posted it to Reddit for thousands to read

Reply

[-]

Emotional_Garage_950@reddit

guaranteed they didn’t, they don’t even have the balls to name the vendor

Reply

[-]

ConsciousEquipment@reddit

has nothing to do with balls. I also would not say anything, because as far as I'm concerned, I didn't see that. I'm not a snitch and I'm not gonna mess with someone's job or call them out on what is probably just something that they work with for convenience internally for themselves. Maybe if the guy sharing screen was a dick otherwise etc ok but that would have nothing to do with security, I could spite them in many ways regardless of that presentation.

Reply

[-]

Emotional_Garage_950@reddit

It doesn’t have anything to do with an individual, call out the company involved. I am not advocating for getting an individual fired for what was probably not their decision.

Reply

[-]

solipsistnation@reddit

I was waiting in an airport once and somebody a couple of seats down, wearing a pretty nice suit and carrying a fancy briefcase, started telling their secretary how to log into their gmail account, VERY LOUDLY, including their username, domain, and password, carefully spelled out for anyone nearby to write down. Which I did, but I decided not to mess with it. I should have found their IT security people and let them know, I suppose, but whatever.

Reply

[-]

LongTrackBravo@reddit

Both terrifying and not at all surprising at the same time

Reply

[-]

thomasmitschke@reddit

Storing passwords in a spreadsheet is instant cancel

Reply

[-]

burgersnchips87@reddit

You saw their client list and a huge security hole, I'm tempted to say a few anonymous phone calls should be happening to said clients to raise awareness. This way you're helping them and if your boss decides to take this company on, well, they either might not be able to, or they might get a more secure solution.

Reply

[-]

ConsciousEquipment@reddit

what??? and now you're out to sabotage and harm their business because of a fucking google sheet lmaoooo have fun you people are so spiteful and petty it's actually insane. I would have literally not given .1 of a shit it's only a problem if you make one of it. If you had any idea how much egregious shit I came across, in IT and other fields, and just shrugged off because seriously I am not gonna open that can of worms I just won't. I ain't your witness I forgot my glasses I didn't see it.

Reply

[-]

Equal-Daikon9456@reddit

Found the guy giving the presentation

Reply

[-]

yrro@reddit

> sabotage and harm their business because of a fucking google sheet I would hope that if we both used the same service provider, and that service provider leaked to you the credentials for my system, that you would do me the courtesy of informing me so that I can rotate credentials & initiate an internal investigation. Wouldn't you want the same, or would you really rather bury your head in the sand?

Reply

[-]

ITaggie@reddit

Read the rest of their comments in this thread, they don't take their job seriously at all.

Reply

[-]

wrincewind@reddit

Pointing out their dumbassery ain't sabotage, mate. If anything, it's the opposite, because they'd rather find out from me at 10am on a Tuesday, than by being woken up at 3am on a Friday finding out that they've been hacked and *all* their customers have been compromised, the company is going to be bankrupted by all the lawsuits, and he personally is gonna be thrown under the bus for his jank-ass solution that violated the company's cyber-insurance.

Reply

[-]

ConsciousEquipment@reddit

> being woken up at 3am on a Friday finding out that they've been hacked and all their customers have been compromised ok and why would that happen??? no one knows that in whatever company's google drive is a sheet with that stuff. And it is generally trusted and assumed that the people who see it are reasonable and keep to themselves and it's all internally and we're all good. Everything you say is just assuming that the worst case absolute apocalypse scenario will definitely happen and cry me a river they could do it all perfect then get hit with ransom ware and people would still rag on them. What even are the odds of that happening and even then, what are the odds of anyone discovering what the reason was. Especially insurance, why the fuck would they let them know that they used a google sheet. Say your house burns down of course you wouldn't show everyone look I was using these cheap ass chargers from Temu look I was vaping everywhere. They would say it's your fault or even hold you liable. You would throw that shit out and say woe is me what bad luck out of nowhere then.

Reply

[-]

wrincewind@reddit

"it'll never happen to me!" is the calling cry of many a sysadmin shortly before it did, indeed, happen to them. "why would that happen?" - because hackers crack into places as a matter of course nowadays, and even if not, it only takes one disgruntled employee to leak the details of how obscenely vulnerable your security posture is. Have you ever been involved in a breach like this? Ever spoken to the insurance adjusters as they take you through the steps of your policy again and again, trying to make you - or one of your coworkers - slip and admit fault? Ever seen them disassemble your hard drives to break down exactly what happened and when? You sound like the kind of guy on a building site who refuses to wear safety gear. Its *your* ass that's on the line.

Reply

[-]

fatalicus@reddit

Someone leaks access to PII for who knows how many people, and you would just shrug it off? The reason you come across so much of it is because assholes like you aren't helping to make things better in our field. Report shit like this to your local data protection agency.

Reply

[-]

burgersnchips87@reddit

It's the responsible thing to do to let them know. It's not spiteful. Would you let someone know if you saw their wife cheating? I would.

Reply

[-]

Yahnzi@reddit

This is why security questionnaires are necessary when working with new vendors or really any 3rd parties. Especially if they are going to have more than minimal access to your systems

Reply

[-]

MrsLobster@reddit

And requesting their SOC 1 report if they are a SaaS provider.

Reply

[-]

klauskervin@reddit

Did the AI note taker record all of the username and passwords? If it did now no one has any idea who has seen those and every single credential is compromised.

Reply

[-]

MrHorrible2048@reddit

Dang, that's amateur hour. I'd definitely not trust that company to host our data in any way. Just tip off your security peeps about what you saw and tell your boss.

Reply

[-]

ilyas-inthe-cloud@reddit

had something similar happen during a vendor eval a few years back. guy shared his screen and accidentally showed a notepad file with every client's db credentials in plaintext. same password for all of them too. when we pointed it out he just laughed and said 'yeah we need to fix that eventually'. we did not go with that vendor. the google sheet thing is somehow worse though because at least notepad isnt shared with the whole company by default

Reply

[-]

AlbertoP_CRO@reddit

I don't know why, but Odoo is filled with companies similar to this. I've seen multiple official partners with no standards at all, code, security, design...none.

Reply

[-]

mortsdeer@reddit

Even better, this particular clown is using the community edition.

Reply

[-]

mirrax@reddit

The ERP space in general is a circus.

Reply

[-]

eri-@reddit

When you scale as fast a Odoo has, you skip steps. Period. Fabien Pinckaers is a great guy, probably one of the best billionaires on the planet character wise , but he certainly isn't infallible and partner checks are one of the things one generally skimps on when rapidly scaling out

Reply

[-]

SavingsTask@reddit

I've watched a few YouTubers that are sponsored by odoo. Never thought I was their target audience

Reply

[-]

IJustLoggedInToSay-@reddit

Odoo will do the thing that new software companies do. They'll create a do-everything platform that works *well enough* for small-medium sized companies that have only the most generic workflows, and invest ten dollars in marketing for every one dollar in development. Eventually, they'll get trendy enough to start pushing an enterprise offering that isn't significantly different aside from the supporting infrastructure and price tag. Some enterprises will spend a pretty penny to migrate to it, only to discover their promises are not enterprise scale and their ability to customize has been greatly exaggerated. Eventually it'll get acquired by Oracle or SAP or Microsoft or whoever, who will migrate its users back to its primary offerings. 🎵 It's the circle of ERPs 🎶

Reply

[-]

mortsdeer@reddit

The difference is this one is an open source platform that's been around for quite a while. They're trying the open plus model, so there's some secret sauce modules under proprietary license. Even if odoo the company goes the route you suggest, there will still be MSPs doing the above. Sigh.

Reply

[-]

silentseba@reddit

I've seen some crazy flaws in systems where it makes me not trust anyone outside of my network. We has an industrial monitoring device (no details to avoid pinpointing company). The device was installed and I contacted support to gain access to the web interface service to monitor the device. When I logged into my account I had gained access to view ALL customers data, not just my own instance. I could see thousands of devices and I could actually access all the information within each instance. I quickly told them about the issue and they took 2 days to remove the access and properly limit the access to only my device.

Reply

[-]

ConsciousEquipment@reddit

read the title and thought this was gonna be something outrageous, man I assume there are countless and countless companies that do this and credentials in a google doc is honestly not the worst I have seen so calm your tits lmao if they hadn't happened to screen share you would have never found out and prob gotten a good impression you don't know what people do for convenience and if it works it works. Do you want to look into every slaughter house or kitchen I don't think so lol that is their internal stuff and odds of that going out are still slim

Reply

[-]

the_marque@reddit

Are you lost? This is pretty horrific, yes it's standard practice for a lot of smaller or dodgier MSPs etc.

Reply

[-]

ConsciousEquipment@reddit

> yes it's standard practice for a lot exactly. Man this sub is acting like everyone needs super hardened encrypted password manager that they only access via vpn on a locked down linux to wipe their ass. Just think for a second how many people just use whatever to have their shit quick and easy. I have definitely seen stuff like a txt literally called "the keys" (in my native language) and that was emailed around containing license keys and passwords because that's how the software was activated at each start of PC and otherwise, we would have needed to buy like 10 licenses for all the people instead of passing that one around. There was no other way and no one whined about it.

Reply

[-]

ka-splam@reddit

You think "keeping root passwords out of sight on sales calls" is the same as "needing a super hardened encrypted password manager to wipe your ass" is bonkers. Replying to every single comment about how you've seen worse ... doesn't make you look like a tough guy.

Reply

[-]

sp-rky@reddit

License keys/passwords to use software on internal devices is not really equivalent to a master spreadsheet containing links to hundreds of companies ERPs WITH root passwords next to them. You can't really compare the two - one is a dodgy workaround that shouldn't really compromise any sensitive data, and the other one is a GIANT security risk that exposes heaps of sensitive data. If your keys.txt file got leaked, no big deal. If this ERP provider's master spreadsheet got leaked, thousands of confidential files would be up for the taking.

Reply

[-]

wrincewind@reddit

>do you want to look into every slaughterhouse or kitchen Personally? I've jot got the stomach for that shit. Do I want them inspected to make sure that shit stops? Hell yes I do. I love in a country that's much stricter about things than average, and am hopeful that it will stay that way.

Reply

[-]

Abracadaver14@reddit

Said every company that was involved in a data breach ever....

Reply

[-]

dreniarb@reddit

There's so much blind trust that goes with working with vendors which is scary enough but it's even more scary when these vendors have admin access to your data. Had a vendor showing us their GIS work - they were able to login to a handful of various customer GIS interfaces with no authentication of any kind - full admin access. Another vendor was able to remote into many of his clients through some service - don't remember which one - but just like the other vendor needed zero authentication to do so. Both of these vendors walked away from their laptops plenty of times without locking them.

Reply

[-]

cyberman0@reddit

Oh I have one, worked for the navy and some subordinates thought it would be fun to take pictures of them uhh doing mombo on the base commanders desk. They then took the computer and loaded all the pictures on to his computer. Well said computer drive hit 100% capacity between updates, push software and those images. It took 45 mins for a machine replaced within the last 6 months to boot. My memory is he was a rear admiral but we had to go in and find out what the heck was going on and it was usually really old boxes or duty stations that had this happen. Duty stations could have hundreds of profiles but this machine only had a few. I was not on the call but an agent found all the images and him being the base commander made the tech agent open every image, while the idiots that started all this were getting the dress down of all from the base commander of what they had done on every. Single. Surface. In HIS office. Talk about some idiot grunts at the office. Not to mention making the agent do this for 3 hours while yelling at these idiots.

Reply

[-]

a60v@reddit

Holy shit. Don't do business with them.

Reply

[-]

usernamedottxt@reddit

Ah yes. The spreadsheet of doom. I do not miss those days.

Reply

[-]

_Dreamer_Deceiver_@reddit

Not going to tell us which ERP so we can stay away?

Reply

[-]

DefiantDonut7@reddit

He mentions it in his story, also it’s not the ERP’s fault that the implementer (3rd party company) is ran by morons

Reply

[-]

TehZiiM@reddit

And you recorded that sheet?

Reply

[-]

vhalember@reddit

We had similar happen with a company. It was a demo for one of their flagship products. The couldn't show-off a feature in their dev demo environment, but they mentioned a client had it available in prod. They open a browser, type in the client's instance address. A login screen pops up. Login: "admin" Wait are they backdooring a client's instance without requesting permission?! Password... a single fucking character! We're all stunned for a moment - even a non-IT director messaged me realized this was horrible security. We see if we can get to the site. Yep, world accessible. We almost stopped the presentation there, but we let it run as a comparison point to the other vendors. They came in dead last.

Reply

[-]

cdoublejj@reddit

shit i'd be tempted to call those companies up and be like "hey i just met this company and they just gave me the passwords to your shiz"

Reply

[-]

Tricky-Service-8507@reddit

You ain’t worked much I see.

Reply

[-]

joshicaman@reddit

Name and Shame, I've had nothing but bad experiences with 'odont' resellers!

Reply

[-]

secondhandoak@reddit

I've seen similar with ERP implementers using txt files with the login info being opened/closed on screen during meetings.

Reply

[-]

_haha_oh_wow_@reddit

That's, uh, bad.

Reply

[-]

Gunny2862@reddit

You probably spoke with a sales person who has no idea about any of these concerns. Not an excuse, just an explanation.

Reply

[-]

SevaraB@reddit

It was forgivable to use HTTP for dev in... 2012. Let's Encrypt hadn't taken off, WSL was not yet a gleam in Satya Nadella's eye. But now? FFS, it takes *two minutes* to crank out an internal root and leaf cert for HTTPS with openssl *by hand*... *and* it's 100% scriptable. Completely inexcusable.

Reply

[-]

franky694@reddit

If that’s the worst thing you’ve seen in 20+ years of IT, you’ve had it easy lol.

Reply

[-]

phobug@reddit

Fsck, now I’m curious, what have you seen that tops showing a sheet with all the company deployments and credentials in a video recorded call?

Reply

[-]

wrincewind@reddit

Showing me a wiki that had the same information, but all employees in the company had access... And many of the password pairs were "root/companyname". And the company's name was not very long.

Reply

[-]

ConsciousEquipment@reddit

exactly lmao. People here work at ultra enterprise MSP and need 87 factor auth and blood sample for every click, they would probably get a stroke if they saw the average shit I would admin. I have done IT for small local libraries and the equivalent of high schools in my country etc and usually you walk up, it's a open wifi called "school building name" and if you happened to know the file server ip or did a ip scan and tried the usual suspects, type /admin:admin there you go. Literally. You were on the file server with full access in browser, I remember that blue file tree UI where all clicked links went purple etc it was OPEN.

Reply

[-]

wrincewind@reddit

Yeah, that company went bankrupt in a cyber - breach when some hackers got their hands on that wiki. We aren't talking "a small local library", we are talking "the keys to the kingdom for 20+ fortune 500 companies".

Reply

[-]

Adventurous-Coat-333@reddit

One time I was doing contract work and had a ticket for a major retailer. There was this data center in the middle of nowhere and they basically just took my name without checking anything and gave me free reign to the entire data center unattended. No one could even help me find the server that I was supposed to be working on. This was probably about 8 years ago.

Reply

[-]

Hoooooooar@reddit

Developers do not believe in security. Security stifles their genius. HOW CAN THEY CREATE IF YOU REQUIRE MFA? HOW CAN THEY CREATE IF YOU REQUIRE UNIQUE PASSWORDS? HOW CAN THEY CREATE IF YOU HAVE ANY SECURITY OR POLICIES IN PLACE AT ALL? you dare try to control a god?

Reply

[-]

Even-Cartographer551@reddit

Choose and perish! 😏

Reply

[-]

pratofu@reddit

Sounds like your ERP provider is our ERP provider.

Reply

[-]

nphowe@reddit

Had a vendor do this once but first he asked me to look away or close my eyes. Neither of us had out camera on. I said, “Okay…” and then up came the password spreadsheet!

Reply

[-]

wezelboy@reddit

Sounds like a company I used to work for, except they weren't ERP, they were a hosting provider.

Reply

[-]

jcpham@reddit

Information Security nightmare- run away do not walk

Reply

[-]

alluran@reddit

Blank SA password to the database containing 500k unencrypted credit card details - accessible to anyone of the 4000+ employees if they knew where to look. Rest assured though, they were all backed up to an unencrypted external hard drive plugged into the server in the datacenter. We did eventually identify that security risk, and resolved it by having it shipped via the national postal service back to our offices, where it could promptly be placed in an unlocked desk drawer to collect dust. I had originally tried storing it in my OWN lockable top drawer, as my job was to tokenize the table, but it was deemed that the head of ITs broken top drawer was more secure than my lowly desk. Good times

Reply

[-]

genomeplatform@reddit

Reading the part about the root password right next to the no SSL link made me want to have a psychological breakdown on his behalf. This isn't just a security breach anymore; it's practically an invitation to compromise the entire customer system. It's true that those "connections" (I know a guy) always bring about truly devastating surprises. If it were a novice hacker, the whole company would be wiped out in a heartbeat, no joke.

Reply

[-]

kenfury@reddit

Had a MSP come in, bill us like 400k for a migration that I was on CAB for. It was a "this is not my problem" moment.

Reply

[-]

tognols@reddit

Oh hell nah, reading gore of my comfort character (common sense) at Monday morning

Reply

[-]

seahorseMonkey@reddit

Had to back up all the laptops for a nursing facility. One person saved everything to their desktop … everything. It was about three GB IIRC. not too bad but the connection was slow so took over an hour.

Reply

[-]

ConsciousEquipment@reddit

I was working for some librarians that had their whole life saved in a mailbox. They would even have drafts with huge amounts of attachments etc the mailboxes were absolutely huge, tens of GB, and we'd use outlook, thunderbird, these old windows live mail clients etc to compress and move these mailboxes around all the time because storage just ran out. It was all local files and at some point, pushed out to USB sticks because there was no other way to free up space in the mailbox.

Reply

[-]

hopeless_case46@reddit

Lol ![gif](giphy|l3q2K5jinAlChoCLS)

Reply

[-]

Complex86@reddit

Someone calling someone for security practices uses an AI note taker? Hello pot, meet kettle.

Reply to Post

313 Comments