Microsoft Security: Breaking the Rules - Stories from Employees

  • Published 21 Nov 2024

Comments • 661

  • @DavesGarage  2 years ago +283

    BTW, no one can beat Feynman's stories of security theater in his book. I forget if it's in Surely You're Joking or What Do You Care What Other People Think... but his stories of working around rules at Los Alamos during the Manhattan project are epic!

    • @Obscurai  2 years ago +12

      Back in 1994 a corporate communication was sent to everyone requesting that staff not store firearms in their car glove compartments when parked on campus. Being Canadian, this was just absurd to me.

    • @kevindowd31021  2 years ago +9

      Feynman was the best lock picker that never was!

    • @TomNimitz  2 years ago +9

      Not sure of the book, but "Richard Feynman Lecture -- "Los Alamos From Below"" is a well told story.

    • @DusteDdekay  2 years ago +1

      yeah, it's a wonder he didn't get himself shot just once ... :)

    • @boblangill6209  2 years ago +18

      Among them is a story that after Feynman demonstrated to security people how easily their measures could be evaded, they, in classic security cop tradition, concluded that HE was the security problem.

  • @xlerb2286  2 years ago +94

    I worked at MSFT for almost 7 years. I saw my share of security theater. One I remember is we had these fancy new double doors that from the outside were locked but when you approached them from the inside they unlocked - fire code wouldn't allow locked exit doors during business hours. It took us devs about 5 minutes to figure out that if you stuck one of those little plastic flags used to mark buried power lines and such through the door from the outside and waved it around a bit the door would unlock. Long story short, after a while they gave up on trying to get the doors to work and hired back the receptionist they'd let go when they set up the fancy doors.

    • @FindLiberty  2 years ago +4

      @@cykes5124 *REPORTED*
      lol

    • @fake12396  2 years ago +13

      Deviant Ollam approves.

  • @PeeterJoot  2 years ago +85

    I worked at the IBM Toronto Lab for 20 years. The security theatre ramped up to mind-numbing levels. We had to change passwords every three months, but didn't have an integrated password system, which should have been a prerequisite for such a policy. As somebody who had access to piles of different porting, test and development machines, changing passwords manually took half a day's work (we eventually wrote expect-based scripts to automate this). You'd also get halfway through a password change attempt, and then find that one machine of 70 would have different local password rules (which usually didn't conform to the official security policy), so you'd have to use a different password for some subset of the machines, despite trying to conform to the rules (8 characters, no more, no less, can't start or end with a number or a symbol, no dictionary words, upper and lower case required, special symbol required, ...)
    It was inevitable that some machines wouldn't be online for the password change attempt, which would also screw up the attempt to keep things synchronized.
    Of course, I ended up with a file that listed which generation of password I had for each machine, so that I could attempt to get in later without getting a password reset, or using our well-known (to development) ssh-based root exploit, so we could reset our passwords without opening a ticket to have it done. I shared our remote root exploit widely within our organization as a protest against the stupidity of the security theatre. I bet it can still be used 6 years later.
    The security managers didn't care how much chaos their rules caused, nor how many real security holes were opened as workarounds for these rules. They just wanted to be able to report compliance to higher-ups, so they could have the appearance of being effective. The real risks weren't expired passwords. For example, any student intern could walk out of the lab with all our product source code on a USB key.
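The synchronisation problem in the comment above (one official policy, 70 hosts, a few of which quietly enforce different local rules) can be checked before anyone types a new password into 70 terminals. The following is an added example in Python, not the commenter's expect script: it validates one candidate against every host's policy and reports which hosts would reject it and why. The host names, the two drifted policies and the five-word dictionary are constructed for the example; the "official" policy is the one quoted in the comment (exactly 8 characters, no leading or trailing digit or symbol, mixed case, a symbol, no dictionary words).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed dictionary and fleet; only the "official" rules come from the comment.
WORDS = frozenset({"pass", "word", "admin", "test", "secret"})
SYMBOL = re.compile(r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class Policy:
    host: str
    min_len: int
    max_len: int
    require_upper: bool = True
    require_lower: bool = True
    require_symbol: bool = True
    no_edge_digit_or_symbol: bool = True  # may not start or end with a digit or symbol
    dictionary: frozenset = WORDS


def violations(pw: str, p: Policy) -> list[str]:
    """Every rule of policy p that password pw breaks, in a fixed order."""
    out: list[str] = []
    if len(pw) < p.min_len:
        out.append(f"shorter than {p.min_len}")
    if len(pw) > p.max_len:
        out.append(f"longer than {p.max_len}")
    if p.require_upper and not any(c.isupper() for c in pw):
        out.append("no upper-case letter")
    if p.require_lower and not any(c.islower() for c in pw):
        out.append("no lower-case letter")
    if p.require_symbol and not SYMBOL.search(pw):
        out.append("no symbol")
    if p.no_edge_digit_or_symbol and pw and not (pw[0].isalpha() and pw[-1].isalpha()):
        out.append("starts or ends with a digit or symbol")
    lowered = pw.lower()
    for word in sorted(p.dictionary):  # sorted so the report is deterministic
        if word in lowered:
            out.append(f"contains dictionary word {word!r}")
    return out


def rejecting_hosts(pw: str, policies: list[Policy]) -> dict[str, list[str]]:
    """Which hosts would refuse pw, and why. An empty dict means the change can go everywhere."""
    result: dict[str, list[str]] = {}
    for p in policies:
        v = violations(pw, p)
        if v:
            result[p.host] = v
    return result


def length_conflict(policies: list[Policy]) -> bool:
    """The failure mode from the comment in its sharpest form: if some host's minimum
    exceeds another host's maximum, no password at all can be kept in sync across
    them, whatever its content. Detect that before trying candidates."""
    return max(p.min_len for p in policies) > min(p.max_len for p in policies)


# Constructed fleet: the official policy plus two hosts whose local rules drifted.
OFFICIAL = Policy("official", 8, 8)
FLEET = [
    OFFICIAL,
    Policy("port-hpux-03", 6, 8, require_symbol=False),  # laxer than official
    Policy("port-aix-07", 10, 64),                        # stricter, and incompatible with "exactly 8"
]

if __name__ == "__main__":
    for cand in ("Xq7#mLpz", "Passw0rd"):
        print(cand, rejecting_hosts(cand, FLEET) or "accepted everywhere")
    print("fleet can never share one password:", length_conflict(FLEET))
```

Run it before a rotation round: `length_conflict` tells you up front that `port-aix-07` can never take the same password as the official policy, which is the case where the commenter ended up keeping a per-host "password generation" file.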

  • @rhr-p7w  2 years ago +29

    Hi Dave! The reason for having your seat in the upright position is to protect your spine from vertical forces during a non-catastrophic impact, for example, a hard landing during rain or gusty winds. Sadly, most rules in aviation are written with blood (i.e. as a result of a deadly incident).

  • @joenord  1 year ago +2

    Nice video Dave. I arrived at IBM Boca in 1991 after Microsoft had left the building - the dreadful coffee machines were still present ($0.35 a cup). These dispenser vending machines were an IBM dev site standard, at least at the half-dozen or so sites I visited around that time. Dreadful coffee! So good for your colleagues to resist the man and brew a good cup. I add, they were not alone... The OS/2 test labs saved the day, having non-approved refrigerators and coffee pots hidden where for some reason the security folks could not see, so sodas were essentially free as the world intended. After each all-hands (free food event), a careful eye would see the test lab managers carting off supplies, always making new friends.

  • @James_Bowie  2 years ago +228

    "It is a longstanding prank at Microsoft’s main Redmond campus to send an unsuspecting new employee to building 7 under the pretense of having a meeting or needing to pick up something. There is no such building on the main Microsoft campus. This nonexistent building has also been used as a sort of inside joke. For example, if somebody invites you to a meeting in Building 7, they’re probably inviting you off campus to take a break from work."-- devblogs

    • @queenstownswords  2 years ago +9

      And how many of them ended up in building 8 to be met by?.. It would make for a few good stories.

    • @imark7777777  2 years ago +8

      I'll keep that in mind when I get hired at Microsoft in my next lifetime maybe?

    • @steeviebops  2 years ago +25

      The BBC had something similar at Television Centre in London. They had news studios numbered from N1-N6 and N8-N10. There was no N7 because they used the main studio TC7 for some news programmes and didn't want confusion between the two. So "I'm off to N7" usually meant going to the bar for a few drinks!

    • @stephenhunter70  2 years ago +1

      There is in all likelihood a different, equally valid reason why it doesn't exist, but I wonder if it works out to be the power box for the carpark lights. You know, about a meter high, and here at least the outer case is made of fiberglass.

    • @fightingfalconfan  1 year ago

      A quick google search on the map shows it's under construction.

  • @CallousCoder  2 years ago +202

    Oh another fun IBM security (or danger) story.
    I was in charge of a block of servers and unlike Unix servers that could perfectly be equipped with upgrades remotely, Windows machines in 2001 did require some stupid console interaction. And because of security, console over IP was not allowed to the office LAN. So I got 24 hour clearance to the DC and you had to hand in your mobile phone at security (why is beyond me because we couldn't film or steal data on a Nokia in 2001). I got the clearance from 7am to 7am.
    So I do the updates of the software at night and then from 5-7am there's an offline service window. So I come in at 6am, start the service pack upgrades and test everything (because with NT and 2000, nothing was guaranteed to work). But it was all fine, so at 07:10am I walk to the exit of the DC, hold my card in front of the reader and… a red light. Again… again a red light.
    It dawned on me that some idiot developer forgot to realize that it's okay to enter during your service window but not to exit after it expired. You should always be able to exit!!! Also after the entrance period has passed.
    So I pick up the emergency phone that has a direct connection to security… and nope, the line was dead.
    Here I was, stuck at 07:15 in a loud DC.
    The first employee that had to be in the DC appeared at 08:00am, who had to bring me to security.
    The security guard said: "I was already thinking, where is he? I got your phone here and I hadn't seen you again".
    The guy gave me my phone and registered my being in the DC. Then asked me why I didn't call.
    "I did, but that phone is dead!"
    The guy that took me was like: "Oh yeah, I'm rewiring the phone lines there. That makes sense, I'll fix that one right away. I guess it's more important than we'd thought."

    • @AnIdiotAboard_  2 years ago +14

      I just wanted to address some of your questions / statements if you don't mind.
      "you had to hand in your mobile phone at the security (why is beyond me because we couldn't film or steal data on a Nokia in 2001)"
      Back in the bad old days mobiles and shielding were non-existent; mobile phones in the datacenter were a sure-fire way to cause network problems, and data corruption if you ever left one on a server. Today shielding is much better but you still surrender your phone. Everything inside a datacenter is critical, you don't want photos leaking out, or photos of racks and switches being public, and depending on the datacenter and its DSS and TIER rating it's a security requirement today.
      "It dawned on me that some idiot developer, forgot to realize that it's okay to enter during your service window but not to exit after it expired"
      It dawns on me you weren't authorised to be in the datacenter, and access in and out is denied; emergency exits are in place to let you out without a card anyway. If your authorisation was till 7am, you should have been out at 06:59. None of my datacenters will allow you to enter or exit if your window has expired; staff are onsite anyway to let you folks out, and write up the security breach report for DSS and TIER certification requirements.
      "The guy that took me, was like: "oh yeah I'm rewiring the phones lines, there. That makes sense, I'll fix that one right away. I guess it's more important than we'd thought.""
      That would have got him fired even way back when; those phones have to be tested daily and a secondary option must be available (but that's a newer rule).

    • @CallousCoder  2 years ago +9

      @@AnIdiotAboard_ the no-phones rule was indeed a stupid shielding excuse, like hospitals and airplanes had. IBM is overly cautious. At least that's why I think it was. In the two times I had to be in the grid, I never really thought about it. Just handed it in.
      But it makes sense because the grids were individual blocks within the DC that were locked, so even if you had access to the DC you could only get into the grid where your stuff was. And that's compartmentalized per client. And each grid (or kavel as we call it in Dutch) was also shielded, because CRT images could easily be captured. Not that I would think any of my colleagues would care, as all of us that had access to that wing supported all those servers.
      Oh, perhaps that was the reason why phones weren't allowed either, as you could call someone over and open the door for them and they could provide access to a different grid. Don't know, don't care. Not working there anymore and don't want to go back to IBM. Hated it there! Poorly paid, over-managed shit show.
      It makes no sense to allow someone in and not out, because I can do the same amount of damage, so it's nonsensical to not allow an authorized person out. Unless you would proactively send security, who I trust far less than a senior grid owner.
      I am not helped with crashing my own grid as grid owner. My clients would call me 😄
      In every other DC I went to, granted not private DCs like IBM but public DCs where anyone can host their crap, you just registered your time of arrival. You could always leave.
      Otherwise with a severity 1 you would always be hustling to get an extension.
      Because you don't know how long something takes and that would slow down. Also by work law we are not allowed longer than 1 hour in a noisy environment without a break outside of that environment.
      That's why you have grids with key access too within the cooled area.
      Emergency exits, when you open them, are required by Dutch law to set the alarm off. And when an alarm goes off, everything needs to be unlocked. I thought that to be very excessive. I sat nicely and comfortably on the wiring guy's cable spool.
      And the guy being fired over one phone not yet being wired up? A bit excessive, he probably had that planned anyway. Who is usually in a locked data center at 6/7am? At IBM nobody usually starts that early, except us externals who keep the place running 🤪

    • @unicodefox  1 year ago

      @@CallousCoder I mean you could still phone a friend on the outside who was writing everything you said to them down.

    • @CallousCoder  1 year ago

      @@unicodefox well that would be very inconvenient because the only phone was at the entrance and I’m pretty sure that was an inside line only. Although I never found out because when I needed to call the security to let me out, it wasn’t hooked up. And after that I’ve never touched the red phone.

  • @MrGeocym  2 years ago +4

    Best security setup I have seen was a command and control center for handling emergency services. These servers were literally handling the dispatch of calls to the operators and providing realtime info on things like the GPS trackers in the vehicles etc. You needed to get through 3 swipe card access points to get to the ground floor level server room... or you could go outside and climb in through the window that was permanently propped open with an AC duct as they had no permission to physically modify the outside of the listed building in which it resided
    Love the coffee pot story. That is pure gold
    Keep up the amazing content Dave, I for one will always be hungry for more

  • @carlam6669  1 year ago +2

    My wife and I worked at Fairchild Semiconductor in Mountain View in the seventies. We would often swap photo ID security badges for the day: nobody would ever notice, including guards stationed at every entrance of every building. This was a time when software programs and data were stored on IBM cards. If you were carrying a box of blank cards from one building to another you were required to have a signed receipt from your boss. But if they were "used" IBM cards it wasn't a problem. I guess they didn't care if you were taking chip designs or other confidential information home with you.

  • @Richardincancale  2 years ago +181

    I worked in an IBM development lab in 84/86 - it's all true. You had to lock your desk, filing cab and terminal (or PC) when you left. Security would leave a sticker inside your desk drawer if you failed to lock it - I got one! Two security violations in a year meant no pay rise so it was quite a big deal! BTW I bought and read your book - it was so helpful - I recognised so many things in myself! Scored 43 on the AQ test!!

    • @davenz000  2 years ago

      Corporates in the late 90's / early 2000's used to have security check whether PCs were turned off at night for energy savings, all good until you came in the next morning and had to spend 30 / 60 minutes waiting for all the B.S. scripts / A.V. and crap to finish. Say an average of $35 per hour at the time, times 1000 workers every morning. Yeah, we were saving the planet and personally making bank whilst drinking coffee 20 years before the woke climate change people turned up.

    • @joeldejonge2986  2 years ago +3

      I'm new to computer architecture/software dev and curious about this book, where can one find a copy?

    • @Richardincancale  2 years ago +1

      @@joeldejonge2986 see the first entry in the video description

    • @leonkiriliuk  2 years ago +6

      Not much has changed. Working at IBM for 22 years now at their Toronto Lab, I feel that only the NSA has stronger security than IBM.

    • @FM4AMGV  2 years ago +6

      should've left the desk unlocked with a dye pack in it

  • @usaturnuranus  1 year ago +8

    I swear that the coffee maker in the box story was told to me many years ago. I always assumed it was an apocryphal tale, but Dave's word is unimpeachable in my book so there ya have it.

  • @richardclarke376  2 years ago +69

    I worked at a large bank where the dev server had the same password security policies as the production server. Accounts were locked after 3 incorrect login attempts. You would then have to phone IT to get it reset. With 50 engineers sharing 2 or 3 logins, those logins were locked out multiple times per day, resulting in much sitting around twiddling of thumbs and web surfing. One set of managers was responsible for that idiotic policy and another set berated the devs frequently for their low productivity.

    • @rogeliopanebarcomajr9115  2 years ago +2

      Haha i laugh

    • @KristopherNoronha  1 year ago +2

      well, password sharing is now banned in most orgs... mainly because if someone messes up, you need to know who to blame 😁

  • @quicktastic  4 months ago +1

    In the mid 90s, I had to go to an AT&T facility to troubleshoot a machine. After I walked down a flight of stairs, I was approached by 2 security people. They collected all my information because I committed a 'violation'. The violation was that I walked down the stairs without holding the handrail. I was in my 20s, working out and running quite a few miles per week. I could traverse stairs with ease. My manager thought it was funny and I asked him to never send me there again.

  • @TheGreatAtario  2 years ago +43

    The most fun (and confusing) security practice I ever observed was at a place where I kept getting emails from random people, addressed to the company "everyone" list, that just had "I love you" in the subject line and nothing (but the signature) in the body. Finally I asked what was going on and was told with a chuckle that people would send such emails from the machines of people who had walked away and left their desktops unlocked, to call out the lapse. (The "I love you" was a reference to the "ILOVEYOU" worm of 2000.)

    • @fredskronk  2 years ago +19

      Worked at an IT company in Dublin. Every time we saw an unlocked computer we used to open the group chat and write stuff like "anyone hitting the pub after work? Pints on me!"
      It was fun and you only left your workstation unlocked once (unless you really liked buying pints for your work mates, but hey, you could do that anyway :) )

    • @KristopherNoronha  1 year ago +4

      @@fredskronk we'd send a mail saying "I'm getting married!" and people would walk up to them and congratulate them and it'd be a while before they realized what actually happened.

  • @seylaw  2 years ago +73

    These IBM security policies reminded me a lot of my last job in the public sector; some people seem to love to invent rules but don't think of adapting or abolishing them if they either prove to be impractical or don't age well with new situations or needs.

    • @EannaButler  2 years ago +2

      There are always what I call "Professional Naysayers" in every company. They do provide a function. 1 time out of 10, they will trigger a thought in you, "no, I didn't actually think of that". The other nine times tho.....? 😕

    • @normalnon-spyperson  2 years ago +2

      This actually applies to a lot of things

  • @CallousCoder  2 years ago +47

    At IBM after 9/11 they had all these fire drills, password reset drills and security matrix scans.
    But like here, nobody looked at the photo badge. Sure they were RFID but I could've given my badge to Osama Bin Laden personally and he could've dropped a backpack with a surprise in front of the DC doors.
    My colleague actually had a photo of bin Laden pasted over his photo. And after a week he went to security to ask why they'd not seen this.
    At that moment they gave him a demerit for altering company property.
    Our manager was like: "This is hilarious! And I won't write you up."
    And it was a black and white photocopy stuck on there with tape 😂 And I hadn't noticed either, and we spent time at the (real) coffee machine every morning.

  • @vanderaj  2 years ago +42

    I co-led the development of the OWASP Application Security Verification Standard and the OWASP Top 10. We do not permit applications to enforce password rotation, as it actually makes it easier for attackers to guess your password. The only thing that we do require is multi-factor authentication and longer passwords than normal. We are aligned with NIST 800-63B, which has the same requirements. Microsoft also stopped enforcing password rotation in circa 2016 or so. Please stop doing it. It's not actually secure.

    • @ghjkhb  8 months ago

      lol

    • @davidroberts9099  7 months ago +1

      As an InfoSec professional of a decent number of years I must agree. Password rotation is a bigger risk than password retention.

  • @billj5645  2 years ago +1

    Bisecting the currency to determine why the copier wouldn't copy it reminded me of when I was developing proprietary company software for MS-DOS. To keep employees from taking the software when they left I had the software put a large splash screen on the monitor with the company name and then the software would poke a handful of screen locations to verify that the proper letters were there. We had an employee one time that somehow figured out there was a connection between the splash screen and the software running or not running, so he did trial and error to remove parts of the splash screen until he determined the few screen addresses that mattered. On his screen, instead of the full company name printed in large letters formed out of individual characters, he had blank space with only a half dozen letters scattered around the screen seemingly at random.
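The check described above samples a handful of cells of a text-mode screen, and the employee defeated it by blanking cells one at a time and watching whether the program still ran. The following is an added Python simulation, not the commenter's DOS code: an 80x25 buffer stands in for video memory, `passes_check` is the program's sampled comparison, and `minimize` is the employee's trial and error as an algorithm, using only the pass/fail signal. The company name, the row it is drawn on, the number of sampled cells and the seed (which stands in for addresses hard-coded in the binary) are constructed.

```python
import random

COLS, ROWS = 80, 25
NAME_ROW = 12
NAME = "ACME-WIDGETS-INC"  # constructed company name, no spaces so every cell of it is visible


def render_splash(name: str) -> list[str]:
    """Blank 80x25 text screen with the company name centred on NAME_ROW."""
    blank = " " * COLS
    start = (COLS - len(name)) // 2
    screen = [blank] * ROWS
    screen[NAME_ROW] = blank[:start] + name + blank[start + len(name):]
    return screen


def sample_points(name: str, k: int = 6, seed: int = 1234) -> list[tuple[int, int]]:
    """The 'handful of screen locations' the program pokes: k cells inside the rendered name."""
    start = (COLS - len(name)) // 2
    cols = random.Random(seed).sample(range(start, start + len(name)), k)
    return [(NAME_ROW, c) for c in sorted(cols)]


def passes_check(screen, expected, points) -> bool:
    """What the protected program does: compare only the sampled cells with the expected rendering."""
    return all(screen[r][c] == expected[r][c] for r, c in points)


def nonblank_cells(screen) -> set[tuple[int, int]]:
    return {(r, c) for r, row in enumerate(screen) for c, ch in enumerate(row) if ch != " "}


def minimize(screen, oracle) -> list[str]:
    """The employee's method, automated: blank one visible cell at a time and keep the
    blank whenever the program still runs. The check fails only when a sampled cell
    changes, so the cells that survive are exactly the sampled ones: the program leaks
    its sample points through its pass/fail behaviour."""
    grid = [list(row) for row in screen]
    for r, c in sorted(nonblank_cells(screen)):
        saved = grid[r][c]
        grid[r][c] = " "
        if not oracle(["".join(row) for row in grid]):
            grid[r][c] = saved  # this cell is one the program looks at; put it back
    return ["".join(row) for row in grid]


SPLASH = render_splash(NAME)
POINTS = sample_points(NAME)


def check_oracle(screen) -> bool:
    """The only signal the employee had: does the program run with this screen?"""
    return passes_check(screen, SPLASH, POINTS)


if __name__ == "__main__":
    stripped = minimize(SPLASH, check_oracle)
    print(repr(stripped[NAME_ROW]))
    print("still passes:", check_oracle(stripped), "cells left:", len(nonblank_cells(stripped)))
```

The minimised screen has six characters left on an otherwise blank row, which is the picture the commenter describes; each probe costs one program start, so sixteen starts were enough here. A sparse integrity sample that answers pass/fail is an oracle for its own sample set.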

  • @overclocktime6312  2 years ago +19

    A colleague from my previous company told me that he refused a job at IBM precisely because of their strict security rules... Another example he gave was having to badge out when going to the toilet (presumably also to track the time the employees spent not working).

  • @makingtechsense126  2 years ago +17

    I worked for Symantec over a decade ago. I worked in tech support. The last year-and-a-half I was there I supported their physical firewall product. Because of the nature of the product our lab had to have a direct connection to the internet with a handful of internet-routable IP addresses that we could use. When I joined the team part of the training was a very strong warning about the internet usage in the lab. You see, years before, an employee had set up their own private server in the lab and had been serving out large volumes of "content." After that incident it was well known that any abuse of the lab would result in immediate termination. Also, the lab was audited regularly to prevent such an incident.

    • @KristopherNoronha  1 year ago

      I worked at Symantec too! And I never tried to set up private servers or anything like that, but I did notice that filesharing sites were not blocked. I never did anything illegal, although I do not remember ever having to go through any sort of training about what was allowed and what wasn't!

    • @jovetj  11 months ago

      @@KristopherNoronha You sound like a 'content' addict 😉

  • @cheereebus  2 years ago +51

    I had to get a similar waiver when I worked at Microsoft on parental controls in MSN. The difference is that it said that I would not sue the company because my job may require me to look at porn and other adult materials in the normal execution of tasks.

    • @lisam5802  7 months ago

      @koyaanisqatsi316 It was not him who presented the Bidick on national Television

  • @TheStevenWhiting  2 years ago +5

    That was our rule at work. You were only allowed to mess with someone's laptop if it didn't interrupt their work. Like when I came back to my laptop none the wiser. Until a week or so later I noticed icons on my desktop at home had been changed. Turns out while I was remoting to home, I'd forgotten to lock my laptop when I left my desk. The engineer next to me noticed, noticed I was remoted to home (we weren't supposed to, but I was doing it in a way they'd not spot the traffic); he never said anything, just changed the names of the icons on my desktop :) and laughed when I finally noticed.

    • @clonkex  2 years ago

      This should be obvious to anyone with half a brain, but the above message is fraud and not from Dave.

  • @shdon  2 years ago +41

    Raymond Chen's blog (and his book of the same name, which I also loved) is one of the main factors that made me regard Microsoft in a much more positive light. Like his blog, your channel shows us quite a bit more about the human side of Microsoft, and how the people there are clever and passionate about their work, but also have a sense of fun.

  • @revengefrommars  1 year ago +3

    There was one time during the company meeting day I decided to stay at work and get more stuff done. Someone else on my team decided he was going to go but had forgotten his cardkey that day, so I loaned him mine since my face was entirely worn off the card. When he came back from the meeting and gave my card back, I asked how it went. He said he showed the badge to a security guard on the way in and the guy let him in, saying: "get a new badge".

  • @jeffwoodard  2 years ago +4

    This is a great channel with awesome stories and helpful content. The coffee pot box marked confidential is hilarious. Thanks dave for sharing.

    • @jovetj  11 months ago

      It was marked MICROSOFT-CONFIDENTIAL. 😉

  • @shinigamilee5915  2 years ago +37

    The air force tried to force me to lock my cabinet each night and I only used it to store my jacket and some personal clothes. So I rigged my lock to open when I pulled it out in an upward and to the right tugging motion. The same to close it. One time I got caught opening it without a key. The next day a lock was replaced. Which ironically made it worse. 🤣

    • @davidmartensson273  1 year ago +3

      One problem with unlocked cabinets is that someone else might use your cabinet to store things they would not want to be associated with, which could end up putting you into trouble. If it's small things like narcotics it might be hidden enough for you to not notice.

  • @lances8460  2 years ago +59

    The company I retired from required us to change our password frequently. At the time I didn't think this was a very good idea since it made more sense to have one highly secure password or phrase. Your password could not be ANY of your previous passwords. To make it easier for myself I used the same word and character followed by the current two digit month and two digit year. Always different, I could guess within a couple of tries if I wasn't sure, not very secure. But it was in compliance.

    • @meneerjansen00  2 years ago +23

      Everybody does that. It's impossible to come up w/ a unique password every month and remember which is the current after 2 years. ;)

    • @evoblade2000  2 years ago +7

      @@meneerjansen00 Which is why I wrote my password on a sticky note on the laptop. F them and their stupid policy. Fortunately they dropped the password change requirement.

    • @Infrared73  2 years ago +10

      My last work had implemented PCI compliance rules requiring password rotations every 3 months. I just tacked on the quarter (Q1, Q2 etc) and the next year the month (5 passwords were retained to prevent frequent reuse).

    • @Chris.Wiley.  2 years ago +3

      Yep, that's exactly what I do now.

    • @mwbgaming28  2 years ago +4

      Password rules are cancer
      If some bozo wants to use 1234, that's their problem

  • @ChrisDreher  2 years ago +196

    As a Microsoft employee, I wrote a simple tool that went on the internal tool repository. The 1st time you contributed a tool, you received a prize/gift: a tiny Swiss army knife with the tool team's logo on it.
    6 months later, Microsoft sent out a policy that knives were no longer allowed on campus (ignoring the cafeterias). I kept that Microsoft-branded knife on campus as a joke, calling it my "weapon of mass destruction", even though the blade was so tiny it would have broken trying to spread butter on toast.

    • @twobob  2 years ago +31

      you rebel. Butter everywhere quakes with unnecessary fear...

    • @FindLiberty  2 years ago +5

      *REPORTED*

  • @overclocktime6312  2 years ago +27

    For the password renewal requirement at my previous company (was 90 days and couldn't reuse passwords) I used the current year + month and 3 chars of my name (8 chars total). I can only assume it was not as secure as the randomly generated 14 chars password that I used for the first time before getting annoyed :-).
    My current company luckily understands that and uses a different way - security runs regular scans trying to guess your password and only requests a change if they are able to guess it. So if you choose a good password you don't have to change it ever.

    • @duneode  2 years ago +3

      Just get a password manager.

    • @jaykebird2go  2 years ago +4

      Wow, that's a kind of smart and intuitive way to do that, having some program or person every now and then going through and trying to guess passwords! I like that

    • @mrtechie6810  2 years ago +1

      @@jaykebird2go security audit

    • @luipaardprint  1 year ago +1

      @@duneode that doesn't work for your main account login, and should also be considered a risk since all passwords are locked behind a single one still.
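Several commenters above (lances8460, Infrared73, overclocktime6312) describe the same workaround for forced rotation: a fixed base plus the month, quarter or year, and vanderaj's point is that this is exactly what makes a rotated password easier to guess than a kept one. The scan overclocktime6312's current employer runs instead can be built on that observation. The following is an added Python example, not any commenter's tool: given a password a user is known to have used before (for instance from an old breach dump), it generates the successors the rotation trick would produce and tests them offline against the stored hash, so that only users whose current password is predictable from their old one are asked to change it. The store is assumed to use salted PBKDF2-HMAC-SHA256 (an assumption for the example); the three users, their salts, passwords and the audit date are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import date

ITERATIONS = 20_000  # PBKDF2 rounds; kept low so the example runs quickly


def kdf(password: str, salt: bytes) -> bytes:
    """Assumed storage format: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def record(user: str, password: str, salt: bytes) -> dict:
    return {"user": user, "salt": salt, "hash": kdf(password, salt)}


# The three suffix habits described in the thread: quarter, month+2-digit year, counter.
QUARTER = re.compile(r"Q[1-4]$")
MMYY = re.compile(r"(0[1-9]|1[0-2])(\d{2})$")
COUNTER = re.compile(r"(\d+)$")


def successors(old: str, today: date) -> set[str]:
    """Passwords a user following the rotation trick would plausibly have moved on to."""
    cands: set[str] = set()
    m = QUARTER.search(old)
    if m:
        base = old[: m.start()]
        cands.update(f"{base}Q{q}" for q in range(1, 5))
    m = MMYY.search(old)
    if m:
        base = old[: m.start()]
        for year in (today.year - 1, today.year):  # every month of this year and last
            for month in range(1, 13):
                cands.add(f"{base}{month:02d}{year % 100:02d}")
    m = COUNTER.search(old)
    if m:
        base, digits = old[: m.start()], m.group(1)
        for step in range(1, 6):  # next few counter values, zero-padded to the same width
            cands.add(f"{base}{int(digits) + step:0{len(digits)}d}")
    cands.discard(old)
    return cands


def audit(records: list[dict], leaked: dict[str, str], today: date) -> dict[str, str]:
    """leaked maps user -> a previously used password. Returns the users whose current
    password is a predictable successor of it, with the recovered password."""
    hits: dict[str, str] = {}
    for r in records:
        old = leaked.get(r["user"])
        if old is None:
            continue
        for cand in sorted(successors(old, today)):
            if hmac.compare_digest(kdf(cand, r["salt"]), r["hash"]):
                hits[r["user"]] = cand
                break
    return hits


# Constructed data: alice and bob rotated predictably, carol chose an unrelated password.
TODAY = date(2025, 4, 15)
RECORDS = [
    record("alice", "Coffee!0425", b"salt-alice-0001"),
    record("bob", "Lab$Q3", b"salt-bob-000002"),
    record("carol", "w7Gm!p3Xq", b"salt-carol-0003"),
]
LEAKED = {"alice": "Coffee!0125", "bob": "Lab$Q2", "carol": "Winter2023"}

if __name__ == "__main__":
    print(audit(RECORDS, LEAKED, TODAY))  # {'alice': 'Coffee!0425', 'bob': 'Lab$Q3'}
```

Each user costs at most a few dozen KDF evaluations, which is why a scheduled scan of this kind is cheap; the same arithmetic is what an attacker with last year's dump does, and it is the reason NIST 800-63B drops periodic rotation in favour of screening against known-compromised passwords and requiring a change only on a hit.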

  • @robertdolby  2 years ago +6

    As a former MSFT FTE (2006-2014 in Redmond) I was hanging on every word. When I worked in Windows, Raymond Chen's office was two doors down in Building 76 -- what used to be owned by SafeCo. Thank you for this, Dave!

  • @CTCTraining1  2 years ago +27

    Thx, a great reminder of the excesses of the building security. Remember persuading my boss to get a decent coffee machine maintained by the company for employee use to avoid any potential risk of dodgy home appliances. Turning the dark side against them 😀👍

  • @davep9565  2 years ago +11

    Seems getting around rules and security is the favorite sport of all developers! Thanks for the great stories.

  • @zymurgic  2 years ago +24

    The most ridiculous corporate IT security policy I came across was that on company laptops and desktops, all employees were only allowed to run whitelisted software delivered by some in-house application store thing, no exceptions. Enforced by various endpoint security software and group policies. Only problem was the role of a software developer in that company. It took ages to persuade the powers that be to let the developers use a compiler. Then you can imagine trying to persuade the powers that be that each and every output of the compiler could be run.
    Eventually, a virtual machine guest with full admin rights on the guest, but no direct access to the corporate network was approved, and all the work was done in that, and the developers could actually do their job.

    • @lmaoroflcopter
      @lmaoroflcopter 2 ปีที่แล้ว +3

      That's how it should be done. Development on the user's main terminal where they deal with their corporate admin should be prohibited. Instead developers should do their actual development via a VDI. TBH I'd go so far as to say allowing a virtual machine on the developer's host was incorrect. You could literally run anything you like to attack the wider network in that case. It should still be a managed and monitored machine but can have relaxed controls to enable development, hence VDI.

    • @zymurgic
      @zymurgic 2 ปีที่แล้ว +1

      @@lmaoroflcopter The issue here is that the blanket policy to forbid arbitrary executable code pre-dated the provision of virtual desktops / virtual machines by several months.

    • @lmaoroflcopter
      @lmaoroflcopter 2 ปีที่แล้ว

      @@zymurgic Really? Because you appear to be against the premise of execution arbiters in your first post, you make no mention of timelines, just the security policy of only allowing "whitelisted" software delivered via application packaging.
      Granted there is a right way and a wrong way to implement things, ensuring folk can do their work for one, but the cry of 'but I'm a dev and I wanna' should not be pandered to.

    • @clonkex
      @clonkex 2 ปีที่แล้ว +1

      @@lmaoroflcopter Meh, maybe it should be done like that (I'm not convinced btw), but I wouldn't want to work that way.

    • @lmaoroflcopter
      @lmaoroflcopter 2 ปีที่แล้ว

      @@clonkex you may not want to work that way, I'd rather not spend my days implementing security controls for an environment, but sadly there's a reason why we do.

  • @robertianhawdon
    @robertianhawdon ปีที่แล้ว +2

    You can tell Dave did a good job with Activation as Windows XP's offline activation has only recently been fully cracked, a full 22 years after release. However, most of us just used the Volume Licence version that didn't have activation in the first place.

  • @DanielleWhite
    @DanielleWhite 2 ปีที่แล้ว +1

    I am loving this one! It reminds me alternately of working for a large, privately held software firm and of earlier Unix sysadmin jobs for universities. The former more for things like the security antics and the latter was an absolute trove of forgotten hardware. There was a memorable day in the early 2000s when we decided to clean out all dead-in-place wiring and equipment which remained under the university's main data center floor. The project quickly ballooned into two and a half days and included a lot of tech archeology. My personal favorite was the length of Thinnet which had an unusual MAU attached - longer and thinner than most and with a quarter-round profile.

  • @Hanneth
    @Hanneth 2 ปีที่แล้ว +28

    Back in the 90s Microsoft did some research on how often you could change a password and still have it secure. For the average user it was every 2 years. You could push it as low as every 1 year, but that was the absolute minimum amount of time between password changes. Programmers were a little different. You could safely have them change their password once a year and have them still remember their secure passwords. This could be pushed as low as every 6 months.
    I think the default password change policy for Windows Server is still every 45 days.
    I remember taking the beta Microsoft Cybersecurity Architect exam.
    As part of that you needed to read the official Microsoft red book and Writing Secure Code was highly recommended.
    The funny thing was that Writing Secure Code directly referenced the red book saying multiple times, don't listen to this, it is bad security.
    I got to meet Michael Howard, I think at the Microsoft VSLive! 2008. I asked him about the red book, and also about why Microsoft Server was not taking some of their own research into consideration. After a few colourful swear words about how the red book should never be read, he had quite a few colourful names for what he referred to as the idiots making some of the decisions on Windows NT security. He got visibly angry at the mention of both of those. He calmed down quicker about my questions on Windows NT actually answering the question about why the 45 days hadn't been changed. His answer was basically it takes a long time to get through the red tape.
    I also got to ask one of the members of the Silverlight team whether they weren't worried about security holes from integrating .NET 2.0 straight into the plugin. I was flat out told there weren't any security holes in .NET 2.0. After that answer, I didn't even bother asking why they weren't going with .NET 3.5, which had been out for a few months, with one of its focuses being on plugging all the security holes from 2.0. Also, just 5 days earlier a new exploit in .NET 2.0 had been discovered that let your .NET app completely bypass all sandboxing.

    • @ThisIsTheBestAnime
      @ThisIsTheBestAnime 2 ปีที่แล้ว +7

      "there weren't any security holes" That's hilarious and a little sad.

    • @jbutler8585
      @jbutler8585 ปีที่แล้ว

      My understanding of The Password Rule is that if a nefarious actor captures an encrypted password in transit in some way, it'll take time to brute-force break the encryption and figure out what the password was. No problem, as long as the time it takes to expire is shorter than the processing power needed to decode. It assumes the attacker isn't dedicating a processor farm to finding Average Joe's password, so admin credentials expire much faster since they are worth more effort.

    • @Hanneth
      @Hanneth ปีที่แล้ว

      @@jbutler8585 Most people don't try to brute force encrypted passwords. It is inefficient.
      Quite often they will get a number of encrypted passwords at one time. Depending on the source of the passwords, they will either use common password attacks, directed attack, or both.
      Directed attacks being finding out information about the people that made the password and using common password tropes used on that.
      If you force people to change a password too often, then the common tropes become almost universally used, or people having to write them down. Both defeating almost any security that a password is supposed to provide. The research showed that people can't keep track of high quality passwords if you change them too often.
      The fallacy is that they are making a really hard, rarely used attack harder, while making the more common attacks almost trivial.
      Before someone says, you just need better password rules. Many password rules actually make it easier to guess the passwords as it narrows down the possibilities. That's not to say that you shouldn't have any password rules at all, you just have to be very careful to not make them too restrictive. After all, "password" as a password should never be allowed, yet it is one of the most common passwords used on the Internet.
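
The two password threads above (the company that "runs regular scans trying to guess your password", and the reply explaining that forced rotation pushes everyone onto the same tropes, which an attacker with a dump of hashes then tries first) describe the same offline audit from opposite sides. The following is an added example, mine rather than code from the video or from any company mentioned, of what such a scan looks like: generate candidates from rotation tropes (base word plus incrementing suffix, year+month plus a name fragment), hash each guess once, and match it against every stored hash. Unsalted SHA-256 stands in for the unsalted NTLM hash a Windows domain actually stores; the three accounts are constructed sample data.

```python
"""Offline password audit driven by rotation tropes (added example, constructed data)."""
import hashlib
from typing import Dict, Iterable, List


def stored_hash(password: str) -> str:
    # Unsalted digest on purpose: it mirrors NTLM, where one guess is tested
    # against every account at once. A salted KDF would force per-user work.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def rotation_tropes(base_words: Iterable[str], name_fragments: Iterable[str],
                    years: Iterable[int], suffix_max: int = 99) -> List[str]:
    """Candidates people fall back on when forced to rotate on a schedule."""
    cands: List[str] = []
    # Trope 1: a fixed word plus a counter that ticks up each rotation.
    for word in base_words:
        for n in range(suffix_max + 1):
            cands.append(f"{word}{n}")
            cands.append(f"{word}{n:02d}")
            cands.append(f"{word}{n}!")
    # Trope 2: the date of the rotation plus a bit of the user's own name.
    for y in years:
        for m in range(1, 13):
            for frag in name_fragments:
                cands.extend((
                    f"{y}{m:02d}{frag}",
                    f"{y % 100:02d}{m:02d}{frag}",
                    f"{frag}{y}{m:02d}",
                    f"{frag}{y % 100:02d}{m:02d}",
                ))
    return list(dict.fromkeys(cands))  # dedupe, keep order


def audit(stored: Dict[str, str], candidates: List[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for every account whose hash matched a guess."""
    lookup = {stored_hash(c): c for c in candidates}   # hash each guess exactly once
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# Constructed sample accounts (hypothetical users, not real data).
SAMPLE_HASHES = {
    "dave": stored_hash("2311Dav"),          # YYMM + three letters of the name
    "sue": stored_hash("Believe58"),         # word + counter, a few rotations in
    "bob": stored_hash("q7$Lm2!xPz9&wR"),    # random; should survive the scan
}


def run_sample(year: int = 2023) -> Dict[str, str]:
    """Audit the sample accounts for the given year and the one before it."""
    cands = rotation_tropes(
        base_words=["Believe", "Summer", "Welcome"],
        name_fragments=["Dav", "dav", "Sue", "Bob"],
        years=[year - 1, year],
    )
    return audit(SAMPLE_HASHES, cands)


if __name__ == "__main__":
    for user, pw in run_sample().items():
        print(f"{user}: weak password recovered -> {pw!r}, request a change")
```

Only accounts that the scan actually recovers get a forced change; the random password is never touched, which is the policy the first commenter's current employer runs. The candidate list here is a few thousand entries; a real audit would feed a cracker a much larger wordlist with mangling rules, but the shape of the attack is the same.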

  • @AugustusTitus
    @AugustusTitus 2 ปีที่แล้ว +118

    Never underestimate developers. Can't use the last 25 passwords? Someone will write something that changes the password 26 times.

    • @EdgeDC
      @EdgeDC ปีที่แล้ว +13

      All undone by setting domain password rules for *minimum* password age. :)

    • @aperson9495
      @aperson9495 ปีที่แล้ว +4

      @@EdgeDC This lol. Complexity required, max password age 90 days, min password age 70 days, last 100 passwords remembered. Have a nice day. 😈

    • @EdgeDC
      @EdgeDC ปีที่แล้ว +2

      @@aperson9495 …except that Windows & AD won’t let you set the # of passwords remembered to be higher than 24, but otherwise yes, I agree. 🙂

    • @KristopherNoronha
      @KristopherNoronha ปีที่แล้ว +2

      I find it easier to remember one password (and change it - I follow a pattern that's easy to create the next password from my current one) and muscle memory takes over after about 2 days. The brain is sometimes easier to program than a computer!

    • @liamhome1664
      @liamhome1664 ปีที่แล้ว +8

      Yep, gotta love corporate security. Saw my coworker's password by accident one time: "Believe55". Better believe she is now on Believe58 since it's been nine months since then...
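
The thread above works through a real policy interaction: a "remember the last N passwords" rule on its own is defeated by a script that cycles N throwaway passwords and sets the original back, and a minimum password age is what actually stops the script. The block below is an added example, mine and not code from the video or from Active Directory, that implements both checks the way a directory service would (history kept as salted digests, never plaintext) and then runs the developer's trick against a policy with and without a minimum age. Parameter names and the throwaway passwords are my own choices.

```python
"""Password-history and minimum-age enforcement, plus the history-flushing trick (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


class PolicyViolation(Exception):
    pass


@dataclass
class PasswordPolicy:
    history_length: int = 24      # previous passwords remembered
    min_age_days: float = 1.0     # a new password must stay in place this long


@dataclass
class Account:
    # (salt, digest) pairs, oldest first; plaintexts are never stored
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: datetime = datetime.min


def _digest(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the demo fast; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2_000)


def change_password(account: Account, new_password: str,
                    policy: PasswordPolicy, now: datetime) -> None:
    """Apply the two checks, then record the new password in the history."""
    if account.history and now - account.last_changed < timedelta(days=policy.min_age_days):
        raise PolicyViolation("minimum password age not reached")
    for salt, digest in account.history[-policy.history_length:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            raise PolicyViolation("password was used recently")
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_password, salt)))
    account.last_changed = now


def flush_history_trick(policy: PasswordPolicy, original: str = "Hunter2!") -> bool:
    """The developer's script: change through N throwaways in one sitting, then
    set the original back. Returns True if the original is accepted again."""
    now = datetime(2024, 1, 1, 9, 0)
    acct = Account()
    change_password(acct, original, policy, now)
    try:
        for i in range(policy.history_length):
            now += timedelta(seconds=1)
            change_password(acct, f"throwaway-{i}", policy, now)
        now += timedelta(seconds=1)
        change_password(acct, original, policy, now)
        return True
    except PolicyViolation:
        return False


def demo() -> Dict[str, bool]:
    """Trick outcome under a history-only policy versus history plus minimum age."""
    return {
        "history_only": flush_history_trick(PasswordPolicy(history_length=24, min_age_days=0)),
        "history_and_min_age": flush_history_trick(PasswordPolicy(history_length=24, min_age_days=1)),
    }


if __name__ == "__main__":
    for name, succeeded in demo().items():
        print(f"{name}: trick {'succeeded' if succeeded else 'blocked'}")
```

With history only, 24 throwaway changes push the original out of the remembered window and it is accepted on the 25th change; with a one-day minimum age the very first throwaway is rejected, so the remembered-password count no longer matters. Note that the reply about Windows capping the history at 24 is about the policy setting, not this code; the cap is why the minimum age is the control that carries the weight.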

  • @neilbradley
    @neilbradley 2 ปีที่แล้ว +12

    When I worked at Intel in the early 90s, there was a standing rule that you could only take out 10 3.5" floppy disks, but you were allowed two 250MB tapes. Then there was the time I was reprimanded for plugging two outlet strips into each other, each with two wall warts that consumed a few watts each, yet no problem with the outlet strip in the adjacent cube that caught fire because there were four 10-amp devices (American Ariums) plugged into it.

    • @xlerb2286
      @xlerb2286 2 ปีที่แล้ว +5

      I hear you. At my first job out of college we were located in a converted retail mall. Outlets were at a premium and we had daisy chains of outlet strips plugged into outlet strips. If a circuit breaker popped you just found another chain of power strips that led back to an outlet on a different circuit and plugged into that. Rumor had it the CEO/owner of the company just wrote out a check for the fire inspection fines due to all our violations as it was still cheaper than having the place rewired. It sounds like that may have been a sketchy place but it was a good company to work for, almost everything except for the power strips was good about the place. And before long we moved out of the mall and into our own new building. We had huge boxes full of power strips that were no longer needed so employees were free to take as many as they wanted for personal use. I have a few good heavy duty trip-lite power strips from that company that I still use.
      (Security there was a joke too, btw. But as others have said those were simpler times).

    • @mrtechie6810
      @mrtechie6810 2 ปีที่แล้ว +1

      Where I worked, it was forbidden to plug anything in to a power socket. Only IT had permission to do that.

  • @KurtisRader
    @KurtisRader 2 ปีที่แล้ว +5

    Grey beard here (now 61 years young) and I have experienced nearly every example of security theatre/idiocy described in this video. Being forced to change my passwords every two or three months in the 1980-2000 time frame was particularly infuriating. I too used workarounds similar to those described in this video. The people responsible for security policy had zero knowledge of human behavior.

  • @terristen
    @terristen 2 ปีที่แล้ว +45

    I was once asked to write a printer sharing tool so that managers could share their printer with their direct reports without going afoul of the corporate rules on who could have a desktop printer... circumventing the strict security rules they had in place to prevent resource sharing in windows. I wrote it in MS Access VBA so that there were no new installed executables for IT to question. Worked great!

    • @MS-ho9wq
      @MS-ho9wq 2 ปีที่แล้ว +5

      Access VBA... ugh, please don't remind me 😆

    • @heathbruce9928
      @heathbruce9928 2 ปีที่แล้ว +1

      Why is Access VBA such a chore? Just because MS chooses not to update the ide?

    • @terristen
      @terristen 2 ปีที่แล้ว +7

      @@heathbruce9928 so, back in the day, I actually liked it... but then I grew up in my expectations of a language. There used to be an Access Deployment Toolkit that allowed you to "compile" an Access mdb and install it as if it was a standalone exe. I used (abused) that to no end. Wrote an instant messaging app (cause IM was against security policy) that gave me backdoor practical jokes I could pull on anyone I could message. I.e. send a special coded message and make their motherboard start beeping every 3 seconds for 10 minutes, or make their cdrom tray eject. All that with Access VBA, and therein lies the problem. If I'd wanted to do major harm, it would have been a breeze. It might be a clunky base-index-1 tortoise of a language, but the dangers were myriad, and there was no way at the time to track down threats. Later, I used those skills to make a realtime multi-player chess game in an excel worksheet. So, could it do great things? Absolutely. Was it slow and clunky? Yes. Was it a security nightmare? Without a doubt.

    • @onemoreguyonline7878
      @onemoreguyonline7878 ปีที่แล้ว +2

      @@heathbruce9928 ahaha what IDE?

  • @WarpFactor999
    @WarpFactor999 2 ปีที่แล้ว +8

    Dave! Great segment! I also date back to the early DOS days (and CP/M, TPM, DEC PDP's running RSX-11M and RT11, VAX VMS, etc.). You always manage to bring back so many memories. I worked for a utility company that hated MS, so they went with OS/2 instead, never thinking that it was partially a MS product. Great stuff Dave! Thanks so much! Cheers from Texas!

    • @robsku1
      @robsku1 2 ปีที่แล้ว +4

      OS/2 might've been partially developed by MS at one point, but it ended up being a competing product - and fairly superior IMHO, having had some experience with it in the mid-/late-90's. Also here in Finland it was still used in the early 2000's by some government services and when I asked them (their workers) about it, they seemed to like it better and more stable than Windows.
      Fun thing, because of the earlier co-operation between the two, IBM ended up with having rights to use 16-bit Windows source and OS/2 ended up having more stable and reliable 16-bit Windows than Windows itself (doesn't matter if we're talking of 16-bit Windows itself, or the implementation of it in the 32-bit windowses, OS/2 did it better) :)

    • @scottmesserschmidt7778
      @scottmesserschmidt7778 2 ปีที่แล้ว

      Two 56k modems combined them for 115k speed, called BBS, OS/2 Warp downloaded files, need hung the phone up, it made slip knot, it was done. I have a box of OS/2 with several 3.5" disks. Also had GeoWorks, a small windows program back in the day. Later learned MSD format.

    • @WarpFactor999
      @WarpFactor999 2 ปีที่แล้ว

      @@scottmesserschmidt7778 Wow! Awesome! Life in the fast lane back in the day!

  • @DavesGarage
    @DavesGarage  2 ปีที่แล้ว +14

    1:40 Aboot!

  • @robertthomas5906
    @robertthomas5906 2 ปีที่แล้ว +4

    The password bit. Novell's netware had a password policy. An employee of mine back in 2006 asked me about it. I said there's a lockout on re-use. Probably can reuse it in 12 cycles. Time goes by... He came back to my desk hours later. He said he had changed it 57 times and it still won't let him change it back to what it was. I think we found out it was set such that you couldn't use the same password, ever. I thought that was funny. I'm using the same password - os: no you're not young man.

  • @MeppyMan
    @MeppyMan 2 ปีที่แล้ว +4

    It’s not just about blocking the row behind you. It’s also about your own physical position in case of an accident or emergency landing and needing to brace.

    • @DavesGarage
      @DavesGarage  2 ปีที่แล้ว +1

      I can't rationalize that one, as brace position uses the seatback in front of you. In fact, if you're in the last row, your seatback doesn't come into play at all.

    • @jovetj
      @jovetj 11 หลายเดือนก่อน

      @@DavesGarage It's about making everyone conform so we're all equally miserable. 😁

  • @alfrede.newman1838
    @alfrede.newman1838 2 ปีที่แล้ว +9

    THE worst Blue Badge who NEVER followed the basic security rule had to be SteveB.
    Either outside a Bldg waiting for the doors to magically open or waiting for some Blue Badge to let him slip in (and we all had that video).
    And when he showed up at the Pro Club with no ID (how did he drive there?) and some new kid on the desk asks "Who are you?" ...
    Yup, my vote for Blue Badge failing the most basic security rule goes to SteveB.

  • @headpox5817
    @headpox5817 2 ปีที่แล้ว +4

    I worked for a company which had air-lock security doors at the front. You swipe to get into the air lock, wait for the front door to close, then swipe to open the next doors to get into the office area. Security were sitting on the other side of bullet-proof glass, watching you. One day a whole bunch of us came back from lunch at the same time. Someone swiped the first door and we all crammed into the air lock. Security saw this and manually opened the second door before the first door had closed. Nice fellow, I thought. However, once inside I saw this woman standing, looking a little lost. I asked. She was looking for a totally different organisation. She managed to get swept into the building with all of us, aided by the security guard. I pointed this out, only to be accused of letting her in. Not such a nice fellow after all!

  • @angieandretti
    @angieandretti 2 ปีที่แล้ว +4

    Man I'd LOVE to come upon a time capsule like the one in your story! Also I work for a US retailer that is way over-cautious regarding employee password rules. Requirements: 12 char min length, must contain uppercase+lowercase+number+punctuation, change required every six months, and they track the last six passwords for each employee... and the worst part is that NOTHING this password protects is particularly valuable!! The most serious thing it's used for is signing in-and-out on the labor time sheet. Myself, I cycle the final digit 0-9, but I met this one guy who'd been here for decades - and let's say he was the opposite of a developer when it came to computer skills - I saw him sign-in once and his password was, like, a full paragraph long! Turns out he'd been adding one letter every six months for twenty years. :O

  • @nefariousyawn
    @nefariousyawn 2 ปีที่แล้ว +3

    As a basic wage employee at Marriott, I have to change my password to the employee portal every 90 days. A previous password will never be accepted when changing it. This is coupled with 2fa with every login. My own bank can't even be bothered. I just go through the account recovery process once a year when it's time to download my W2, because I can't be bothered to remember to login to change my password on schedule.

  • @niekotunemoki
    @niekotunemoki 2 ปีที่แล้ว +34

    Hey Dave, your security story reminded me about the Windows serial number you had to enter during installation since 95. I found a workaround, and it was never fixed. After it's asked, it was possible to boot in safe mode, open regedit and put in any serial you like. Reboot and relax and enjoy while Windows is finishing installation ;) you can try it

    • @TheInternetHelpdeskPlays
      @TheInternetHelpdeskPlays 2 ปีที่แล้ว +16

      There was an even easier one with windows 95, it was a mathematical algorithm and could be easily cheesed with the serial number 00100-0123456789-00100
      I was 14 and bored when I figured that out.

    • @enzedpcs2
      @enzedpcs2 2 ปีที่แล้ว +12

      With NT 4 you just had to enter 1111, job done

    • @H2Obsession
      @H2Obsession 2 ปีที่แล้ว +3

      Which key in the registry are you editing on reboot? I've seen several candidates from version to version. Just curious which key in the registry compare with all mine. (I have a hexadeca-boot computer because total nerd)

    • @batman4e
      @batman4e 2 ปีที่แล้ว +1

      @@enzedpcs2 Same with Windows 95. 🙂
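
The reply above calls the Windows 95 check "a mathematical algorithm", and for retail keys that is exactly what it was. The block below is an added example, mine and not code from the video or from Microsoft: it implements the retail XXX-XXXXXXX rule as described in public reverse-engineering write-ups (the three-digit prefix must not be 333, 444, ..., 999; the seven digits must sum to a multiple of 7; the last digit must not be 0, 8 or 9), which I reproduce from memory and which should be read as my reconstruction. OEM keys used a different layout with its own rules and are not covered. The forge function shows why a checksum is not a secret: roughly one candidate in ten passes, so the first valid key is found after a handful of guesses.

```python
"""Windows 95 retail key check and a brute-force forger (added example, reconstruction)."""
import re

BLOCKED_PREFIXES = {"333", "444", "555", "666", "777", "888", "999"}
RETAIL_SHAPE = re.compile(r"(\d{3})-(\d{7})")


def is_valid_retail_key(key: str) -> bool:
    """True if the key satisfies the documented retail validation rules."""
    m = RETAIL_SHAPE.fullmatch(key)
    if m is None:
        return False
    prefix, body = m.groups()
    if prefix in BLOCKED_PREFIXES:
        return False
    if sum(int(d) for d in body) % 7 != 0:   # the only "secret": a mod-7 digit sum
        return False
    if body[-1] in "089":                     # last digit restricted
        return False
    return True


def forge_retail_key(prefix: str = "111", start: int = 0, max_tries: int = 1000) -> str:
    """Count upward from `start` until a seven-digit body passes the check."""
    if not re.fullmatch(r"\d{3}", prefix) or prefix in BLOCKED_PREFIXES:
        raise ValueError("prefix must be three digits and not a blocked triple")
    for n in range(start, start + max_tries):
        key = f"{prefix}-{n:07d}"
        if is_valid_retail_key(key):
            return key
    raise RuntimeError("no valid body found in range")


def acceptance_rate(sample_size: int = 10_000) -> float:
    """Fraction of consecutive seven-digit bodies that the check accepts."""
    hits = sum(is_valid_retail_key(f"111-{n:07d}") for n in range(sample_size))
    return hits / sample_size


if __name__ == "__main__":
    print("111-1111111 valid:", is_valid_retail_key("111-1111111"))
    print("first forged key:", forge_retail_key())
    print(f"acceptance rate: {acceptance_rate():.3f}")
```

The well-known all-ones key passes because its digits sum to 7 and end in 1; the forger's first hit from zero is the body 0000007. A check like this is only a typo guard, which is why the later product activation scheme the video describes had to move the decision off the local machine.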

  • @derek20la
    @derek20la 2 ปีที่แล้ว +7

    9:39 The modern method of currency copy protection is called the "EURion Constellation", which is 5 small circles (yellow, green, or orange) in a repeated pattern across the banknote.

    • @henke37
      @henke37 2 ปีที่แล้ว +1

      Not sure if I'd call it modern. While it certainly exists and is still being used, it's hardly the only, or primary, way that money is detected these days.

    • @derek20la
      @derek20la 2 ปีที่แล้ว +1

      @@henke37 That's interesting to hear. What are some of the newer ways?

  • @stevecagle8002
    @stevecagle8002 6 หลายเดือนก่อน

    So funny, I spent 6 years as a Software Engineer at IBM. Great job Dave !

  • @longlost8424
    @longlost8424 2 ปีที่แล้ว

    I was at the IBM Boca facility in 1987 on a return/reclamation shipment of some XT expansion chassis. The company I'd been working for found a "loop hole" (so to speak) in that no one was buying the expansion chassis. We bought thousands of them and dropped in some Chinese motherboards (XT & XT286 that we'd sourced) and sold them like hot cakes to lumberjacks. When we eventually got caught, IBM had us ship back the remaining inventory. I loaded up the truck and drove down to Boca. Great memories from the past......

  • @jikemenkins7098
    @jikemenkins7098 2 ปีที่แล้ว +1

    Dave, your content is some of my favorite on YT. I love a good story, and especially a good work-story. Your work stories are excellent. Thank you for taking the time to share, because I really enjoy it.

  • @WilliamBurlingame
    @WilliamBurlingame 2 ปีที่แล้ว +4

    In 1980 I worked for a company that bought a building from IBM. IBM rented some office space from the new owner of the building. I was in a group that moved into the unoccupied part of the building. One day a couple of us decided to eat our lunch at a picnic bench outside the building. Soon a security guard came out and told us that the picnic area was for IBM employees and we would have to leave.

  • @MoseleyJaguar
    @MoseleyJaguar 2 ปีที่แล้ว +1

    Keep up with the stories. As an aspi (and currently reading your book (and it's hitting every point, my partner is going to read it after me)) keep up the good work. You shed light on how the I.T. world works.

  • @beefgoat80
    @beefgoat80 2 ปีที่แล้ว +2

    I loved OS/2 Warp. My father was enthusiastic about it back in the mid nineties. I asked him to put it on my computer, and I didn't think twice about Windows 3.11, or 95 for that matter. I probably was the only student at my high school that ran it. I had completely forgotten about OS/2. Now I have to look into finding an emulator. lol

  • @ForbiddenUser403
    @ForbiddenUser403 2 ปีที่แล้ว +4

    "Microsoft was pretty chill about security..." Oh those few words explain so much of my frustration and pain as an administrator.

  • @NevsTechBits
    @NevsTechBits ปีที่แล้ว

    Thank you for your contributions to digital society

  • @bobwatkins1271
    @bobwatkins1271 2 ปีที่แล้ว +5

    I tried the coffee-maker (or teapot in my case) under a cardboard box trick in my first job. I had the box stacked on a few other moving boxes in the corner of the office to make it look like there was just some random stuff stored over there. But the facilities guy was onto that trick. When he came to inspect the office, he made a beeline to that corner and busted me.

  • @kenmix6974
    @kenmix6974 2 หลายเดือนก่อน

    I worked at a large company that issued laptops to work on. That part was great because you could take it home to work. When you were in the office, it had to be chained to your desk. If you forgot, security would take it and you would have to go to the security office to get it back. Turns out the cleaning people would sometimes steal them.

  • @Jordi0868
    @Jordi0868 2 ปีที่แล้ว

    Former Flight Attendant here… the reason you can’t recline during takeoff and landing is because it’s a critical phase of flight. If something is going to go wrong, this is when it is likely going to happen. As such, they want you to be ready to roll if you have to quickly evacuate and the back of a seat can prevent you from quickly exiting, and when you are in the back row, it’s a preparedness thing. Seconds can be the difference between life and death.
    I love your channel, thanks for the great content and keep that seat up! 🤪

  • @jimdossey1055
    @jimdossey1055 2 ปีที่แล้ว +1

    I love these old stories of the early computer days. Being an old timer myself, I do remember a lot of these things, well, the ones made public anyway. Cringely's Triumph of the Nerds is also a good source.

  • @matthewcaron3319
    @matthewcaron3319 2 ปีที่แล้ว +1

    I'd love to hear more of these stories. I've been writing code all the way up and down the stack for 20 years and have never worked in a company with more than 500 employees (and even then, it was a satellite with about 60 at its peak), so apart from "no tailgating or letting people tailgate" there's not much to tell.

  • @tekvax01
    @tekvax01 2 ปีที่แล้ว +2

    I love these old stories! Please publish more Dave!!

    • @mfaizsyahmi
      @mfaizsyahmi 2 ปีที่แล้ว

      At this point Dave could just take out every page off of Raymond Chen's blog and turn each into a video, with the magic Plummer touch added, and I'll watch them.

  • @hrgwea
    @hrgwea 2 ปีที่แล้ว +10

    12:55 Dave says: "we'll call him Walt"
    Subtitles say: "we'll call him Brian"
    uhmmm... so his actual name is Brian.
    Nice one, Dave.

    • @clonkex
      @clonkex 2 ปีที่แล้ว

      I often wonder if TH-cam's AI engineers get pissed when people intentionally mismatch the subtitles to what people are actually saying :P

  • @qdmc12
    @qdmc12 2 ปีที่แล้ว +5

    Yes! I would like to hear more of these. They remind me of things I had tried back in high school and even now at my current job - IT/Security is so under managed, unpopulated and under paid that they are begging to be challenged. :D

    • @aaronduerksen1378
      @aaronduerksen1378 2 ปีที่แล้ว

      IT/Security is under managed? Is that why the stereotype from my perspective is a bunch of rogues?
      As a live media guy, my impression of IT, either directly or from stories told by other media people, is either A) nothing whatsoever (I guess they're like us in that if they're noticed, that in itself means that something is wrong!), or B) "Gilligan on a power trip".
      The general idea seems to be that if anything at all uses IP packets, then it MUST be managed by THEM, using a boilerplate mentality that ABSOLUTELY DOES NOT WORK FOR LIVE MEDIA!!!!! Meanwhile I'm thinking, "Who cares if it uses IP packets internally?! It's an audio patch cord!" Or maybe video, or perhaps a remote control for a camera, or similar. It literally replaces a bunch of thick and heavy analog cables that they certainly wouldn't have touched, with a single Cat-5. (okay, two Cat-5's for redundancy) Perhaps dedicated WiFi for some of it. That's all it is! Just a much thinner and lighter-weight replacement for the analog signals that we used to use. The IP networking stack simply happens to be a convenient way to do it, and it would have been completely and physically isolated from their network if they hadn't insisted otherwise and I lost the argument.
      So it would have been no threat to them whatsoever. And **I** take full responsibility for MY "network". They don't. At all. Ever. Even if something goes wrong, I still claim it...unless they caused it by their insistence on managing MY gear for me, which are NOT the computers that they're used to thinking of, even if some of it happens to use similar hardware.
      (live-media-processing and PC-gaming specs are often identical, for example, but the software is different, including the operating system in a fair number of cases......so you can't manage it with Windows PowerShell from your mom's basement: is that where the hangup is? /sarcasm )
      I don't know how many times I or someone else has been dutifully locked out of a system that was fully tested and worked perfectly a few days before, because of "IT best practices". In the case of live media, that's a massively big deal because it can easily kill a show at the literal last minute and leave us scrambling and trying to dodge blame for failing our responsibilities, meanwhile the guy that can unlock it again is not answering the phone because it's outside of 9-5 M-F! (and even if we **can** get a hold of him, he's likely to give us a lecture on how "we're a security threat" and require a complete dissertation on why he's supposed to "violate policy" or whatever, AS THE CURTAIN IS ALREADY RISING!!!)
      (I've been tempted before, to get into "the IT closet" by whatever means necessary, and physically replace their managed switch with my unmanaged one. Their stuff wouldn't work, but mine would, and the show could go on. Then I'd put it all back, at least physically. Fortunately, I've never actually done that, and I hope I never do, but the temptation is quite strong with some of these guys......)

    • @qdmc12
      @qdmc12 2 ปีที่แล้ว

      @@aaronduerksen1378 cool story bro

  • @davidlean8674
    @davidlean8674 ปีที่แล้ว +1

    I never found out if it was true. But when I joined I was told that Building 7 was part of the original plans. Located where the fountain was eventually placed.
    But before it was built they'd designed the greater capacity dual X-wing designs of buildings 8 thru 10. And then decided we needed more water than just Lake Bill.
    My theory was that they'd found some employees had cracked the code on buildings 1 thru 6 & could successfully get around them without getting lost. So they increased the level of difficulty with that inner loop in buildings 8, 9, 10.

  • @JanRautiainen
    @JanRautiainen 2 ปีที่แล้ว +1

    This video sparked some old flashbacks from my past when I was assigned to go with my team to an IBM facility in France for some performance evaluation, this was back in 2003 or 2004, but I never experienced any such security measures as you described here. But I guess things were a bit different in the US and in Europe around the same time. Nevertheless, this was one of the most enjoyable videos I have seen so far and most entertaining, from the laughing point of view mostly.

  • @PickledHam
    @PickledHam ปีที่แล้ว

    Speaking of resetting passwords every 30 days. Decades ago, I had that problem while employed at Intergraph. Similar to your ideas, I wrote a shell script to request a new password until it accepted my preferred '1 2 3 4' 4 character password. It was just about the principle and the fact that I wanted that specific 4 character password '1 2 3 4'.
    To this day I still use '1 2 3 4' for my bank's ATM pass code. The bank would make an effort to prevent this but it is easy to circumvent. It only involved walking into the bank and speaking with a representative, saying some nonsense about trouble with my card. They would hand me the keypad where I would then proceed to enter '1 2 3 4'.
    Some things you just can't change.

  • @HenryGertcher
    @HenryGertcher 2 ปีที่แล้ว

    I work in the copier industry and with today's digital devices you can't copy money. As soon as the counterfeit detection goes off it stops the job. It won't even write to the drum.
    Keep sharing the stories I really enjoy them.

  • @Thumper68
    @Thumper68 2 ปีที่แล้ว +15

    This was hilarious, would definitely love to have a part deux

    • @mrdownboy
      @mrdownboy 2 ปีที่แล้ว +1

      Part deux!, especially more on that time machine room from the 80's!

  • @rog2224
    @rog2224 2 ปีที่แล้ว

    IBM sharing a campus with AT&T in Tampa was fun. People who'd worked closely for years with IBMers were often greeted with a flat "Who let you in?" IBM at La Gaude had the best coffee I've ever had on a corporate site.

  • @ConnerBurns
    @ConnerBurns 2 ปีที่แล้ว +1

    I worked for an American semiconductor company's contractor at the company's main R&D fab, in Oregon, for a few months. I can't comment on security, but the enforcement of clean room spec was done by, you guessed it, contractors. Underpaid, unenthused, and unmotivated, I think I was one of the only people to ever say good morning to them. The number of people I saw violating clean room spec, every single day, was crazy. But, count on engineers to mitigate the effects of lazy people, because contamination hardly occurred.

  • @ionk3588
    @ionk3588 1 year ago

    Man, I love your videos, you're like the mastermind of computer science

  • @MichaelMantion
    @MichaelMantion 2 years ago +1

    Best episode by far. Amazing

  • @Lhawk2107
    @Lhawk2107 2 years ago +1

    A great example of “we thought that was so important back then but it really wasn’t”

  • @dcraig4
    @dcraig4 2 years ago +1

    The position of an airline seat back has to do with positioning a passenger's spine in a way that is less likely to cause an immediately debilitating injury in the event of a crash. If you are reclined, your spine is more likely to shear in a way that can damage the spinal cord. Although compression can be just as bad, it's less likely to immediately paralyze you and prevent you from escaping.
    The strength of the seat back is also an issue. The seat is designed to handle the expected forces in a crash, but only when it is fully upright. When reclined, the seat back could break and injure its passenger, and become a projectile if it comes completely free.

  • @VraccasVII
    @VraccasVII 2 years ago

    This was one of my favourite videos of yours, I love the old stories

  • @ekenpad8482
    @ekenpad8482 2 years ago +2

    Funny thing is, Microsoft has now been in Fargo, North Dakota, for 21 years. You could claim it as a business trip now, not a vacation.

  • @copescale9599
    @copescale9599 2 years ago +1

    I need more security stories please. Also you're one of the masters of spoken word.

  • @55ATA3
    @55ATA3 2 years ago +4

    I always find this stuff funny. I know that I always loved messing with people I worked with, using security rules that most of security did not know were part of their rules. You get to make 2 people look like they don't know their jobs....

  • @Kisai_Yuki
    @Kisai_Yuki 2 years ago +1

    Oh, that password story is a lot like what happened at AT&T Wireless prior to Cingular buying them. What happened was there were like 20 different unique logins and someone created a script to change all the passwords (to the same password), but unfortunately some of those systems only accepted 8-character passwords, and others had different mixed-case rules and password history rules, so it was a major pain in the behind to use it. Ultimately it was discovered that nearly everyone had the same password algorithm for one subsystem that was not in this script, and abused it to figure out some efficiency figures.

  • @nathanwatrous1519
    @nathanwatrous1519 2 years ago

    The camera at the beginning of this looked amazing!

  • @stevejohnson1685
    @stevejohnson1685 2 years ago +5

    Among my other job responsibilities, I occasionally did vendor IT security assessment for my employer, a large pharmaceutical company that dealt with contractually-deidentified patient data provided by vendors. Part of the security review was physical access to the vendor's data center. In one case, the man traps, locks, raised floors, etc. were all in great shape. I asked my host for a broom - "What??" I used the broom handle to push up the drop ceiling, and showed them that above the ceiling, there was no barrier between us on the outside and the server racks on the inside. Ouch!

    • @jfbeam
      @jfbeam 2 years ago +2

      Or better yet, the approach sensor that unlocks the door for people leaving is mounted to a ceiling tile that spans the door. Of course there's no wall above the grid.
      In another office, which we inherited as-is: where are the controls for this door security system (keypad, mag-lock, etc.)? No one knew where they were. It was installed years ago, and no one's sure where those wires go. They go into the wall and don't come out the other side, so who the fudge knows. (There was so much non-permitted work in that building that none of it was on any set of plans, and as we'd later learn, none of the plans were actually correct.) When running some stuff from the telco closet, I found it... two big red boxes above the ceiling in the hallway... _outside_ the office it was meant to protect.

    • @nickwallette6201
      @nickwallette6201 2 years ago +2

      @@jfbeam I worked in a dev shop with an in-house data center. It had security doors that were managed by key card, but it was just bog-standard access control that existed in all the rest of the building, and the panels were in the datacenter. I guess it was remarkably competent. There was no getting in over the drop ceiling either, mostly, I assume, because the room was protected by halon and needed to be separated from the occupied areas on the other side of the wall. This was likely a two-way deal -- to minimize halon getting out, and oxygen getting in.
      The place wasn't without its quirks, though. There were a couple of places in the room with a button mounted in a wall-plate. Nobody had any idea what they did. They weren't labeled, and didn't tie into the UPS systems or anything obvious like that. So, I took it upon myself to take our label maker and fix that. One read "End the world as we know it," and the other said "Break loose all hell." Now that we've moved out, I hope nobody presses them.
      Lastly, we had a fire alarm panel that would periodically throw a tantrum and beep continuously with gusto. We would have to call and have it serviced, but in the meantime, we were shown that the button on the side could be held for 10 seconds to silence the alarm. So, I labeled that too: "Press and hold to silence this confounded contraption." I had the satisfaction of watching a tech from the fire alarm company read that, chuckle, and summon his partner to come over and see it. haha
      I miss that label maker.

  • @peterjansen4826
    @peterjansen4826 2 years ago +3

    I would like a video about key generators and cracks. I think that the battle between the two sides (the technical aspects) is an interesting subject.

  • @CRBarchager
    @CRBarchager 2 years ago +3

    12:15 This exact thing happened to me back in my apprentice days. Eventually my school acknowledged that I was fired from my student placement illegally and arranged for me to finish my education at the school as an intern. Without it I would have had to find a new apprentice job, and those were rare at the time.

  • @doughale1555
    @doughale1555 2 years ago +2

    I set up and maintained the machine that held and used the Novell Root Private Key. It was inside a room inside a room. The outer room had card badge access and the inner room had a manual combination lock. I had just come out of the outer room when a VP walked by. He tried his card badge on it and it did not open. He was upset, so he said to let him in there. I said he was not authorized for that. He said to let him in anyway. I said ok, but let me tell you the consequences. That is Novell’s most sensitive secret, and since I am currently the only one with access, if it is compromised I’m the only one that can be blamed. But if I let you in there you could also be blamed, so here, let me open that for you. He quickly retreated.

  • @drxym
    @drxym 2 years ago +1

    I worked in IBM Hursley in the early 90s and I remember the tailgating rules. Lots of doors that had to be swiped. Can't remember much security otherwise. We were contractors and frequently went in on the weekend to finish work, and there was literally nobody around. Maybe guards toured occasionally but they never bothered or questioned us. Spent a lot of time killing time browsing the web on the OS/2 web browser. Even back then there were some very "exotic" sites of a pictorial nature and there was no firewall to stop us from visiting them.
    There were vending machines around but in moments of boredom I'd walk to the central cafeteria for a coffee or something. They had these rotating vending machines where you used an electronic payment card to slide open the door to buy whatever was inside. I used to insert plastic fruit into vacant compartments and slide the doors closed so it looked like they contained a delicious bunch of grapes. I guess if they wanted to track the mystery plastic fruit bandit they could have figured out who it was from who was in the building at the weekend. So much for security. Oh well.
    I should add I worked hard, but I was glad to be a contractor rather than an employee in the place. Their culture was weird, excessively bureaucratic and using processes & software that seemed to come from a parallel universe. When I read of layoffs in IBM I can imagine the shock and lack of useful skills some of those employees have outside of IBM.

  • @atomikrobot300099
    @atomikrobot300099 2 years ago +1

    Awesome stuff! Can’t wait for part II!

  • @AttilaSVK
    @AttilaSVK 2 years ago +6

    Great video as usual :) I worked for Dell doing tech support for Alienware products. It was a 24/7 line, so we worked in shifts, either 5 days with 2 days off or 10 days in a row and then 4 days off. Once I had to change my password on the 10th day, then I had my 4 days off and came back for a row of night shifts. The problem was that I had forgotten my password by then, and couldn't log on to my computer :D There was nobody else in the building (apart from the two security guards), so I couldn't go to the IT support guys to reset the password for me.
    The next day, my team leader asked the IT department to reset my password, which they did, and they sent the temporary password to my mailbox, which was protected by the very same password they had sent me :D So there I was for two nights without access to my computer :D (The next day my TL asked to have the email with the temporary password delivered to him and sent me an SMS with it, so I could finally log in.)

    • @unnamedchannel1237
      @unnamedchannel1237 1 year ago

      Who the F sends passwords via email?

    • @AttilaSVK
      @AttilaSVK 1 year ago

      @@unnamedchannel1237 This was standard practice back then at Dell. It was just a temporary password, which needed to be changed at the first login. I wonder if they still do it like this :)

  • @vyzia
    @vyzia 2 years ago +1

    Super interesting video! Honestly love listening to your rambles about stories from the past, would appreciate more! :) Thanks for all you do, it's really appreciated!

  • @irishryano
    @irishryano 2 years ago +2

    Awesome stories, Dave! Keep them coming!! Love the channel
    Thanks for doing it!!!

  • @recklesswhisper
    @recklesswhisper 2 months ago

    I can remember the huge Fortran libraries where I worked, everything stored, boxed, filed, on 7" floppy disks. The library was off limits to me, but I used them early in the AM all the time!
    ^..^~~

  • @Heater-v1.0.0
    @Heater-v1.0.0 5 months ago

    In the early 1990s I worked on a secure communications project for the military in England. Security was tight. The office the team worked in had to be some meters within the boundary of the site; it had no windows, it had no telephone or other communication cables. Hard drives were removed and locked in a safe every night. I needed to show a security pass to a guard on the way into the site. I needed a door access card to get into our building. I needed a second door access card to get into the office. One summer it got really hot in that office, we were all wilting, no windows to open, the door had to be closed at all times, unbearable. We did not get any air conditioning until the MicroVax in that office expired from overheating.

  • @cpuuk
    @cpuuk 2 years ago +3

    The two stories I know were the 20x boxed Servers stolen from building 11, with the help of Security. And the programmer who wrote "Concept". MS did the best company meetings 🙂

  • @KingSlimjeezy
    @KingSlimjeezy 2 years ago

    Dave I am just geeking out giddy as a hamster over these thank you so much!

  • @linuxgaminginfullhd60fps10
    @linuxgaminginfullhd60fps10 2 years ago +1

    It is good when you can joke about your security. These people do their job and take it very seriously; some get punished educationally, others get fired or worse. Security is no joke where I work and they have ultimate control regardless of how uncomfortable it could be. The company is being targeted, and sometimes it is being targeted by sufficiently advanced teams. There are lots of false positives and the absolute majority of the attacks are stopped and discouraged at the first attempt, but about every half year we see an actual well-thought-out, potentially devastating attack being stopped. It is incredible that someone managed to break in and frightening to see what they were gonna do next. I truly respect the security team we have and the work they do.
    P.S. Sometimes I feel terrible realizing how vulnerable computers and homes of regular people are.

  • @AnnoyDroid
    @AnnoyDroid 2 years ago

    As always, great video, love the stories.
    I could listen to you all day and, well, sometimes I do.
    Lucky for me I have only recently found your channel and so I have a lot to look forward to and watch.
    Thank you for being a great guy and I hope to see a lot more new videos.

  • @jean-clauded5823
    @jean-clauded5823 1 year ago

    I'd love to see the follow ups.. And as a former Microsoft premier graveyard support, I hated that blue screens were blue, and so was the NT start screen.
    Can't tell you how many times I would be on a support call doing BSOD troubleshooting when the customer would reboot and say "I'm at a blue screen" simply as part of the startup process. On a side note, I am thankful that this changed in new versions of Windows.

  • @tbimages38345
    @tbimages38345 2 years ago

    Ahh, the fun times of product activation and learning about the FCKGW key… memories of a different era.