This has reminded me of an anecdote. I work on a corporate social network. One day a colleague from the parent company comes to us scared because instead of seeing the people photos and the attached images, he saw strange images. As in the past we had some scare with xss reflected, we immediately got scared and went straight to investigate the matter. It turned out that the colleague had a Firefox extension installed that changed his images for Nicholas Cage's faces. He didn't remember having done it, but we did remember his blunder hahaha
I remember one of the students in our school replaced the Windows 95 startup logo with the goatse.cx picture of every computer of a new lab, the rector of the moment called an emergency gathering in the gym BEGGING the students to change it back . promising that there would be no repercussions, he was sweating blood, because authorities picked our school to inaugurate the computer national program that made the lab possible, the next day. nobody talked, they had to change the inauguration to another school, fun times.
Here's anecdote from Google's glory days! We had a similar extension, with Larry Page instead of Nicholas Cage. And anyone leaving their computer unlocked were subject do it.
This became widespread enough to be mentioned at the new employee orientation.
At university, we used this extension to teach our classmates about good security practices, such as locking their computers when left unattended. It was fun, especially when professors didn't lock their computers. And my former classmates did learn to lock their computers :)
I once pranked a coworker/friend with a Windows installation screen after lunch break. He was … astounded. The thing is, we were all using Debian in this company.
A roommate of mine in college used to leave his laptop unlocked all the time, and I found an app that would put an overlay on the screen that looked like a kernel panic. This went on for months, and he became convinced that his laptop had some issue where it would panic if he left it idle for too long. One day he happened to be going through his apps folder, and he saw something with a name like "iPanic.app", and watching his dawning comprehension as he realized what just must have been going on was probably the satisfying conclusion to a prank I've ever experienced.
violating security policies in order to “teach a lesson” is a sure fire way to get people to lose trust in you.
Accessing someone’s computer and manipulating the software was instant termination at my old company. Some new security guy joined and tried to do what you did. Find unlocked computers and mess with them to prove a point. He lasted a week.
There is a time and place for everything—and you should not assume a business environment is the only possible setting in which colleagues might pass by unattended workstations.
Ideally the prank is pulled in a high-trust, low-stakes environment like a college campus or high school computer lab, before corporate policies are part of one's life.
It is also a rich tradition, from the days of yore, before robust security practices became standard:
I would much rather my colleagues be taught this lesson (even if just through a verbal reprimand) than work with someone who is allowed to remain ignorant of the risks of their behaviour.
At the same time, a new hire could actually be a pentester, investigator, or corporate espionage actor. I know people who’s job this was to take over employee computers while the target went to lunch
It depends on the company and probably even the team. At least when I was running an IT team I generally viewed a colleague doing something like this as more effective than me nagging some sysadmin about them leaving their computer unlocked. Would have never tolerated someone on my team doing it to someone outside the team though.
I worked at a place where if you left your laptop unlocked, anyone could use your slack account to announce you were buying breakfast for the team tomorrow. That was more effective than any training video they could have made us watch. But I obviously wouldn't do something like that as a lone wolf.
> Accessing someone’s computer and manipulating the software was instant termination at my old company. Some new security guy joined and tried to do what you did. Find unlocked computers and mess with them to prove a point. He lasted a week.
That's a very strange policy to apply to your security team. They have good reason to make a point about leaving your workstation unsecured.
Working for NCC Group, the expectation was that if you left your computer unsecured, something would happen to it, and you, not the person who followed office policy by highlighting your mistake, would look bad.
I’m of two minds about it. I agree that these days it’s by far the safer choice to steer clear of such antics.
But I do sort of miss the days when we had a little more fun with computers even at work. Twenty years ago it was pretty ubiquitous to get a goofy desktop background if you left your machine unsecured all the time and I never saw any harm come from it.
It is definitely a better CYA move to just have a policy that nobody touches the unlocked computers, but is it actually more effective? If the company mostly employs adults that can be trusted to keep their pranks reasonable, it seems like a good way of self-policing.
If calling out somebody’s unlocked computer gets them punished for real, nobody will call out their friends…
At Amazon there was a "unicorn game". If you find an unlocked computer, you could send "I love Unicorns" message using the credentials of the logged on person.
There was even an internal site with the unicorn image.
I guess it’s a company cultural thing. In one past company, the SECURITY guys were the ones to do this to us teach us a lesson.but rather than a panic screen, it was porn.
To this day a few milliseconds before I stand up I wiggle my mouse to lock the screen. Muscle memory because lessons were learned
At my office it was either a picture of a shirtless David Hasselhoff as your desktop background, or an email sent to the networking+devs list announcing that you were giving away $20 bills at your desk, lol.
There's definitely a difference in company culture. One place I worked at you'd shout donuts into the office chat from your coworker's unattended laptops (and they'd be on the hook to bring in donuts or equivalent).
Always easy to catch the people who usually work from home.
One jnr dev at a place I worked left his desktop unlocked and a very elaborate email about his love for my little pony and wanting to start a company my little pony fan club was sent from his account to whole company lol.
Ironic, given that a ton of the security dogma these days is "don't trust anyone" --- you can guess why that started happening; precisely because of people like him.
Yeah I lean on this side - avoid doing pranks and other practical jokes.
When there is any actual malware or security incident, you don't want your colleagues to think of you and go "Maybe this is just Dave pulling one of his clever pranks".
Damn, I was half hoping it was doing some deepfake face swapping rather than just totally replacing the whole image. Part of me would love to install a "Being John Malkovich" style face replacement plugin onto someone's machine.
At a company selling a B2B platform, we had an internal extension used to teach how to write extensions that drew an interactive pet on screen, similar to the one in this VS Code extension. It accidentally got deployed to one client, which caused a complete company shutdown because lots of people suddenly reported being hit by a virus to their internal IT team, causing company-wide panic.
Sorry for the off-topic, but reading this text I thought about myself.
I find myself at a critical point where I wonder what I should do next. I'm over 40 years old and have accumulated years of experience. Sometimes I feel like Neo when he controls the Matrix. Maybe I've been in the same role for too long, but it doesn't matter what project I'm assigned: I implement it with little difficulty (beyond the time cost, exhaustion, etc.).
On the other hand, despite the confidence they've always had in me, the place where I work is starting to feel hostile. Being an introverted person, I try to figure out if this is something that depends on me (and if I can redirect it) rather than looking for answers where I should. Being introverted, it seems unwise to start something that depends on my social skills. Conversely, every day it seems like new obstacles appear, as if going to a job that I liked 90% now feels like a problem.
I have to say, I work in a flat-structure company where the boss is a megalomaniac who wants to control everything. A good part of the new things we do are his impulsive ideas. The office is filled with figurines (dinosaurs, busts from 80s movies, ...) and motivational quotes. He gives talks about how well he does things and how great it is to work there, but he doesn't improve salaries or do anything to provide training, a better work environment, etc. He also plays dirty tricks on employees, like unexpectedly complicating pre-arranged vacations or trying to delay them without a real reason
While writing this, I realized that the 10% that made me not like the company has always been because of him. And if I don't like it, it's because of him.
The only thing that keeps me tied to this place (besides the money, since I don't live in the opulence of certain regions where software is very well paid) is the entrepreneurial spirit of having done so much in the product.
PS: If someone saw our product, the things we have done with just 4 people (on average), they would be amazed. And, with all humility, a large part of that has been driven by me, which ties me and kills me.
You deserve to be happy and you are not your job. I recommend not clinging to the work you've done. Treat all your work like a puff of smoke or a bubble on a stream.
Thank you for your comment. I'm working on it, to differentiate each aspect and to make it understood as well. It's hard for me because I have been badly accustomed to certain ideas. I do not rule out the idea of making a full reset.
No countryman from the Canary Islands refers to himself as Guanche, not even those born in Tenerife. Generally, "guanche" is the name that we Canarians use to refer to the ancient inhabitants of the islands (those that the Spanish colonizers encountered during their Conquest).
