
Their Hypocrisy Is Securely In Place

Working | March 2, 2023

I work for the security team of a company that deals with quite sensitive personal data. This data isn’t ours; we hold it and use it, but it still belongs to the actual clients. Accordingly, we have various policies around both how the data can be used and what applications and online websites you’re allowed to use in the organisation at all. Even with specific training, reminders, and punishments, an extremely high percentage of employees will upload client data even if you tell them the system is only allowed to be used for [task], so it really is an all-or-nothing rule.

Accordingly, you are not allowed to use quizzes as part of online meetings, because the software we use has the meetings application onshore but quizzes are processed in their Singapore data centre. You also cannot use QR codes, because you cannot verify the URL link before going to the site and because you are not allowed to take photographs in the office.

As part of a “new year, new you” initiative, the executives have been having presentations with all the business lines to talk to them. 

In their meeting with the security team, the senior directors all encouraged us to get out our phones, scan the QR code in their presentation, and complete the quiz portion of the presentation.

The theme they gave the security team was “not being afraid to admit when you have made a mistake”.

No one dared to bring it up.

iEntitlement

Right | March 2, 2023

It’s the early 2010s. I am serving a customer who was also in yesterday.

Customer: “I got this iPod replaced yesterday. It’s still not working, and I was told that if it didn’t work, you would replace it with the latest model, brand new.”

I look up the serial number and case information from the customer’s paperwork.

Me: “Okay, yes, I can see that this was replaced for you yesterday. I can also see that the person you worked with stated that this was a courtesy replacement since the device was already out of warranty and no trouble was found with the device; it sounded like it was all a software problem. Do you mind giving me some more information about the problem?”

Customer: “I was told that you would give me a new iPod Touch, and I want a new one.”

Me: “So, here’s the deal. I am 100% willing to honor that offer, but you have to tell me about the problem. If the problem is one with our product, you get the newest iPod Touch, guaranteed, since someone already set that expectation. But if the problem you’re having is due to something other than our product, you will not receive a new product. Do we have an understanding?”

Customer: “Fine. Yes. My iPod won’t sync with my computer.”

Me: “When did this start happening?”

Customer: “I don’t think it ever worked with this computer because my son used it with his. That’s where I got the music.”

Me: “Okay. What happened to the other computer that we know this device worked with?”

Customer: “My son took it to college.” 

Me: “So it sounds like you have another machine at home, and you want to sync this iPod with that one, but it isn’t working, is that correct?”

Customer: “Yes, that’s exactly right.”

Me: “Great. Do you have this machine with you?”

Customer: “No.”

Me: “Can you please give me more information about this machine? How old is it? What type of software is on it?”

Customer: “You people are all the same.”

Me: “If you do not know, just say so. That will be fine.”

Customer: “No, I don’t know. How should I know?”

Me: “Here are instructions to use to find out if your computer at home is compatible with this model iPod Touch. If the requirements of that machine do not meet or exceed these requirements, it will never work due to the software being outdated. Does this make sense?”

Customer: “You need to give me a new iPod. This is ridiculous. This was a gift and I intend to use it. You’re stopping me from using this and this is enough. If you can’t give me a new one, you need to give me my money back.”

Me: “It was a gift?”

I look it up in our system and see that it was purchased at [Electronics Chain].

Me: “Ah. I can see here that it was purchased and is still registered to a Mr. [Purchaser]. Is that the person who gave it to you?”

Customer: “Yes! You see! Give me my money back! Let me speak to your supervisor.”

Me: “Well, I actually am the manager, so I won’t be getting anyone else to oversee this conversation. And just to make sure I’m understanding you correctly, please allow me to break down this situation. You received an iPod Touch as a gift — as in, for free — from Mr. [Purchaser] over two and a half years ago. It never worked with the computer you’re attempting to connect it to now and you refuse to look into whether or not this computer has the capacity to work with this model iPod Touch. Furthermore, you think that I should give you — again, without cost to you — either a brand new model iPod Touch or the cash equivalent that was paid at the time of original purchase. Is that right?”

Customer: *Exasperated* “YES! Thank God! You’re finally understanding me.”

Me: “Good! I’m so glad I understand. I will not be replacing your iPod, nor will I give you cash back that someone else spent. Have a good night.”

The customer walked away swearing at me. The f****** balls on some people.

Wish You Could Firewall These Customers, Part 2

Right | March 1, 2023

In the days of boxed software, a customer returns one.

Me: “Why are you returning this?”

Customer: “The security seal was broken.”

Fair enough, I suppose, but she follows up with a knowing:

Customer: “I just want to be careful, what with how computer viruses are these days…”

Me: “Oh, are there people replacing our software CDs with fake ones with viruses?”

Customer: “No! The seal means it’s no longer air-tight! Anything could get in there!”

I just smiled and gave her a refund.

Related:
Wish You Could Firewall These Customers

The Wholesome Hacker

Legal | March 1, 2023

A while back, I was approached by a coworker, and sort of friend, who wanted to know if my being a programmer meant I could break into a password-protected laptop. Apparently, she noticed that someone accidentally left his laptop behind when leaving a train, and it was a little too late to catch him before the train doors closed. She tried asking at the train station how to return it, but they were no help, so now she had a locked laptop in her possession and no clue what to do with it. She figured she might as well make use of it if she couldn’t return it.

I believed her story. She was a very kind and well-meaning person, and I had every confidence that she had made a sincere effort to return the laptop before coming to me. Still, I wasn’t all that comfortable with the idea of breaking into someone else’s laptop, and I originally argued that I didn’t know how to unlock it anyway.

But even as I was trying to point out that being a programmer didn’t make me a master hacker, the geek part of my brain couldn’t help but tackle the problem, and I quickly realized that not only could I probably unlock it, but I didn’t expect it to be all that difficult to do. Now I found myself tempted to help just so I could later joke that I broke into a computer with my 1337 H4x0r skills.

In the end, I agreed to try to do what my coworker wanted, but only on the condition that the first priority would be to return the laptop to the rightful owner and she would only get the laptop back if I couldn’t do so. My original plan for unlocking the machine involved a Linux boot disk, but I was saved from having to burn one by the fact that a quick Google search returned a straightforward step-by-step guide for how to get past Windows passwords.

It involved intentionally shutting the machine down wrong so it would offer to do a full scan of the hard drive when rebooted. When that scan was completed, it would give a message in Notepad about the results of the scan. If I then chose to save that message, the screen that would pop up to pick where I wanted to save the file also allowed me to do some other things, like renaming existing files, and because it opened in admin mode, I could even change files that were usually protected.

So, I replaced the “sticky keys” file that runs when you hit Tab five times in rapid succession with the program that would open a command line prompt. After another reboot, when I was prompted to enter a password I instead hit Tab until the computer tried to run “sticky keys”, and instead, it opened up a command line running in admin mode, at which point I effectively could do anything I wanted on the machine by typing the appropriate commands.

For those who are screaming, “How could Microsoft be so sloppy that you could just Google how to unlock their machines?!” I should first mention that this was a much older version of Windows, nothing you are likely to be running on your computer at home.  

More importantly, the truth is that no matter what operating system you are using, your data really isn’t secure; if this exploit hadn’t existed, I could have fallen back to my original plan to use a boot disk, after all.

I’m sure the folks at Microsoft looked at their password protection as a way to keep non-computer-savvy people away and to slow down savvy folks enough that they couldn’t break in while you were away at the bathroom. Since the exploit I used required waiting for a long hard disk scan first, the password protection still did its job of slowing hackers down, and that’s all they really could hope for.

Anyway, now that I had full access to the laptop, my goal was to try to figure out how to contact its owner with minimal invasion of privacy. I got lucky there when I almost immediately found a resume saved in his documents with a phone number and email address at the top.

Now I had a new problem: the minor detail that I’d just broken the law. At the time, the “anti-hacking” laws we had were excessively open-ended. There was no doubt that my intentional breaking into a laptop qualified, even if I had the best of intentions when doing it. So, I had to figure out how to return the thing without confessing to my evil criminal ways.

In the end, I created a dummy email account to message the person who owned the laptop about returning it. He was quite thankful. Apparently, he hadn’t backed up his computer and thought he had lost some valuable files. He asked me how I managed to contact him, but in my reply, I explained only how I had come by the laptop and glossed over how I’d figured out his email address, and he thankfully didn’t ask about the omission.

I politely declined to have him come pick up the laptop at my house — we master criminals have to hide our addresses, after all — so we settled on my dropping it off at the nearby rental office for the complex he lived in so he could pick it up there later.

My friend was a bit disappointed to discover she wasn’t getting a new laptop any time soon but admitted she couldn’t be too angry at me for managing to return it to its rightful owner.

“I Think A Servant Of The Enemy Would Look Fairer And Feel Fouler”

Working | March 1, 2023

Once upon a time, when I was still young, naïve, and new at my job, I made the mistake of helping an older coworker with a fairly simple computer “problem” — the keyboard wasn’t plugged in. Since then, some of my coworkers think of me as some kind of tech-wizard who can solve all of their tech-related problems, even though I myself only know the basics and how to Google problems.

Today, I was approached again by one coworker. She needs help with downloading a PDF of a sample letter that she found on some website.

Coworker: “Whenever I try to download it, this weird window pops up!”

I go back to the original page and click on the download button. Another window opens where the actual download button is right next to an ad. I try to click the download button when, suddenly, my coworker interrupts me.

Coworker: “No! Don’t click on the malware! You have to click here!”

She stabs her finger into the computer screen.

Me: “[Coworker]… did you click on this when the ad window popped up?”

Coworker: “Yes!”

Me: “That’s a jewellery ad. The download is actually this one.” *Points*

Coworker: “But THIS—” *points at the ad* “—looks pretty, and THIS—” *points at the download link* “—looks ugly, like a malware!”

I didn’t know what to say to that, so I just clicked “download” and walked back to my desk.