Security company hired a used car salesman to build a website, and it didn't end well
- Reference: 1752218947
- News link: https://www.theregister.co.uk/2025/07/11/on_call/
This week, meet a fellow reader we'll Regomize as "Boris" who shared a story from his time working at a cybersecurity firm that specialized in email and web security.
His story starts when the company's support team ran a customer satisfaction survey and dangled the prospect of winning an iPad to encourage participation.
"After much grumbling from our notoriously frugal CFO, a handful of iPads were finally purchased," he told On Call. "Naturally, IT was tasked with keeping them safe, so we locked them in a secure safe inside the IT room."
"Fast-forward a year – yes, a whole year – and the support team finally got around to the big giveaway. We retrieved the iPads from the safe and handed them to the support manager."
A few minutes later, that manager stormed into IT and demanded to know where he could find the iPads, as someone had made a razor-thin cut through the plastic in which Apple wraps its tablets and made off with the machines. The manager even accused Boris and his IT team of stealing them.
"Weeks passed. Door access logs were reviewed, and suddenly our Head of Legal was fired," Boris told On Call. "Turns out, the company had hired an ex-convict for the role, and he'd helped himself to the iPads."
In the wake of the incident, Boris's employer decided to conduct mandatory background checks on all staff.
Which is why a couple of days after the company lawyer got his marching orders, Boris received an email that included a username to log into a site on which employees were now required to upload numerous identity documents and credentials.
Boris checked out the site and could find no reviews, noticed it loaded over plain HTTP before redirecting to HTTPS, and couldn't shake the feeling it was not much more than a WordPress installation.
The site was also a little confusing as it accepted his username and then demanded a password, but the email Boris received didn't include that credential.
Given the importance of the site and the data it would store, Boris decided to investigate further.
After pressing F12 to open his browser's Developer Tools, he found his password sitting in the page's client-side code.
It wasn't a strong password at all. Indeed, it was derived from Boris's name in an unsophisticated way, which suggested every other employee's password followed the same pattern.
Boris tested his theory and was able to guess all his colleagues' passwords and, once he used them, see all the info they'd uploaded to the background check data store.
Boris reported this mess to the HR person who sent the emails, then demonstrated the problem.
She exploded in a fit of rage.
"Why would you do that?!" she shouted. "This is a disciplinary offence!"
Boris retreated and found a senior manager who he felt would understand the gravity of his discovery. That manager calmed the HR person who tersely demanded the site be fixed.
Another investigation ensued, during which it was discovered the HR person hired a friend – an actual used car salesman – to develop the background check website.
"We never found out how much he was paid," Boris told On Call. "And we never got an apology for being accused of stealing the iPads or for being forced to hand over our personal data to a dodgy used car dealer under threat of termination."
Instead of waiting, Boris took matters into his own hands and got a new job.
Have you been blamed for a workplace crime you did not commit? It's an offense not to share such a story with On Call by [10]clicking here to send us an email that tells your tale! ®
[10] mailto:oncall@theregister.com
I think the HR Droid probably got the whole car, not just the boot!
-------> Mine's the one that has the jangle of used car keys in the pocket if you shake it!
Not when she's given some parts of her human "resources" to the boss. On his desk. When everyone else has gone home.
Boris sensibly buggered off...
"Another investigation ensued, during which it was discovered the HR person hired a friend – an actual used car salesman – to develop the background check website."
"In most companies this would go against HR policy; I wonder if the HR Droid got the boot for this?"
Threatening an employee with unwarranted disciplinary action to conceal your own misdeeds would in many jurisdictions constitute a criminal offence.
Clearly couldn't be the case in the US where all law is private; literally privilege .
Taken as a whole I cannot imagine from my experience that the firm that employed Boris would change at all, even after his departure at least until the receivers rolled up.
"Weeks passed. Door access logs were reviewed, and suddenly our Head of Legal was fired," Boris told On Call. "Turns out, the company had hired an ex-convict for the role, and he'd helped himself to the iPads."
Well, I guess he was familiar with the law...
It's the same reasoning people use for hiring ex*-hackers to do cybersecurity
[* for any value of "ex"]
"I Could Be So Good for You"
"Used car salesman – to develop the website."
Anyone else get a picture of Arthur Daley ably assisted by his minder, Terry, knocking up shonky WordPress sites as a sideline ?
A nice little earner.
Re: "I Could Be So Good for You"
I was put in mind of CMOT Dibbler or perhaps Bergholt Stuttley Johnson entering the web design market
Re: "I Could Be So Good for You"
Back in the 1980s, when the UK "Enterprise Initiative" was in full swing, grants were available to companies to hire consultants to help them get BS5750 (later ISO9001) certification. Consultants had to be registered with an oversight body but the qualification requirements were quite low. In my region one of the approved consultants had previously been a used-car salesman and used his skills to sell his skills and get a lot of work.
The scheme had some quite strict rules - the day-rate for the fees, a limit to the number of days (15), and the company had to pass a subsequent third-party certification audit. Those rules were perfect for him as it was possible to meet them with cut-and-paste/search-and-replace document templates, and being present during the audit (and selecting an audit body that employed box-ticking auditors). However, most management systems produced this way soon fell apart as they were not designed for the actual business. I picked up quite a bit of work helping companies sort out the mess they ended up with, as did colleagues.
That reminds me
"Given the importance of the site and the data it would store, Boris decided to investigate further.
After pressing F12 to access his browser's Developer Tools, he found his password in the site's code.
It wasn't a strong password at all. Indeed it was related to Boris's name in unsophisticated ways that hinted at similar passwords for all other employees.
Boris tested his theory and was able to guess all his colleagues' passwords and, once he used them, see all the info they'd uploaded to the background check data store.
Boris reported this mess to the HR person who sent the emails, then demonstrated the problem.
She exploded in a fit of rage.
'Why would you do that?!' she shouted. 'This is a disciplinary offence!'"
This reminds me of an event last millennium when home banking was just a new thing. One customer logged on to the Barclays site to check his account. He found that he had access to any account except his own. Concerned at this major security flaw he contacted Barclays and explained the issue, and was promptly accused of hacking their web site. Barclays eventually did accept their web site had an undesirable 'feature' and withdrew their allegation.
Management generally blames the messenger, not the culprit, especially when that culprit is them.
Re: That reminds me
Pressing F12 is hacking
https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/
Re: That reminds me
I found an issue with a bank's app and reported to my contact at the bank. He passed it on and their tech people were quite grateful I had spotted it. I was expecting the 'shoot the messenger' treatment so I was quite pleased it got resolved amicably.
"Boris took matters into his own hands and got a new job"
Yes, I do believe that that was the best thing he could do.
Between the idiot hiring an ex-convict as company lawyer and the bitch getting her buddy (lover ?) to be paid for a Wordpress website hosting private data, that company was obviously a complete write-off and nothing good could have come from trying to actually make things work correctly.
Re: "Boris took matters into his own hands and got a new job"
Between the idiot hiring an ex-convict as company lawyer and the bitch getting her buddy (lover ?) to be paid for a Wordpress website hosting private data, that company was obviously a complete write-off
Any resemblance to the administrative arrangements of a quondam superpower are unintended and purely coincidental.
It was obviously...
going to be a car wreck.
We had an HR person from a sister-company, she proposed an on-line personal-data storage 'application'. "It's free" What could possibly go wrong? Apart from the usual address and employee reference etc, this store would hold banking details, passport, drivers licence...... I'm no security genius but I steadfastly refused for any of my personal information to be stored in this manner. I was threatened with disciplinary action.
At a demonstration of the app's power she held a training session for all of us. Being a super-user, she had access to everyone's data. In the demo, she confided that her password was her daughter's name: "Maisie". Furthermore, she used it for all her passwords......
Incredibly, the system was not adopted and she didn't darken our premises again, so not all bad news ---->
"she didn't darken our premises again"
Only for the few seconds as she passed the building's windows on the path of her expedited descent into the company carpark.
Actually, Simon might have encouraged the use of the software as he and the PFY would never need to pay for their drinks or much else ever again. Still, Maisie's mom would require Simon's assistance to exit the building; you don't leave any loose ends hanging around.
Log
I was once accused of leaving a log where it could be easily seen. This was completely untrue as I didn't even have a key for that particular room.
Re: Log
Was it a proper Captain's Log?
Re: Log
The captain had more of a beam than what you would normally call a captain's log.
The first mate handled the log, and the rest of the ship was full of seamen.
Re: Log
And was the cabin boy named Roger?
Re: Log
> I was once accused of leaving a log where it could be easily seen.
So who saw it?
Re: Log
Hope the Bossly Unit did...
Re: Log
The Carpenters.
Re: Log
Robert Plant
I once had to review the security of a physical security system made by a reputable firm in that domain.
In the morning, we had presentations on how safe the badges were, how everything was encrypted, and how people could see their own entry times etcetera.
Lunch, and then demo.
The salesperson logged in and showed his access times. The URL was https://some.name/something?p=1234321. Asked what that number was; it was his personnel number. Asked the personnel number of the other salesperson and filled that in and had instantly access to the other's access times without a new login. Scared white faces from sales persons. 10 seconds to break the system, without F12.
And that was made by a reputable firm, not a car salesman. Granted: end of the previous century, but still.
That reminds me of when the City of Johannesburg had the exact same vulnerability - you could log in on their website and with a little bit of URL manipulation, view other people's accounts etc.
CoJ threatened a massive lawsuit against the "hackers" as well as the person who reported it initially.
Nothing happened.
Another investigation ensued, during which it was discovered the HR person hired a friend – an actual used car salesman – to develop the background check website.
In most companies this would go against HR policy; I wonder if the HR Droid got the boot for this?