Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.
As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red "Phishing test!" label.
... You must be one of my co-workers. Except that we just delete ours rather than labeling them.
We needed to label them because the requirement was not only that we don't click them, but that we use the "report phishing" function on them.
Also some of them were pretty funny.
Was it hoxhunt? It's a bit spammy but they seem to push for a more gamefied approach over collective punishment.
Not in my case, no. The content was completely custom to the organisation. I assume they were big enough that they felt like a lot of the risk would come from coordinated spearphishing carefully crafted to look like genuine corp email.
Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.
And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.
Where I work they use the microsoft phishing simulation, for which they publish a list of domains they send from.
we do monthly phishing tests and some of our people are so bad that we put in the test email "this is a phishing email, do not click sign in" above and below the sign in box and they still give creds
seccomp sent pre-notice emails out about the phishing tests that were coming.
75% of the company reported the pre-notice email as phishing (even the CEO).
we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.
the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.
People see the word "phishing" and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.
Had to setup a fake phishing system as well.
Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.
If phishing mails actually told you they were phishing, we wouldn't need training.
Shit.... I'm doing that course in normal business hours. Get fucked brenda!
For real! A course is work. If I'm working I get paid for my time. End of story.
Don't let them rob you! (any more than they already are)
If a coworker leaves their pc unlocked near me I like to click the phishing emails so they have to do the course. Tee hee!
I worked at a company where everyone would try and send an email to themselves from an unlocked PC. That mail contained a heads up that the victim willl bring cake into the office e.g. next tuesday. They then were typically forwarded to the whole team while thanking them for their generosity.
It really hammered that lesson home and the victims did honor the cake-mails. Only downside was, that this led to people to tryimg to bait each other into leaving their PCs unlocked and creative countermeasures, such as delaying mails containing the word 'cake'.
Exactly, it's my own version of teaching cyber security!
I recently set somebody's homepage to meatspin.com and they snitched on me to the boss because they were worried they'd get pulled up for visiting NSFW websites. The boss just said "Why was your PC unlocked?"
Maybe your work atmosphere is different, but if I showed meatspin to a coworker, it would be considered pretty fucking weird and inapproproate.
Oh yeah I definitely wouldn't recommend doing this unless you're comfortable with all your colleagues!
Ah, I might try this 😂 my current strategy is to install and run xneko on coworkers' computers when they forget to lock their screen, so they will have a cat running after their mouse pointer.
open their Teams and send "I'm bringing cake next week" in the group chat on their behalf.
I created a little script that ran on startup that would wait a random amount of time between 5 and 15 mins and would just hit the left key once. I dropped it on a dev's computer when he left it unlocked and forgot about it. After weeks of torment, it activated while he had a YouTube video so he figured out it wasn't his fault. He was convinced it was the keyboard and started harassing IT so I had to come clean.
Jokes on me though, every time there was any quirk on his computer, server, or with his code he blamed me and didn't believe me.
We all have to do the course. And honestly I'm not even mad.
In my line of work, most people are not computer savvy. We're running Windows 11 and no one has admin privileges, even the highest ranking people. They're all limited. That's fine. We can't install anything. I'm pretty sure I could hit up PortableApps and get some portable software working, but I'm not trying to push my luck. I'm pretty sure I know what I can and can't get away with, but it's a good job and I don't want to mess it up. Besides, a lot of people are illegally streaming sports or movies and getting away with that, so IT security is pretty lax. That's probably true at a lot of places.
I don't mind the cybersecurity courses because I mute them and make them run at double speed and I ignore them, clicking through, then I ace the test. It's not that I don't care. I just know the material already. I've also helped coworkers who earnestly sat through the whole thing and are genuinely struggling. I know they hate how casually I get all the questions right, but they hate having to go through it a second time even more.
Plus, there's one vendor of training videos that is kind of like an office comedy, and one of the workers has a bunch of anime fan art in their cubicle. So it amuses me to no end that all of my coworkers are seeing these characters. It's nothing recent and I haven't seen it in a while. I know Killua from Hunter x Hunter is there. 12 year old boy, has super powers, something with lightning? (been ages since I watched HxH, and Meruem best boy) and he can rip your heart out of your chest (he's done it before). I feel like they need to add Anya Forger (from SPYxFAMILY) to the wall. That would be funny. (Telepathic toddler, dumb as a box of rocks, and just as adorable.)
I read an interesting report about how most of these courses are rather ineffective because it adds knowledge but doesn't change behaviors.
https://www.cybersecuritydive.com/news/cybersecurity-awareness-training-research-flaws/803201/
For us they just make the people that click them do some online training. I don't think anyone learns anything during that but I suspect not having to do the training serves as a great incentive to be careful.
It doesn't help though that we've had multiple cases of obvious phishing mails everyone just deleted that were followed up by a "no those mails were legit please click the link" by HR...
That is what really irks me. People who write mails exactly like phishing mails.
Just some bland text asking for urgent action, with one link in the middle that is obscured. No signature, no company images, just a name at the bottom.
Better to delete those than to click on actual phishing mails though.
This is every single email that our IT department sends out. Fake Phishing, or extremely important.
"Please upgrade to windows 11 now! If you need assistance. Click here to login to request help"
Nope! You can't trick me
And the link goes to one of the Office 365 things that asks you to sign in every single time for some fucking stupid reason.
Microsoft and session management somehow always have been enemies.
It's not THAT hard, relatively, to do that well, but Microsoft really has been scraping the bottom of the barrel on that one since forever.
I mean, Microsoft sucks and everything, but session handling somehow is extra dumb. Up until about a year ago it was damn neigh impossible to have tso teams tabs open without shit stirring like crazy
The head of IT at one of my old jobs won 3 or 4 iPhones circa 2007
Me, the idiot who clicked the link: "I'm sorry, I'm sorry, I'm sorry. I get four hundred of these a day and I hit the wrong button. I'm sorry."
You, the cybersecurity officer who just gives the Everyone group full administrative access to the entire network: "Fucking asshole, I hope you've learned your lesson"
Our Boss, who just asked his shareholders to pay him a $1T bonus: "That's it, I've had enough of all this human idiocy, I'm replacing everyone at this company with AI"
The Board: "The company is run by geniuses. We're all bidding up the price of the stock by another $100B in market cap."
Can I just sign a waiver making me financially liable if I fall for a phishing email? Seems easier.
I wouldn't sign that. I work in government, and with new generative AI tools some of the emails are getting very good.
We had one sent to an applicant pretending to be me thay appeared to have scraped data from staff reports and minutes for public meetings for vatiances and SUPs. It was very detailed.
It had also scraped our fee schedule, so it had convincing fee amounts with links to the relevant codes and everything. It's just that the payment site was not actually us, but a site made to look just like us with a 1-letter change.
Why would they have to come in at 7am?
Because fuck you.
Its some kind of American exceptionalism thing we're too normal to understand.
Training courses are during business hours or nobody would show up to them in Australia (and I'm guessing its the same in the UK from your username).
So shafted by their work culture they don't even question the meme..
It is sad but true. I am USAian, and it is a constant battle with co-workers to get them to stand up even a little against dumb mandates. It’s especially frustrating because EVERY DAMN TIME we do push back, management backs down. You’d think they would see the pattern..
Yeah, there's billions, maybe trillions or beyond, of dollars' worth of investment put into making sure everyone "Really needs this job." which can be ripped away from them in an instant, so they won't be inclined to risk any "insubordination."
A few years ago we were discussing how some companies were trying 4-day weeks and someone said that they'd like to try four 10-hour days instead of five 8-hour.
They could not imagine that it meant working fewer hours.
You think American work culture is bad (which it is)? You should see Japanese work culture... the sheer amount of unpaid work they do over there, along with mandatory unpaid socialising, even holding a collection for their bosses and bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
Damn, I used to do that for some coworkers because we were actually friends. I cannot imagine how shitty it would feel to be forced to do that.
Yeah, it's a whole thing, it's called omiyage and it's seen as an apology for your absence and thanking your boss and colleagues for allowing you time off.
...y'know, your entitlement to paid leave.
Upper management - make sure everyone is in for 9 for training
middle management - fuck better make sure everyone is there, everyone in at 8 for training,
lowest manger - shit there is no way user will be in at 8, shit bag user be in at 7 for mandatory training!
You want me in your office at 7, Brenda? Sure, I'll come in for 7. But I'm sure as hell going via the timeclock first.
My company like to do this with us by rage baiting us.
"New storage policy is 10 days. click link to save all your stuff before deletion."
Like you POS! How are we not going to immediately panic when the company actually pulls this crap normally!!!
I wish I could get my flock of idiots in for a course. I'm sick of uninstalling swift browser
Well, did he win?
The twist? The cat was Toonces and he never did make it into work that day!