I know this thread is old but: so many HIPPA violations, oh my God. I am a pediatric therapists/child psych, and the clinic I used to work at constantly stored client data in the most insecure ways, and therapists and staff would discuss client names, diagnosis’, address, EVERYTHING openly in the break room. I complained at one point, but it went nowhere. Turns out nobody cares, lol. They also frequently ignored the best interests of our clients to maximize profit from insurance (leaning towards fraud). I ultimately left the company when my boss blatantly violated the safety of one of my clients by refusing to send her home when she had a fever of 104 F. Sure, working with kids means everyone gets sick a lot, but when the child is THAT sick, they need to be in a hospital, not in a hot, cramped room with a therapist.
I used to work for a popular wrestling company, billionaire owner, very profitable, would write off any OSHA penalties as the ‘cost of doing business’ just as they did in 1998, when The Undertaker threw Mankind off Hell In A Cell, and plummeted 16 ft through an announcer’s table
Health insurance company I worked for would automatically reject claims over a certain amount without reviewing them. Just to be dicks and make people have to resubmit. This was over 25 years ago, but it’s my understanding many health insurers still pull this shit. They don’t care if it’s legal or not. Enforcement is lazy and fines are cheaper than medical claims.
Obviously this is in the USA.
Worked at a newspaper for a few years.
With very few exceptions, they do not give a fuck about you or the news. The advertisers are their customers and your attention is their product.
Plain text database of every customer password. I can’t name the company, but it’s huge.
At Disneyland, Mickey Mouse is always played by a woman, due to the small costume. So if you put your arm around him for a photo, try not to accidentally touch Mickey’s boobs.
I worked as a pastor and professor for a global, evangelical television ministry/college. They knowingly conceal scholarship on the Bible and punish their pastors for asking any questions that undermine their most closely held traditions (including anti-evolution, mental illness is supernatural, etc.). They tell their US viewers that they can’t call themselves Christians if they don’t vote Republican, while still enjoying tax-exempt status. They use pseudohistorians to inspire Christian Nationalism over their network, and are one of the largest propaganda networks for the Religious Right. A U.S. Capitol police commander told me his men were fighting people who were wearing the network’s brand.
Man, this shit pisses me off.
Especially since I went to a catholic school, we read the bible, especially the parts that condemned using faith to further your own wealth, power or status, using the word of God as a con is pretty much a guaranteed express ticket to the deepest darkest pits of hell.
Sounds like you escaped a violent theocratic cult.
If some of the pastors there had their way, that’s exactly what power would control this country.
No, cults are small religions, this is a big religion
I feel like there are minimum two definitions of cult, that being a high controll group like say jones town and to a lesser but still damaging extent seventh day adventists for example and just a smaller religious grouping.
This place would 100% meet the BITE standard of cult classification.
Thats what I was thinking of but couldnt remember the name, maybe I need to watch more telltale content again.
The BITE classification was invented in order to justify hatred of small religions, by taking a word that already had a meaning (cult) and attaching a second, pejorative meaning to it. It’s like if I write a fantasy novel with a species of evil creatures called jews. Jew is already a word, and it’s a horrific act of religious persecution to take a pre-existing word for marginalised religions and spin it into an unrelated negative.
Yes, because controlling a group’s behavior, information access, thoughts, and emotions is completely acceptable. Autonomy be damned.
I didn’t justify the abusive behaviours described by the BITE model. In fact I was very clear that I disliked those behaviours, and their association with an important religious term. You should work on your reading comprehension so you can stop seeing enemies everywhere.
I mean, no real surprise here bud.
Mental illness is supernatural? What does that mean?
To them, it means if you’re depressed, schizophrenic, or otherwise incapable of controlling your emotions or perceptions, you’re being either possessed or “oppressed” by demon spirits.
Ah, that’s messed up.
Why do people uniform themselves and with something like a brand to commit treason?
They were wearing tshirts with the ministry’s logo, because Jan 6 was for American Jesus.
Send my regards to Jim Bob.
Big german TV production company with succesful primetime action series used rented cars for their stunts. Different people from the team rented them with full insurance, returned them crashed. They did this until every car rent in the city stopped offering insurance without retention.
i worked for a hybrid hosting and cloud provider that was partnered with Electronic Arts for the SimCity reboot.
well half way through they decided our cloud wasn’t worth it, and moved providers. but no one bothered to tell all the outsourced foreign developers that they were on a new provider architecture.
all the shit storm fail launch of SimCity was because of extremely shitty code that was meant to work on one cloud and didn’t really work on another. but they assumed hurr hurr all server same.
so you guys got that shit launch and i knew exactly why and couldn’t say a damn thing for YEARS
Geek Squad, We were flying under the radar upgrading Macbook RAM, until one day we became officially Apple Authorized to fix iPhones, which means we were no longer allowed to upgrade Macbook RAM since the Macbooks were older and considered “obsolete” by apple, meaning we were unable to repair or upgrade the hardware the customer paid for, simply because apple said it was “too old”. it was at this point in my customer interaction, that we recommend a repair shop down the road that isn’t held at gunpoint by apple ;)
I worked at a 3rd party Apple retailer (they had a legacy contract from the 90s that only expired about 5-10 years ago) and they bought the cheapest RAM they could find to upgrade the Macs. They made hand over fist on RAM upgrades and still came in under what Apple charged for the same upgrade.
Man I do not miss those times. Apple authorized to tell you to buy a new device. I made a lot of people unhappy.
Isn’t the ram soldered? Is it too hard to upgrade?
Not for some models at the time, we also did SSD upgrades which we werent allowed to do. Even more ridiculous
if you have a hot air desoldering station it shouldn’t be too hard. but it’s a tool that most people aren’t going to have on hand.
You used to be able to just pop it out and swap. Those were the days
Our business-critical internal software suite was written in Pascal as a temporary solution and has been unmaintained for almost 20 years. It transmits cleartext usernames and passwords as the URI components of GET requests. They also use a single decade-old Excel file to store vital statistics. A key part of the workflow involves an Excel file with a macro that processes an HTML document from the clipboard.
I offered them a better solution, which was rejected because the downtime and the minimal training would be more costly than working around the current issues.
The library I worked for as a teen used to process off-site reservations by writing them to a text file, which was automatically e-faxed to all locations every odd day.
If you worked at not-the-main-location, you couldn’t do an off-site reservation, so on even days, you would print your list and fax it to the main site, who would re-enter it into the system.
This was 2005. And yes, it broke every month with an odd number of days.
downtime
minimal retraining
I feel your pain. Many good ideas that cause this are rejected. I have had ideas requiring one big downtime chunk rejected even though it reduces short but constant downtimes and mathematically the fix will pay for itself in a month easily.
Then the minimal retraining is frustrating when work environments and coworkers still pretend computers are some crazy device they’ve never seen before.
Places like that never learn their lesson until The Event™ happens. At my last place, The Event™ was a derecho that knocked out power for a few days, and then when it came back on, the SAN was all kinds of fucked. On top of that, we didn’t have backups for everything because they didn’t want to pay for more storage. They were losing like $100K+ every hour they were down.
The speed at which they approved all-new hardware inside a colocation facility after The Event™ was absolutely hilarious, I’d never seen anything approved that quickly.
Trust me, they’re going to keep putting it off until you have your own version of The Event™, and they’ll deny that they ever disregarded the risk of it happening in the first place, even though you have years’ worth of emails saying “If we don’t do X, Y will occur.” And when when Y occurs, they’ll scream “Oh my God, Y has occurred, no one could have ever foreseen this!”
It’ll happen. Wait and watch.
Sounds like a universal experience for pretty much all fields of work.
Government and policy? Climate change? A fucking pandemic?!
We’ve seen it all happen time and time again. People in positions of authority get overconfident that if things are working right now, they’ll keep working indefinitely. And then despite being warned for decades, when things finally break, they’ll claim no one could have foreseen the consequences of their lack of responsibility. Some people will even chime in and begin theorising that surely, those that warned them, had to be responsible for all the chaos. It was an act of sabotage, and not of foresight.
Places I’m at usually end up bricking robots and causing tens of thousands of dollars of damage to them because they insist on running the robot without allowing small fixes.
Usually a big robot crash will be The Event that teaches people to respect early warning signs…for about 3 months. Then the old attitude slides back.
Good thing we aren’t building something that requires precision, like semi-conductor wafers. Oh wait.
cleartext usernames and passwords as the URI components of GET requests
I’m not an infrastructure person. If the receiving web server doesn’t log the URI, and supposing the communication is encrypted with TLS, which removes the credentials from the URI, are there security concerns?
Anyone who has access to any involved network infrastructure can trace the cleartext communication and extract the credentials.
What do you mean by any involved network infrastructure? The URI is encrypted by TLS, you would only see the host address/domain unless you had access to it after decryption on the server.
They said clear text, I would assume it’s not https.
The comment we are replying to is asking about a situation where there is TLS. Also using clear text values in the URI itself does not mean there wouldn’t be TLS.
Nope, it’s bare-ass HTTP. The server software also connected to an LDAP server.
I don’t even let things communicate on /30 networks via HTTP/cleartext…this whole thing is horrifying.
I would still not sleep well; other things might log URI’s to different unprotected places. Depending on how the software works, this might be client, but also middleware or proxy…
As weird as it may seem, this might be a good argument in favor of Pascal. I despised learning it at uni, as it seems worthless, but is seems that it can still handle business-critical software for 20 years.
What OP didn’t tell you is that, due to its age, it’s running on an unpatched WinXP SP2 install and patching, upgrading to SP3, or to any newer Windows OS will break the software calls that version of Pascal relies upon.
You’re literally describing the system that controlled employee keyscan badges a couple of jobs ago…
That thing was fun to try and tie into the user disable/termination script that I wrote. I ended up having to just manipulate its DB tables manually in the script instead of going through an API that the software exposed, because it didn’t do that. Figuring out their fucked-up DB schema was an adventure on its own too.
I’m also describing the machine in my office that runs my $20,000 laser plotter/large format scanner. The software in the machine uses (Java?) over a web interface which was deprecated and removed from all browsers around 2012-14, iirc. The machine isn’t supported anymore and the only way to clear an error or update where it sends scans is using that interface. I have a XPSP2 machine running the internal IE6 browser which will still display the interface. Since I’m now a one-person office, and I use the scanner about 6 times a year, I keep that machine around in case I need to turn it on to update the scanner or clear a print error. Buying a new plotter isn’t worth the time/money - when it dies I’ll just farm out the work to a 3rd party vendor; but while it does work it’s convenient to have in-house.
If it’s that old, I’m betting it doesn’t use HTTPS for its connections. You could do a network packet capture on the XP machine (or if you can find one, hook it up to a network hub with another computer attached and capture there) while performing the “clear error” action and find out how it works/what you need to send to it to clear the error. You could also set up a SPAN port on a switch and mirror the traffic on the port going to the printer to capture the traffic, if you have a switch capable of doing that. If not, you can get one off Amazon for about $100.
It’d be pretty simple to put together a script that sends the “clear error” action to the printer after seeing how it’s done in the packet capture. I’ve done this numerous times, the latest of which was for a network-connected temperature sensor that I wanted to tie into but didn’t (publicly) expose an API of any kind.
It’s more than that, though - it’s used to setup custom sheet widths as well as enter new server and login details for sending scans via FTP to a server. If I’m doing billable work, I’m charging $225/hr. If I’m snooping the network, which isn’t my field and I do almost never so it takes me several times longer than an expert, I’m making nothing. With an annual value on the machine’s services at less than $500 (more than half of which would become reimbursable if I didn’t have it), there’s no actual value in “fixing” it by creating a different work around. 🤷♂️
Anything can if you don’t update it.
A national (not US) cake company uses expired ingredients because it’s cheaper. Yes, I did report them to the authorities.
Worked in tech support for a satellite based Internet company that oversold its bandwidth on one of the satellites.
We told customers on that beam we were working on it. The actual solution was attrition. Eventually enough customers would quit that service would be better for those that remained.
The majority of tech startups are super chaotic and barely keeping things running. More than you would ever imagine.
The first steel mill I worked for, the test requirements were more of a suggestion than a rigid specification. I, a trained and skilled engineer with the capacity to make informed decisions, had to run all rejections by my boss who would tell me “it’s close enough” even if it wasn’t. Sometimes it bit us in the ass with warranty failures, but the warranties were probably cheaper than internal rejections (and what is brand perception worth?).
My second steel mill job, I was the one making the rejection decisions. I did the hard thing and rejected our failures but I also troubleshot them to prevent recurrence, making our product and capability better over time.
It very much matters who you buy your steel from; two mills can have vastly different performance for the same products based on how they handle these situations.
