This article is more than 1 year old

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Because no one will ever think to look for logins here

On Call Welcome back to On Call, a special corner of The Register where readers can share tales of their cries for help and the deaf ears on which they fall.

Today's yarn, which includes a non-Linux-based solution to Active Directory woes, comes from a reader we shall call "Clive", who was struck with a run of bad luck at the hands of the capricious employment gods.

Having taken the P45 walk of disappointment from his first post-university job, Clive was luxuriating in a new position of IT manager. Sadly, it was not to last.

"I was in the job barely three months when the managing director came to me and advised me that the company was struggling and that he needed to let me go."

Cue an escorted second walk, accompanied by a box of belongings, directly out of the building.

If you're expecting Clive, as a scorned IT manager, to indulge in nefarious and vengeful activities, you'd be wrong. He instead began looking for a new employer.

"About a week later," said Clive, "I received a telephone call from the asset recovery agents of a well-known accountancy firm."

It seems that the company had gone bust since his departure, Clive's name and number had turned up, "and how would I like to earn £500 doing half a day's work?"

Faster than you can say Homes Under The Hammer, Clive accepted: "All I had to do was get the administrators of the company back into the network, back up all the files to a supplied hard drive and submit an invoice."

Continuous paper printer

Rise of the Machines hair-raiser: The day IBM's Dot Matrix turned


Simple stuff for the ex-IT manager, surely?

Clive met the administrator at his old workplace and found his old computer at his old desk, ready to go. Alas, whoever was in charge of security was better than whoever had been actually running the business and, unsurprisingly, Clive found his account password had been changed.

Anticipating a problem, Clive told us: "I had brought with me a password reset CD, that I had used several times before. I inserted it into the PC, booted the software and reset my password."

Sadly, that approach had been thought of, and Clive discovered that his Active Directory account had, quite correctly, been disabled.

What to do?

Fearing that £500 might be about to slip through his fingers, Clive was trying to remember the login details of the backup account when he noted something strange.

"The senior web developer's PC was switched on, odd as every other machine on the premises had been powered off."

He sauntered over and gave the mouse a tentative jiggle. Would the screen turn on? Would there be another login box to taunt him?

No. "It was a beautiful page of Visual Studio code."

Better still: "Right there in the middle of the code was this guy's username and password in the clear."

As is too often the case, the senior developer (or "code monkey", as Clive described him) had an account festooned with admin rights. Certainly enough for Clive to log in as him, re-enable his old account and then do the deed as far as retrieving the data required.

"A job well done," he observed. Although probably not in reference to the practice of slapping cleartext credentials into a source file.

As for what happened next? Clive left the defunct company behind and went on to become a contractor. He even completed some of the projects left unfinished for grateful customers (for, we'd wager, a good deal more than £500).

However, "the events of the day," concluded Clive, "left an impression on me."

Ever saved the day thanks to a co-worker's terrible working practices? Or perhaps, their final, vengeful act? Of course you have, and you should tell On Call all about it. ®

More about

More about

More about


Send us news

Other stories you might like