Microsoft veteran on how he forged a badge to sneak into a Ballmer presentation
Developers, developers... and top secret coffee machines. Security at MS is definitely tighter 25 years later
Former Microsoft staffer Dave Plummer has revealed how he managed to sneak his wife into a corporate event so that she might experience a Steve Ballmer presentation first hand. The old romantic.
Speaking on his Dave's Garage YouTube channel, Plummer detailed the fights of yesteryear between engineers and those that sought to keep things secure. His own example took the form of a desire to get his wife into one of Microsoft's corporate events.
Who, after all, would not want to sit among throngs of eager employees, awaiting pearls of wisdom to drop from the mouths of the execs? Or, as Plummer put it, "witness Steve's [Ballmer] insanity and Bill's [Gates] vision."
While plus-ones were not on the guest list, anyone with a Microsoft badge could get in. And Plummer had access to a color copier. It was therefore a simple matter to, for want of a better word, forge a mock badge which, while it would not make it past a scanner, would pass muster under the gaze of a guard.
Did the ruse succeed? Would helicopters descend?
"They didn't even look at her badge," he said of the lavish corporate morale-boosting event. "She just walked in like she was supposed to."
Well, Microsoft has had its problems with credentials over the years.
Plummer also retold Raymond Chen's story concerning how Microsoft engineers stationed at IBM's Boca Raton site during the era of OS/2 collaboration smuggled a coffee maker into the office.
IBM at the time was considerably more buttoned up than free-wheeling Microsoft, according to Chen. Big Blue tracked what Chen called "security violations," which ranged from following someone through a door (and thus not swiping your badge) through leaving papers on a desk to wearing shorts in the office.
Various legends had it that six violations would get an employee fired. "A variation of that legend," wrote Chen, "said that Microsoft would have to dismiss three employees after amassing a cumulative ten violations."
Microsoft's employees apparently had difficulty following IBM's rules and at least one discovered that the six-strikes-and-out rule was probably apocryphal and certainly did not get them sent back to Redmond. "I know: I tried," Chen said.
Must ... have ... proper ... coffee
More serious was the coffee situation. IBM's vending machines dispensed a rancid brown liquid, far below the expectation of their Seattle partners. And so it was that staffers sneaked in a new coffee machine.
The device broke the rules on two fronts – it was both a fire hazard and a security violation. So what to do? The solution was ingenious; Microsoft's offices at Boca Raton were, according to Chen, "sort of a tiny Microsoft embassy."
Any box with "Microsoft Confidential" on it was safe from prying IBM eyes and so it was that a box, with a cup-sized hole in it, was slapped over the coffee machine and emblazoned with Microsoft Confidential.
Chen did not go into what IBM security made of the doubtless delicious odor drifting out of the Microsoft enclave.
While Plummer managed to dodge OS/2 (although his move to Windows NT might be considered similar, depending where you stand on the IBM and Microsoft agreement), he did have to endure Microsoft's own security policies, and some engineers took exception to the seemingly reasonable requirement that passwords be changed regularly.
"And so," he intoned, "began the war of escalation between [IT Security] and some of its users..."
First there was changing one's password to the same password. Then IT caught on and captured a hash of the last entry. But all that did was make users enter a temporary password and then switch back. A history of 10 passwords was then stored; surely nobody would change their password 10 times just to keep the same one?
"And yet these were developers," said Plummer, "so soon scripts started to circulate amongst the team that would cycle our password through a dozen temporaries and then settle back on your preferred password.
"I can only wonder how many people accidentally or carelessly stored their domain passwords – with complete access to the source code trees and products – in Outlook VBA scripts so that they could conveniently repeat the process every 90 days."
Simpler times, for sure. Microsoft these days, of course, would much rather everyone ditched passwords altogether in favor of something a good deal more secure.
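The escalation Plummer describes can be modelled in a few lines, which also shows why a history rule on its own never settled it. This is an added example, not code from Plummer, Chen or Microsoft: the PasswordPolicy class, the cycle_back helper and the sample passwords are constructed for illustration, and the minimum-password-age rule is a standard countermeasure that the article itself does not mention.

```python
import hashlib
import os

DAY = 86400  # seconds


class PasswordPolicy:
    """Toy model: remember the last N password hashes, optionally enforce a minimum age."""

    def __init__(self, history_len, min_age_days=0):
        self.history_len = history_len
        self.min_age = min_age_days * DAY
        self.salt = os.urandom(16)   # per-account salt so old hashes stay comparable
        self.history = []            # newest last; includes the current password
        self.last_change = None

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def change(self, new_password, now):
        """Attempt a change at time `now` (seconds). Returns (accepted, reason)."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return False, "too-soon"
        digest = self._hash(new_password)
        if digest in self.history[-self.history_len:]:
            return False, "reused"
        self.history.append(digest)
        self.last_change = now
        return True, "ok"


def cycle_back(policy, preferred, temporaries, step=60):
    """Replay the cycling from the article: set `preferred`, burn through
    throwaway passwords `step` seconds apart, then ask for `preferred` again."""
    now = 0
    policy.change(preferred, now)
    for i in range(temporaries):
        now += step
        policy.change(f"temporary-{i}", now)   # constructed throwaway values
    now += step
    return policy.change(preferred, now)


if __name__ == "__main__":
    print(cycle_back(PasswordPolicy(10), "Preferred#1", 12))                  # history only
    print(cycle_back(PasswordPolicy(10, min_age_days=1), "Preferred#1", 12))  # plus minimum age
```

With a one-day minimum age the same cycle still works if the changes are spread over 13 days, so the rule raises the cost of reuse rather than preventing it.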
With the cyber threats of today grabbing the headlines, and operating systems more sieve-like by the day, Plummer and Chen's recollections are a pleasing reminder of a time when all security had to worry about was users getting creative with a copier and engineers taking a blunt instrument to corporate policies. ®