a companion discussion area for blog.codinghorror.com

Don't Forget To Lock Your Computer


“1) Wallpaper as http://www.aquarionics.com/fun/lemming/back.html”

Oh My God! My eyes almost died!


On my team, “Fabio-ing” has been made into a near-Olympic sport. If someone’s away from their unlocked computer for less than a minute, one of my coworkers is in their cube putting a picture of Fabio on their desktop. Priceless.

Great job Jeff for covering an important piece of positive (!) social engineering, and for giving me all kinds of new tricks to pull :wink:


I’m sure glad I don’t work in an office with you soul sucking dweebs that can’t take a joke.

Don’t want juvenile jokes played on you? Stop acting like a child and follow the grown up policies your employer has set for you.


When this happens, I tend to mess with the autocorrect feature in Word. Think leetspeak :slight_smile:

On a more serious note, where I work we use smartcards for building access, and for computer logon. Locking your workstation is as simple as removing the card when you get up and leave, unlocking when you get back is as simple as inserting it and entering a pin code.


Ah well, the screen should automatically lock when the chair in front of it is vacated. And shouldn’t unlock whilst it is.


I will vouch for what TomatoQueen said. I work in a large federal building as a contractor and frankly most of the IT staff are clueless about computer security (not to mention computers, but that’s a different issue).

Whenever we get an email that screams “security risk” (e.g. from an unknown person asking for personal information or telling us to open the attached file, often with very poor grammar) it’s pretty much a sure thing that it’s not only a legitimate email, but that it’s from the security department that doesn’t actually follow any of the procedures they dictate.

Plus IE6 is required to be your default browser, and we only upgraded to SP2 on XP about 6 months ago.


Wicked tip about Clippy. Had a go at a workmate’s computer and he was instantly baffled - even had an IT guy come over and look at it. They both agreed that it had to be a joke, though, which was good. I actually think he’ll keep Clippy running on the comp, just ’cause it’s a great humor-stunt.

As for the differing opinions on this issue: as far as I’m concerned, if your company has a policy on locking your comp when leaving it, you’re to blame for whatever happens to it if you don’t.



Yes, one side effect of this technique is that you quickly learn which of your coworkers do and don’t have a good sense of humor.

As always, use your own judgment about what is appropriate behavior in your work environment. I am not proposing that you do this indiscriminately to everyone, to your CEO or boss… unless you know they’ll go along with the friendly joke.


Wow! Not a big fan of goating myself but… People, forget about your tight-ass ultra-corporate offices for a moment and relax.

Somebody once said about programming: “Remember, it is supposed to be fun. If it isn’t, you are doing something wrong”.


Considering the sensitivity and importance of corporate knowledge and data in general, I can’t believe the degree of naïveté in some of these responses. And, while I agree that a few of the actions mentioned above might be extreme, the practice itself is a necessary evil. Most of the examples given would take far longer than the “30 seconds” cited by those complaining, so I think that exaggeration is also lending to a much more negative perception. Here’s my rule of thumb: I don’t lock my workstation if I’m in view of the area as I’ll know when someone enters my space, but if I go to lunch, the bathroom or across the floor to vending, I lock it.

Though the finance industry may have their specific, above-mentioned guidelines strictly designed for monitoring access, even more companies (if not All) have some form of security policy that includes a “need to know” confidentiality clause. This pertains not only to external entities, but your trusted co-workers. I’ve worked in a secure environment for the past several years and, as mentioned above, leaving my workstation unlocked is NOT an option. My clearance level may be above that of my co-worker. So, while they are allowed in the building, floor, and cubicle, they aren’t allowed to view certain documentation. To make it more complicated, I may never know what some of my co-workers’ clearance level is, which becomes irrelevant if I lock my workstation. The responsibility for security begins with ME. I’ve acted as SSO for several systems and I can assure you that the easiest and main point of access for most intrusions is at the individual security level, from inadequate password protection (too easy or taped to their monitor) to, you guessed it, leaving their workstation unlocked.

Even the Cum-Bay-Ah office environments glorified above probably aren’t as secure and friendly as the posters would lead us to believe. People are easily rubbed the wrong way, so a simple email inviting one co-worker over for a BBQ may seem innocent to you, but may leave another, uninvited co-worker feeling snubbed. He may not have done anything nefarious this time, but after having learned that you don’t like him enough to have him over to dinner and having time to stew over it, your next lunch excursion may be his opportunity to exact some sweet revenge on you by sending an email from your account letting your boss know exactly how you feel about him.

No personal information on your workstation, you say? What about your emails? None of those slip into the personal realm? What about things like annual performance evaluations, usually communicated via email? Think your co-worker would be satisfied to find you receive twice the salary to do half the work…even if that is only his perception?

If you don’t like it happening to you, then lock your workstation. If you can’t be bothered to follow through with such a massive inconvenience as locking your workstation, then report it. Why don’t you report it? Because the first question you’ll probably be asked is how they gained access. When I was told that the user left the machine unlocked, as a security officer my first response would always be to chastise that user. That would be followed by the question “what exactly do you expect me to do?” All the system logs will prove is that YOU were logged in; good luck attempting to invoke your SAAS 70 (which I believe more than assumes the Owner is acting responsibly and maintaining the fundamental security and access to said system by, yes you guessed it, locking the machine when they are not present.)

We’ve most commonly referred to it as “getting bageled”. The first offense is usually a warning by way of email from their own account reminding them the importance of network security and their role in it. On further lapses, the offender (and that is EXACTLY what the person NOT properly securing their workstation is) generously emails the office his intention to bring bagels (or donuts) for breakfast the next morning. Anything beyond that is usually a judgment call based on the relationship between the offender and the person catching him or the offender’s demeanor in general.

Judging by some of the uptight responses above, I’d guess most of these “pranks” are attempts at levity designed to help you remove the sticks from your behinds.


Okay, content filter got me on this post. Wherever you see happy, just replace it with a slang for being homosexual.

Someone got me once. In Sybase SQL Anywhere’s front end (it was a while ago) you could run queries. When a column was null, it would appear as “NULL” italicized. I didn’t know that was configurable. So, one day I came back to my machine, sat down, ran a query, and instead of NULL it said “Matt is happy”. Very juvenile. However, also pretty funny.

I was EXTREMELY upset at first – not because it said I was happy, but because I thought, just for a second, that the database really had that data in there, and I had just sent a copy to a client for testing. I thought that I was going to get in SOOOO much trouble for sending out such an unprofessional message.

Of course, people misunderstood why I was originally so upset, and they all thought that I was homophobic.


Funny, it sounds like you’re the one who’s violating the corporate security policy. It might be a good lesson but you are still breaking the rules to ‘teach’ it. Frankly I would give him a warning about not locking the computer and dock you a day’s pay and make it clear that if it happened again you would be fired.


If someone were to attempt to dock my pay for goating, they’d be forced to demonstrate my involvement in court. That’s going to be pretty hard to do…probably just as hard to prove as you being in the bathroom when that porn was downloaded.

Not only that, but if that user were ever foolish enough to leave his machine unlocked again, my motivation would probably swing from harmless fun and security reminders to pure revenge.


On a lighter note…

It’s also a good prank to go into MS Word and mess with the auto correct dictionary, replacing common words like ‘the’ with either misspelled versions, or completely different words.


I really don’t understand why so many people seem to be offended by the idea of office pranking - especially in this situation.


For the “anti-prank” contingent:

What’s worse:

  • co-worker changing your desktop background
  • malicious user using your computer to do (insert the worst possible thing you can accomplish with your access).

The prank is the lesson - lock your computer, or else be liable for any random act any random person would like to do as you.

(Heck, if it was supposed to be malicious, I’d be sending out resignation letters, but that’s just me.)


I lock my pc all the time but if someone were to ever mess with my pc b/c they thought it was funny, well then, I would take a funny shit on their keyboard. There’s funny for you.


Yeah, that works. BTW, if someone were to type an email in my Evolution and try to send it, it asks for my GnuPG passphrase :slight_smile: This can be disabled, but then, there’s no proof at all that I ever wrote that email. It doesn’t help in the scenario where I’m threatened to type it in, but ok…


Well, my original post on this topic didn’t last more than 1 minute. Do unto others as you would have done to you. Live by it.


My top “goating” trick was to full-screen a virtual machine to a bare bones Windows OS. I left a note that the machine had been reimaged due to a new corporate policy.