The following took place more than 10 years ago, so I guess no sensitive information is at risk.
Your security is as strong as your weakest link.
It was my first week working for a big international bank. But instead of working, I got tons of bloated-out-of-proportion dossiers, which, if I had stacked them one on top of the other, would have been more than 1 meter tall. I didn’t believe they actually expected me to read page by page all this how-to-deal-with-our-systems boring stuff, but a quick check with my new co-workers revealed they all actually read it all (and I guess some of them could even cite large parts…). Well, it wasn’t for me. However, I was not granted permission to the system until I had finished reading and mastering all the regulations described in those manuals. So I figured, two weeks should be a good time to do nothing. Great.
Alas. I was bored.
I stared at my Windows unlock dialog. CTRL-ALT-DEL. No username yet. So my best bet was – either grab someone else’s user/pass, or stick to what I know – Administrator always exists. I had a good hand, the dealer was on my side. I bypassed the lame Windows security and logged on (it doesn’t matter how, there are SO many ways of doing so). The day after, I decided to come clean with my new boss (a stupid British executive), which proved to be a bad idea (at first) – he yelled at me, didn’t even bother to notice the lack of security or the easiness of the break, but only got upset about “how dare I do something like that which page 63 on dossier 121 clearly states is forbidden!” (or something similar). He concluded that I should never ever try anything like that in the future, that I should finish reading my manuals, and we’ll see how we continue from there. He also stated that this is a serious business, and he will keep this accident to himself for the time being since I’m new.
Needless to say, when I got back home that day, I felt lousy. I felt like I had just lost this job. But on the other hand, I was thankful to my new boss for not advertising my ‘bad’ doings, so I still had a little hope. My bad.
Come the day after. I got to work at about 9:00, flipping pages in the manuals, trying to win back my boss’s trust. It was about 12:00 when I was asked to get to the management building. My boss gave me a ‘bye bye’ look as I was walking out of the department. I knew my days at that place were over.
An hour later, I was a new man. The manager who was informed of my ‘break-in’ (yea, my boss’s word turned out to be worthless) was one of the vice-presidents of the company, and showed great interest in my findings, asked me to elaborate to the IT administrators how this should be prevented, and asked me to continue doing so, as long as I inform him personally (a couple of months later he got his password mailed to him, after I found the Administrator password encrypted in some vbs file on the LAN, which allowed me to run L0phtCrack for a weekend. He was pleased :-)), and so I did. He also asked me if there is anything I would like to have while working. I had only two requests: to work at my own (crazy) hours, and a new boss. I got both.