Episode: 3678
Title: HPR3678: "Stupid Users" ... no, not those users, the other "stupid users"
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3678/hpr3678.mp3
Transcribed: 2025-10-25 03:41:24
---
This is Hacker Public Radio Episode 3678 for Wednesday the 7th of September 2022.
Today's show is entitled, Stupid Users, No Not Those Users, The Other Stupid Users.
It is part of the series Privacy and Security.
It is the 10th show of lurking prion, and is about 15 minutes long.
It carries an explicit flag.
The summary is, Brady and I discussed stupid things done by those of us who really should
know better.
Good morning, good afternoon, good evening, wherever you are in the world.
Welcome to another episode of the Stuff Evil Steve doesn't want you to know.
I'm your host, lurking prion.
Here to guide you through the wonderful fun world of internet security.
So sit back and get ready to wear, I don't know what we're going to do.
Hey, stand by, it'll be fun.
How's your week been, man?
It's not been too bad.
I'm going to lie to you.
You're going to lie to me?
Okay.
Lie to me, tell me the truth, lie to me, tell the truth, come on, I don't know you.
It's been great.
Well, anything you want to talk about, or you just want to let it go with that?
As far as my work week, or any part of it you want to talk about?
Well, I mean, we fixed the sprinklers, the main, so that's great, because it was coming,
like, I sent you the pictures, but it didn't really show.
It was coming out from under this, like, one tongue, or two tongue rock, right?
So that was a really difficult part.
We had to, like, build in, connect into there, and then build in two 90 degrees, and match
it back up to the bottom of the main, and it was like about a two foot difference.
So yeah, and we had to replace the entire sprinkler manifold, because that whole thing,
like, one of them was broke anyway, so it was like a complex, okay.
So yeah, we had to re-engineer the entire thing, and then get it in there, and then
get it to fit, well, you know, with the glue that basically is knelt up together, and
if we failed, the easiest, the best point of success that we had was to tie it into the
filter.
If we failed, that filter was going to cost another 100 bucks if I just stood up.
So, but we got into the first.
That's good.
That's good.
Yeah.
Yeah.
Because the ISSO work, which was basically the system's documentation for accreditation,
certification, OAM, small like this one, okay.
One of the guys that I have an alternate for, who is my alternate on assistant by phone
ery for, got COVID for the third time.
And so like, for the last two weeks, he's for the last three weeks, like he was out, and
then he kind of came back for a week, and then out again.
And I feel like everything has just fallen behind.
I'm not getting any help on my system.
It's a brand new certification process for this system.
Right.
And then the other ones, he's got documents that he's just to be finishing up, that he
won't stand just a certain way, and they're all late.
And so I'm like half in the, try to catch these flaming turds, and you know, people are
like the contractors that are responsible for making sure they get uploaded into the
system.
Right.
You know, they're getting dinged because they're late, and I want to help them out, I'm
trying to do the best I can, but you know, I've got enough of my own work to do.
So it's been, it's rough.
He's a good guy.
He's just sick.
Yeah.
Well, you know, I mean, COVID, I'll do that to you.
All right.
You better talk about some users.
Let's talk about users.
Let's talk about users.
You know, I don't know about you, but having worked in security for a while, I've run
across a lot of stupid users.
What about you?
I've run across a lot of users.
I hesitate to say that they're stupid.
I've no, the worst, the worst ones are too smart for their own good, to be honest with
you.
Now, you know, I use the word stupid on purpose because that's kind of what I wanted
to talk about.
Yeah.
It's an easy word to use.
Actually, if we're going to just talk about sure intelligence, I would rather, if
we're just air quotes here, stupid users, because they make simple mistakes in this
case.
That's usually really easy to figure it out.
Yeah.
It's the ones that are too smart for their own good.
Those are the ones that make me angry.
The ones who didn't do anything, the ones that you have to figure out what they didn't
do so that you can go and undo it or figure out where it's not looking.
Yeah.
Let's reach back to that episode, like I think it was either last time or the time before
that where, you know, when you're troubleshooting the biggest question to ask, the one that will
get you the furthest in life is what changed?
Now, you know, it's kind of interesting.
I can't find that recording anywhere.
Oh, man.
Yeah.
I think I have to record it again.
I think we're going to have to and we'll have to circle back around to that conversation.
But we'll just cover it really quick then.
Yeah.
If you're ever troubleshooting, yes, parts go bad.
Yes.
But and sometimes a patch gets pushed out and you don't know about it.
You can filter out some of these things by saying, hey, what changed?
Going back to the log to see if, you know, the application log see if a patch hit for, you
know, if you're troubleshooting an application, that will solve that one.
The biggest part of that though, if you're asking what changed and you're asking the user
and they don't know, or they say nothing, right?
Well, but here's the thing.
Sometimes the user doesn't know what they did.
But a lot of times they do know and they're afraid of getting in trouble.
Yes.
And you can usually tell when somebody's lying in that case.
If you're an experienced admin, even just getting started, you'll pick up pretty quick
when somebody's feeding you a line of BS.
You can.
But here's my question.
Should we be punishing users for making mistakes?
It's an interesting question.
I'm looking back and reflecting on my own career and I've never actually been in a position
when I was interfacing directly with users of being the one to punish them.
Well, no, it's not so much that we're the one that's going to punish them because, you
know, if you look back when we were dealing, you know, customer facing, we were at the
lower level.
But what we found would get reported up the chain and then somebody would bring a hammer
down on them.
And because of that, it was very difficult to get information and we had things go on
much longer and cause much more damage.
And if somebody had just been honest and said, hey, look, I did this.
Where do we start?
How do we fix this?
And I think maybe we need to get to a culture of not punishing people.
Now, don't get me wrong.
There are people that consistently make bad choices.
And I think that that is a separate issue.
But I think that people should...
Well, then, let's take a stop right there because I get punitively, I can agree with
you.
However, a lot of punishment is take away their access and make them re-accomplish trading.
Do you see that as a formal punishment?
Okay.
Did the training work the first time?
No.
So we're going to make them do the same thing again and expect a different result.
Well, you got to do something, right?
So we're just going to circle around with insanity.
And we know that pretty much every company on the planet does this.
Hey, you did something wrong.
You're going to go and you're going to redo your training.
And we end up in this endless cycle where nothing really changes.
So I guess what it boils down to, you have to do something, right?
You do have to do something, but maybe we're doing the wrong something.
And like, okay, so I want to hear how you propose to change it.
Okay.
I think that we shouldn't focus on what the user did wrong.
I think instead we should focus on what could have happened.
But what could be the ultimate follow-through from this?
Because a lot of users are like, oh, so I clicked on a link in an email.
Who cares?
I think that if we sat down with users and we showed them, play by play, how this could
lead to, oh, I don't know, let's say the end of your organization like Lincoln College.
Well, let's break down what happened there.
Somebody clicked on an email and we ended up with ransomware and all of their records
were encrypted.
They weren't able to get them decrypted.
And a historically black university that's been around for a hundred and some odd years
is out of business.
So for me, I don't view that as the user didn't cause that.
In that case, with ransomware, and I hate to say this, but you want to call it a stupid
user.
Somebody out there is going to be like, that stupid user, you know, that person was trying
to do their job.
I'm sure.
They were.
They made a mistake.
You said ransomware.
What is the number one way of defeating ransomware back up?
Backups.
They can encrypt your data all they want, but if you can restore it, then you're fine.
That is the failure of the IT staff.
But here's the thing.
We've been reaching backups for two decades and nothing changes.
Okay.
Every organization, no, and I 100% agree with you.
One of the jobs that I got, when I made one of my first big moves after getting out
of the Air Force, it turned out that the system admin, who was getting paid a fair amount
more than the junior admins and the qualifications for this company to be a senior admins, you
had to have a four-year degree, and the two junior admins didn't.
And there was a lot of animosity between the three of them for that distinction.
Well, I came in and I had already finished my bachelor's, and they had taken a big step
back because they had both tried to get the job and were told that they couldn't have
it because they didn't have a degree.
So here I ended up, I showed up, and I walked into a bunch of animosity, and what I found
out had happened is this system administrator.
There were two servers that housed similar data for two organizations that belonged to
two different units that did the same financial work.
And this admin had blown up one server that more important of the two, and he had done
it while the backup was running.
Oh, but that's, I mean, that's not a big deal, right?
Because if we're backing things up properly, you should have the backup there.
I mean, it was a day, or at worst, it was a week.
You're right, but how many tapes did they have?
No tapes.
Oh, no tapes.
Microsoft script, because the unit didn't want to pay for a tape backup, and it was just
a USB hard drive, the only USB hard drive.
So it corrupted, and on that USB hard drive, that he didn't do incremental backups.
He didn't, he didn't even do full backups and keep them.
He had it scripted that he had created, and it rewrote it over the, it wrote over the
backup as it was backing up.
So when it crashed during the backup, it blew up the only backup that they had.
That's pretty horrible, but to the point of the user though, the user, the person who's
down at marketing clicking on something, they can't control that back end.
No, they can't.
What we can do is we can show them what the end result would be, and maybe that would
get their attention a little bit more.
Maybe, but we're still going to run into the same problem.
In that case, I think you need, we need to be building an infrastructure that can handle
that is robust enough to handle the mistakes that people are going to make in the last
job.
Well, security, hold on, let me, let me just tie this in really quick, and then we, we
can back off, and you can, you can show me the error in my ways.
No, I'm not showing you the error, I'm running out of time.
That's all.
We ran DOD security for the DODIN, which is the DOD Department of Defense Information
Network, 24/7 shop.
We had a guy with a CISSP, bugged his cell phone into his government laptop to charge
it because his power went out.
He was trained.
He had a CISSP, which is one of the premier certifications you can have in insurance.
He still had a moment of, I don't know, just, he didn't really think about the consequences
of what it was doing, and plugged his personal cell phone into his government laptop because
his power went out, and he felt like he needed to remain available to be contacted in
case something happened.
No way he could charge that phone that he could think of instead of going out in his garage
and, you know, starting up his truck and charging it that way, he plugged it into his government
laptop.
So, you know, even very educated people will make very stupid mistakes.
So, even just calling a user stupid, you know, we all make really dumb mistakes.
I think the key is making sure that your IT environment is robust enough to handle those
mistakes.
And I think that sounds like a great topic for next episode.
We should get into it.
I think we should.
I think we should talk about how to, let's start with our home environment.
How can we make our home environment robust enough?
Because, I mean, what happens if your computer crashes, do you have all those pictures backed
up somewhere?
I do.
Because I learned that mistake very early on in my marriage where we had scanned, or actually
it was when the first digital cameras came out, and, you know, copied all the mall over
to the computer, and then the computer crashed.
And you will learn technical lessons very quickly when you upset your wife.
I think we should cover that.
Let's do it.
Let's cover technical cures for marital bliss.
All right.
I like it.
All right, man.
Hey, thanks for hopping on with me, and doing a short recording.
But, hey, thank you all, and talk to you all next week.
See you next week, guys.
All right.
Bye.
Bye.
Thank you for listening to another episode of The Stuff Evil Steve Doesn't Want You
to Know. I'm your host, Lurking Prion, getting in your brain, and perhaps scratching an
itch that you didn't know you had.
Until next time, try to stay safe on the internet, and win it out.
Quit clicking, shit.
You have been listening to Hacker Public Radio at HackerPublicRadio.org.
Today's show was contributed by a HPR listener like yourself.
If you ever thought of recording podcasts, click on our contribute link to find out how easy
it really is.
Hosting for HPR has been kindly provided by an honesthost.com, the Internet Archive, and
rsync.net.
Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0
International license.