Comment by watwut

7 hours ago

No amount of beating low level employees will change whether they can accept pdf sent by email or not.

And also, they are not supposed to use their intuitive ideas about what is and what is not dangerous use of software. When they do use their intuitive ideas, hacks happen. Karen here doing what she was told and accepting only formats that her organization security team told her to do is Karen doing the correct thing.

We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us. And we are all paid way more than Karen, but are the first to call Karen an idiot when the hack happens. Karen does not know why pdf is different from doc or whatever. Nor is she required to know.

> We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us.

I don’t think that is true. Rules that you have to use a fax machine are enshrined in outdated laws. No IT professional is going to say to use a fax machine for security.

The same thing is true for a lot of security practices. Our company had silly password rotation policies because of certification requirements, not because our IT team thought it was necessary.

  • > No IT professional is going to say to use a fax machine for security.

    An IT professional will say don't open PDF files from every random email that comes into your publicly posted email address though.

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

Yes, but a boss being unable to receive a fax because the machine is "otherwise occupied" may do that.

  • I highly doubt it. Not accepting PDF files from random email addresses that send to your very publicly listed email address is a smart policy. One angry jerk trying to DoS the fax machine is not going to change the policy. At best, it'd cause them to ditch the paper and toner and upgrade so that all incoming faxes are automatically scanned and sent to an email box.

Disagree. Employees need to be responsible and make their voices heard. The whole thing was justified. We enable nightmares with our acquiescence.

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

I disagree. I'm sorry Karen here needs to bear the brunt, but if this kept up, at some point Karen's boss will take notice, and then it moves up the chain to someone who can affect that policy.

Companies purposefully set us up to communicate bottom-up, so we can either play the game or break the law.

>People who are responsible for overreaching unreasonable security rules ... are basically us

No, it'd be a policy maker or CEO who thinks we're in the 90's and that secure email documentation isn't a thing. "We" could suggest so many ways to handle it that would save costs while being more secure. We're not much higher on the totem pole than Karen.

Yet suddenly, we get these incidents and our bosses are suddenly rushing to IT to find a solution. As if 6 months of deliberation wasn't enough.

  • > I'm sorry Karen here needs to bear the brunt, but if this kept up, at some point Karen's boss will take notice, And then it moves up the chain to someone who can affect that policy.

    That’s a hilarious fantasy you have here.

    • I sorta feel there's as much fantasy on the other side. The situation as is—the concrete one we're discussing here—exists. You're voting for a version where this person doesn't complain through the methods designed for it and instead writes to the CEO or something and has things fixed that way. Or possibly just doesn't complain about being screwed at all.

      The system is largely bad. That's mostly agreed by each side. I feel like what you're asking for—to treat others as humans—is right and yet only going in one direction. There's a disagreement between the company and the customer and instead of showing up the company disingenuously gives you an unrelated powerless person to speak to. The expectation is that you shouldn't count them as the company, you count them as a human—and you're supposed to do that _because_ the company underpays them and gives them no power.

    • If the author didn't abuse the fax, why would anyone notice the process was broken. It's only by abusing the existing process that change will be triggered.

      You see this all the time in cybersecurity. Nobody cares until there's a breach. Nobody would care if he faxed 25 pages and mildly inconvenienced Karen, but by faxing 500 pages and inconveniencing the whole office, it's going to start something. Even if it takes them another 5 years to fix the process, it's a start.

      Realistically, the change will probably be "no more than 25 pages of evidence required". But that's also a win for the person being asked for it.

    • I'm open to options. Not doomerism "the system can't be fixed" mentality. I don't like to think of myself as combative. Ideally we get listened to in council and they properly pull what strings are needed to help.

      But this has been my reality. Employees can evangelize for months for better security, but then a (very avoidable) hack happens and suddenly the budget for it appears out of thin air. Being a nuisance (or letting nature take its course, in the perspective of an employee) is much more powerful to these kinds of organizations than words.