I would answer that rhetorical question with no, HR departments have not have heard of social engineering attacks in computer security. Almost any company asking for a password will have a brain-dead HR department in charge of that policy; it's not like your fellow future programmers thought that one up.
I mean, I'm not a fan of people not understanding a tool(service) they use, but if your job pertains to asking for passwords, then you should definitely need to understand the repercussions of such a request, at least on a social engineering level.
It's not even programming, it's privacy. If companies are going to continue to hire non-technologist that use technology especially in a specialized way like this, then they're going to continue to make common-sense mistakes like this.
Oh, it is absolutely a problem! But, having people not knowing what they're talking about has always been a problem. Nothing short of a strictly-enforced policy mandating that HR departments need to have decent knowledge in a certain area will change that.
Besides privacy, it could turn out that HR involved in other domains are broken relationships. If anybody has any examples, I'd love to hear them.
Someone who has run through their 99 weeks of unemployment and is living on friends; charity does not have the privilege of saying "No" to such a request. Reread the original article.
Anyone else notice that there have been exactly zero specific cases of an employer asking for a FB password? It seems that "Employers ask for FB passwords!" is more of an outrage tool than an actual issue.
For those who watch TDS/Colbert, they poke fun from time to time at Fox News et al for making up scary things that kids supposedly do - the latest was soaking tampons with vodka and sticking them up your butt. This feels like the "soaking tampons with vodka" of the professional world. Someone probably has done it, but it is really uncommon and not worth losing sleep over.
It's true, this seems very uncommon in the wild. However I would be surprised if it was completely non existent.
Whilst this may be a non-story at least it shows that people are thinking about these things and waking up to the things that suddenly become possible once your entire life is lived online.
If I were more cynical I might think that this story was intentionally stirred up by someone who had an interest in gauging the public reaction to this.
The insidious thing about this is not if it happens for people looking for tech jobs (they're generally clued in enough to refuse, or go somewhere else, or make a fake Facebook account filled with stuff like "I love working so much!" and "I saved a man's life with a quick appendectomy at my volunteer gig"). People looking for lower-tier jobs are in less of a position to be able to refuse.
And if you're a job-seeker: I don't really care how badly you need the job, you don't need that kind of employer.
Unfortunately, that isn't true for some people. When unemployed and living paycheck to paycheck with few, if any, marketable skills in a depressed area with a spouse and kids, the employer/employee power balance shifts dramatically to the employer. If I were in that situation and I thought giving up my password was the only thing between me and the job, I would probably consider it.
You're right that it isn't universal. Just like any compromise or "selling out" of principles in the name of short term gains, though, I think the empathy should only go so far. Pity those people but don't desire to be them or think it's okay that they compromise on principles.
"Take as your life's objective the goal of getting money for doing
your own thing. You were born to do this. Never lose sight of
this and settle for second best because this is one compromise
that will guarantee unhappiness. Leave that kind of compromise
to others - they were born for it. You are not."
-- Mark Tarver
You've never been unemployed for a long period of time, have you? Unemployment makes you realize how few principles really are important. At the end of the day, I'll value being able to eat over some abstract sense of morality. But if you have been unemployed for a long period of time and kept to your principles, more power to you.
Did you just try and justify stealing bread from a shop is okay if you're hungry enough? I guess that's why some barbaric places still chop off your hand if they catch you since "abstract sense of morality" isn't enough deterrent. But anyway, while I haven't personally been unemployed long enough to be tempted into wage-slavery, I've known a few people who have been unemployed for at least a year who didn't compromise. (How long is "long period" for you?) They waited for a better opportunity even if it meant they grew a little thinner for a time.
Unemployment is bad for your health, even if you have enough to eat.
Quality of life surveys in Germany, where the government-provided social net is rather tightly knitted compared to American standards, shows unemployed to have about as much joy as cancer patients.
I have been unemployed for some period of time--- six months. After which I decided that the best course of action was to become self-employed.
I can completely understand why someone would hand over their passwords to a prospective employer when asked. There is a huge power differential as you point out. However it is no less stupid.
Here's a basic rule I try to keep in mind, and I think it is extremely important in a hard job market as well, and that is to keep options open and work on ensuring you aren't on the bad end of such a bad exchange. The way you do this is by doing what odd jobs you can to put food on the table, so that even if you need the job you don't need it so badly to take a shit deal.
Not everyone is capable of being self-employed. A lot of people are willing to work hard, but need the structure of being told when and where to show up, and what to do.
The fundamental nature of any transaction is that when one party is in a tough position (the formal term is having a poor "best alternative to a negotiated agreement") that person is going to get screwed over. When your BATNA is to have your kids go hungry, most decent parents will gladly give up their own dinners, let alone their Facebook password.
Everyone can do at least odd jobs to reduce the impact of being unemployed. The general point is that you want to maximize your strength so you can negotiate from the strongest position you can....
My husband, Rob, interviewed at a firm where his HR contact could not understand why my he was upset when an automated email that appeared to be from the HR contact sent Rob his password in plain text. Rob replied to the email to complain, thus actually giving his password to Mr. HR. When Rob continued to complain about this problem, Mr. HR accused Rob of not trusting him and insinuated that maybe the hiring process should stop right there. Rob could not even explain to Mr. HR why he was so upset in a way Mr. HR could understand. So HR departments tend to have very different ideas about passwords than, for example, HN readers.
To graduate you had to apply online. However, they never actually integrated the graduate application process with their auth process. So when you applied to graduate you had to "sign" your application with your password. This app, password and all, would then be emailed out to everyone in the Records and Registration office. I presume they then manually logged into my account, and if that succeed I had verified my identity. If this password wasn't tied to, say, the ability to take out a student loan then maybe it wouldn't be a big deal.
I tried explaining to the person who answered the records office phone that this process was broken and I needed another way to identify myself (I'm an out of state student). They didn't care and didn't understand the issue. No one took me seriously until enough people tweeted about it that a PR person contacted me and had IT fix the problem.
So: Mr(s). Non-technical also tend to have very different ideas about passwords than, for example, HN readers.
24 comments
[ 2.9 ms ] story [ 61.9 ms ] threadI mean, I'm not a fan of people not understanding a tool(service) they use, but if your job pertains to asking for passwords, then you should definitely need to understand the repercussions of such a request, at least on a social engineering level.
It's not even programming, it's privacy. If companies are going to continue to hire non-technologist that use technology especially in a specialized way like this, then they're going to continue to make common-sense mistakes like this.
Besides privacy, it could turn out that HR involved in other domains are broken relationships. If anybody has any examples, I'd love to hear them.
For those who watch TDS/Colbert, they poke fun from time to time at Fox News et al for making up scary things that kids supposedly do - the latest was soaking tampons with vodka and sticking them up your butt. This feels like the "soaking tampons with vodka" of the professional world. Someone probably has done it, but it is really uncommon and not worth losing sleep over.
Whilst this may be a non-story at least it shows that people are thinking about these things and waking up to the things that suddenly become possible once your entire life is lived online.
If I were more cynical I might think that this story was intentionally stirred up by someone who had an interest in gauging the public reaction to this.
The insidious thing about this is not if it happens for people looking for tech jobs (they're generally clued in enough to refuse, or go somewhere else, or make a fake Facebook account filled with stuff like "I love working so much!" and "I saved a man's life with a quick appendectomy at my volunteer gig"). People looking for lower-tier jobs are in less of a position to be able to refuse.
Unfortunately, that isn't true for some people. When unemployed and living paycheck to paycheck with few, if any, marketable skills in a depressed area with a spouse and kids, the employer/employee power balance shifts dramatically to the employer. If I were in that situation and I thought giving up my password was the only thing between me and the job, I would probably consider it.
"Take as your life's objective the goal of getting money for doing your own thing. You were born to do this. Never lose sight of this and settle for second best because this is one compromise that will guarantee unhappiness. Leave that kind of compromise to others - they were born for it. You are not." -- Mark Tarver
Quality of life surveys in Germany, where the government-provided social net is rather tightly knitted compared to American standards, shows unemployed to have about as much joy as cancer patients.
I can completely understand why someone would hand over their passwords to a prospective employer when asked. There is a huge power differential as you point out. However it is no less stupid.
Here's a basic rule I try to keep in mind, and I think it is extremely important in a hard job market as well, and that is to keep options open and work on ensuring you aren't on the bad end of such a bad exchange. The way you do this is by doing what odd jobs you can to put food on the table, so that even if you need the job you don't need it so badly to take a shit deal.
The fundamental nature of any transaction is that when one party is in a tough position (the formal term is having a poor "best alternative to a negotiated agreement") that person is going to get screwed over. When your BATNA is to have your kids go hungry, most decent parents will gladly give up their own dinners, let alone their Facebook password.
To graduate you had to apply online. However, they never actually integrated the graduate application process with their auth process. So when you applied to graduate you had to "sign" your application with your password. This app, password and all, would then be emailed out to everyone in the Records and Registration office. I presume they then manually logged into my account, and if that succeed I had verified my identity. If this password wasn't tied to, say, the ability to take out a student loan then maybe it wouldn't be a big deal.
I tried explaining to the person who answered the records office phone that this process was broken and I needed another way to identify myself (I'm an out of state student). They didn't care and didn't understand the issue. No one took me seriously until enough people tweeted about it that a PR person contacted me and had IT fix the problem.
So: Mr(s). Non-technical also tend to have very different ideas about passwords than, for example, HN readers.