Coffee shop open WiFi on the same network as the main retail central point of sale system server for several stores.

I have posted about this before. I’m pretty sure I win.

I’m not going to name names. I worked for a company, three of their clients include the United States Air Force, the United States army, and the United States Navy. They also have a few thousand other clients, private sector, public, and otherwise. Other nation states services as well.

I worked for this company quite recently, which should make what I’m about to tell you all the more alarming. I worked for them in 2021.

Their databases were ProgressABL. I linked it because if you’re younger than me, there’s a slim chance in hell you’ve ever heard of it. I hadn’t. And I’m nearing 40.

Their front end was a bunch of copy/pasted JavaScript, horribly obfuscated with no documentation and no comments. Doing way more than is required.

They forced clients to run windows 7, an old version of IE, all clients linked together, to us, in the most hilariously insecure 1990s-ass way imaginable, through tomcat instances running on iis on all their clients machines.

They used a wildcard SSL for all of their clients to transact all information.

That SSL was stored on our local FTP server. We had ports forwarded to the internet at large.

The password for that ftp server was 100% on lists. It was rotated, but all of the were simple as fuck.

I mean, “Spring2021”. Literally. And behind that? The key to deobfuscate all traffic for all of our clients!!

The worst part was that we offered clients websites, and that’s what I worked on. I had to email people to have them move photos to specific directories to get them to stop failing to load, because I didn’t have clearance to the servers where we stored our clients photos.

We had legit secure servers. We used them for photos. We left the keys to the fucking city in the prize room of a maze a 12 year old could solve.

Holy shit.

My current job.

Many SQL servers use scripts that run as domain administrator. With the password hard coded in.

Several of the various servers are very old. W2K, 2003, 2008. SQL server, too.

Several of the users run reports via rdp to the SQL server - logging in as domain admin.

Codebase is a mashup of various dev tools: .net, asp, Java, etc.

Fax server software vendor has been out of business for a decade. Server hardware is 20 years old. Telecom for fax is a channelized PRI carrying POTS - and multiport modem cards.

About a 3rd of the ethernet runs in the office have failed.

Office pcs are static IP. Boss says that’s more secure.

We process money to/from the Fed.

My partner worked for a local council. They reset your password every 90 days which prevented you from logging in via the VPN remotely. To fix it you’d call IT and they’ll demand you tell them your current password and new password so they can change it themselves on your behalf.

Even worse, requesting a work iphone meant filling out an IT support ticket. So that IT could set up your phone for you, the ticket demanded your work domain username and password, along with your personal apple account username and password.

It’s it too soon to say, “letting Crowdstrike push updates to all your windows workstations and servers”

Wells Fargo. I worked for them for a few years and I have never banked with them after witnessing the travesty of inefficiency and incompetence, literally in my face.

I had a boss at an animation company (so not exactly a hub of IT experts, but still) who I witnessed do the following:

• Boot up the computer on her desk, which was a Mac

• Once it had booted, she then launched Windows inside a VM inside the Mac

• Once booted into that, she then loaded Outlook inside the Windows VM and that was how she checked her email.

As far as I could ascertain, at some point she’d had a Windows PC with Outlook that was all set up how she liked it. The whole office then at some point switched over to Macs for whatever reason and some lunatic had come up with this as a solution so she wouldn’t have to learn a new email thing.

When I tried to gently enquire as to why she didn’t just install Outlook for Mac I was told I was being unhelpful so I just left it alone lol. But I still think about it sometimes.

Freight shipping company still running on a custom AS400 application for dispatch. Time is stored as a 4-digit number, which means the nightside dispachers have their own mini Y2K bug to deal with every midnight.

On one hand, hooray for computer-enforced fucking-off every night. On the other hand, the only people who could fix an entry stuck in the system because of this were on dayside.

Apparently, this actually isn’t uncommon in the industry, which I think is probably the worst part to me.

A behavioral health company with 25 iPads deployed to field employees as patient data collection devices all signed into the same iCloud account instead of using MDM or anything.

They all had the same screen lock PINs and though most of the data was stored in a cloud based service protected by a login, that app’s password was saved by default.

I was a backend developer for a startup company where:

• Windows servers without any firewall and security hardening.
• Docker swarm without WSL. We had to use 4 GB Windows base images for 50MB web apps.
• MSSQL without any replication and backups.
• Redis installed on Windows via 3rd-party tool that looked like a 2010 era keygen generator.
• A malware exploited the Redis * what a surprise * and kept killing processes to mine crypto on CPU…
• VPS provider forgot to activate new Windows Server on production and it kept restart for every 30 minutes until I checked the logs and notified them about the missing license.

I left there after 6 months.

One of my ex employers sold a construction company a six figure “building logistics system” which was just a Microsoft Access file. And the construction dudes had to use a CDMA dongle to remote desktop into a mainframe to open their access files. A travesty.

Using Filezilla FTP client for production releases in 2024 hit me hard

This was 5 years ago at a usd200mil multinational…

The email system was pop3. There were no document backups. There was no collaboration tools. There was no IT security. You could basically copy company data out and no one would ever find out. The MS Office license was bought singly. Ahem!

Current company (Remote Desktop inception): Linux host machine -> Remote Desktop to windows machine -> Remote Desktop to Linux machine

Bad frame rates, modifier keys hardly ever work, super annoying to code. Windows machine resets all settings and files (besides desktop and one specific folder) each day. Each day I have to install a language pack, change display options, keyboard layout etc.

No IT at all.