Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up' An NCC Group graduate trainee who emailed 300 coworkers to ask for help with what she deemed to be "unusual" behaviour from her Kali Linux VM; contacted the firm’s incident response team to complain about a faulty laptop; and said the machine had been "deliberately sabotaged", has had her victimisation claim thrown out by an …
From my experience of working on a large helpdesk the suggestion of "Have you tried reinstalling Windows?" was the go to option some techs used when they wanted to get the person of the phone because either, the support person had no idea what the problem was, or because they knew it would take a few hours to reinstall Windows and by the time they phoned back their shift would have ended and it would be someone else dealing with it.
Other similar time wasting options were telling the person to run chkdsk or defrag and then call back when it had finished.
... she knew that as soon as she produced anything in that role the gig would be up and they would know she was a fraud.
The hole looks like it kept getting bigger and bigger until she ended up in a tribunal as there was nowhere else to go with the lie.
The alternative is that she was just plain bats$@t crazy.
That is just stupid.
No company should be expecting people to work on laptops instead of desktops anyway, and when something goes wrong with a computer, it should NEVER be up to the new trainee to fix it.
That is the responsibility of IT.
The fact IT refused, means it is the fault of the company.
If you're messing around with Kali then you should have some clue about OS matters and be able to at least research problems. If you're a graduate trainee then you really should be able use google. Or maybe even use the index at a back of a manual if they teach such old skool skills these days.
And I don't know about you but I would not expect somebody destined for a consulting role to be lugging a desktop PC around - that really would be grounds for complaints about unreasonable behaviour.
Easy: HR ended up being on the Board! And being on the board, they need a budget to match their position and to get that budget, one needs to have Processes.
Thus we have this huge recruitment pipelines these days with Recruitment Consultants, DiSC tests (voodoo @150 EUR a pop in licensing fees), The Video Presentation with "AI" digesting facial expressions*, Local HR reading CV's with nothing they'd understand in there ...
After maybe 3 months, Then "we" get to see maybe 5 candidates, and since "we" (since the whole circus goes on our PCC-code) have now invested about 15 kEUR in those 5 dregs-o-the-barrel it is kinda hard to say "None of the Above, do it Again!".
In the bad old days, *we* would read the CV's and interview someone, then maybe after a few months they turn out to be no good, we would fire them again. Doing that was easier because of course with less "preparatory work" it is acceptable to make a mistake or two as one as one corrects it
*) I suspect many of the good candidates drop out at the Video Thing because they are fed up being dragged around by now and there are other jobs to have.
I find Board level HR people tend to not know their responsibilities. Had one job where they were making redundancies, Cue the following:
Called in and told we were all at risk of redundancy.
Told if I didn't take job B then job A would be redundant.
Started looking for another job.
Started job B.
3 weeks later offered a job elsewhere.
Handed notice in, and informed them that under the ACAS Handling regulations I was entitled to redundancy.
HR refuses, saying I was never under redundancy.
Legal advice received (just happens one friend of the family was a specialist in company law and the other is an Old Bailey judge).
HR still stonewalling.
Factory Director and HR Director overheard on shop floor:
"He's saying he'll take it to tribunal."
"He'll never do it, ignore him and he'll go away."
At which point a friend of mine chimed in with "you really don't know him very well do you."
2 weeks later I had a cheque for my redundancy payment in my hand. Bastards still refused to pay the full amount, apparently the "bonus" was only for floor staff and not office staff. They put a clause in the redundancy payment stating that the payment was null and void if discussed with any other member of staff. Totally illegal, but enough to stop any of the other engineers admitting what they got. I got the last laugh though, as I was now officially redundant it meant I was no longer liable for any training fees. As the training fees were more than the redundancy I took that as a win.
Seems a lot of HR drones forget that part of their job is to also protect the employees from the company. As soon as they reach the Board they seem willing to break the law providing it means their bonus at the end of the year is protected.
But it's not clear where - if she'd been working for me then I'd have asked her to stop emailing everyone and I'd have given her a new laptop with the suggestion that she tries a new installation and see if the problem reoccurs. Offhand I'm wondering if this was a VM conflict somewhere, but it sounds like nobody at the company was very interested in figuring it out - that's the scary point, could be every machine at NCC Group is hacked.
Exactly.
Everyone at the whole company did have in interest in ensuring the company was not compromised, but it was the responsibility of her boss and IT to at least ensure she had a good machine to work with.
Things should have been dealt with very early on.
The fact no one helped her, makes them all suspect.
Replying to my own post - I've just read the case report, and the employer is clearly in breach of the Equality Act with respect to disability.
In a properly supportive environment, Ms Hoang sounds like the sort of diligent, methodical, and tenacious person who would do really well in infosec - I wish her well for the future.
Plain English: fuck off, first warning.
p.s. Welcome to the wonderful world of REAL workplace, v. photoshopped images of immaculate males/females feigning attention and intelligent thoughts, while leaning over their shiny-shiny, in the likewise photoshopped "office environment".
I've read the court judgement, all 32 pages of it.
I am not a psychologist, but I'm guessing that the poor woman has Asperger's syndrome, and her whole experience at the company was one long, slow meltdown triggered by something that happened right at the start. It may or may not have been the laptop not being ready on day one; it may have been the noisy office and/or the cold air conditioning (see page 12, section 34) which caused her to 'decide to move seats' - indicating that she'd complained and been ignored or not taken seriously by her manager, and had decided to act unilaterally.
Stuff like this is usually just a minor irritation to a neurotypical, but a classic trigger for an aspie. Whatever it was, it all just ballooned from there out of control, ending up at a tribunal with her manager as the focal point of blame.
You'd think a tech company - particularly one in the business of infosec - would know enough about autism to spot the aspie at interview stage, and at least be able to understand the triggers and manage them (note: I didn't say 'give in to them').
Interesting point, particularly when a good portion (my experience, don't have any data to support claim) of folk working in IT (security or otherwise), if not clinically diagnosed, do show at least some of the behavioral characteristics of someone on the spectrum.
I think assuming NCC would know is a bit of a stretch though. In my last job we had a team of high functioning autists come to work with us; goal of the group who organised it was to help people who are on the spectrum to find and keep work (good cause IMO). Before the group came to the workplace though we had their 'handlers', for lack of a better term, come in to brief us on some of the unique challenges that people on the spectrum, and the people who manage them face.
Turns out that individual managers, and the companies they work for, not knowing how to identify and successfully manage / utilise people on the spectrum is fairly common. That stretches beyond IT though too. I dare say most courses or management programs don't have dedicated learning outcomes for managing people on the spectrum, and if people in management/HR/Recruitment positions have no training or experience in identifying or managing people like that, can't really blame them for getting it wrong either.
As you said, we don't know if this woman has aspergers or some other "on the spectrum" condition, but if she does and NCC didn't manage her well, that would be a fairly typical sort of story.
"You'd think a tech company - particularly one in the business of infosec - would know enough about autism to spot the aspie at interview stage, and at least be able to understand the triggers and manage them (note: I didn't say 'give in to them')."
You are 100% spot on.
I work with a text book Asperger's genius - effing incredible brain in one of the smartest people I have ever met. Once we had worked out what the "problem" was, then recognised what his triggers were and how to avoid them, life became instantly easier for everybody.
Now work is so much less stressful for him and everyone else.
You are also spot on about "giving in". ;-)
Thank you for recognising the problems to be had by people on the spectrum. My son is a great example of an ASD person who is very good at the technical stuff but can lose it at the smallest irritation. Many managers have so many calls on their time that using kid gloves to handle one special person can be overwhelming, even if they do have some training. There are many undiagnosed ASD people out there, who are usually written off as unusual or quirky, but usually they fit right in with all us other misfits in the IT department.
That is stupid.
Of course it is about the laptop.
No one can work on a malfunctioning machine.
Happens frequently, and the solutions are routine.
The fact the whole company refused to take any responsibility is insane.
There is no way a trainee can deal with bad hardware themselves.
The ruling was obviously really, really stupid.
While it is possible for a laptop motherboard to go bad like this, it is not only extremely rare, the company is at fault for only providing a single laptop in the first place.
Laptops are notoriously unreliable compared to a desktop,and it is incredibly cruel to for an intern to work on a single defective machine.
It should have been trivial for the IT department to notice the hardware failure and to suggest a different machine, at least providing a loaner.
I have never heard of any company being so incompetent and insensitive.
To terminate a person over them not being able to work in defective hardware, is just sadistic to the extreme.
NCC sounds large enough for them to have the strategy/policy of suspected hardware problems being dealt with by issuing a replacement laptop from the pool of spare laptops held by IT with a fresh new image on its hard drive / SSD. If the problem is resolved, it was hardware. If the problem continues, you have eliminated the hardware (unless, of course it is a common cpu / other hardware bug that only this user's workload triggers).
In my case, when in the past I was subject to the rigours of IT support, if this ever happened, it would be a real pain, as I had opted out of IT support (which was possible with manager's approval) - so *any* problem reported to IT would result in an offer of a re-imaged laptop or nothing. It meant I could set up my own machine as I saw fit (within limits), but had to support myself, and I was as good at searching on the Internet as IT were for whatever Microsoft patch or registry setting or arcane software configuration needed to be set . In fact, I had a considerably greater incentive to find the fix to avoid a hardware swap-out and a re-imaged system.
It meant I put my own DRAM into 'my' laptop, considerably improving performance, and replaced the fan (which required complete disassembly of the machine) when the original gave up the ghost. Thankfully, the BIOS wasn't locked, so I could boot off a USB stick and run up Linux (this was before the ubiquity of workable VMs), and PortableApps were a godsend* - I could debork, using OpenOffice (the LibreOffice fork hadn't happened then), the vast Word documents generated by my colleagues which would corrupt themselves shortly before the deadline of issuing an RFP response.
It's sad that it is not easy to get quickly to the root cause of many problems associated with Microsoft software, but I can well understand that it is not worth an IT department's time to do a full forensic diagnosis for each and every odd user experience. It is far, far easier to offer a drive re-image, or a PC swapout, and usually faster than a fault-finding session if you have a pile of spare PCs ready to go. You can then spend the time on the users that come back with the same problem after a hardware and software swap-out, or servers, where a drive re-image is more complicated due to needing to re-set-up complex application software.
*I have no connection other than being a satisfied user. YMMV. Use of such things might be forbidden by your IT / Data Security policy.
One of the challenges of managing technical teams is that the corporate support teams known less than your team members. Pursuing the Service Desk route is just a waste of time, getting a new laptop of the same model installing all the same software to the same configuration will likely result in the same outcome a week later.
When you do get the complex issues like this there are normally a couple of guru's in the team who need to be recruited to help.
Unfortunately these are also normally the prickliest, scariest team members who interns and grad trainees are just too scared to approach directly. They also don't respond well to being directed to help new starters as they feel it's a waste of their skills and they often believe that letting Darwin thin out the newbies is a good idea.
I used to finds that I would have to sit down with the guru over a beer / coffee to get them warmed up then take the trainee somewhere safe to explain that they had to approach the guru direct but that help and a learning experience would be theirs for the taking. that also included how to approach this particular person, most want the trainee to sit in worship while the foo is exercised but whilst some want and expect questions other require silent adoration. Even then sometimes things would end in tears, especially on the few occasions where a trainee dumped the 'broken' laptop' on the guru's desk and went home.
The draw back to this approach is that it take time and needs a personal relationship between the manager, tech guru and grad trainee, if they are new to the organisation ans sit in a grad pool rather than the team this can be extremely difficult to manage.
Yes and no. Pursuing the Service Desk route as a first point of contact is always the "correct" response in a corporate environment. Why? It gets the matter on record, date and time stamped and in the system. There will always be exceptions to the rule but it still needs to be the default action. At that point a properly run Service Desk will manage the call and chase up either the tech team or customer as required. Please note my use of the words "properly run" here. That's the ideal but we know it isn't often the reality.
As a former Service Desk then support team bod I had more than my share of new starters, they aren't a waste of time or even begrudged that often. Just the ones where you receive notification at 4 PM on Friday that they start 9 AM Monday. Oddly enough this was most often from those who ought to know better, e.g. IT. As long as the actual requirements are detailed properly it's a non issue, the end user was required to sign off on the build after the first 14 days to confirm that they had what was required and anything extra in that time was just added in.
Part of the established process was to educate the new user on initial contact protocol, everything goes through the Service Desk without exception. It might get copied in to a tech if it was via email but that wasn't guaranteed to be seen by said tech if an incident ocurred, it also ensured that the call would be picked up by someone should the tech be unavailable. I just used to point out that I usually had 2K+ emails daily, the odds of one being missed were rather high so to always raise a ticket or cc our Service Desk to make sure tickets were created and updated correctly.
A classic prank to play on someone who forgets to screen lock their computer before walking away was to:
1. Take a screen cap of the desktop
2. Replace the background image with the screen cap
3. Move all the desktop icons off screen and hide the task bar.
Then wait for the comedy to ensue when the individual exclaims none of the menus/icons worked. It was even more hilarious when even IT was stumped.
I fell victim of this during an internship one summer. It was more humiliating than anything else, especially given that the perpetrator was my then line manager, a prize "appendage" who couldn't complete literally a single sentence without some kind of foul language or being unnecessarily rude.
I was there for six months and he was personally responsible for two resignations in that time. Recently looked him up on LinkedIn and he's still there while literally everyone else I sat with - 15-20 people - now work elsewhere.
Worked at an antivrius company back in the 90's and we would send the newbie the file "rabbit.exe" to test to see if they would open it. It would turn up the speaker and shout "Hey everybody, look at me! I looking at porn over here!" Much amusement was had at the expense of the quickly learning colleague. We also had an online patrol searching through the news groups back in the day for new viruses, worms and trojans. Used to tell them they had a rough time looking at porn all night.
The same NCC trainee should be given the opportunity to do the exercise again using a VBox image , the favorite version of Kali Linux used by Pro's from Eastern Europe, Middle and Far East :
Kali Vbox downloads : https://i.imgur.com/NvIn5FA.png
Kali iso downloads : https://i.imgur.com/XVK9DEk.png
The VM issues sound like misconfiguration and technical incompetence, something which she could easily have sorted out by asking around and taking the advice she was given. The other laptop issues might well have been related to iffy hardware; again, something NCC should - and apparently did - make some effort to resolve.
It just sounds to me like she was considered a combination of "trouble" and "lost cause". She wasn't playing ball with the graduate scheme and its expectations, she wasn't meeting the required standards, she was perhaps being insubordinate and less than professional. None of this bodes well for a potential "security consultant" whom, like all other consultants, need to be able to work well with people and perform to a high standard and produce high quality deliverables for their clients. And all of this can easily lead to exasperation on the part of other staff who would then, for want of a better expression, just give up on her.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
