514 points | goldenskye | 1 comment

busyant No.43545713
I worked at a biotech startup about 20 years ago.

- Two of the VPs at the company were named Jim Collinsworth and Peter Sachs (not their real names).

- For reasons I can't remember, I was able to send emails through the company's Windows email server under any name that I wanted.

- So, I merged the two VP names and I sent an email blast to the entire company from "Peter Collinsworth" (just swapping first and last names).

- "Peter" Collinsworth's email said something to the effect of "In honor of the 765th anniversary of the establishment of the Exchequer and the signing of the Magna Carta, <biotech-startup-x> is declaring April as 'English Unit' Celebration Month. All laboratory generated results will be reported using the following units: Instead of mg/kg/day, we will use pounds/stone/fortnight ...." etc. etc. etc.

- Well, Jim Collinsworth (real VP) saw the email and even he thought that the email had been sent under his own name.

- So, Jim fired off an email blast saying, "I did NOT send this. I don't know what this is about."

- Everyone soon realized it was an April Fool's joke.

- Jim eventually made his way to my office to say ... "That was really funny. Don't EVER do it again."

1. zbentley No.43568760
When I was junior IT at a smaller place (150ish people), we set up DMARC for the first time in "quarantine" mode. Plan was to eventually set it to full reject but only if folks didn't report issues for a month or so.

While it was in quarantine mode, I asked my boss if we could use it for an object lesson in email trust at our next security training. He said sure, got permission from the CEO, and then an hour before the next quarterly IT security training meeting everyone in the company got an email from the CEO's address saying "URGENT all-hands company meeting, attendance mandatory!" (which came from a Postfix running under my desk, sans DKIM validation record).

In DKIM "quarantine" mode, everyone's Outlook flagged the message with a banner or popup or something saying it was suspicious, I think it also had a prompt to auto-spambox future validation failures. Plenty of folks saw that and/or the Nigerian-prince-style typos I put in the "CEO"'s message. They checked with him or IT, who told them congrats, feel free to head home 30min early after the security training.

The more credulous folks that came to the URGENT all-hands were surprised to find themselves in a regular IT security training, no CEO in attendance. We started off with "so today we are going to talk about phishing, sender forgery, and you...".
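The "quarantine mode" behaviour in the story above comes from the domain's published DMARC policy. As an added example (not from this thread or its posters), here is a small evaluator of that policy: it parses a DMARC TXT record, checks whether an SPF or DKIM pass is aligned with the From domain, and reports the disposition a receiver should apply. The record, domains and the organizational-domain shortcut (last two labels, no public-suffix list) are constructed assumptions.

```python
from typing import Optional, Tuple

# Added example: minimal DMARC disposition check in the spirit of RFC 7489.
# Not the code of any poster; sample record and domains are constructed.

def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=quarantine; adkim=r' style records into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') allows the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (passed, action). The message passes if an SPF pass or a DKIM
    pass is aligned with the RFC5322.From domain; otherwise apply the p= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]

# Constructed scenario mirroring the story: the company publishes p=quarantine;
# a message claiming From: ceo@example.com arrives unsigned (no DKIM) and with
# an SPF pass only for the sending box's own domain, so it is unaligned.
if __name__ == "__main__":
    RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    print(dmarc_disposition(RECORD, "example.com", "desk-postfix.lan", None))
```

With `p=quarantine` the unaligned message is flagged rather than dropped, which is exactly the banner the training audience saw; switching the record to `p=reject` would have the evaluator return `reject` instead.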