[watwut]

No amount of beating low level employees will change whether they can accept pdf sent by email or not.

And also, they are not supposed to use their intuitive ideas about what is and what is not dangerous use of software. When they do use their intuitive ideas, hacks happen. Karen here doing what she was told and accepting only formats that her organization security team told her to do is Karen doing the correct thing.

We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us. And we are all paid way more then Karen, but are the first to call Karen an idiot when the hack happens. Karen does not know why pdf is different from doc or whatever. Nor is she required to know.

[johnnyanmac]

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

I disagree. I'm sorry Karen here needs to bear the brunt, but if this kept up, at some point Karen's boss will take notice, And then it moves up the chain to someone who can affect that policy.

Companies purposefully set us up to communicate bottom-up, so we can either play the game or break the law.

>People who are responsible for overreaching unreasonable security rules ... are basically us

No, it'd be a policy maker or CEO who thinks we're in the 90's and that secure email documentation isn't a thing. "We" could suggest so many ways to handle it that would save costs while being more secure. We're not much higher on the totem pole than Karen.

Yet suddenly, we get these incidents and our bosses are suddenly rushing to IT to find a solution. As if 6 months of deliberation wasn't enough.

[masklinn]

> I'm sorry Karen here needs to bear the brunt, but if this kept up, at some point Karen's boss will take notice, And then it moves up the chain to someone who can affect that policy.

That’s a hilarious fantasy you have here.

[johnnyanmac]

I'm open to options. Not doomerism "the system can't be fixed" mentality. I don't like to think of myself as combative. Ideally we get listened to in council and they properly pull what strings are needed to help.

But this has been my reality. Employees can evangelize for months for better security, but then a (very avoidable) hack happens and suddenly the budget for it appears out of thin air. Being a nuisance (or letting nature take its course, in the perspective of an employee) is much more powerful to these kinds of organizations than words.

[masklinn]

> But this has been my reality. Employees can evangelize for months for better security, but then a (very avoidable) hack happens and suddenly the budget for it appears out of thin air.

So your lived experience indicates that harassing front-line low-level employees about it does not work because they won't be listened to. Why, then, are you advocating for harassing front-line low-level employees?

Go for the people who can actually set policy: ministers, representatives, council, agency boards, managers. When you call, rather than take it out on the employee request to be transferred up.

And even if you don't have the energy to keep fighting after your own case has been fixed (a very common remedy when it's usually much easier to grease the squeaky wheel than to actually fix the axle), try to leave information on your process and contact points in accessible locations so that those afterwards can start a step or two ahead.

[johnnyanmac]

>your lived experience indicates that harassing front-line low-level employees about it does not work because they won't be listened to.

I'm saying inconvenience from an outside force (not the low level employee) gets actions done, not words from the employee. It can be the custome, it can be a malicious actor. It can be the federal or state government. But it has to come from outside or up top.

I don't know how you construed that as "so customers can't do anything"

>Go for the people who can actually set policy: ministers, representatives, council, agency boards, managers. When you call, rather than take it out on the employee request to be transferred up.

If you've seen local policy these days... Yeah, not really. LA just had a new Metro line approved despite the mayor's attempts to delay the vote. Policy isn't working with us.

I won't say escalation doesnt work, but I haven't seen it pulled off. Wait queues for help is already so long, so asking more time of the customer might not be feasible. It's already inefficient enough that we need go use Synchronous calls to to do all these duties.

[masklinn]

> I'm saying inconvenience from an outside force (not the low level employee) gets actions done, not words from the employee.

When you harass an employee it’s still word from an employee. And it’s very optimistic to think said words will go beyond you being an asshole doing asshole things.

> I don't know how you construed that as "so customers can't do anything"

You seem confused. I never said that, you just invented it from me saying that harassing front line employees is useless.

[cm11]

I sorta feel there's as much fantasy on the other side. The situation as is—the concrete one we're discussing here—exists. You're voting for a version where this person doesn't complain through the methods designed for it and instead writes to the CEO or something and has things fixed that way. Or possibly just doesn't complain about being screwed at all.

The system is largely bad. That's mostly agreed by each side. I feel like what you're asking for—to treat others as humans—is right and yet only going in one direction. There's a disagreement between the company and the customer and instead of showing up the company disingenuously gives you an unrelated powerless person to speak to. The expectation is that you shouldn't count them as the company, you count them as a human—and you're supposed to do that _because_ the company underpays them and gives them no power.

[leoedin]

If the author didn't abuse the fax, why would anyone notice the process was broken. It's only by abusing the existing process that change will be triggered.

You see this all the time in cybersecurity. Nobody cares until there's a breach. Nobody would care if he faxed 25 pages and mildly inconvenienced Karen, but by faxing 500 pages and inconveniencing the whole office, it's going to start something. Even if it takes them another 5 years to fix the process, it's a start.

Realistically, the change will probably be "no more than 25 pages of evidence required". But that's also a win for the person being asked for it.

[callmeal]

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

Yes, but a boss being unable to receive a fax because the machine is "otherwise occupied" may do that.

[autoexec]

I highly doubt it. Not accepting PDF files from random email addresses that send to your very publicly listed email address is a smart policy. One angry jerk trying to DoS the fax machine is not going to change the policy. At best, it'd cause them to ditch the paper and toner and upgrade so that all incoming faxes are automatically scanned and sent to an email box.

[cortesoft]

> We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us.

I don’t think that is true. Rules that you have to use a fax machine are enshrined in outdated laws. No IT professional is going to say to use a fax machine for security.

The same thing is true for a lot of security practices. Our company had silly password rotation policies because of certification requirements, not because our IT team thought it was necessary.

[autoexec]

> No IT professional is going to say to use a fax machine for security.

An IT professional will say don't open PDF files from every random email that comes into your publicly posted email address though.

[trinsic2]

Disagree. Employees need to be responsible and make their voices heard. The whole thing was justified. We enable nightmares with our acquiescence.

[perching_aix]

And how does the author (or you) know she doesn't keep raising this?

Edit: can't even confirm that it really is only fax and physical mail that's available; on a cursory search, tackling this fully online is already well possible: https://news.ycombinator.com/item?id=47544562

[snk]

You mean, Karen lied?

[perching_aix]

No, that is not what I meant. If anything, the blogpost author might have, but that's not what I mean either.

It is entirely possible for both parties to have simply missed thinking of this. Or for me to be missing or misunderstanding something.