Weekly Roundup: GoDaddy Can Phish Off Edition

It was a Christmas dream come true. Right before the holiday, GoDaddy sent all of its employees the following email:

Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!… To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.

Over 500 of them promptly clicked through, no doubt thrilled at the prospect of additional help at a time when their spouses or other family members were likely suffering from uncertain employment or no work at all.

They didn’t get a bonus. Instead, they got a written warning that they had fallen afoul of a so-called “phishing” message created by GoDaddy security staff to test awareness of identity theft via fraudulent email, and a notification that they had all been re-enrolled in a computer security course.

Merry Christmas! But I’ve seen (and done) worse…

GoDaddy pointed out that “phishing tests” are common across Corporate America, and they are right; every major company for which I’ve worked has occasionally sent one to its employees. These tests don’t accomplish anything except gratifying the DeVry graduates on the IT Security teams, which over the past decade have managed to become the most powerful tech department in many firms. GoDaddy also pointed out that many real phishing emails play on people’s hopes and dreams; who among us has not briefly hoped against hope that the friendly Nigerian prince trying to get $50M out of his country was real?

In this case, however, the plain fact is that GoDaddy did not need to humiliate its employees in this fashion. This sort of thing is part and parcel of what they call “late-stage capitalism” on Reddit, and it’s animated by the unshakeable belief that the perceived needs of the corporation, however vague and unimportant, take immediate precedence over the dignity, safety, or happiness of its people. I’d expect nothing less from GoDaddy, which is probably the worst webhosting company and registrar in the entire world.

That being said, treating your people like trash around the holidays is a long and well-respected tech-firm tradition. On December 24, 2000, your humble author was finishing up his day as a sysadmin/DBA for a firm called SubmitOrder.com when I heard a chorus of email beeps around me, followed almost immediately by some weapons-grade grumbling. Apparently one of our vice presidents decided it was important to let all the employees know that

SUBMITORDER.COM IS AN “AT-WILL” ENTITY IN WHICH EMPLOYEES MAY BE TERMINATED AT ANY TIME, WITH OUR WITHOUT CAUSE

at approximately 6:15PM… on Christmas Eve. I don’t know what the desired effect of the email was, but the practical effect was that we all stopped what we were doing and went home, including the database team which had been planning to work the holiday to ensure a successful Jan 1 rollout of a new schema.

When we came back to work on the 26th, the email was the subject of constant discussion, to the point that the prankster in me thought it might be worthwhile to shake up this hornet’s nest even further. The most vocal critic of the Christmas Eve missive had been a twentysomething contract UNIX admin named Ben. I liked Ben, but I also knew he was highly emotional and prone to hilarious outbursts, so I penned a fake email to him, supposedly from the same Vice President as before, titled

New Year’s Changes — Get Out, You Contractor Filth.

The body of the email alleged that the UNIX contractors were stealing from the company, that they were all fired immediately, and that SubmitOrder.com would probably attempt to prosecute them after their termination. I connected via telnet to our spectacularly stupid Lotus Notes server and promptly tricked it into accepting the faked-up email as real. In two minutes, or less, Ben would get that email, I’d watch him get it, and the fun would begin.

Unfortunately for me, at that precise moment another VP decided to call my desk and ask me some questions about the Jan 1 database rollout. So I was on the phone, facing away from Ben, when he got the email, at which point he stood up, yelled “FUCK THIS BULLSHIT!”, took his IBM Model M keyboard, and smashed his own monitor with it before running out of the office, keyboard in hand, screaming, “WHERE THE FUCK DOES $VP_IN_QUESTION SIT?” I dropped the phone and chased after him, catching him in the hallway leading to the executive suites. That led to what you might call a “tough conversation” in which I briefly thought Ben was going to also hit me with the keyboard.

Luckily for me, another contractor actually got fired that afternoon, so Ben took that dude’s monitor and nobody ever mentioned the incident again — until today, that is. It was neither the first, nor the last, time for me to pull a prank that caused major violent disruption in the workplace, but that’s a tale for another time.

I think GoDaddy should give all 500 or so of the people who clicked on their fake email an actual $650 holiday bonus. Total cost to the company would be thirty-five grand. Compared to the more than twenty million dollars a year the firm paid Danica Patrick for… nothing, this would be money well spent. In fact, GoDaddy could give all of its employees that bonus for a total cost of under five million dollars, or One Quarter Of A Danica.

Don’t look for that to happen. It would send the wrong message. It would make GoDaddy look like a company with a moral code rather than one with a shareholder responsibility. In the meantime, if you’d like to send the company a Christmas message of your own, consider moving your domain registrations from GoDaddy to GANDI.

* * *

For Hagerty, I wrote about lying with pictures.

34 Replies to “Weekly Roundup: GoDaddy Can Phish Off Edition”

  1. stingray65

    Nice discussion about the Tacoma vs. F-250 photograph, but missing one important element. A 1998 2WD Tacoma with a 2.4 liter 4 cylinder and automatic was EPA rated at 19 city and 22 highway, which any number of 4WD F-150s with turbo V-6 or diesel power can meet or beat (F-250s are not rated by the EPA). The tougher CAFE standards since 1998 have forced automakers to improve the efficiency of their vehicles by investing in aluminum bodies, turbo-motors, diesels, 10 speed automatics, and better aerodynamics, etc. that allow a much larger and more capable truck of today to use the same amount of fuel as a penalty box small truck of 20+ years ago, which will actually encourage more buyers to buy “more capability” than they need since it doesn’t increase operating costs like it used to – it’s something called rebound effect in economics.

    As for Go Daddy and Danica – that sponsorship is probably the only reason I have heard about Go Daddy because showing her “Go Daddy” car crash during a race was almost always featured on the NASCAR highlight reels, so it might have been money well spent.

    • LynnG

      Jack, as stingray65 points out Danica while being sponsored at the tune of $25M produces revenue for the sponsor through bringing attention to the brand. As with any other endorsement the “eyes” you bring to the product determines the value of the endorsement. Think Shaq and Dollar General Insurance 🙂 🙂
      On your AC#87 why did you bury your lead “Its a big tent. Let’s not forget how big it is…and let’s not let them forget either.” This is the most important point of the article. What is the saying, “it’s not being psychotic when they really are out to get you” or something like that. However the issue is stove piping automotive interest. For example, the various national car clubs have been working to organize together for years and it never seems to work out. Many club’s national events have become very hard to manage not only due to size but the loss of dedicated members (aging out) over time. Members still want to participate but they want someone else to do the work and it takes a lot of work to put on a national event. Therefore, while I know that over time our hobby and ability to drive what we want will be under attack, it will be incrementalism that does us in. Our club members in England are already sounding the alarm that in the coming years gas for their cars will become harder and harder to find (incremental change). First it will just become more and more expensive, next it will be available at fewer and fewer locations, next you will need a special license to even buy gas (letting them decide if you should have the ability to buy gas no matter the price), lastly it will disappear. You can see this here in the US in Arlington County VA where the uni-party wants everyone walking, biking, or on busses.
      They have systematically narrowed roads as traffic volume has increased, moved sidewalks out into the middle of intersections to make it real hard to turn right at intersections, put up lights mid-block for no other reason than to snarl traffic, reduced lanes at the base of interstate off ramps from three to one lane to back up traffic on the ramp and the interstate, put up 8 inch curbs to damage motorist wheels and tyres, and try getting the Arlington PD to take a report when the tyres of your Tahoe or Suburban get slashed, they say call your insurance company, it is a non-punishable to attack someone’s full size SUV (while not as bad as the District of Calamity where they imposed a huge tax on any full size truck based SUV and oh you do not want to own a HUMMER over in DC. I do not think there are any left as the “progressive citizens” will spray paint them and slash their tyres in broad daylight. It made the local news until everyone sold their HUMMERS….).

      • Disinterested-Observer

        “Jack, as stingray65 points out Danica while being sponsored at the tune of $25M produces revenue for the sponsor through bringing attention to the brand. As with any other endorsement the “eyes” you bring to the product determines the value of the endorsement. Think Shaq and Dollar General Insurance ”

        This is, of course, very, painfully, true. What it ignores, and what people who believe Jeff Bezos’ obscene compensation is justified ignore is that it exists under the current tax and legal regime. There is no reason to think that what is should be.

  2. Bailey Taylor

    We had a seriously crazy attorney in our town, and I could imitate his voice almost perfectly. In the days before cell phones and caller ID I had quite a bit of fun with other attorneys. However like you, in one situation it went way further than I expected.

    • Jack Baruth (Post author)

      It’s okay, I ended up referring Ben on another gig and he made some serious money, so we are square.

  3. kamember

    Daily reminder that the overlords use dehumanization both as a means and an end.
    In this case it’s corporate abuse but it applies even more to the wokies.
    Facing censorship, doublespeak, and all around disingenuous power grabs, integrity and courage are still relevant. Neither spoiled middle management strivers, nor pink hatters can cope with the word ‘no’. Don’t grant power to the labels affixed by the nomenklatura. But also, stand up, like some families who started suing school systems – and could use support. The lunacy is an example of ‘minority rule’. Opposing it might require to be intransigent with the intransigent.

    That’s for the tactical. On a strategic level, I’ve noticed a sense of people giving up (even as new conversations that transcend traditional political camps are becoming noticeable).
    Remember the stereotype of the Soviet population. Conformist, dreary, guarded, rarely smiling. The illiberal forces dehumanize, those who are more equal than the others keep changing the rules, so you can never be secure, always watching over your shoulder, unable to afford the luxury of joy.

    Have you noticed the cult-like self-seriousness of the wannabe aristocracy? The inability to muster humor beyond disparaging dissenting views? The crying, complaining. They are miserable. Negativity is the message, the product, and the goal.
    Smile. Please, smile. Not in a dumb #blessed way, but find reasons to love life. Call it having your dignity, pursuing your ambitions, counting your blessings, or whatever fits your worldview. Life has a 100% IFR, that’s what makes it worth living. ‘We’ owe it to those who were at Valley Forge and in Normandy.

    This being one of the less automotive articles seemed like as good a moment as any. And to my point, prank=humor+skin thickening. This one involving livelihood might have been a bit much, but ‘Ben’ suffered no harm, so there…

    In times when 2+2 is ‘licherly’ a point of debate, no surprise that a super duty apple is compared to a subcompact orange.

    • CitationMan

      Kamember,
      I just walked the Cowpens Battlefield in South Carolina. We absolutely owe it to the men who came before us, like those who did their duty at Cowpens, and at Kings Mountain three months prior. Two battles that each lasted only an hour, but changed the course of our history. Humbling beyond belief to read their stories.

  4. stingray65

    Jack – do you think you could work some of your old magic and create an official press-release from the Biden campaign that can be sent to all the major media with the following statement: “Due to the unprecedented voter fraud that I have unfairly benefited from, I have today conceded the presidential race to President Donald Trump, who has my full support and best wishes for his 2nd term. In the spirit of national unification I also ask President Trump to consider pardoning me, Hunter, and my brother James for any legally questionable activities we might have been involved with in China, Ukraine, and Russia, and as an expression of good will I also promise to fully cooperate with the Durham investigation into Democrat collusion with Russia during the 2016 election.” It would be great fun to see the media heads explode and journalist keyboards fly all over the world.

    • Fred Lee

      Back in the 90s when my pimply-faced college friends and I first learned how to hablo SMTP, we thought it was fun to send fake e-mails to and fro from various luminaries.

      Finally one of us penned an email from “president@whitehouse.gov”, with something tasteless about the Oklahoma City bombings. It got forwarded around amongst all the friends and then to a couple people outside the friend circle, one of whom brought it to the attention of the college administration.

      I’m amazed to say that the school actually did an investigation into the email, found the IP from which it had been sent, the PPP connection which was using that IP, and then it was a quick job to find the dorm room assigned to that PPP connection and the MAC address of the computer. The student got a stern talking to from school administration.

      A lot of ridiculous effort for a tasteless but harmless prank, but the lesson we all learned that day is that you don’t even pretend to be the President! Or if you do, at least spoof your MAC address and connect to the legacy equivalent of a ghetto VPN — send your packets via an AppleTalk router in a different dorm.

      • dejal

        I use fake e-mails in programs that generate e-mails when run. Makes it easier for outlook to sort into folders if the user thinks it’s useful. I have me on every e-mail list of every program I’ve written. I can get a couple of hundred of them a day. Intermixed with people generated ones. Probably not cool that the company allows it, but they do and I did.

  5. Ryan

    It’s no secret this field is filled with grifters, charlatans, and straight up idiots. When they say that there’s a “talent shortage”, they mean quality talent.

    DeVry might be a little generous, I know for a fact some have barely passed High School and transitioned into “Security” after a short stint at a help desk or similar. These “professionals” are lucky to understand even basic concepts such as the OSI model or basic Linux administration.

    That said, some people I’ve encountered with “security degrees” have been just as stupid. Most times, these people end up in audit/compliance where they subject people to phishing exercises and endless CBT. I’d almost prefer the “other” CBT if it meant not taking another awareness module..

  6. NoID

    I saw a (mint!) 9th-gen Ford F-350 parked beside a current-gen F-350 at a campground this year, and the difference was stark but nothing so serious as to have me voyage to the Island of Misplaced Virtue and burn my ships on the shore the way so many modern automotive journalists have.

    And the thing about curb weights remaining the same is important. These trucks are class-limited to 10k (Class 2) and 14k (Class 3) GVWR and the engineers fight for every pound of mass savings, since a pound out of the truck’s curb weight is a pound they can add to the payload claim.

  7. Bon Ivermectin

    Yeah, that was “NOT COOL”, but it puts things in perspective.

    Speaking of technology, my 2011 vintage ThinkPad W520s now sometimes overheat when running Windows VM’s (which I need to do occasionally for one employer) and always overheat on long Zoom meetings.

    Is PRC-based and documented spyware installer Lenovo still the best choice (P-series or X1 carbon), or are there better options like Dell (very bulky in past experience) or System76?

    • Jack Baruth (Post author)

      System76 for real work, Razer for gaming, I think.

      My Lenovo Y900 has been a real tank and worth five times what I paid for it — but Lenovo is a crummy company.

      ALTHOUGH… given a choice between living under Chinese Communist Party rule or rubbing my own face in the dirt before a Diversity Council of The Current Year, I vote CCP. Their social credit system gives you points for keeping your neighborhood clean and telling your neighbors the truth. OUR social credit system is based on the number of absurdities you can repeat with a straight face.

      • dejal

        Harvard. Wicked smaaaaat people there.

        “The webinar panelists used the term ‘birthing person’ to include those who identify as non-binary or transgender because not all who give birth identify as ‘women’ or ‘girls,’” explained the tweet. “We understand the reactions to this terminology and in no way meant for it to erase or dehumanize women.”

      • Bon Ivermectin

        Thanks, Compaq Deskpro…I may give that a try. Sad that we have devolved to the point where 10 year old laptops are better than new.

        Thanks, Jack. Will look further into System76.

  8. hank chinaski

    When penning a prank like that, especially one so craftily delivered, it should end in a glaringly obvious tone, i.e. ‘babbabooey’. You started with one, and he missed it, saying much for the organization. BS filters weaken as rage builds, and assume that there’s at least one guy in any organization on a razor’s edge. A small subset of those guys may be packing.

    Nice parallel on the $600 ‘stimulus checks’, btw.

  9. Daniel J

    They started this crap with my company about 6 months ago. There were so many problems with it…

    1. Corporate sends us so many emails and 99 percent are junk. So when a phishing email comes in and they make it believe it’s from the company or a reliable source, I ignore it in typical fashion.
    2. So then hey they get on my case for not “reporting” the email as phishing to them. I tell them that most of their practice phishing emails get ignored simply because I ignore most if not all corporate emails. They want me to report the emails as phishing but…
    3. The “phishing” drop down in OWA doesn’t always work. The email has to be manually reported as spam or phishing to cyber security. So using the tools provided doesn’t even work…

  10. dejal

    Where I work has done crap like that with the e-mails.

    So, now, I tag anything as “Suspicious” using an addon button in Outlook. Including stuff I know not to be, but come outside the company. Dumb ass thing, the company has outsourced so much HR stuff, that a lot of legit stuff is from outside places. HTF are we supposed to know?

    The first couple of times I’d send a separate E-mail to Security stating “You tried to screw us over in the past, I’m not taking any chances”. Now, I just hit the “Suspicious” button.

    The company uses Kevin Mitnick | KnowBe4 for security training. Wrist slashing time.

  11. CJinSD

    Is there a business school class about composing psychopathic managerial emails? I was a contractor at Bear Stearns twenty years ago. Pre-September 11, the investment banks were already downsizing, which they might have been calling right-sizing. IT people were being laid off by the thousands, some of it related to having brought a bunch of people back to address Y2K concerns. Morale was low, and fights over office real estate had been replaced by empty seats.

    Into this depressed environment was sent an email from above to raise our spirits. It reassured us that all was still well with the Bear, and that even though obsolete people with embarrassing skill sets were being shown the door by the thousands; the bank was still hiring people with valuable ones. Best of all, we were ordered to smile. Seeing stressed out and discouraged worker bees was a real bummer for the Managing Directors.

    This email pretty much killed productivity on a global scale at the bank. It was also eventually leaked to the business press, naturally. I’m not sure what path the email took to becoming a public humiliation for BS, but the investigation did reveal that a woman who briefly operated under the misapprehension that she was my boss had forwarded the email to a non-BS address off campus. Amazingly, I don’t think she lost her job even though she was a consultant.

    • NoID

      I had something like that happen to me in a global, virtual “town hall” meeting with our global director. Having had some experience with a new process we were adopting, and that experience having shown me that our roll-out was perhaps not as seamless as management had thought, I asked the question of whether we were using industry-standard handbooks and training materials to implement this process or if it was all being brewed internally. I was met with a wishy-washy answer delegated to the local head by the global director, an answer which did not give me any confidence whatsoever that we really knew what the heck we were doing corporately, followed by a serious plea/request from the global director for us to PLEASE replace any individualized Google avatars with photos of our smiling faces. We probably spent twice as long discussing the avatars than we did my actual question, ostensibly because I was one of the hold-outs on the smiling face decree.

      Long story short, in an audience of over 200 people, my global director thought making sure we had proper avatars was more important than making sure the roll-out, implementation, and regular usage of a new process. A process which they all thought took “fifteen minutes” but the rest of us had slogged through in multiple hours-long meetings. That waste of time and lack of understanding at the working level was less important than making sure everyone saw my ugly face instead of a beautiful sports car when I spoke online.

      • Jack Baruth (Post author)

        I’ve devoted a lot of thought to this “we need to see your face” bullshit in corporate America. And I’ve come to believe it’s about submission and control.

        For the past twenty years I’ve refused to smile for corporate IDs over perhaps 20-25 contracts. Smiling in this case is meant to be a sign of debasement, like dogs or monkeys being pushed around by an “alpha”.

        For all purposes where *I* upload the photo to a corporate system, I use a photo of the recording artist Father John Misty. Nobody has ever bothered to question it.

  12. hank chinaski

    Odd. Hagerty doesn’t exist when my VPN random’ed to Mother Russia.

    Anywhoo, I also hold an animosity to trucks, and especially the RRs and Mercs. As you’ve written regarding your two-wheeled encounters, as a sports car driver (in the classical definition), they can’t see you, drive like they don’t care about you if they can, and know you’d be at most an unpleasant speed bump to them when the nannies fail and physics takes over.

    • Fred Lee

      I dunno, I’m pretty sure the truck bros see me every time they decide to roll-coal on me when I’m on my bicycle or with the top of my car off.

  13. Power6

    Oh that is so horrible. I can imagine the security weenies being so proud they cooked that phish test up! Hard to justify the tools if you can’t get some click throughs!

    Heck I’m a CISSP myself, but only so I can talk practical security to our clients. Some have been very concerned about phish testing this way, which I hadn’t really anticipated. Further we have been focusing more on attacking the filtering issues because I realized it’s largely fruitless to try to train the users, it’s not really their job unless they are in finance or some other heightened responsibility.

    On big companies screwing workers, I once worked for a firm that got bought up by BestBuy. As part of the switchover, they found payroll was off between the 2 companies, they were 2 weeks in arrears vs our 1 week in arrears or something. The solution? Stiff the entire 600 employees a week of pay to bring it on schedule. We had a lot of people that was a big deal for. The mgmt could not have cared less about those concerns.

    • NoID

      Hold up…were they stiffed, or was the pay simply deferred? If they well and truly were refused the pay that is utter bullcrap.

  14. NoID

    My biggest pet peeve is when someone accidentally (or a system inadvertently) sends an e-mail intended for a singular or small audience to one or more large internal mailing lists, and people Reply All to ask to be removed from the chain of communication. This is shortly followed by more people who Reply All to the original sender to alert them of their sin, and further people who Reply All asking for people to stop Replying All, and MORE people who Reply All to tell people how to filter all the Replies All.

    I really want these reply chains to be used to determine who gets laid off during the next economic downturn.

    • CJinSD

      I remember those! Every tinpot VP and MD in the company emailing EVERYONE to tell them to stop doing what they’re doing, ad infinitum. Morgan Stanley had thousands of vice presidents when I was there, and every stinking one of them thought they were special relative to the other ones who were sending exactly the same cease and desist orders that they were.

    • Jack Baruth (Post author)

      Mine doesn’t have it. Some of the other powertrain options do, I think. And you can’t turn it off for good.
