“Secret” just like those emails I get from HR asking my opinions about management that are completely anonymous, but don’t forward this email or share the link with anyone else because it’s just for me…
This is only tangentially related (email links encoded with trackers) but when I ran the technology for a school, our district network security officers ran a web security literacy audit by sending out a fake phishing email. Obviously, I was supposed to tell my staff to not click on anything in the email, and then forward it to me, or the district network security officers.
So, I sent an email to my campus, telling them to not click their link, and simply forward their emails to me. I pretty quickly suspected that the email was part of an internal audit, which was all but confirmed by the fact that they used a Google ad campaign generator that was hosted on our district domain. I also confirmed that every email link had unique identifiers in them, including the recipient’s employee ID, which I found extra funny.
So, I then got to work clicking on everyone’s links. It went to a suspicious-looking login screen, similar to our portal, that then took us to a video about network security that was embedded on our district website, and then that forwarded to a Google Form in which we were supposed to fill out our names, and answer some questions based on the video. For the login screen, I rotated through the network security officers’ employee IDs, and used passwords such as “OopsiePoopsieSuchARiskyClicky1!”
When I saw the Google Form, I then created a Google Sheet with everyone’s links, and then split the users into a separate column that had a randomized order so that the user info was unlikely to align with the link. Then, I used that to submit incorrect user info on each form so that it wouldn’t match my collected email address, and the reported email tracker ID. I also used the sheet to match tracker IDs with incorrect employee IDs, and clicked all of those links. I did this from my phone, my Chromebook, and my MacBook. I also was traveling to NJ that weekend, so I did the same thing, only from my phone, a few times in NJ, and wherever my layover was.
I had such a hard time containing my laughter when I got a call on Monday from the lead network security officer. He explained how they were at first concerned that my campus was the only one where 100% of the recipients failed the security test. Not only did everyone seem to click their link, they did it multiple times. The security officers then checked if the page was loading properly, because they couldn’t figure out why people would keep following a phishing link. Then the security officers were really concerned that something went wrong with their collection methods, because every click came from the same few IP and MAC addresses; even worse, the user info from the Google forms didn’t align with the tracker IDs on their source Google Sheet. After that, they were really confused that everyone kept clicking their email links over the weekend, and that some of the recorded IP addresses were from out of state, but didn’t appear to be associated with a VPN. Finally, they looked at all the form submissions, and saw that over 98% of the form submissions all recorded the same logged in email address: mine.
So, they called my manager to ask why I would do such a thing, and my manager said, “that’s just what TheFartographer does.” So they called my department’s assistant director, who also explained, “that’s just what TheFartographer does.” Then, my department supervisor proactively called them to explain “that’s just what TheFartographer does.” During my call, I found out that I accounted for nearly 2000 submissions, which impressed me because we only had around 100-150 employees at my campus. We have around 30,000 employees throughout our district, so the network security team thought that around 7% of our users failed the security audit, but then found out that the number was closer to 1%. I was told that they eventually all had a good laugh about it, but then asked me to please never do that again.
I’ve sat in mid and upper level executive meetings about this stuff.
They 100% know exactly who did what review, it’s not secret no matter how much they swear up and down it is, if you’re high enough in the chain.
Lower middle management won’t be told who it was generally, especially if their report size is a handful. They still know exactly what was inputted though because they see the responses and can generally tell who it was based on that alone due to context hints.
Always creates a fun bit of drama, but they really don’t like that their dirty laundry gets aired.
I love these, keeps the toxic people out of management in my company. We have a yearly employee survey and the toxic people always complain about everything and everyone. They think it’s anonymous even though you have to click a link that’s emailed to you then login to the survey with your employee ID and password. Yeah dipshit it’s anonymous even though you just gave them your ID to be able to take the survey.
Me, 5 stars across the board and no additional comments. Any issues I have I take up with my manager directly and he can handle it from there with the right people.
You see, I’m the guy who gives his opinion in those. The trick is to be actionable. Don’t complain about things you can’t give direct advice on how to correct. Be kind in how you communicate and give the benefit of the doubt in all of the language.
Don’t: Your management style is shit
Do: It is difficult to complete my work with the lack of understanding on the business direction. I would like this communication to come from my direct manager.
This is the way. The main reason I don’t do something like that is results are open to everyone in management and since I know I can work with my manager I prefer to handle issues one on one.
If my manager refused to work with me, or the issue was a company wide thing, then I would give an actionable response.
I write proposals for improvements and they’ve been so well received because I present each one with an issue statement, explanation, and actionable steps to resolve the issue. Now I’m helping coworkers with ideas on how to improve and that’s something I try to reinforce, explain the issue and how it affects the company and employees, then give a way to correct the issue. If you just say here’s a problem, now fix it, you’ll get no where.
We had a system like that when I was a manager. It was anonymous but I could usually still tell who it was based off the writing style on the comments or the fact that they were complaining about things that they had already brought up to me. I didn’t retaliate against anyone though. Usually I agreed with them and they were complaining about things I had no control over
If it were something I can fix it do take action but at my level its trivial shit such as ensuring enough time is allocated to training. The stuff they really complain about is all the stuff the c suite asshats do. You know the ones that dont know us mear mortals beyond can we replace them with ai
But go ahead dont let that get in the way a good narrative you have built up in your head
Then you will know at low level it sucks. You get all the flack with no way to fix anything that’s important.
The sad part is I agree with the shitty feedback almost 100% of the time.
The rest where its most useful for the game is it helps to find out who is really really unhappy and try find a way to help them.
I wouldn’t call my reaction emotional. But then I just found out tomorrow they are pushing out another one of these stupid surveys. Where I have to spend the next 2 weeks badgering the guys into filling it out when they could be doing something way more useful.
If some has those types of concerns, they are better protected going directly up the chain with them. Anonymous feedback means management can more easily get away with retaliation by claiming ignorance.
Depends on the system! Even for anonymous polls, you still need to have unique links to ensure that people don’t take it multiple times and bias the results. Even if it can track who has (not) answered the poll, it doesn’t mean that the answers are traced back to you!
If they want they still can track you though, so this is why we need tools that we can verify how they work, e.g. open source services, maybe hosted on a external trusted provider etc
“Secret” just like those emails I get from HR asking my opinions about management that are completely anonymous, but don’t forward this email or share the link with anyone else because it’s just for me…
This is only tangentially related (email links encoded with trackers) but when I ran the technology for a school, our district network security officers ran a web security literacy audit by sending out a fake phishing email. Obviously, I was supposed to tell my staff to not click on anything in the email, and then forward it to me, or the district network security officers.
So, I sent an email to my campus, telling them to not click their link, and simply forward their emails to me. I pretty quickly suspected that the email was part of an internal audit, which was all but confirmed by the fact that they used a Google ad campaign generator that was hosted on our district domain. I also confirmed that every email link had unique identifiers in them, including the recipient’s employee ID, which I found extra funny.
So, I then got to work clicking on everyone’s links. It went to a suspicious-looking login screen, similar to our portal, that then took us to a video about network security that was embedded on our district website, and then that forwarded to a Google Form in which we were supposed to fill out our names, and answer some questions based on the video. For the login screen, I rotated through the network security officers’ employee IDs, and used passwords such as “OopsiePoopsieSuchARiskyClicky1!”
When I saw the Google Form, I then created a Google Sheet with everyone’s links, and then split the users into a separate column that had a randomized order so that the user info was unlikely to align with the link. Then, I used that to submit incorrect user info on each form so that it wouldn’t match my collected email address, and the reported email tracker ID. I also used the sheet to match tracker IDs with incorrect employee IDs, and clicked all of those links. I did this from my phone, my Chromebook, and my MacBook. I also was traveling to NJ that weekend, so I did the same thing, only from my phone, a few times in NJ, and wherever my layover was.
I had such a hard time containing my laughter when I got a call on Monday from the lead network security officer. He explained how they were at first concerned that my campus was the only one where 100% of the recipients failed the security test. Not only did everyone seem to click their link, they did it multiple times. The security officers then checked if the page was loading properly, because they couldn’t figure out why people would keep following a phishing link. Then the security officers were really concerned that something went wrong with their collection methods, because every click came from the same few IP and MAC addresses; even worse, the user info from the Google forms didn’t align with the tracker IDs on their source Google Sheet. After that, they were really confused that everyone kept clicking their email links over the weekend, and that some of the recorded IP addresses were from out of state, but didn’t appear to be associated with a VPN. Finally, they looked at all the form submissions, and saw that over 98% of the form submissions all recorded the same logged in email address: mine.
So, they called my manager to ask why I would do such a thing, and my manager said, “that’s just what TheFartographer does.” So they called my department’s assistant director, who also explained, “that’s just what TheFartographer does.” Then, my department supervisor proactively called them to explain “that’s just what TheFartographer does.” During my call, I found out that I accounted for nearly 2000 submissions, which impressed me because we only had around 100-150 employees at my campus. We have around 30,000 employees throughout our district, so the network security team thought that around 7% of our users failed the security audit, but then found out that the number was closer to 1%. I was told that they eventually all had a good laugh about it, but then asked me to please never do that again.
and if you’re in a smaller organization, any details you provide for what you’re complaining about will instantly tell them exactly who you are
Who is this complaint about?
Them
What is this complaint regarding?
Ugly
When did this incident occur?
Always
Did you try finding a solution?
No too ugly
What action do you suggest could help resolve this conflict?
Shut up
Your concerns are always anonymous, but would you like to leave your name in case someone needs to follow up with you?
Your ugly mom
I’ve sat in mid and upper level executive meetings about this stuff.
They 100% know exactly who did what review, it’s not secret no matter how much they swear up and down it is, if you’re high enough in the chain.
Lower middle management won’t be told who it was generally, especially if their report size is a handful. They still know exactly what was inputted though because they see the responses and can generally tell who it was based on that alone due to context hints.
Always creates a fun bit of drama, but they really don’t like that their dirty laundry gets aired.
Any detail will do that, really.
Doesn’t need to be a small org. The results tend to go to line managers who know all their team anyway
I love these, keeps the toxic people out of management in my company. We have a yearly employee survey and the toxic people always complain about everything and everyone. They think it’s anonymous even though you have to click a link that’s emailed to you then login to the survey with your employee ID and password. Yeah dipshit it’s anonymous even though you just gave them your ID to be able to take the survey.
Me, 5 stars across the board and no additional comments. Any issues I have I take up with my manager directly and he can handle it from there with the right people.
You see, I’m the guy who gives his opinion in those. The trick is to be actionable. Don’t complain about things you can’t give direct advice on how to correct. Be kind in how you communicate and give the benefit of the doubt in all of the language.
Don’t: Your management style is shit
Do: It is difficult to complete my work with the lack of understanding on the business direction. I would like this communication to come from my direct manager.
This is the way. The main reason I don’t do something like that is results are open to everyone in management and since I know I can work with my manager I prefer to handle issues one on one.
If my manager refused to work with me, or the issue was a company wide thing, then I would give an actionable response.
I write proposals for improvements and they’ve been so well received because I present each one with an issue statement, explanation, and actionable steps to resolve the issue. Now I’m helping coworkers with ideas on how to improve and that’s something I try to reinforce, explain the issue and how it affects the company and employees, then give a way to correct the issue. If you just say here’s a problem, now fix it, you’ll get no where.
We had a system like that when I was a manager. It was anonymous but I could usually still tell who it was based off the writing style on the comments or the fact that they were complaining about things that they had already brought up to me. I didn’t retaliate against anyone though. Usually I agreed with them and they were complaining about things I had no control over
I can confirm these are definitely confidential. In so far as your name isn’t on it. My place shows us the best and the worst comments
However we can usually tell who said what and me and my manager play a game of who said what each time it comes around.
Definitely easier than taking action, right?
You’re on the wrong side of the meme.
If it were something I can fix it do take action but at my level its trivial shit such as ensuring enough time is allocated to training. The stuff they really complain about is all the stuff the c suite asshats do. You know the ones that dont know us mear mortals beyond can we replace them with ai
But go ahead dont let that get in the way a good narrative you have built up in your head
You got really emotional there and revealed way more than anything I had in my head.
I’ve been on the other side of the meme at times but I’ve never made a game out of subordinate feedback.
Then you will know at low level it sucks. You get all the flack with no way to fix anything that’s important.
The sad part is I agree with the shitty feedback almost 100% of the time.
The rest where its most useful for the game is it helps to find out who is really really unhappy and try find a way to help them.
I wouldn’t call my reaction emotional. But then I just found out tomorrow they are pushing out another one of these stupid surveys. Where I have to spend the next 2 weeks badgering the guys into filling it out when they could be doing something way more useful.
Brother, HR is there to protect the company
If a comment comes in that’s in the companies best interest to remediate, especially potential legal issues, then they do something
These surveys are not there to make workers live better above the minimum legally required
They do not care about us
If some has those types of concerns, they are better protected going directly up the chain with them. Anonymous feedback means management can more easily get away with retaliation by claiming ignorance.
Depends on the system! Even for anonymous polls, you still need to have unique links to ensure that people don’t take it multiple times and bias the results. Even if it can track who has (not) answered the poll, it doesn’t mean that the answers are traced back to you!
If they want they still can track you though, so this is why we need tools that we can verify how they work, e.g. open source services, maybe hosted on a external trusted provider etc