The Center for Education and Research in Information Assurance and Security (CERIAS)


CERIAS Blog

Malicious Compliance: A story

I recently saw an account of malicious compliance recounted on Reddit and quoted in a Mastodon thread:
Not allowed to work from home so I don't
My job recently told me that even during the snowstorm we got earlier this week, I am not allowed to work from home at all. Even though I work in IT and do everything remotely, they want me in the office.
So I deleted Teams and my email off my phone. I am no longer available after hours.
My boss tried to call me for something urgent last night and couldn't reach me. He asked why today and I explained to him what I was told.
I am not allowed to work from home.

It prompted me to think of several instances where I have engaged in behavior that might be described as malicious compliance; I prefer to think of them as instances of "security compliance education." Here's one such instance that my students enjoy hearing about.

In 2000, we got some funding from a US federal agency (which will be unnamed) to explore for potential vulnerabilities in a commercial printer/copier combination. My technical point of contact (POC) told me that we didn't need to file any reports until we had some results. Apparently, he didn't convey this to the agency business person because the contract specified a long, convoluted monthly report. I was forcibly reminded of this requirement a week after the contract was finalized, even though it was in the midst of the winter break, and absolutely nothing had happened -- or would happen, for at least another month.

I grumbled a bit but compiled the report with basically "nothing to report" and "nothing spent" in the various sections and uploaded it via FTP to their designated site as a PDF.

Now, it is important to this story that my standard computers for use at the time were Sun workstations and Macintosh systems. Most of the research we did was on these systems, and our papers and reports were produced using LaTeX. We avoided Windows because it was usually so buggy (blue screens) and so prone to security problems. We also avoided Word because (a) it was (and is) annoying, and (b) it was a common vector for computer viruses. Thus, my monthly report was produced using LaTeX.

Two weeks into the semester, I got an email from some clerk at the sponsoring agency noting that the monthly report must be submitted as a Word document; the contract specified Word and only Word, and I must submit the report as a Word document, with no deviation allowed. I placed a call to my POC, and he indicated, apologetically, that he could not alter the terms as they were standard for the agency involved: everyone had to abide by them.

Grrrrr....

So, after a little thought,[1] I produced the next monthly report in LaTeX as before. I produced a PDF of the report and printed it. Then, I scanned each sheet individually into a graphic file (.pic, as I recall). I then rebooted one of our Windows machines[2] into MS-DOS and loaded up the oldest version of MS Word I could locate. After consulting the manual, I created a document where each page contained an image -- the corresponding image for that page of the report I had prepared. I saved it out to disk (it was huge), and uploaded it to the sponsor FTP site. Yes, it was basically a huge file of graphic images, but it was technically a Word file.

The next day I got an automated response noting the submission. Three days later, I got an email asking if the report was what I actually intended to upload. I responded that yes, it was. I indicated it had all the required information and was most definitely a Word document. I also alerted my POC about the upload (he was amused).

Another few days later and I got email from the original person who had complained about the PDF now complaining they were having difficulty with the file. I responded that the contract required Word, and that is what I used -- I wasn't responsible for their IT issues.

In month 3, I went through the same procedure but didn't have the email exchanges. Purdue then got an email from the agency business office stating that they were altering their standard business practices to allow all contractor reports to be submitted in Word -or- PDF. Would we mind submitting PDF henceforth? I briefly weighed the idea of continuing my production of Word versions of the report but decided that changing the business practices of a whole federal agency was enough.


Footnotes:
1. Someone once asked me why I didn't send them a Word document with some mischievous macros. I replied "USC 18 § 1030" (that's the Computer Fraud and Abuse Act).

2. Microsoft was a CERIAS partner at the time. When their rep visited, he saw that the lab was equipped with only Sun machines and Macintoshes. A few weeks later, we had several nice servers with Windows preinstalled delivered to the CERIAS lab. All our existing systems were named after mythical and fictional places (e.g., Amber, Oz, Dorsai, Uqbar), and we wanted to continue that scheme. We collectively decided to name the new machines Hel, Tartarus, and Niflheim. When he next visited and saw the machines, with nametags attached, he smiled a little. Two weeks later, we got another three, and they got related names; I can't recall exactly, but I think they were Underworld, Mictlan, and Jahannam. At his next visit, he remarked he could send us a lot more machines. I said we'd find a home for them, and welcome the chance to engage more of our philosophy, history, and literature faculty in the process.

All that said, we actually had a great working relationship with MS, and they hired a lot of our graduates. The machines did get a lot of use in experiments and classes.