Bizarre Simpson-esque Ethical Dilemma

Discussion in 'Miscellaneous' started by Collingwood Nick, Sep 15, 2013.

  1. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    I'm in a bit of a quandary at the moment. A truly bizarre set of circumstances has arisen at work and I'm not sure what to do.

    I work in hospitality, for a franchisee of a national chain of about one hundred outlets. Without giving too much away, they use a custom point of sale system that has been written in a scripting language and that resides on each store's local server. I have explored this system because that's what I do, even when I'm not supposed to do it. And I have found a lot of vulnerabilities, back doors, passwords, everything. Why would anyone write a POS system in a scripting language and then leave the code on the server for anyone to see? I don't know. The company that created it are real amateurs, they don't even bother encrypting the passwords.

    Which is great for me, because it turns out that this IT company uses the same password to access each of the 100 stores. And because they never thought of coding in any sort of access logs, nobody ever knows when I access another outlet's computer system.

    Yes I know it's dodgy as and ethically questionable. That is a problem I have to face every day as I can't resist the temptation to stick my nose in where it doesn't belong.

    So anyway I was accessing another store's server yesterday for kicks and I made an astonishing discovery. I found clusters of paid up orders that had been cancelled late at night, every night, around the same time, by the same person. In other words, an employee of this franchisee has been stealing money from the shop, for the past two months.

    So you see the dilemma? I want to report this, but I can't do it without admitting to my own wrongdoing.

    It's just like the episode of the Simpsons where Bart wagged school and wound up being a witness to the trial of the mayor's nephew.
     
  2. auntiehill

    auntiehill Fleet Admiral Admiral

    Joined:
    Feb 7, 2006
    Location:
    Hillsville
    Isn't there some way you can report it anonymously?
     
  3. Tosk

    Tosk Vice Admiral Admiral

    Joined:
    Jan 7, 2001
    Location:
    On the run.
    ^That's what I would do. Send an anon-email to the store in question that basically says, "I don't expect you to take my word for it, but it would be in your best interest to check up on what X does with customer orders."
     
  4. Kommander

    Kommander Commodore Commodore

    Joined:
    Mar 22, 2005
    Location:
    Detroit
    Point out these suspicious order cancellations, all the security flaws you found, and then ask for a raise.
     
  5. Christopher

    Christopher Writer Admiral

    Joined:
    Mar 15, 2001
    By coming clean, you have an opportunity to a) stop a thief from stealing the company's money and b) alert them to some serious security problems in their computer system, both of which could benefit them. Under the circumstances, they might be inclined to forgive the lesser transgression.

    Besides, if you know this person's stealing and you don't report it, that could be interpreted (validly or not, I don't know, but it could be) as being an accessory, which would be an even worse position to be in if you were found out. Trying to hide one's mistakes often leads to worse consequences.

    As a rule, Bart Simpson isn't a good role model. I think even he fessed up at the end.
     
  6. Robert Maxwell

    Robert Maxwell so far this is a dumb future Premium Member

    Joined:
    Jun 12, 2001
    Location:
    comments 2 my butt
    I'd check your country's computer fraud/abuse laws. In the US, you'd be doing time in federal prison for admitting to any of that, whether you found someone else's illegal behavior or not.

    I'd send an anonymous tip and do whatever it takes not to have it traced back to you.
     
  7. Allyn Gibson

    Allyn Gibson Vice Admiral Admiral

    Joined:
    Oct 16, 2000
    Location:
    South Pennsyltucky
    I have some background in retail loss prevention. Here's my advice.

    1) Document five or six of the cancellation incidents. Depending on what you can pull, you definitely need dates and times. You need amounts. (I'm assuming these orders are being canceled for cash.) Transaction numbers will be a definite plus.

    2) If your company has an anonymous tip line, use that. Every retail company I worked for had one. If your company doesn't have an anonymous tip line, write up the details you have and mail it anonymously to your corporate office, ATTN: Loss Prevention.

    3) Stop digging around in other stores' computers. :)

    I disagree vehemently with Christopher that coming clean completely will benefit you. LP will take a dim view of you taking advantage of security holes to look at the software and in other people's computers, because they'll want to know everything that you did and they're unlikely to believe that all you did is look.

    Your best play there is to wait about three months and then send the corporate office another anonymous letter, this one explaining the security holes and how they can be taken advantage of. You may even want to go so far as to have it mailed from another city (and that's easily accomplished on the 'net -- you write the letter, and have someone in another city mail it for you) so it can't be connected back to your location or the earlier anon letter that outed the thief in the other store.

    That's my advice. Out the person anonymously.
     
  8. Christopher

    Christopher Writer Admiral

    Joined:
    Mar 15, 2001
    Your vehemence is wasted, then. I did not say "will"; I said "might."

    And even if it doesn't benefit him personally, that doesn't mean it isn't still the right thing to do. Letting someone else get away with wrongdoing just to protect yourself is never right.


    And has it occurred to anyone that a person's anonymity on a public bulletin board is not absolute? There are ways to identify posters through their ISPs, or by subpoenaing a board's registration records. So just by confessing the act on this board, Collingwood Nick, you may have already potentially exposed yourself. Perhaps you should consider talking to a lawyer instead of taking advice from a bunch of strangers online. At least then your conversations would be privileged.
     
  9. -Brett-

    -Brett- Rear Admiral Rear Admiral

    Joined:
    Jun 22, 2001
    Is he stealing enough to make blackmail worthwhile? :devil:
     
  10. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    I appreciate the advice, everyone. Of course I don't have to do anything at all, I can just forget what I have learned and worry about my own store. But that doesn't sit right with me. Might be time to draft an anonymous letter.

    I weighed up the risks before posting this and decided they were acceptable.
     
  11. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    Yes, actually, more than enough. But I don't have the ability or the balls to even try that. :klingon:
     
  12. Scroogourner

    Scroogourner Admiral Admiral

    Joined:
    Sep 4, 2008
    Location:
    Sojourner
    If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.
     
  13. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    I had thought of that. It is true that the POS software itself doesn't record logins or actions, but the computer still has server logs and even if the franchisee doesn't know to look at them, the police will if they become involved.

    And unusual entries in the server logs linked with unusual transaction activity might lead them to the conclusion that a hacker is responsible, not an in-store thief.

    I had thought of a whole heap of schemes based around 'logging in and changing something' but that can only lead to more trouble for me.

    I'm looking at an anonymous phone call to the store owner. He is the person who is losing money in all this.
     
  14. Saga

    Saga Rear Admiral Rear Admiral

    Joined:
    Sep 6, 2008
    Location:
    VA
    My advice to you is to start drinking heavily.
     
  15. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    Great success. The thief is going to lose his job tomorrow, the franchisee is grateful for the information I provided (and mildly embarrassed that he had been stooged for so long), and Nick escapes with a thank you instead of a visit to the police station.

    Sometimes it pays to put self interest aside and do the right thing. Who knew?
     
  16. Allyn Gibson

    Allyn Gibson Vice Admiral Admiral

    Joined:
    Oct 16, 2000
    Location:
    South Pennsyltucky
    The important thing is, you were giving bad advice, no matter how you couched it, because you were speaking from a position of no experience. In such a case, vehemence is never wasted.

    On another note, I'm glad the situation worked out. :)
     
  17. Christopher

    Christopher Writer Admiral

    Joined:
    Mar 15, 2001
    Umm... (raises hand) ;)
     
  18. Collingwood Nick

    Collingwood Nick Vice Admiral Admiral

    Joined:
    Jan 28, 2002
    By the by, that bit about not poking around in other stores' computer systems again - yeah, that's good advice. I'd hate to put myself in this position again.
     
  19. StolenThunder

    StolenThunder Poster Premium Member

    Joined:
    Sep 24, 2001
    Location:
    Scotland
    Good story!

    Did you put on a voice for the phone call? Hear any unusual clicking?
     
  20. Roger Wilco

    Roger Wilco Admiral Admiral

    Joined:
    Nov 27, 2004
    I'm unclear how that employee's scam works exactly. Could you explain it to me like I'm an idiot (which I may be, because I really don't get it)?

    Anyway, nice that it had a good ending apparently.

    eta: if it's just people paying for things and the employee pocketing the money himself and then cancelling the orders, I don't understand how he/she could ever think to get away with it.