
    The bad boss - what is a bad boss and what can you do about it?

    Employees don’t leave organizations, they leave bad bosses. We have all heard it and we all probably have a bad boss experience or two in our career. But what is a bad boss really? Are they just terrible monsters that tear organizations apart, or are they just people like you and me?
    Just as people are different, so is our perception of what a bad boss is. What I consider to be a bad boss may not be a bad boss to you. It all depends on who we are as individuals and what we currently need. Regardless of who we are, though, there are three mental types that everyone dislikes, and those are psychopaths, narcissists and machiavellians. This is how Birgit Schyns, Barbara Wisse and Stacey Sanders describe these types in their article Shady Strategic Behavior: Recognizing Strategic Followership of Dark Triad Followers:
    “Narcissists have a strong sense of entitlement and a constant need for attention and admiration. They are arrogant and consider themselves to be superior to others.” “Machiavellians are sly, deceptive, distrusting, and manipulative. They are characterized by cynical and misanthropic beliefs, callousness, a striving for … money, power, and status, and the use of cunning influence tactics. In contrast to narcissists, Machiavellians do not necessarily have to be the center of attention and are satisfied with the role of puppeteer, unobtrusively pulling the strings.”
    Psychopaths “are unlikely to consider the needs and wishes of others and are unafraid of crossing moral boundaries. … By creating chaos in the organization, as well as in coworkers’ personal lives, they can pursue personal agendas without detection. They do not only enjoy hurting people, they strategically use humiliation and bullying to direct other people’s attention away from their hidden selfish activities. … psychopaths are often viewed as the most malevolent ones of the Dark Triad.”
    We call these collectively Dark Triad personalities and when you encounter them there is very little you can do but to leave the organization. These are not bad bosses, they are bad people with mental issues that can hurt you, so stay away from them whenever possible.
    These are not the bad bosses we are looking for however, because there is another group, that is far more difficult to handle than the Dark Triad bosses. I am of course talking about the Sudden Asshole Bosses and the Micro Management Boss. These are people that actually are very good people, but they suffer from insecurities and inexperience as leaders.
    These are usually people that others like because they are caring, well-spoken and often action driven people that listen and take care of problems in a way that makes everyone happy. Then when they get appointed to a leadership position they change overnight to become a controlling asshole of a boss.
    Why do good people become bad bosses?
    My personal experience and observation is that this happens to new and inexperienced people due to a shift in the direction of care. By that I mean that as an employee my direction of care is usually towards my co-workers. That would be the other employees. As a person moves up and becomes a manager, they have new responsibilities to people above them in the hierarchy. That means that they naturally shift their direction of care upwards.
    This is nothing bad, but if you add stress and the feeling of not being a hundred percent sure of what you are supposed to do as a manager, then the need for control starts to take over. As we know, stress does not help with maintaining a kind and generous disposition, so that does not really help the situation either.
    We also tend to adopt behavior from those that we work with. If a new manager is unfortunate enough to have others around them that belong to the Dark Triad, or that have fallen into the trap of micromanagement, then it becomes natural to be drawn into that. This is not because they want to be bad bosses, but because they need something to cling to, as managers very rarely get any leadership training before they are tossed into the new roles as managers.
    People that feel insecure, or that are in a position where they feel they have to live up to certain expectations due to their gender, religion, sexuality or race, are more prone to this in my experience. Not because they are any worse or better than others, but because they fear failure or letting down others more. Fear is a great motivator, unfortunately it often motivates good people to become bad bosses...
    How do we get bad bosses to become good bosses?
    Most Sudden Assholes and Micro Managers tend to get over the initial shock of becoming a manager. With time, they will again shift their direction of care to the people they are in charge of. They will learn how to navigate the minefield of leadership and distance themselves from behavior that is detrimental to the people under their care. They will also realize that micromanagement is not a healthy or sustainable way of working and as they feel more secure in their roles as leaders that need will dissipate.
    As people feel more secure they will also realize that the very reason they were chosen for leadership in the first place was because they are awesome. More often than not it is also because they add something to the company that is missing. For this reason it does not make sense to conform to what already exists. Many leaders blossom greatly when they realize this and a lot of people transcend from bad bosses to amazing bosses.
    For some however the bad boss attitudes get stuck. These are people that need help to break free from the bad boss loop. In my experience there are three things that seem to work well on most people:
    Time - One of the banes of new managers is stress. Helping your manager to reduce stress is a great way to help them get over the hurdles of transition from bad boss to great boss. Be proactive in providing information and take care of problems and you will quickly see a transition in attitude.
    Proximity - Being away from the people you are supposed to lead makes bad bosses feel more connected to other bad bosses instead of the people they are responsible for. Break this by asking the bad boss to spend more time with the team. Don't let them hide in a closed room, bring them out in the open and in close proximity of the team. The bonds will naturally reforge with the team and the bad influence from other bad bosses will be reduced.
    Respect - Even if you are getting treated like crap and you are frustrated, show respect to your boss. Remember that they are probably struggling badly with things you have no idea of and with a show of respect you can ease that stress. Also remember that they are human and that the goal is to help them over the speed bumps of being a bad boss so they can become great bosses. Showing respect reduces their insecurities and reminds them how awesome you are as well. I am not saying this is easy or even feasible in some cases, but just remember that bosses are people just like you and me and they have things going on in their lives you probably have no idea of.
    I know of one middle manager that was pretty much ambushed by several teams that gave him hell for almost 30 minutes before he broke down crying and told them that he had cancer and did not know how to deal with that.
    A woman I read about a while back was struggling because she was gay and was afraid that people would find out and she would be fired, only to find that everyone already suspected it and loved her regardless.
    Some are struggling with addiction, others with family issues such as divorces or deaths in the family. Some are struggling with bigotry from higher up in the company, some have asshole bosses of their own to deal with. Others may have illnesses or suffer from anxiety. There are a million reasons why someone may behave poorly in certain times of their lives.
    Just be open to the possibility that bad bosses may just be amazing bosses trapped inside their insecurities, bad company and a stressed out mind.
    You may hold the key they need to break free.

    Value Stream Management - another top down approach to ROI?

    Value stream management, probably most noticeably introduced as a part of the SAFe framework, is nothing new. It is a simple visualization of the value creation process connected to the financial aspects. In short, it is a way to organize work based on finance and perceived value to the end user. This approach is another top-down version and as such it comes with both positive aspects and negatives. If handled correctly it can be mostly positive, however.
    Let us begin by setting the stage for what Value Streams actually are: artificial constructs designed to match value with cost. In a sense that is the same as a line organization that continuously creates value, but with a specific value in mind that is not tied to IT structures such as systems.
    This is where the first problem usually starts to show itself: what is value and to whom?
    If you have spent any time with Agile or Lean evangelists, then you know they will talk about the end user's experience as the one and only metric of importance. I find that to be a naive and narrow point of view because as a company you are in the business of making money. That means that the metric that matters is what we benefit from as a company. In order for the company to benefit you usually want end user satisfaction, but it is not the only metric.
    There is no benefit for the company if the end user is satisfied, but the company loses money because of it.
    In order to set any form of metric to measure value you need multiple perspectives and this is very difficult when you have experts that either focus on end user satisfaction or company profit. The answer is in the middle, but very few companies have the capability to bridge the gap and find that value.
    Defining what value is
    What happens is that value is often defined in services rather than value. Customer support, for example, or E-commerce. In some cases it is even split into business areas such as countries or brands. Neither is probably what constitutes a value stream, but then again value streams are artificial constructs that are still very poorly defined other than "what drives value" in a typical theoretical abstract manner.
    My advice for this is to define what value you are driving and how the company will benefit from it. This is something almost all companies already have as it is a part of Portfolio management. Everything that you have a budget for already has value creation as part of the metrics used to motivate the funding. The only thing you need to do is to take your portfolio and sort the items in there into recurring areas. You can do that with a simple card sorting activity because if you work with Portfolio management you probably already have this in place in a way and you just need to challenge the structure a bit.
    It is worth mentioning that value streams are not organizations or departments. They are time limited artificial structures that you should treat as long-term projects or programs. Eventually these value streams will change, in fact you should have a process to re-evaluate value streams annually or at least bi-annually to verify that the value creation is still in line with what you expect from a value stream.
    Value Streams live on top of systems
    This is as true for Value Streams as it is for programs and projects. All IT organizations are system based, and no matter what financial body you place above, it should live above the system structure. What I mean by that is that each system should have one truth when it comes to documentation and competence. So financial bodies that touch the system will "borrow" competence from that system and they will share documentation with other financial bodies that touch that system. This prevents fragmentation of information and duplication of technical roles such as architects and test.
    It is common when you define value streams that you will define entire systems as part of that value stream. This makes sharing systems less of an issue, but you should still keep in mind that the value stream is more or less hiring that system to deliver value and that others can, and usually will, have reason to pass through that system as well.
    Measuring Value. Actual value.
    When you start working with the value stream you will have certain things that you measure to see how well you deliver value. If you have defined the value correctly as suggested above, then you will get multiple points of value to combine into the actual value. This is where it is common that companies realize that they do not have the tools to actually collect the metrics. In some cases they get the metrics, but do not know how to combine them into actual value.
    My advice here is to make sure that you define value the same throughout the company. Don't use arbitrary points of measurement like t-shirt size or story points because they will be useless at scale. You also need to measure cost, for real. Most companies only start to measure cost after the requirement phase, which provides a very skewed perspective as there are a lot of costs involved in defining a need.
    So start measuring all aspects of the processes before the need hits the development team and you will probably be amazed about how much time is spent defining the need. Ideation, meetings, workshops, decisions, estimations, technical solution design and requirement analysis easily add up to 50-500 hours of work for even small needs. I have seen features that added only a visual effect on the side with negligible value cost well above $50.000 just in meeting costs to argue about the correct implementation.
    You also need a way to translate other arbitrary measurements such as customer satisfaction into something useful. Hopefully you already have a template for this if you work with ROI from CRO, or at least you have some way to measure how increased customer satisfaction also increases profit for the company.
    When you measure actual value and not just a part of the value creation, then you usually will have very different results than if you only measure single points.
    Value Streams. For real.
    Like I said, value streams are nothing new and most organizations already have it based on either financial value or customer value. The trick is to combine the two into value streams that give you the real answer to the big question: what creates value for the company and how do we improve that.
    Combining soft values such as feelings with hard values such as money is no easy feat however. As you dive into the esoteric and abstract world to try to combine the intangible with hard realities you should expect to fail initially. There are no magic formulas for working with value streams, which is why you should be aware that this will probably be a very expensive exercise of futility unless you truly commit to making it work.
    If you commit and you find that sweet spot between measuring too much and not measuring enough, then I firmly believe you will have a big advantage compared to your competitors. If you also work with predictive activities to test theories before you commit to them, use predictive data analysis and engage with the end users to drive decisions, then you are a winner, regardless of what field your business operates in.
    Just don't throw in Value Stream Management as some form of magic bullet, because it is not.
    You will not be the best in the world by adding a new way of training, you still need to put in the hard work. This is true for sports and it is true for business processes as well. You do the work and you commit to it. Or you fail.
    Commit, or fail.

    LinkedIn adds pronouns and video - is it really what we need?

    LinkedIn has recently announced some additions to their services that have been received with some skepticism. While I understand the thought behind adding a more permanent version of Stories and the debated gender pronouns, I don't think it will benefit the users. The only change I really liked was the Live Broadcaster showing the broadcast in the banner.
    Pronouns

    Pronouns are heavily debated all over the world, even if it is mostly affecting lives of people in the US and Canada it seems. While I see why adding it can be a good thing for those that think these things are important, I fear they will add another roadblock for gender fluid individuals. I know for a fact that some companies will not hire anyone putting anything other than he or she in there. I also know for a fact that some companies will not hire anyone with he or she in there, but they are far fewer if I should venture a guess.
     
    Cover Stories
    Video cover stories are next and they are an extension of the existing stories. The current stories only exist for a day, but Cover Stories are supposed to be more permanent. It is kind of like the old video presentations that were popular back in the days. Until it turned out that people were discarded as candidates based on physical attributes before anyone even looked at their resume. I fear this will have a similar effect and I see several people already have addressed this and how it goes against the trend of having less identifiable data to determine the best candidates.
     
    Live Broadcaster
    Now this was a pretty cool feature, even if it may not be the ultimate experience for anyone wanting to view a broadcast. Whenever you broadcast, the banner in your profile will start showing your broadcast instead of the image. Not only does it look cool, but hopefully it will draw some people to your broadcast. I hope this also will bring in more people trying out broadcast.

     
    My Thoughts
    Will these new features make it easier to get a job or find new candidates? No, they will not. They will be nice toys for people that are already doing great at interviews and for people who love video presentations. In some areas where presentation skills are important they will add value, but in every area where the job is to focus and build things they will probably not be very useful.
    Pronouns are something I still don't understand how it is supposed to work as it is arbitrary labels that cannot be discerned visually, making them kind of pointless unless you already know the person. It makes a lot of people uncomfortable and I think it will be something that can lead to exclusion or getting hired based on virtue signalling. Neither of those options will do the gender fluid any favors.
    I also think that some companies might demand that their employees either add video and/or pronouns, or forbid them. This is because both can add or reduce the chance of getting contracts for the companies. That can cause some bad situations and cause discomfort among the employees.
     
    On the upside you have a great new tool to promote yourself using video. This is great for some groups and I think a lot of people will love to add that to their otherwise dry resume. It is also a great way for young people that don't have a resume yet to still show their enthusiasm and their passion for their chosen field.
    For anyone who really feels that pronouns are important it is great that this feature now is added. I know that some people will feel a great relief over this and to be honest, what harm can it possibly do if it is voluntary? If it helps the gender fluid community feel more at ease, then I am all for it.
    The Live Broadcaster feature...yeah, it is all good.
     
    While I do see some concerns for these features I think it is great that LinkedIn experiments. Try out new features and see which ones are appreciated and which ones are not. As they are optional it gives the users the power to decide what they want to use and what they don't want to use, which is great.
    Overall I give these changes 2 thumbs up and some fingers crossed that they will work out fine for the people that use them and that they will improve the chances of finding work instead of the opposite.
    What are your thoughts?

    Insight free with JSM Premium - Jira Service Management just got a lot better!

    Yesterday I got a mail announcing that Insight, the powerful CMDB tool from Mindville that was recently acquired by Atlassian, is going to be included in the Jira Service Management Premium & Enterprise plans. This is a huge announcement and I very much look forward to seeing this rolled out in the coming weeks.
    If you don't know what Mindville Insight is then you can check it out here. In short, it is a tool that allows you to manage all your assets and configuration items in an easy to overview database. With the connection to Jira Service Management and Jira Software, Insight gives you all the information you need in one overview.
    We will write more about Insight later to show you its many features.

    Jira Work Management - What is it and why do you want it?

    Atlassian recently announced a reboot of their Jira Core, which was practically unused by everyone due to its lack of unique features. The reboot comes with a new name, Jira Work Management, and a new setup focused on business teams. This is a great change and it will make Jira a bit more interesting for business teams in the future.
    Four views to rule them all
    Jira Work Management focuses on four main views: Board, List View, Timeline and Calendar. There are of course other features as well, such as a form builder experience as in Jira Service Management and the ability to pick a background color. The focus is on these four views however and they will determine how the business teams will react to this reboot.
    The List View

    The list view will appeal to anyone who spends a lot of time in Excel, or if you use something like Asana or Tasks in Teams. Inline editing and individual settings for the visual changes are big selling points, even if I foresee a bit of confusion when the views differ from user to user.
     
    Timeline View

    The timeline view is pretty much a slightly watered down version of the Roadmaps feature in Jira Software. It will work well for team level, just like Roadmaps in Jira Software, but not much more.
     
    Calendar view

    The Calendar view is nice, even though I am not so sure how useful it actually is. If we could tie it to our tasks in Outlook, then maybe the calendar would be more useful, but for now I think it will be more of a glance tool, just like the list and timeline views. I could be wrong though and I would need to try it out to test it out for real.
     
    Board View

    The board view is the only view that existed in Jira Core as well and it looks pretty much the same. This is very similar to Trello and it will be a nice alternative to Teams, which is used quite a lot for this kind of view in many business projects.
    Conclusion
    The four views will pretty much satisfy most needs from a business team, but my question is how these boards will tie in with the steering products Advanced Roadmaps and Align. I see this as a common theme with Atlassian lately with the same concern for Next-Gen projects and so on. It's something I will bring up in another article though.
     
    Introducing Forms

    It is interesting to see that forms are moving out from Jira Service Management as a way to create input and display forms. I think this will probably show up in Next-gen projects down the road as well. It is a good change and I think it makes perfect sense to make input and output presentation in this way.
     
    Background color

    Adding a background color to your project will not make or break the customers' appreciation of it, but it is a nice icing on the cake. I don't see what the point is to restrict to standard colors when you could just add a color option to the surrounding text as well and let users add whatever color they want. I foresee images coming soon as well, just as for Trello.
     
    So why do you want this?
    Adding business teams into Jira is a good thing. Earlier it has been a bit difficult to convince them to join, but I think that the List View will be a big selling point to be honest. Maybe even the Calendar, even if I am not seeing it at the moment.
    Having the business teams in Jira means that you can bring in a lot of processes that currently live outside of Jira. This will allow easy management of early project/program planning, procurement processes, staffing, legal and security management and not to mention brick and mortar projects such as store building.
    This is of course the first release of Jira Work Management and it will very likely evolve quite a bit in the coming year or so. For now, it is also free for all Jira owners, so once you get access to it, I suggest you take some time to check it out and see what it can do for you and your organization.
    You can sign up on the waiting list here:
    https://www.atlassian.com/software/jira/work-management
     

    The Proxy Organization - five ways to battle a wasteful culture

    As an organization grows, it will always increase the number of middle managers to stay organized. If the organization assigns the wrong type of managers you may notice that that number starts to grow a lot. You may also notice that the level of trust that exists between the different areas drops as well. This is what I call The Proxy Organization, and it is very damaging for your company.
    Every organization forms a hierarchy. This is how we make sense of the world around us. We define structures such as responsibilities and mandates to make sure we know our place in the organization. In an organization where these structures start to be confusing or poorly defined you often see the number of people between the leaders and the people that make things happen grow. This is because not only is it very difficult to handle a poorly defined workload, you also start to have meetings for everything. Not to take decisions, but to form consensus since it is not clear who should take the decisions.
    The more meetings you have, the less time you have to think about what happens in the meetings and the more help you need to go to more meetings. And so you enter into a running organization. Meetings happen all day and without time to reflect you start to make poor decisions and reduce time to communicate outside the meetings. So you hire more people to handle that, but soon they also get sucked into the meetings, and they need to hire more people.
    As these people start to get more and more stressed they feel the need to attend more and more meetings to keep up to date with everything that happens. As stress sets in, the need for control grows. We introduce KPIs that are designed, not to make teams work better together, but to make the team accountable if anything goes wrong. We implement restrictions and control points in our systems to "ensure" people work "correct". Morale drops and segregation begins to foster a "we vs them" attitude.
    Slowly the organization splits into silos, and we have more managers than people actually working. The managers spend all their time forming a biological proxy network with a single purpose to receive and send information in the endless meetings. People start to get sick from stress and start to leave the organization as the distance between the workers and leadership is made up of dozens of proxy positions all focused on control from a top-down perspective.
     
    Sound familiar?
    This is a very common thing as companies grow, and it is actually not that hard to turn around. It will require a lot of effort, and it will take time, but you will save a ton of money long term and most importantly you will stop hurting your staff.
     
    Step 1: Define roles.
    The first thing you should always do is define the roles in your organization. Make sure all roles are clearly defined, following a standard that is the same in all areas of the company. Don't make up roles like scrum manager or other combined roles. Stick to proper roles that are the same across the globe. You are not unique, so stop making up unicorns because you don't live in an imaginary fantasy world. Define responsibilities and mandates for all roles, so everyone knows what is expected of them.
    To avoid a situation where you pretty much play the whisper game and just forward information, you define the input and output for each role. Every role should have some value passed in the output that is higher than the value they receive in the input. If the role does not add value, then consider why that role exists in the first place. If it actually reduces the value, then remove that role.
    In this step you should also match the role definition with the skill and experience of the manager(s) that hold that role. You will often find that you have the wrong person in certain roles, and you should try to match the roles with the people to get the best result. Never put a manager in a position on the merit of being with the company a long time. That is not the right experience to promote.
     
    Step 2: Define decision processes
    Endless meetings often come from poorly defined decision processes. So set clear decision processes that either come as part of the portfolio process, or inside the teams if the team and product owner are given mandate. If everyone knows what needs to be decided and the process to get that decision, the number of meetings is reduced drastically.
    Defining the decision processes also prevents "ghost projects" that are driven in isolation without coordination elsewhere in the organization.
     
    Step 3: Define information flows
    One of the reasons why proxy organizations exist is because the information flow is poor. By that I do not mean that you don't have information flowing, I mean that it is difficult to get the information you need. This is just as common with an overwhelming information flow as with an underwhelming one.
    Make sure that information is properly classified, so it is easy to find the type of information each person needs or is interested in. Also make sure you make the information easy to overview, with short snippets that I can drill down into if I want. Lastly, make sure the information is sent at regular intervals when it is information that affects the whole organization, but also that I can subscribe to get information of my choosing.
    If you do this right, then confusion and uncertainty are reduced. This leads to less stress and better decisions from everyone as they are better informed.
     
    Step 4: Define Meeting guidelines
    In a proxy organization meetings are used as crutches by managers that are afraid to take decisions. Either because they don't understand what they are supposed to take a decision on, or because they feel unsure of their mandate, so they seek to get as much approval from others as possible.
    In Step 1 you make sure that you have the right people in the right position. This alone will help mitigate the endless meeting syndrome. Next you require every meeting to have a set agenda, what outcome should come from the meeting and most importantly a cost for the meeting. This will discourage meetings that are not really necessary, and discourage people who actually just want to have control from joining without having any impact on the desired outcome.
    The last thing to do in this step is to set a limit on meetings. If all you do is go to meetings, then what do you actually produce in value? Everyone needs time between meetings to reflect and take care of the actions undoubtedly coming up in the meetings. Enforce 30 minutes waiting between meetings and 2 periods each week with 2-4 hours of consecutive meeting free time. Sometimes it can be a good idea to have this hard blocked in the calendar for everyone in the company, especially during the change process.
     
    Step 5: Introduce bottom-up evaluations
    In most organizations, evaluations of people's performance are done top-down. To best understand the performance of the people in your organization you should also have the opposite represented. As a manager your job is to ensure that those below you in the hierarchy have what they need to be successful. In a proxy organization this is often forgotten, and a blame-and-punish attitude is used towards those below you in order to look good to those above you. This should be removed, and introducing bottom-up evaluations is a good way to do that.
    This should be done often as a way to determine where in the organization people are running off to meetings instead of taking care of their people. It will also indicate where you have the wrong people in place or where people have too much responsibility to manage.
     
    Don't think you can change your organization "organically"
    While these five steps seem easy to implement, they are not. This is not something you can throw into your organization as a "read this article and make it happen" kind of activity. This is something you need an organized change management process for, and it will cost money and time. As with all change, you must commit to it and pay the price short term to enjoy the benefits long term.
    It will hurt, and it will not be an easy journey to stop running an eternal, meeting-based proxy organization, but it will be worth it. If not for the financial gain, then for the well-being of the people.

    Affinity 1.9 is here - all apps get new features and improvements

    Serif, the company behind the popular apps Affinity Photo, Affinity Designer and Affinity Publisher, announced their big 1.9 version release yesterday. All apps, on all platforms, are getting new features and several improvements to start off the new year. The 1.9 version release is available for free.
     
     
    There are some great new features in this release, and it is clear that the Affinity series is aiming to position itself as a competent and financially attractive alternative to Adobe.
    Here are some highlights from the 1.9 release available now:
    Affinity Photo
    • liquify adjustments as live, maskable layers
    • substantial improvements to its RAW engine
    • new linked layer functionality, path text
    • a new mode to control the stacking of astrography images
    Affinity Designer
    • a new contour tool
    • ability to place linked images and resources
    • reducing file size
    • simplifying collaborative working
    Affinity Publisher
    • IDML import will be noticeably faster
    • the new Package feature
    • Placed PDFs can now be set to ‘passthrough’
    ...and much, much more!
     
     
    All Affinity apps are currently available with 50% discount as an initiative to support the creative community during COVID-19, from affinity.serif.com.

    Security flaw in Sudo - Heap-Based Buffer Overflow allows root access

    A new security flaw has been identified in the sudo software. Sudo, which is installed by default in many operating systems, is by default setuid root. This means that any shortcoming can lead to local users being able to obtain root permissions.
    Over the years, sudo has also grown larger and more features have been added. Among other things, this has led to OpenBSD now having an alternative called doas.
    Yesterday, the American security company Qualys reported that they had identified a vulnerability in sudo (CVE-2021-3156). The vulnerability allows a local user to exploit a heap-based buffer overflow and thus become root. The bug has been around since 2011 and is present in the standard configuration. This is important to point out, as many vulnerabilities discovered in sudo require special configurations.
    The vulnerability is found in the set_cmnd() function and can most easily be triggered by using sudoedit with the following command:
        sudoedit -s '\' `perl -e 'print "A" x 65536'`
    If you are vulnerable, you get a segfault. Note that you need a local account, but it does not need to be a member of sudoers or similar. Also, not all installations have sudoedit; macOS, for example, does not.
    Video from Qualys showing vulnerability:
     

    LogoKit Phishing Kit allows near instant websites using JavaScript

    A new report from the security company RiskIQ describes a new phishing kit that uses JavaScript to manipulate the DOM, which allows the script to dynamically alter the visible content and HTML form data within a page without user interaction. This phishing kit, called LogoKit, has seen a significant upswing in usage over the last month.
    Phishing has been on the rise lately, following the increased usage of data communication in the wake of COVID-19. This new phishing kit seems to have attracted attention lately due to its flexibility and how quickly it can be deployed compared to building websites manually, as is the common practice.
    This is both interesting and scary, as it allows bad actors to deploy pages very quickly and dynamically, and since the page looks quite real and has your email already filled in, chances are that a lot of people will fall for it. Fortunately, you can often see in the URL that something is not right. With LogoKit you can often see your email in the URL, which looks something like this:
        phishingpage[.]site/login.html#victim@company.com
    Sadly this is not a sure way to detect a phishing attack, as there are other ways to forward data, but if you see this then at least you know to look a bit more carefully at the page you entered.
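    The URL check described above, generalized into a filter a mail gateway or proxy could apply (an added example, not code from RiskIQ or from this article): it refangs each link and looks for the recipient's own address in the URL fragment or query string. The percent-encoded and base64 variants, the function names and the sample links are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def refang(url):
    """Undo '[.]' / 'hxxp' defanging so urlsplit() accepts the URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def decodings(text):
    """Yield text percent-decoded, then base64-decoded if it is valid base64."""
    text = unquote(text)
    yield text
    try:
        padded = text + "=" * (-len(text) % 4)
        yield base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:  # not base64, or not ASCII once decoded
        pass

def email_in_url(url):
    """Return (location, address) for an address in the fragment or query, else None."""
    parts = urlsplit(refang(url))
    fields = [("fragment", parts.fragment)]
    fields += [("query", value) for _, value in parse_qsl(parts.query)]
    for location, value in fields:
        for text in decodings(value):
            match = EMAIL_RE.search(text)
            if match:
                return location, match.group(0).lower()
    return None

def flag_links(recipient, urls):
    """Return (url, location) for links that carry the recipient's own address."""
    found = ((url, email_in_url(url)) for url in urls)
    return [(u, f[0]) for u, f in found if f and f[1] == recipient.lower()]

# Constructed sample links, as they might appear in one message to victim@company.com.
B64 = base64.urlsafe_b64encode(b"victim@company.com").decode()
SAMPLE_LINKS = [
    "phishingpage[.]site/login.html#victim@company.com",    # pattern from the article
    "hxxps://phishingpage[.]site/login.html#" + B64,         # assumed base64 variant
    "https://portal.example/sso?user=victim%40company.com",  # address in query string
    "https://intranet.example/docs/index.html#section-2",    # ordinary anchor
    "https://news.example/unsubscribe?e=other@company.com",  # someone else's address
]
if __name__ == "__main__":
    for url, where in flag_links("victim@company.com", SAMPLE_LINKS):
        print(f"{where:8} {url}")
```

    Addresses in query strings also appear in legitimate links such as unsubscribe pages, so a query hit is a weaker signal than a fragment hit.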
    LogoKit has seen a big increase in usage in the last month, with over 700 unique domains running it. Targeted services range from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365 and, interestingly enough, cryptocurrency exchanges. So be alert (as always) when accessing your external cloud services and portals.
     
    RiskIQ has concluded that this is a threat on the rise due to its simplicity and ease of use.
     