The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)


Page Content

Malicious Compliance: A story

I recently saw an account of malicious compliance recounted in r/eddit and quoted in a Mastodon thread
Not allowed to work from home so I don't
My job recently told me that even during the snowstorm we got earlier this week, I am not allowed to work from home at all. Even though I work in IT and do everything remotely, they want me in the office.
So I deleted Teams and my email off my phone. I am no longer available after hours.
My boss tried to call me for something urgent last night and couldn't reach me. He asked why today and I explained to him what I was told.
I am not allowed to work from home.

It prompted me to think of several instances where I have engaged in behavior that might be described as malicious compliance; I prefer to think of them as instances of "security compliance education." Here's one such instance that my students see enjoy hearing about.

In 2000, we got some funding from a US federal agency (which will be unnamed) to explore for potential vulnerabilities in a commercial printer/copier combination. My technical point of contact (POC) told me that we didn't need to file any reports until we had some results. Apparently, he didn't convey this to the agency business person because the contract specified a long, convoluted monthly report. I was forcibly reminded of this requirement a week after the contract was finalized, even though it was in the midst of the winter break, and absolutely nothing had happened -- or would happen, for at least another month.

I grumbled a bit but compiled the report with basically "nothing to report" and "nothing spent" in the various sections and uploaded it via FTP to their designated site as a PDF.

Now, it is important to this story that my standard computers for use at the time were Sun workstations and Macintosh systems. Most of the research we did was on these systems, and our papers and reports were produced using LaTeX. We avoided Windows because it was usually so buggy (blue screens) and so prone to security problems. We also avoided Word because (a) it was (and is) annoying, and (b) it was a common vector for computer viruses. Thus, my monthly report was produced using LaTeX.

Two weeks into the semester, I got an email from some clerk at the sponsoring agency noting that the monthly report must be submitted as a Word document; the contract specified Word and only Word, and I must submit the report as a Word document, with no deviation allowed. I placed a call to my POC, and he indicated, apologetically, that he could not alter the terms as they were standard for the agency involved: everyone had to abide by them.


So, after a little thought,1 I produced the next monthly report in LaTeX as before. I produced a PDF of the report and printed it. Then, I scanned each sheet individually into a graphic file (.pic, as I recall). I then rebooted one of our Windows machines2 into MS-DOS and loaded up the oldest version of MS Word I could locate. After consulting the manual, I created a document where each page contained an image -- the corresponding image for that page of the report I had prepared. I saved it out to disk (it was huge), and uploaded it to the sponsor FTP site. Yes, it was basically a huge file of graphic images, but it was technically a Word file.

The next day I got an automated response noting the submission. Three days later, I got an email asking if the report was what I actually intended to upload. I responded that yes, it was. I indicated it had all the required information and was most definitely a Word document. I also alerted my POC about the upload (he was amused).

Another few days later and I got email from the original person who had complained about the PDF now complaining they were having difficulty with the file. I responded that the contract required Word, and that is what I used -- I wasn't responsible for their IT issues.

In month 3, I went through the same procedure but didn't have the email exchanges. Purdue then got an email from the agency business office stating that they were altering their standard business practices to allow all contractor reports to be submitted in Word -or- PDF. Would we mind submitting PDF henceforth? I briefly weighed the idea of continuing my production of Word versions of the report but decided that changing the business practices of a whole federal agency was enough.

1. Someone once asked me why I didn't send them a Word document with some mischevious macros. I replied "USC 18 § 1030" (that's the Computer Fraud and Abuse Act).

2. Microsoft was a CERIAS partner at the time. When their rep visited, he saw that the lab was equipped with only Sun machines and Macintoshes. A few weeks later, we had several nice servers with Windows preinstalled delivered to the CERIAS lab. All our existing systems were named after mythical and fictional places (e.g., Amber, Oz, Dorsai, Uqbar), and we wanted to continue that scheme. We collectively decided to name the new machines Hel, Tartarus, and Niflheim. When he next visited and saw the machines, with nametags attached, he smiled a little. Two weeks later, we got another three, and they got related names; I can't recall exactly, but I think they were Underworld, Mictlan, and Jahannam). At his next visit, he remarked he could send us a lot more machines. I said we'd find a home for them, and welcome the chance to engage more of our philosophy, history, and literature faculty in the process.

All that said, we actually had a great working relationship with MS, and they hired a lot of our graduates. The machines did get a lot of use in experiments and classes.

Three podcasts with Spaf


If you haven't reached your quota yet for hearing from Santa Spaf, here are three recent podcasts where I was interviewed on a variety of topics. One common theme: The role of people in cybersecurity. A second theme: Some future trends.

Spaf Interviewed About His New Book


In the 100th episode of CISO Stories: Discussion with Gene Spafford on some of the common cybersecurity myths and how to better cope with the changing environment. Join here.

For those of you interested in more info on the book discussed in the podcast, see this InformIT site. If you preorder now, you can get a 35% discount with code CYBERMM.

A longer info sheet is available here.

2022 ISSA Honorees


Cybersecurity and privacy have several notable professional associations associated with them. Some, such as ACM, the IEEE Computer Society, and IFIP are more generally about computing. One of the societies specifically directed to cybersecurity is the ISSA -- the Information Systems Security Association International. ISSA promotes the development and standards of the profession, globally.

Each year, ISSA recognizes individuals who have made significant contributions to the association and to the field overall. In prior years, both Professor Elisa Bertino and Professor Eugene Spafford have been recognized by ISSA: both have been inducted into the ISSA Hall of Fame, and Spaf has been named as a Distinguished Fellow of the organization.

ISSA has announced its 2022 honorees. Our congratulations to all these people for their accomplishments and this recognition!

Of particular note, three of the honorees have spoken in CERIAS seminars and events:

We also note the ISSA Education Foundation, which supports scholarships for students in the field. Two of those scholarships are in memory of individuals who were long-time friends of CERIAS, Howard Schmidt and Gene Schultz. The recent give-away of Spaf's coffee mugs raised over $1000 for those scholarships. We encourage others to consider contributing to the foundation to support worthy students. Also, the ISSAEF is an Amazon Smile participant, so that is a painless way for you to make ongoing donations (see the ISSAEF page for a link).

Get some CERIAS and Spaf Swag!


[This opportunity is now closed. You can still donate to the listed charities, though!]

Want to get some authentic CERIAS and Spaf swag? Read on!

CERIAS offices are moving in a matter of weeks. We don't want to have to box up everything, especially items we aren't likely to use any time soon (if ever) at the new location. Plus, some of these things are items we've heard people might like to have for themselves.

So.... We're going to give some of it away!

What's the catch? Well, we want to encourage people to do something good for others. And, as an institute (CERIAS) at a university (Purdue) and a life-long educator (Spaf), we thought that helping deserving students get cybersecurity education would be the way to do that.


To get some of the swag, as listed below, you need to make a donation to one of these charitable scholarships no later than August 5th, and provide proof of the donation and amount. We'll then package up your gifts and send them (we'll cover shipping inside the United States; if you are outside the U.S. we'll need to negotiate the shipping and any customs).

What charities? Only some of the best for cybersecurity students, and all established in memory of some pioneers in the field:

Rebecca Gurley Bace Scholarship ACSA/SWSIS
You may donate by sending a check to:
Applied Computer Security Associates, Inc.
c/o David Balenson
P.O. Box 1607
Olney, MD 20830-1607
Philippe Courtot/Gene Schultz/Howard Schmidt/Shon Harris Scholarships
These are all administered by the ISSA Educational Foundation.
You can donate online or by check; instructions are posted here.

We'll note here that these are also worthwhile for regular donations. As non-profits, there may be tax advantages to your donations. And be sure to check if your employer has a matching donation program!


We have established the donation. What's the swag? While supplies last:

  • From about 1995-2015, Spaf would collect coffee mugs from places he was invited to speak. This includes mugs from Facebook and Google to the NRO and NSA. The collection includes some from locations outside the U.S.A. as well. Currently, there are over 80 of these in the collection plus about 20 CERIAS coffee mugs, including some of the rare 10th anniversary mugs (from 2008).
  • CERIAS branded items that we obtained to give as speaker gifts. We have only a few of each item left, including luggage tags, T-shirts, portfolios, umbrellas, jackets, and some electronic doo-dads.
  • CERIAS/Spaf challenge coins!
  • Some first-printing, never opened, copies of Web Security, Privacy and Commerce, 2nd Edition. If you get a copy, Spaf will autograph it for you!
image image image image image image

How to Get Some

First, make a qualifying donation to one of the charities. Send proof of the donation, your address, and your shirt/hoodie/jacket size to: <>. You'll get the listed items while supplies last. If we run out of an item we will substitute an item of equal or better value.

Minimum donation Items shipped
$150 2 of Spaf's coffee mugs plus a CERIAS challenge coin
$200 An additional item of CERIAS-branded merchandise plus 1 CERIAS mug
$300 A copy of the book in addition to the above, plus an additional CERIAS item.
$500All of the above, plus 2 additional coffee mugs, plus a CERIAS logo fabric briefcase or portfolio.
In the above, items in each line include all the items in the previous rows. So, If you make a donation of $300 you will also get the items listed for $150 and $200.

Remember, these are really all extra gifts. The real value is you making a donation to a worthwhile charity to help some deserving people study cybersecurity!

Surprise Bonus!

While cleaning out the storage closet we found a dozen remaining Spaf bobbleheads. This is the last of this collector's item! image To get one, send us a check for a minimum of $100 made out to "Purdue University" with "Donation to CERIAS" on the memo line. (And, to be clear, Purdue University is also a non-profit entity.) Send the check with your return address to:

Bobblehead c/o Shawn Huddy
CERIAS -- Purdue University
656 Oval Drive
West Lafayette, IN 47907-2086