The big mistake here was editing an engineering statement to say something false.
If you're an honest person, assume that your job under that director (and probably at the company entirely) was over as soon as they asked you to make a fraudulent engineering statement. Even if they backpedaled when you resisted, you're not a team player with them, and you're a threat to someone very dishonest.
At that point, options:
* just leave;
* consult a labor attorney (you can get a free initial consultation); or
* go above the director's head, probably (in a small company) to the owner/CEO, whatever attorney is on staff or they retain, or HR (though, you're still probably over at the company, even though they'll diplomatically pretend that you're not, because you are in 100% corporate butt-covering territory now, in a place that puts someone very dishonest as a director).
> though, you're still probably over at the company, even though they'll diplomatically pretend that you're not
If you're professional about it (be factual, straightforward, and don't do a burn-the-world email blast), I wouldn't assume this to be true. Sometimes companies simply make bad high-level hires and are happy about exposing and terminating them.
Or sometimes not. But the vast majority of CEOs want to know when their direct reports are lying to them and would be happy about this outreach.
One thing that I would just highlight with your options: be extra sure to save receipts for everything - that means screenshots, even with an external camera if you're worried about corporate spyware.
If you have everything well-documented, the likeliest outcomes look pretty good for you:
1. If you bring up the issue to HR or to a higher-level exec and they are competent, they will immediately either address the problem with the director or fire them for cause.
2. If you bring up the issue and they are shitty and try to fire you, it's honestly like free money for you if you have good evidence. If they're not complete idiots they'll settle in a heartbeat because their number one priority will be damage control.
Do not lie to the government, even if you are following orders. In the US, federal and state law differ, but most have some variant of the federal false claims statute: https://www.law.cornell.edu/uscode/text/18/287
> Whoever makes or presents to any person or officer in the civil, military, or naval service of the United States, or to any department or agency thereof, any claim upon or against the United States, or any department or agency thereof, knowing such claim to be false, fictitious, or fraudulent, shall be imprisoned not more than five years and shall be subject to a fine in the amount provided in this title.
This has been interpreted very broadly to encompass pretty much anything you submit to the government in support of the government paying you or your company money.
Probably nobody will notice, and you probably won’t get prosecuted. But this stuff comes to light all the time if something goes sideways, or if the government is investigating something else.
If the boss said "put that we pen tested", couldn't OP argue that he was answering to the best of his knowledge given the information the director gave him, as long as he had the email receipts? Or would there be an argument that he should have known differently and shouldn't have relied on the other director's assertion that it had been pen tested?
> "we did pen testing when we launched, but haven't done it since".
Well… was it before you joined the company?
You tell them in that case that was before your time and you quote your boss.
I’m not sure why you replied no to begin with, if you didn’t know. You should have asked your boss about it first and take his word.
During the zoom call, you can simply reply that your boss told you so and ask him to produce the old report if it’s still in his possession.
Anyways I think these tests (ISO 27001) should be held regularly to mean anything.
Being compliant in 2021 doesn’t hold the same “level of guarantee” in 2023.
And that last part is up to your client’s policy.
Do they need a recent third party audit or whatever… you should ask them questions and check with your boss if it’s worth the spending.
If I was going to get fired it’d be for telling the truth. Saying no is allowed. If they fire you for telling the truth and there is evidence to support your position then sue the fuck out of them for unfair dismissal.
Since your comment references suing, I’m going to assume you’re in the US, where almost all employment is “at will”. They can dismiss you for any reason as long as it’s not a protected one. Telling the truth and being a jerk is not a protected status, so you won’t be getting anywhere with that lawsuit.
This is IMHO why programming/IT should be treated as "real Engineering" in some cases, or at least have one of the devs (head of the project?) have a proper degree.
I studied a different Engineering, and in multiple courses the emphasis was on the actual approval/signing. The only practical difference between a technician and the Engineer in many cases was that the Engineer could actually sign off the project (or not). And thus it was made very clear that signing a document like in this Workplace question would be a big deal, since the responsibility was theirs to make sure things were compliant.
My first real software engineering job came more from that tradition, where our division started as a startup of EEs and CEs, serving mil/aerospace/datacomm. So I started as a Software Technician I (and there was also a Technician II, before Engineer I). There were signoff matrices, etc.
People were scrappy, making ambitious new things happen, but honest.
Sheltered by lucky upbringing and early career experiences, I was shocked the first time I encountered someone in industry doing something dishonest.
In the current "tech" industry, I'm no longer shocked, just frequently disappointed in what I see throughout much of the industry.
I recently realized that some pretty ordinary tech ethics today is what, decades ago, was the stereotype of an "MBA". It was also a stereotype that "engineers" didn't trust "business people". Today, it seems there's less cultural distinction between the groups, at least in the stereotypes.
I was in a similar position once, but it was an audit questionnaire about our usage of software - we only had one production instance licensed, not the backup instance or development instances. My director wanted me to state that we only used the one instance, I refused and said I'd leave the pertinent sections blank (for the director to fill in), but I wasn't going to lie about our usage.
That's when I started looking seriously for a new job, and I had left the company within a month. A few months later they went out of business after they had to pay hundreds of thousands of dollars in back licensing fees, since the vendor had evidence that their software product had been used beyond the single production instance.
I think if they'd been upfront about the usage, the company would have negotiated a fair license fee going forward without pushing for past usage to be paid too.
I would go with "I was not present for any penetration testing at launch, and I'm unable to find any reports related to it. However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
> However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
Just leave that out. No point in saying it other than to make more trouble and work for yourself.
I wouldn't put it exactly like that, but I would talk to the director and put something similar.
Most compliance frameworks like SOC 2 have a requirement for an annual pen test, so if the pen test was over a year old it wouldn't matter anyway. Best approach would just be to talk to the director and say something along the lines of "Our next pentest is scheduled for date XYZ and we can send you those results upon completion".
People who tend to freak out in situations like these where "let's lie" is their go-to, when an honest approach is possible that will likely get the job done, scare me.
The OP isn't an engineer, but this really highlights the difference between real engineers and software developers who like to pretend they're engineering.
If the OP was an engineer, the answer would be to lose their license and never work again in the field.
Yes. This. In my past in situations like this I have given the sales team the line “I can answer truthfully or you can write your own answer to the customer.”
Sounds like a "winning move" did not exist from the start for this poor fellow. Either your director fires you for speaking the truth or you possibly become an accomplice in fraud. All you can do is cut your losses. If they go into that zoom meeting I hope they won't toe the company line. Getting fired, or losing the customer, seems like the least worst option.
It's actually not clear to me if the director is also their boss. It's written as if they are but not spelled out anywhere I can see.
And this is why the tech industry management is so hated. The OP gave an ethical example but it happened to me in a different way.
I was being pushed to release a small feature during the holiday season. While we were on track to release it, the CTO announced that we should not release anything during the holidays so that customers can take a breather and that our company is not responsible for their failures. So, we waited to roll it out until after the holiday since the CTO himself asked us to exercise caution.
Come review time, my manager berates me for not releasing fast and for "constantly missing deadlines". I asked why the CTO is asking us to exercise caution and why he is asking us to push. I asked what would happen if there were to be an outage during the holidays.
This infuriated the manager and he had it in for me for a long time. And he was only furious because I caught his BS. The only reason he wanted me to go faster was to make himself look good. But if something were to fail and if the CTO checked, I was to be the fall guy.
Aside from the "all managers are not like this" trope, can anyone tell me why engineers should trust such managers when they play such games with us?
Ignoring the legal implications: if you have a choice, do you really want to spend your life lying for other people so they can pretend to be successful? You could actually do something with yourself instead.
If a secretary had combined the answers from different people into a single document and gave it to the boss, would they also be guilty of fraud if they didn't believe all the answers?
OP didn't write the incorrect answer, OP didn't attach their name to it (as far as I know), and OP didn't send it to the client.
ehhhh. Lots of hyper-conservative responses there (which is understandable, it's asking for legal advice). But assuming this is part of an RFP response, "embellishment" of answers is par for the course, and I understand the frustration of the director.
First, there's always a good chance nobody on the client side actually cares about this. RFPs tend to come with hundreds of questions, most of which are put in as requirements by completely detached departments to make them feel important, but don't actually matter. If something is important, it can be negotiated. For example, if the pen test is important, you can get the client to agree to sign the contract with a clause that says if they don't get pen tests results by X date the contract is void.
Second, well, what is a pen test, really? If you ever called one of your APIs to validate that your authorization or authentication code works, or you've validated that your AWS security groups are blocking external traffic to your database, congrats, you've performed a "pen test"! The client won't consider that sufficient, of course, but it's a justification for an answer on an RFP, at least. If they want more details, as they do in this case, they can always schedule a follow-up call or ask to see the pen test results document.
This situation reads like an engineer who needs a bit of business/sales experience more than anything. In their discussion with the client, you can start with "we've currently only done in-house penetration testing, but are looking to contract an external vendor to do penetration testing by X date." Assuming you've done any testing, this is a true statement, and the client can determine if that's sufficient.
The real solution to this is to get SOC2/ISO27001 certification, though, which makes a lot of these RFP headaches go away.
Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important parts of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads to me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
> This situation reads like an engineer who needs a bit of business/sales experience more than anything.
Your post reads like a salesperson hand-waving away actual situations of consequences in favour of a quick buck. There is literally no embellishment in this scenario, it's outright lying. He didn't say "well we tested security in some things but it wasn't up to a great standard", he said "we didn't do any pen testing" and when asked he said the opposite.
lol there's no ambiguity here. I love it when otherwise "street-wise" salespeople get challenged with very obvious scenarios they all of a sudden become postmodern philosophers.
"I mean, what does it even mean to COMMIT fraud? I mean, did I really "commit" to it if I did it once but gave it up after? Hmmm? Ever ask yourself these deep kinds of questions?"
Give me a break. Some sales people are so deep into a near-sociopathic lifestyle of "sales" that they are just pathological liars in the most literal sense. They don't even see themselves weaving deception.
I don't actually like this answer but there's likely some truth to it.
I am reminded that when I bought a house in my twenties, at the scheduled closing there was some detail that was incorrect. There was a line in the document where we had to say something like "Yes, x paper is in hand." In reality, I think we were still waiting for it.
And when I was like "But this isn't true. Shouldn't we wait until we have this?" the banker said "That's your call."
So it was lie about it because the paperwork wasn't going to go through if it said anything other than "Why, yes, we absolutely have that!" or delay closing on the house, which could mean losing it. So I signed.
And it never came up again. No one ever called and said "But what about blah?"
If you are knowledgeable about the bureaucratic process, you may know which check boxes must be checked off, true or not, to file it and in most cases don't actually matter. If you aren't knowledgeable, you are seriously gambling.
So in reality, this kind of thing does go on, like it or not. And if you are too pedantic, you can't get things done. Things will grind to a halt while you dot every I and cross every T.
If a client tells you what they need, you don't get to decide what the client needs.
The sort of "business/sales" you're referring to may work well for someone not interested in building long-term relationships for repeat customers, but you're describing the exact type of fratboy used car salesman that I avoid doing business with whenever possible.
If the engineer has a problem now, they'll have a complete mental breakdown during a standard SOC/ISO certification.
However, the director also does not seem politic enough to maintain plausible deniability, if they're saying "what the fuck, just sign your name uncritically on this statement" vs guiding them towards a long, detailed, qualified, technically-truthful answer. ("We did these things on these dates" and leave it up to the client to evaluate whether it's sufficient/is really pen testing.) Which the client would require anyway if the process moves forward. The entire situation just seems like a shitshow.
I get what you're saying, but boy do I not want to live in a society created by this worldview. In my opinion, this approach is antisocial. It forces everyone to write massive contracts and build bureaucratic mega processes to validate and specify every single definition in that contract because you can't ever trust your counterparty to abide by the spirit of your request.
Absolutely nothing you said in this post is true or valuable, other than your final sentence. You appear to be far too comfortable with lying to clients.
If all they said was effectively “we did some pen testing at launch” without any claim of meeting any standard or going into much detail then even the most rudimentary test/validation of the correctness of any vaguely security related code could be charitably considered to be a pen test.
In some situations, maybe. In this case, given the director swore at OP, I strongly suspect foul play.
Were we talking some light fudging, the director would have spent time explaining what the customer is asking for and worked with them to determine whether what they do supports a statement of “we do security testing.”
And if they can’t support the claim? Well, the director’s response will tell you if they’re an honest broker or not.
Honestly none of that is a pen test under almost anybody's understanding of the word.
If the request wasn't specific, you may be able to get away with arguing that way in a court, who knows.
When you tell the director it is not true, author a document that says otherwise, and then document the whole thing on the internet, by that point it is a lie, not embellishment, and I'd be worried about fraud myself.
The entity conducting the pen test -- i.e. a third party with no interest in shipping the product -- is what makes it a pen test. Otherwise it's just QA.
The boss doesn't have technical expertise and will not defer to the judgment of the person who does, lacks ethics and is not going to stop their crap. It will only stop if someone else stops them, probably via tossing them in jail at some point.
Counterpoint: OP is overthinking pen test = certification. He definitely needs to talk to his boss about it, but it could be a simple matter of discussion about what pen tests were performed. If a more recent and/or external one is required, simply tell them that you will work towards that. OP's goal should be to get clarity on what the client expects as a pen test.
It's worth mentioning that there is a legal definition of fraud[1]. Fraud must be proved by showing that the defendant's actions involved (5) separate elements:
1. A false statement of a material fact is made
2. Knowledge on the part of the defendant that the statement is untrue
3. Intent on the part of the defendant to deceive the alleged victim
4. Justifiable reliance by the alleged victim on the statement
5. Injury to the alleged victim as a result
So if the local government is hacked because they thought the software provided was pen tested and it actually wasn't, congratulations, you've hit fraud bingo.
> At that point, I was confident in my personal ethical position.
Eh, what? OP knew what sales was going to do with that email. Having sales wordsmith an answer is fine, but if you think it's factually inaccurate, don't send it back to them filled out in the form.
If your employer asks you to do something and there is no moral imperative to do what is being asked, even if you do not think it is wise to do it, just do it.
If your employer asks you to do something that has some moral imperative, you need to ask yourself if doing this makes your moral standards, are you willing to compromise your moral standards or will you stand upright and be the man and face the consequences from your employer.
Either way, you will face consequences and if you fail your own moral standards you have to live with that.
Kinda wonky responses. If your boss asks you to provide them with a document that says ‘this’ and you send that back to them, how does that constitute fraud? The fraud is the one that then forwards that factually incorrect information to the client.
People go on about having a document that you signed and attested as correct, but as far as I can see nothing like that was indicated by OP.
You become party to the fraud when you take that call and make false claims. So don’t do that.
satisfice | 2 years ago
Don’t write things that are not true.
baz00 | 2 years ago
My current company won’t let me near customers.
paxys | 2 years ago
> To be clear I'm not looking for legal advice, just opinions from people who may have been in a similar situation
I'm going to go ahead and say they are going to dig themselves deeper in the hole.
wirrbel | 2 years ago
And the lesson learned is to let people write their lies into documents and not do it for them.
[+] [-] closewith|2 years ago|reply
If the OP was an engineer, the answer would be lose their license and never work again in the field.
[+] [-] bradfa|2 years ago|reply
[+] [-] adeon|2 years ago|reply
It's actually not clear to me if the director is also their boss. It's written as if they are but not spelled out anywhere I can see.
[+] [-] eschneider|2 years ago|reply
[+] [-] nine_zeros|2 years ago|reply
I was being pushed to release a small feature during the holiday season. While we were on track to release it, the CTO announced that we should not release anything during the holidays so that customers can take a breather and that our company is not responsible for their failures. So, we waited to roll it out until after the holiday since the CTO himself asked us to exercise caution.
Come review time, my manager berates me for not releasing fast and for "constantly missing deadlines". I asked why the CTO is asking us to exercise caution and why he is asking us to push. I asked what would happen if there were to be an outage during the holidays.
This infuriated the manager and he had it for me for a long time. And he was only furious because I caught his BS. The only reason he wanted me to go faster was to make himself look good. But if something were to fail and if the CTO checked, I was to be the fall guy.
Aside from the "all managers are not like this" trope, can anyone tell me why engineers should trust such managers when they play such games with us?
[+] [-] montroser|2 years ago|reply
[+] [-] convolvatron|2 years ago|reply
[+] [-] Dylan16807|2 years ago|reply
OP didn't write the incorrect answer, OP didn't attach their name to it (as far as I know), and OP didn't send it to the client.
[+] [-] mjr00|2 years ago|reply
First, there's always a good chance nobody on the client side actually cares about this. RFPs tend to come with hundreds of questions, most of which are put in as requirements by completely detached departments to make them feel important, but don't actually matter. If something is important, it can be negotiated. For example, if the pen test is important, you can get the client to agree to sign the contract with a clause that says if they don't get pen tests results by X date the contract is void.
Second, well, what is a pen test, really? If you ever called one of your APIs to validate that your authorization or authentication code works, or you've validated that your AWS security groups are blocking external traffic to your database, congrats, you've performed a "pen test"! The client won't consider that sufficient, of course, but it's a justification for an answer on an RFP, at least. If they want more details, as they do in this case, they can always schedule a follow-up call or ask to see the pen test results document.
This situation reads like an engineer who needs a bit of business/sales experience more than anything. In their discussion with the client, you can start with "we've currently only done in-house penetration testing, but are looking to contract an external vendor to do penetration testing by X date." Assuming you've done any testing, this is a true statement, and the client can determine if that's sufficient.
The real solution to this is to get SOC2/ISO27001 certification, though, which makes a lot of these RFP headaches go away.
maxbond | 2 years ago
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important parts of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads to me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
gremlinunderway | 2 years ago
Your post reads like a salesperson hand-waving away actual situations of consequences in favour of a quick buck. There is literally no embellishment in this scenario, it's outright lying. He didn't say "well we tested security in some things but it wasn't up to a great standard", he said "we didn't do any pen testing" and when asked he said the opposite.
lol there's no ambiguity here. I love it when otherwise "street-wise" salespeople get challenged with very obvious scenarios they all of a sudden become postmodern philosophers.
"I mean, what does it even mean to COMMIT fraud? I mean, did I really "commit" to it if I did it once but gave it up after? Hmmm? Ever ask yourself these deep kinds of questions?"
Give me a break. Some sales people are so deep into a near-sociopathic lifestyle of "sales" that they are just pathological liars in the most literal sense. They don't even see themselves weaving deception.
DoreenMichele | 2 years ago
I am reminded that when I bought a house in my twenties, at the scheduled closing there was some detail that was incorrect. There was a line in the document where we had to say something like "Yes, x paper is in hand." In reality, I think we were still waiting for it.
And when I was like "But this isn't true. Shouldn't we wait until we have this?" the banker said "That's your call."
So it was lie about it because the paperwork wasn't going to go through if it said anything other than "Why, yes, we absolutely have that!" or delay closing on the house, which could mean losing it. So I signed.
And it never came up again. No one ever called and said "But what about blah?"
If you are knowledgeable about the bureaucratic process, you may know which check boxes must be checked off, true or not, to file it and in most cases don't actually matter. If you aren't knowledgeable, you are seriously gambling.
So in reality, this kind of thing does go on, like it or not. And if you are too pedantic, you can't get things done. Things will grind to a halt while you dot every I and cross every T.
34679 | 2 years ago
If a client tells you what they need, you don't get to decide what the client needs.
The sort of "business/sales" you're referring to may work well for someone not interested in building long-term relationships for repeat customers, but you're describing the exact type of fratboy used car salesman that I avoid doing business with whenever possible.
xkcd-sucks | 2 years ago
However, the director also does not seem politic enough to maintain plausible deniability, if they're saying "what the fuck, just sign your name uncritically on this statement" vs guiding them towards a long, detailed, qualified, technically-truthful answer ("We did these things on these dates" and leave it up to the client to evaluate whether it's sufficient/is really pen testing), which the client would require anyway if the process moves forward. The entire situation just seems like a shitshow.
delusional | 2 years ago
mvdtnz | 2 years ago
l33t7332273 | 2 years ago
scott_w | 2 years ago
Were we talking some light fudging, the director would have spent time explaining what the customer is asking for and worked with them to determine whether what they do supports a statement of “we do security testing.”
And if they can’t support the claim? Well, the director’s response will tell you if they’re an honest broker or not.
jabradoodle | 2 years ago
If the request wasn't specific, you may be able to get away with arguing that way in a court, who knows.
When you tell the director it is not true, author a document that says otherwise, and then document the whole thing on the internet, by that point it is a lie, not embellishment, and I'd be worried about fraud myself.
miracle2k | 2 years ago
EPWN3D | 2 years ago
DoreenMichele | 2 years ago
The larger problem:
The boss doesn't have technical expertise and will not defer to the judgment of the person who does, lacks ethics and is not going to stop their crap. It will only stop if someone else stops them, probably via tossing them in jail at some point.
ragestorm | 2 years ago
codelikeawolf | 2 years ago
1. A false statement of a material fact is made
2. Knowledge on the part of the defendant that the statement is untrue
3. Intent on the part of the defendant to deceive the alleged victim
4. Justifiable reliance by the alleged victim on the statement
5. Injury to the alleged victim as a result
So if the local government is hacked because they thought the software provided was pen tested and it actually wasn't, congratulations, you've hit fraud bingo.
Important disclaimer: IANAL
[1]: https://legal-dictionary.thefreedictionary.com/Fraud
Edit: Formatting and disclaimer
dehrmann | 2 years ago
Eh, what? OP knew what sales was going to do with that email. Having sales wordsmith an answer is fine, but if you think it's factually inaccurate, don't send it back to them filled out in the form.
oldandtired | 2 years ago
If your employer asks you to do something and there is no moral imperative to do what is being asked, even if you do not think it is wise to do it, just do it.
If your employer asks you to do something that has some moral imperative, you need to ask yourself if doing this meets your moral standards: are you willing to compromise your moral standards, or will you stand upright and be the man and face the consequences from your employer?
Either way, you will face consequences and if you fail your own moral standards you have to live with that.
bhouston | 2 years ago
Aeolun | 2 years ago
People go on about having a document that you signed and attested as correct, but as far as I can see nothing like that was indicated by OP.
You become party to the fraud when you take that call and make false claims. So don’t do that.
runlevel1 | 2 years ago
I think the legal term is "constructive knowledge." (IANAL)
jabradoodle | 2 years ago