Once, I saw the employees get frustrated in a nominally high security environment with the contractors not being able to even directly access their dev env without scheduling a visit days in advance (the contractors were all hours away) while having the employees stare over their shoulder the entire time. They were trying to debug an issue that sometimes came up in dev/prod but not in the contractors' local copy of dev.
The employees set up TeamViewer on their "dev" server and promised the contractors in writing that this all had sufficient permission, this was a dev server, and the credentials on the dev server were not going to get them into anything else that might be troublesome by mistake.
The last of those three statements was accurate. As you might imagine, TeamViewer on a nominally tightly controlled network was not even in the same hemisphere as acceptable...
...and while debugging, the contractors made an incompatible DB schema change on dev to see if it fixed something, only to get a nasty surprise when the employees ran to them within an hour or so asking what they had done, because by "dev" they meant "prod".
I don't really have a great moral for this story, other than maybe "netsec/infosec teams need to actually work with other teams and not just be opaque sources of fiats, or people are going to work around them to get things done instead of trying to work with them, and that's going to end poorly for everyone."
I did a stint contracting for Goldman Sachs a while back. I can relate. Don't think I can say anything more without a team descending on my house from a black helicopter, though.
I once worked at a tiny startup where we were trying to sell a dataset to GS. Before we could even send a sample, they sent over some boilerplate forms for us to sign. I remember two distinct stipulations - anything we sent them was immediately and forever their property, AND they had the right to drug test any of our employees. We ended up not signing so there was no deal. My boss said it was their way of getting rid of us.
That's the scary, and perhaps most immoral, part about Google. More so than other megacorps, it relies on a shadow workforce of contractors to do core parts of its work. It's quite the caste system, and most Google FTEs are oblivious or choose to ignore it.
I know a Google contractor who was denied access to a lactation room at her office (she's the type of contractor who works full-time alongside regular employees). When she tried to fix that, she got sent into an infinite loop of support tickets being bounced around between different departments claiming it was the other one's responsibility. Literally no one was able to fix that for her. Her manager was on a different continent, and wasn't able to help either.
