As a junior network administrator at a small local ISP, Kiefer R.'s job is pretty mundane. Aside from the occasional bandwidth problem investigating, cable laying, and spline reticulating, there's not too much excitement.
One morning, Kiefer's boss said he was going to come down for a chat, so Kiefer loaded up a bandwidth monitoring utility and pretended to be busy. "Kiefer," Mike began, "I just wanted to give you a heads up. We're having a guy come down next week to run some security checks on our systems here. Particularly our main web server."
"So, you need me to show him the ropes, or..."
"Oh, ha!" Mike started laughing. "No, not at all. This guy is like some kind of Super Hacker!" he exclaimed while waving his hands dramatically. "More like he'll be showing you the ropes! Ha!" Kiefer rolled his eyes.
The Super Hacker arrived the following week. He was there only for two days while he worked on his mission — shutting down the main web server from outside the network. He'd be in the office from 9-5, where he could talk to the staff and review some of the code to find sections he might be able to exploit, but he'd only get paid if the server was shut down while he was not in the office. He didn't receive any usernames or passwords as the testing was meant to simulate an attack on the web site from an average hacker. Should he accomplish his goal, he'd earn $3,500.00. Working in the Super Hacker's favor was that the aging site was last updated in the late 90s, and almost certainly had pages that would be exploitable.
When Kiefer came in the following morning, his boss stopped him on his way in.
"Well, our Super Hacker has done it! Turns out it must've been a pretty easy exploit," Mike said, "it hardly took him any time at all. Plus he's already patched it!"
Kiefer couldn't deny that he was impressed. "So how'd he do it?"
"I'm not sure — I haven't gotten his report yet. I should have it by the end of the day."
Kiefer's curiosity was palpable. He asked around for details on the exploit, but no one was talking. Clearly, some people knew what had happened and just weren't willing to tell. Finally, someone told Kiefer that the fix was in the form of a Python script, and that if he read the script, he'd see the exploit.
How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker's fix:
#!/usr/bin/env python
# Paying someone $10 to pull a power cord for $3500
print("(C) <Name Removed> 2008.")
Of course, the fix alone wouldn't prevent future attacks using that vector, but management's scolding of the night staff would.
When Mike asked around the office for the person(s) responsible for removing the power source from our server box to come forward, no one owned up. Though it's believed among my peers that some of the cleaning staff know who was responsible, social engineering worked in his favor by approaching a lower level staff member (cleaner most likely) and making out to be an authority figure claiming that he was running diagnostic tests and he needed someone to shut down the server box by removing the power source in, say, five minutes, and he would give them $10 for their effort (seeing as how it's outside their work requirements as a cleaner).
Though the term 'super-hacker' has become somewhat of a nickname for someone slacking off at work :p. Captcha: sino
For those of you claiming the story to be a work of fiction, I can assure you the story is genuine.
The shebang line should have been '#!/usr/bin/env python' but I was in a rush when submitting the story and could not locate the actual .py file, and in my haste didn't bother to actually think anyone would care about the shebang line. The script did have more to it (details of the operations it was claiming to undertake etc.) but I cut them out to save space and to make it easier to understand for any non-programmer TDWTF readers (as if you don't understand the code, you won't get the joke). Management (remember, we're quite a small ISP operation, no more than 30-40 workers) did not bother to write up a contract for the security audit, nor bother to check his credentials (remember, small business). And believe it or not, management rarely read bugfixes, patches, etc. for their content; they just want to know everything works. Captcha: transverbero ..C'mon! That's not even a word! :P