Comment On C'mon, There's Nothing Wrong With That!

Double WTF if those are literally the strings from the original code. "backdoor" and "secret". Yikes!

Alex,

Care to provide a link to this guy's "last place"?  I'd like to...um...take a look at their website....

-ds

Highly... talented... perhaps at macrame?







Ouch.

Ugh...this guy calls himself an expert?  I hope he's never developed anything that handles sensitive data.  This is almost as bad as the COBOL.NET "security" from a few days ago.  At least here it's hidden.  Sort of.

Alex Papadimoulis:

Johannes Nordh's employer was going through big changes. They had a new image, new managers, and most importantly, a new vision statement. They also decided that they would need a fresh team of "highly talented" software developers to help realize the company's goals.

As in talents of gold, perhaps?

While reviewing some of the new code developed, Johannes brought up a bit of a security hole he found. At my last place we always did this all the time, the new expert responded, it's a heck of a lot easier to fix problems if they ever lose the password; c'mon, there's nothing wrong with that! ...

Yech!

Sincerely,

Gene Wirchenko

And who was this "Expert"s last employer?[:D]

So how did Johannes explain to the "expert" what was wrong with this?
Does this guy still have a job?

By this logic, why bother having a password at all? That way you can never have a password related problem at all because there is no password to lose in the first place.

I guess this "expert" never heard of simple solutions to lost password problems like resetting the password or sending the user an email and having them click a link and choose a new password.
Why is that so difficult to do that one needs to use "backdoors" and "secrets"?
Let alone the fact that the user not only gets access but gets sysadmin rights! What the hell was he smoking when he came up with that at his "last place"?

Wow. All I can say is WOW. I didn't think anyone could actually think that this was an ok practice. This guy needs to be picked up by the Bush administration.

It's always possible that he really knew how bad this security hole is, and that perhaps it's an insurance policy? It's probably a bit better to claim ignorance here than to admit to leaving yourself a backdoor.

Hmm, a security expert who's never heard of a dictionary hack?

Maybe this guy has seen the new movie Firewall and wants an easy way to get in incase his family is ever heald to ransom...

What's the big deal? We did that all the time when I worked for professor Falken
on the WOPR project. As far as I know there was only one meddling kid who managed
to sneak in -- and even then, it wasn't REALLY global thermal nuclear war. 

Cute kid, really. 

What do they do when they forget "secret" as the password!?!?

I'm wondering how many of these backdoors actually are in the wild... As long as nobody finds out, it's just fine, isn't it? :P

Anonymous:

Hmm, a security expert who's never heard of a dictionary hack?

Maybe this guy has seen the new movie Firewall and wants an easy way to get in incase his family is ever heald to ransom...

Actually, a dictionary hack wouldn't get this one... dictionary attacks try known user IDs and passwords.  In this case, the URL to get in would be:

www.domain.com?backdoor=secret

Since the "backdoor" parameter is hidden in the code, an attack should be useless.

Of course, this kind of "security through obscurity" is cause to put the programmer in a corner with a dunce cap.  With anything security related, you should assume that your attacker has your source code.

probably the same guy that uses 1234 for a pin number

Anonymous:

What do they do when they forget "secret" as the password!?!?

lol, i hope this guy wasn't working for the FBI or something.

In an environment of medium or low security, i think it wouldn't be as bad if at least the words wasn't hardcoded. But there is a lot of better ways to proceed in cases of password lost.

Alex Papadimoulis:

    authTicket = AuthenticationTicket.CreateFromTemplate("sysadmin");

    authTicket.Username = username;

    authTicket.FullName = "System Administrator";

  

So... when the user forgets his password, calls IT, is directed to use the "backdoor" fix... he now not only has a way in... but a way in with admin privilidges??  WTF?

Anonymous:

probably the same guy that uses 1234 for a pin number

Isn't that the sort of combination an idiot keeps on his luggage?  :D

This all reminds me of a program I once did work on...

' Is the Backdoor open?

bBackDoorOpen = False
sReturnStr = Space$(81)
sIniName = App.EXEName & ".INI"
iLen = GetPrivateProfileString%("Logon", "Open", "", sReturnStr, Len(sReturnStr), sIniName)
sReturnStr = Left$(sReturnStr, iLen)
If sReturnStr = "Sesame" Then bBackDoorOpen = True
If bBackDoorOpen Then exit sub

' Do Licensing Routine... verify cd-key

--

- Lynn

 

No, its 1-2-3-4-5 on the luggage...

Anonymous:

probably the same guy that uses 1234 for a pin number

That reminds me, I need to change my PIN... 8-)

Any dictionary hacker who doesnt try "god","backdoor","root" and "admin" as possible usernames deserves a WTF of their own

Oh, come on.  What are the odds someone would figure this out?  Big deal.

At one job I had, we had a backdoor password that was the first three letters of the current day of the week, backwards.  We had to change it to '*' because the idiot field circus couldn't remember the original backdoor.  Or couldn't spell the days of the week, more likely.

YOU HAVE DISHONOURED US!  COMMIT SEPPUKU, IMMEDIATELY!

A bit off topic, but...is it safe to browse this site with images on? Or will tomorrow repeat itself?

Sean:

Oh, come on.  What are the odds someone would figure this out?  Big deal.

You're kidding right?
I'm going to give you the benefit of the doubt and assume that you are being funny by pretending to defend this WTF

Anonymous:

What's the big deal? We did that all the time when I worked for professor Falken
on the WOPR project. As far as I know there was only one meddling kid who managed
to sneak in -- and even then, it wasn't REALLY global thermal nuclear war. 

Cute kid, really. 

 

"Would you like to play a game?"

No.. sadly I think he really thinks this is OK - you'd probably be surprised how many developers out there really believe their system will never be subjected to any hacking attempts...

I don't think that they give this out to anyone who looses their password. This is just the backdoor should the admin (who should have the ability to change everyone's password) forgets his own.

Ever been locked out of your own system because you forgot your own password? You will be glad for backdoors then. (Though even still I don't use them)

The question is: is "secret" something that Alex substituted so that we don't know the backdoor password, or is that the real backdoor password?

We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers. (We only use this when there are bugs in the field, most customers will not get a login from us. In fact we recommend that customers have the machine behind a firewall so that we cannot get in ourselves unless we request it)

Backdoors are handy. However the password needs to be secure in itself.

Anonymous:

What do they do when they forget "secret" as the password!?!?

Then they have to type in 'OVERRIDE PASSWORD' and proceed.

Pffft.... C'mon now, this is just lazy coding.

If you're going to leave an intentional backdoor, you have to at least make it *look* accidental. A weird, hard to find, SQL injection vulnerability is always a good choice, but you'll have to at least attempt to filter the input to get it by a thorough security audit. This is where being very clever with regular expressions comes in handy.

Or a buffer overflow is always a nice one, although it's a bit harder to get away with in these days of automated testing tools. Still, it can be done with enough cleverness.

But this guy is not even trying! No obfuscation, even! Truly a WTF for the ages.

A good backdoor should require something stronger than a password.  Say, physical access to the machine, and a certificate signed by the program manufacturer.

The list of passwords the morris worm used included 'secret'.

Consequently, I wrote an app in highschool that tried a dictionary attack on the student FTP server (the list of usernames was visible by navigating to the root of the server, i.e. john doe was /jdoe, and the full list of folders was visible in /) with the morris worm dictionary (about 400 popular passwords).  I had 20 accounts by morning.

Notably, two used 'banana' -- one of which was for a girl named anna, the other, a jana.  And of course, one kid used 'secret'.

To all the annas and janas out there: for the love of god, don't use banana for a password.




I got independant study credit for the project, naturally.

Hank - "We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers."

That is a really bad idea - If I was a customer and I found out you had a backdoor I would be really, really upset.

http://www.thedailywtf.com/default.aspx?backdoor=secret

Ah well, it was worth a try

Anonymous:

No.. sadly I think he really thinks this is OK - you'd probably be surprised how many developers out there really believe their system will never be subjected to any hacking attempts...

Your sarcasm detector is apparently broken.  You may want to have that checked out.  

Not only does he include this nastiness, but he also uses a pet peeve pattern of mine (and a consistently great indicator of a crappy developer) -- not using a variable to store the result of a lookup (getParameter). Why, WHY do all crappy developers always do this?

"Ever been locked out of your own system because you forgot your own password? You will be glad for backdoors then. (Though even still I don't use them)"

That's what KeePass is for (and other utilities like it):

Anonymous:

Hank - "We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers."

That is a really bad idea - If I was a customer and I found out you had a backdoor I would be really, really upset.

Bah, people have suspected Microsoft of having backdoors in Windows for years. Supposedly, there's also government code in Photoshop to prevent counterfeiting.

Dunno how true this stuff is, but it seems at least plausible. Backdoors may already be a fact of life in the products you use every day. Don't like it? Use FOSS. Don't like FOSS? I guess you're stuck. *shrug*

Anonymous:

Hank:

We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers.

That is a really bad idea - If I was a customer and I found out you had a backdoor I would be really, really upset.

I agree, I hope the customers weren't concerned with security (like in government, aerospace, and medical industries.. to name just a few).  There are other ways of hacking things besides a dictionary attack.  Like disassembling your binaries (which is especially easy in Java--not that I'm saying you used Java.. but if you did..).  And there are plenty of users out there smart enough to do that (just look at how little time it takes to crack the copy protection on PC video games and other apps).

GoatCheez:

Wow. All I can say is WOW. I didn't think anyone could actually think that this was an ok practice. This guy needs to be picked up by the Bush administration.

I think this guy would do a heck of a job working for the Bush Administration... I think there is an opening at the head of FEMA. Or maybe he could be the IT security Admin for the dept of Homeland security [:P]

Don't you see what he was trying to do? I think he was trying to bring some "Wiki" spirit into the site.

Anonymous:

Not only does he include this nastiness, but he also uses a pet peeve pattern of mine (and a consistently great indicator of a crappy developer) -- not using a variable to store the result of a lookup (getParameter). Why, WHY do all crappy developers always do this?

It's intentional. That way, when users complain about the sluggishness of the backdoor component, he can cut the time it takes to use the backdoor in half but still charge for 200 hours of Quake4 -- er, work. [:D]

Oh, come on.  What are the odds someone would figure this out?  Big deal.

Assuming you're not trolling for humorous outrage, there are at least problems:

1. someone outside the company figures it out.  not impossible, not even that unlikely.
2. anyone who was ever employed by the company -- programmers, consultants, QA folks -- knows this information until the end of time
3. accidental publication: printouts found in trash, exposed disk mounts, sharing with partner company, etc. .

Anonymous:

probably the same guy that uses 1234 for a pin number

dang it!, they keep guessing my pin numbers![:'(]

I'm sure you missed this part

"highly talented" software developers

should've been

highly paid software CONTRACTORS

WTF Batman:

Anonymous:

Hank - "We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers."

That is a really bad idea - If I was a customer and I found out you had a backdoor I would be really, really upset.

Bah, people have suspected Microsoft of having backdoors in Windows for years. Supposedly, there's also government code in Photoshop to prevent counterfeiting.

Dunno how true this stuff is, but it seems at least plausible. Backdoors may already be a fact of life in the products you use every day. Don't like it? Use FOSS. Don't like FOSS? I guess you're stuck. *shrug*

<hat tinfoil="on">
Most Https servers are probably compromised because the NSA has gotten java and .NET to put in a backdoor for the NSA. all sessions have a master secret exposed in an unsigned portion via at least two public keys (sender and receiver) and it would have been child's play for the NSA to convince java and .NET and other major players to expose the secret via the NSA public key.
</hat>

WTF Batman:

 Supposedly, there's also government code in Photoshop to prevent counterfeiting.

That I am pretty confident is accurate.  Also most printer drivers do it.  Atleast with certain versions of photoshop you can try to scan a bill on your scanner and when it loads the image it will stop you and pop up a message with some explanation of why your being stopped and who to contact to bypass this for legitimate reasons.