Comment On In the Garden of Admin

When Eve was tempted by the serpent and ate from the tree of knowledge, God was furious. In spite of his omniscience, God didn't find out that Eve had screwed up until he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas in shame. Still, it was a failure of security on God's part — the tree was just sitting there, waiting for its fruit to be eaten.

Re: In the Garden of Admin

2007-07-24 12:07 • by AbbydonKrafts
Yay! A happy ending!

he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas


*snicker*

Re: In the Garden of Admin

2007-07-24 12:11 • by TheRubyWarlock
So... the real WTF is that "Herbert Helpdesk" is a corporate drone and a shitbag who likes to get other folks fired, yes?

Re: In the Garden of Admin

2007-07-24 12:12 • by Beowulff
Makes me wonder if anything happened to Herbert Helpdesk for his incompetent response.

Re: In the Garden of Admin

2007-07-24 12:12 • by The cow says.... (unregistered)
146529 in reply to 146524
AbbydonKrafts:
Yay! A happy ending!

he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas


*snicker*


Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

Although I did once know someone who called herself "Squirrel Girl". Hmmm...

Re: In the Garden of Admin

2007-07-24 12:18 • by CrazyTastey (unregistered)
Herbert better watch his back when F.B. is around now...

Re: In the Garden of Admin

2007-07-24 12:19 • by AbbydonKrafts
146531 in reply to 146528
Beowulff:
Makes me wonder if anything happened to Herbert Helpdesk for his incompetent response.


I'd like to know the same thing.

The cow says....:
Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.


Maybe they stunned them first. *shrug*

You like a happy ending? Ory $5 dollah

Re: In the Garden of Admin

2007-07-24 12:27 • by a nonny mouse cow ard (unregistered)
Yeah I notified folks at my company of a similar security hole. Word got back to IT and I nearly got punched out -- physically. My user account got deleted along w/ my network backup volume. Plus I got accused, by Personnel, of "hacking" [sic] and misusing email.
In the end, the IT guys left the company, the software team (I'm not a member) congratulated me, and the hole did get fixed.

Would I do it again? Not a F-ing chance. Let someone else get yelled at.

for real: captcha: Darwin. How evolutionary!

Re: In the Garden of Admin

2007-07-24 12:27 • by akatherder
It's just too bad that the web server can't keep track of this information and you have to put it in a cookie yourself...

I wonder how long F.B. was stuck in limbo. Did they have an immediate fix and do an emergency push to production?

Authentication/authorization components usually touch a lot of pages and the testing is a bitch. Who am I, what should I be seeing, and what shouldn't I be seeing?

Re: In the Garden of Admin

2007-07-24 12:31 • by Matt (unregistered)
Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.

Re: In the Garden of Admin

2007-07-24 12:39 • by Jebus (unregistered)
Thank god for the smart CIO.

Re: In the Garden of Admin

2007-07-24 12:39 • by Monkey sees you now (unregistered)
146541 in reply to 146537
Matt:
Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.


Did I misread something? He didn't get in trouble. He got kudos for finding and reporting the problem. The only person who got his panties in a knot was some help desk lackey who probably did not know what any of the big words meant.

Re: In the Garden of Admin

2007-07-24 12:52 • by Worf (unregistered)
146543 in reply to 146541
Monkey sees you now:
Matt:
Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.


Did I misread something? He didn't get in trouble. He got kudos for finding and reporting the problem. The only person who got his panties in a knot was some help desk lackey who probably did not know what any of the big words meant.


No, you didn't misread. However, the general consensus is that finding security issues means that you've been "hacking" the network (which in most places means you'll be escorted out the building). There's a tendency to blame the messenger/reporter rather than actually wanting to fix the issue. It's kinda sad, but a fairly accurate representation of the world.

The only good part was that the CIO was actually competent and understood that F.B. found a serious security hole...

Re: In the Garden of Admin

2007-07-24 12:57 • by Kane.Elson
I am so glad he got kudos from the CIO. It would be about par if he got a flaming from him as well though.

From experience people who don't know much about computers have a serious problem with you trying to explain to them that their system has a flaw and needs to be patched. They automatically assume that you are some master hacker and you should be punished for compromising their system.

Re: In the Garden of Admin

2007-07-24 13:07 • by snoofle (unregistered)
146546 in reply to 146544
So the CIO is God? Well, the title does have more capital letters...

Re: In the Garden of Admin

2007-07-24 13:16 • by Jon (unregistered)
That's why you never "officially" tell IT about security holes. "Hey Bob, a friend of mine found this and asked me to tell it to you guys since I know you....is this something you care about?". Bob can then go to his manager and take credit, and since there is no paper trail, it's harder to get in trouble.

(disclaimer: I'm a network admin. I want my users to tell me about holes, regardless of through email, phone call, or face to face. If someone tells me about a hole, and wants to remain anonymous, I will *not* tell my manager who they are. I refuse to shoot the messenger)

Re: In the Garden of Admin

2007-07-24 13:23 • by nobody (unregistered)
Guy walks into a building.

"Hey! How did you get in here? The door is locked!"

"Do you know you left the key hanging on a string by the door?"

"I'm calling the police! Breaking and entering"

Re: In the Garden of Admin

2007-07-24 13:31 • by Obvious Troll (unregistered)
I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.

Re: In the Garden of Admin

2007-07-24 13:34 • by Mithrandir (unregistered)
Not to be a wet blanket, but given how long the hole had been present, how egregious it was, and how quickly the fix was asserted, I find myself wondering how well fixed the hole actually was... like, maybe they now use triple-encoded rot13 to encrypt the user name or something...

Re: In the Garden of Admin

2007-07-24 13:35 • by Goldie (unregistered)
Wow, so their helpdesk isn't in Bangalore? That's pretty rare.
In a situation like this, I'd talk personally to a close friend in the network group and avoid leaving a paper trail. It goes without saying that you *should* have a close friend in the network group at all times. Ah, the things I learned while working for a Fortune 500.

Re: In the Garden of Admin

2007-07-24 13:42 • by abx
I think the issue here is that he didn't realize he was being logged until it was too late. The paper trail, in one sense, was already there to begin with.

Re: In the Garden of Admin

2007-07-24 13:42 • by KattMan
146558 in reply to 146529
The cow says....:
AbbydonKrafts:
Yay! A happy ending!

he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas


*snicker*


Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

Although I did once know someone who called herself "Squirrel Girl". Hmmm...


You obviously never heard of Squirrel Nut Zippers

Re: In the Garden of Admin

2007-07-24 13:44 • by EmmanuelD (unregistered)
146561 in reply to 146552
Obvious Troll:
I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.

Well, most of the stories I heard about Sodom and Gomorrah usually begin with "God is really, really farked up about these little free towns, where everybody's having fun and spreading STDs". Not sure that any prophets took upon this, but hey, who knows. The RSS on blog.prophetactions.com/abraham was down at this time, and God got all the credits.

Re: In the Garden of Admin

2007-07-24 13:55 • by Hunter (unregistered)
146563 in reply to 146561
EmmanuelD:
Obvious Troll:
I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.

Well, most of the stories I heard about Sodom and Gomorrah usually begin with "God is really, really farked up about these little free towns, where everybody's having fun and spreading STDs". Not sure that any prophets took upon this, but hey, who knows. The RSS on blog.prophetactions.com/abraham was down at this time, and God got all the credits.


NSFW:

http://www.superdeluxe.com/sd/contentDetail.do?id=D81F2344BF5AC7BB77D6A0E55069BD0A9B3A52CB005FA7D7

Re: In the Garden of Admin

2007-07-24 13:57 • by Demaestro (unregistered)
I hate when white hat "hacking" is used as a negative thing.

To me it is only hacking when you are doing it with less than honorable intentions..... plus is changing the value of a plain text cookie really hacking? This is almost security through obscurity.

It would be like one day I come into the office and decide to use the default security code for the system we are using to see if it still excepts it. Then coming forward to say.."Hey the alarm still takes the alarm company default code which is listed in all its user manuals."

And then being told "Breaking into the office is grounds for termination"

Stupid... glad it went the way it should. They should have given him a bonus.

CAPTCHA: smile

Re: In the Garden of Admin

2007-07-24 14:01 • by Danny (unregistered)
I was sure that the story would end with him using his newfound admin privileges to delete the incriminating email...

Re: In the Garden of Admin

2007-07-24 14:04 • by Rich (unregistered)
in the gaddah da vidah


By I. Ron Butterfly.

captcha: paint (umm, wtf?)

Re: In the Garden of Admin

2007-07-24 14:10 • by stratos
mmm weird ending, i was actually half expecting the following additional paragraph.

The next morning after F. B. went to work, feeling real happy about what happened, he found his passkey wasn't working anymore and the security guard informs him that he has been fired for hacking and the CIO only thanked him yesterday so F.B. wouldn't destroy or take any company property or cause a scene.

Re: In the Garden of Admin

2007-07-24 14:19 • by Zylon
146572 in reply to 146564
Demaestro:
It would be like one day I come into the office and decide to use the default security code for the system we are using to see if it still excepts it.


If it excepts the default code, that's a good thing... right?

Re: In the Garden of Admin

2007-07-24 14:39 • by Kzinti (unregistered)
IT people should be fired, not F.B.

Re: In the Garden of Admin

2007-07-24 14:54 • by Patrick (unregistered)
The real WTF is why management actually acted rationally.

Re: In the Garden of Admin

2007-07-24 14:55 • by Grant D. Noir (unregistered)
146583 in reply to 146549
Jon:

...
If someone tells me about a hole, and want to remain anonymous, I will *not* tell my manager who they are. I refuse to shoot the messenger)


Now there's the real WTF.

Re: In the Garden of Admin

2007-07-24 15:04 • by jetcitywoman
A few decades ago, I got nearly strung up for causing what they thought was serious hacking. I got called to the manager's desk one morning, with my supervisor and the system mangler there, everybody looking deadly serious. They started grilling me as to what I was doing the day before and why. Puzzled. I had done my work and went home at 5pm. It was like I'd murdered someone right there in the room, so I was a little freaked. Finally, I got them to show me the "evidence" against me. A printout of really high process statistics. My process had racked up something like billions of hours of cpu time, io, etc etc. The numbers were so high that I was surprised they thought one user could actually rack that much up in 24 hours, let alone 8 hours.

The only thing different that I could remember doing the day before was shutting down my X-terminal without logging out first. I finally soothed them enough that they let me go back to my desk (rather than immediately walking me to the police station), so I tested my theory. I closed the Xwindows without logging off the machine. Logged back on and checked, and the process was still there, detached, and going nuts. No idea what it was doing, but at least I was able to show them right there.

Of course there were no apologies offered.

Re: In the Garden of Admin

2007-07-24 15:14 • by anon (unregistered)
146586 in reply to 146584
jetcitywoman:

Of course there were no apologies offered.


Apologies for what? You were still the bonehead who sucked up all their clock cycles.
What did you want them to say? "We're sorry for thinking you are evil, when you are obviously only stupid."

Re: In the Garden of Admin

2007-07-24 15:19 • by Cory the Cobol guy (unregistered)
I can't believe you guys actually think it got fixed, probably just made the cookie a read-only file, that'll fix it....

prosecution

2007-07-24 15:22 • by a nony mouse (unregistered)
In rare cases, it's possible for management to overreact to the point of actually bringing criminal charges. Google for "just another convicted perl hacker". The takeaway from that episode seems to be: Get it in writing before you poke around dark corners.

Re: In the Garden of Admin

2007-07-24 15:27 • by misha (unregistered)
146590 in reply to 146586
anon:
jetcitywoman:

Of course there were no apologies offered.


Apologies for what? You were still the bonehead who sucked up all their clock cycles.
What did you want them to say? "We're sorry for thinking you are evil, when you are obviously only stupid."


I'm not sure I see how jcw was being stupid; if I run an xterm and then close it without typing "exit" or ^D I expect any associated processes to get terminated too, not detach and start calculating pi. Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

Re: In the Garden of Admin

2007-07-24 15:27 • by I forgot my posting name (unregistered)
146591 in reply to 146551
nobody:
Guy walks into a building.

"Hey! How did you get in here? The door is locked!"

"Do you know you left the key hanging on a string by the door?"

"I'm calling the police! Breaking and entering"


That actually is still Breaking and entering. You can be charged with it. Just because you can get in, doesn't mean you should.

Re: In the Garden of Admin

2007-07-24 15:28 • by PC Paul
146593 in reply to 146583
Grant D. Noir:
Jon:

...
If someone tells me about a hole, and want to remain anonymous, I will *not* tell my manager who they are. I refuse to shoot the messenger)


Now there's the real WTF.


If you mean "WHY the F" does it need to be like that, I totally agree.

If I see somebody walking away from their luxury car and leaving the door open, I'd tell them. If the real world worked like what passes for 'security' in many organisations I'd then be locked up, interrogated and convicted of attempted car theft.

WTF??

(BTW, I *have* worked for some seriously secure organisations, and I'm happy to say in *all* of those, bringing anything like this to the security officer's attention was a good thing. As long as you didn't play around with it *too* much before you told them, obviously...)

Re: In the Garden of Admin

2007-07-24 15:36 • by ptomblin
146595 in reply to 146589
a nony mouse:
Google for "just another convicted perl hacker". The takeaway from that episode seems to be: Get it in writing before you poke around dark corners.

Randal Schwartz wasn't fired for white hat hacking. He was fired because he was told to stop doing something, he promised to stop, and then he went and did it again. He's a fucking idiot.

Yeah, Intel over-reacted, but that doesn't alter the fact that he's a fucking idiot.

Re: In the Garden of Admin

2007-07-24 15:36 • by AbbydonKrafts
146596 in reply to 146558
KattMan:
You obviously never heard of Squirrel Nut Zippers


But that has a defined origin. From the ever-present Wikipedia:

The band's name comes from the Squirrel Brand's Nut Zippers, a peanut and caramel candy for sale since the mid-20s.


Off topic...

What the heck is up with this squashed half-width compose page?! All my replies today have been in this constricted box. Grr...

Re: In the Garden of Admin

2007-07-24 15:37 • by fanha (unregistered)
146598 in reply to 146564
Demaestro:
To me it is only hacking when you are doing it with less than honorable intentions..... plus is changing the value of a plain text cookie really hacking? This is almost security through obscurity.


The only hack here was the system itself.

Re: In the Garden of Admin

2007-07-24 15:39 • by AbbydonKrafts
146599 in reply to 146590
misha:
if I run an xterm and then close it without typing "exit" or ^D I expect any associated processes to get terminated too, not detach and start calculating pi. Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?


I had to try really hard to keep myself from laughing after reading that. I need to add a page to my blog to log these gem replies.

Re: In the Garden of Admin

2007-07-24 15:44 • by Crash Magnet (unregistered)
I once saw a survey of the most popular passwords used by systems administrators. The number one most popular password quoted was "god".

Crash Magnet

Re: In the Garden of Admin

2007-07-24 15:47 • by mh (unregistered)
I'm still gobsmacked by the "visitors on our intranet" bit. Please tell me that doesn't mean what I think it *could* mean.

But yeah, similar story (only I'm the "God" role here) - discovered one day that a team of elite highly-paid consultants (who had - naturally - been swanning around the office acting like they owned the place) had left the Oracle "sys" password at the default.

For those who don't know, in Oracle (at least up to 8i, where my familiarity ends), "sys" is one of the ultra super users with access to everything.

And the default password? "change_on_install".

Re: In the Garden of Admin

2007-07-24 15:50 • by Sgt. Preston (unregistered)
146604 in reply to 146591
I forgot my posting name:
nobody:
Guy walks into a building.

"Hey! How did you get in here? The door is locked!"

"Do you know you left the key hanging on a string by the door?"

"I'm calling the police! Breaking and entering"


That actually is still Breaking and entering. You can be charged with it. Just because you can get in, doesn't mean you should.


Trespassing, yes. Breaking is a hard sell.

Re: In the Garden of Admin

2007-07-24 16:02 • by capnPedro
146609 in reply to 146601
Crash Magnet:
I once saw a survey of the most popular passwords used by systems administrators. The number one most popular password quoted was "god".

Crash Magnet


no. You saw the film Hackers.

Re: In the Garden of Admin

2007-07-24 16:08 • by Reverend Lovejoy (unregistered)
146610 in reply to 146567
Rich:
in the gaddah da vidah


By I. Ron Butterfly.

captcha: paint (umm, wtf?)

Wait a minute... that sounds like rock and/or roll music.

Re: In the Garden of Admin

2007-07-24 16:11 • by Shiny Happy User (unregistered)
The only reason the CIO cared so much and acted so quickly is that the top brass hate it when the peons know how much they make.

Re: In the Garden of Admin

2007-07-24 16:13 • by Nomen Nescio (unregistered)
Happened to me. And I didn't even use the privilege violation, I just said, hm, what happens if I put /bin/sh into this configuration line. At the shell prompt, I told the admin -- and they threatened to call the polizei.

Re: In the Garden of Admin

2007-07-24 16:13 • by Zygo (unregistered)
146613 in reply to 146590
misha:
Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?


It is if you have something like the following line in your .bashrc:

trap 'cd ~/SETI@Home && boinc -redirectio &' HUP

A few decades ago was the big BSD-vs-SysV-vs-POSIX split about signal handling, where one side went with signal handlers that handle multiple signals, and the other went with signal handlers that fire only once per signal, then revert to their default behavior (which is usually to terminate the program) automatically.

Programs written on one side of the divide were ported to the other without taking this into account, or even worse, operating systems were quietly converted from one behavior to the other without providing compatibility glue at the application level. The result was that anyone who tried to do something graceful on receipt of a SIGHUP (terminal disconnected) or SIGPIPE (network socket disconnected) was buggered. Since almost nobody does any real QA on software, these bugs appeared throughout the industry, and with shared libraries it can appear retroactively in previously bug-free software.

At one point in the 90's I was grepping sources for "signal.*SIG" because most of the time there was a spinning bug there waiting to happen.
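As an added illustration of the one-shot versus persistent handler semantics Zygo describes (example code written for this page, not posted by anyone in the thread), the program below installs a handler with persistent POSIX sigaction() semantics, optionally emulates the old SysV "reset to SIG_DFL on delivery" behavior inside the handler, and shows the classic re-arm-in-the-handler workaround. It uses SIGUSR1 as a stand-in for SIGHUP/SIGPIPE (an assumption; all three default to terminating the process), and reads the disposition back before each raise so the demo stops instead of dying where a real program would have.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for struct sigaction / sigaction() */
#endif
#include <signal.h>
#include <string.h>

static volatile sig_atomic_t deliveries;   /* how many times a handler ran */
static volatile sig_atomic_t emulate_sysv; /* 1: revert to SIG_DFL on delivery */
static volatile sig_atomic_t rearm;        /* 1: handler reinstalls itself */

static void on_signal(int signo)
{
    if (emulate_sysv)
        signal(signo, SIG_DFL);   /* what old SysV signal() did behind your back */
    deliveries++;
    if (rearm)
        signal(signo, on_signal); /* the classic portable workaround */
}

/*
 * Install on_signal for `signo` with persistent (BSD/POSIX) semantics,
 * optionally emulating SysV one-shot behaviour and/or re-arming, then raise
 * the signal `times` times.  Before each raise the current disposition is
 * read back; if it has reverted to SIG_DFL the loop stops, because a real
 * delivery at that point would take the default action (termination for
 * SIGHUP, SIGPIPE and SIGUSR1).  Returns the number of handled deliveries,
 * or -1 on error.
 */
int handled_deliveries(int signo, int sysv, int do_rearm, int times)
{
    struct sigaction sa, cur;
    int i;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;              /* persistent: handler stays installed */

    deliveries = 0;
    emulate_sysv = sysv;
    rearm = do_rearm;
    if (sigaction(signo, &sa, NULL) != 0)
        return -1;

    for (i = 0; i < times; i++) {
        if (sigaction(signo, NULL, &cur) != 0)
            return -1;
        if (cur.sa_handler == SIG_DFL)
            break;                /* the next delivery would have killed us */
        if (raise(signo) != 0)
            return -1;
    }
    signal(signo, SIG_DFL);       /* leave the process tidy */
    return (int)deliveries;
}
```

With persistent semantics three raises are all handled; with emulated SysV semantics only the first is, which is exactly the "graceful SIGHUP handler that works once" bug the comment describes, and re-arming inside the handler restores all three.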