Re: That's Not Part of Our Testing • 2008-07-31 10:06 • by TheRealWTF (unregistered)
The real WTF is people calling it "Warez".

Honestly... who doesn't include a few warez and pr0n sites on their tests? It's SOP.

He must hate those "An error has occurred - please contact your network administrator" messages.

Ahh, the open proxy. There is specialty software that just scans for their sweet innocence.
I'd say "TRWTF is that they didn't notice that 90% of their bandwidth went away", but the sort of person who sets up an open proxy can be expected to miss it. Logs are your friend. Everyone screws up, but it's trivial to diagnose and fix if you check your logs. I was dealing with an admin at another corporate property and I noticed that >80% of their traffic was coming from 3 machines that were in a subnet reserved for desktops... Obvious virus/spyware activity. I called the guy and said, "Hey, you need to check out 127.0.0.1, it's using way too much bandwidth." He replies instantly, "That's a kiosk machine, it just gets a lot of heavy use, there is nothing wrong with it." The conversation goes downhill from there. He won't check it, and he's convinced that the traffic is normal user crap. So I call our boss, and I get us all together, and I start busting out logs. This is our internal file server, this is our email server, this is the proxy for the entire server room... and THIS (imagine a graph as long as all the others put together and multiplied by 2) is a kiosk machine. The expression on his face was classic. Gotta check those logs.
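The per-host accounting the comment above describes (and the ISDN-dialling and NAT-proxy stories further down the thread) is easy to script. The following is an added example, not code posted by anyone in this thread: it reads a constructed, Squid-like access log, totals bytes per client address, flags any client responsible for more than a chosen share of the traffic, and lists clients whose source address lies outside the ranges assumed to be internal, which on an internet-facing proxy is the tell-tale of an open proxy. The log format, the 10.0.0.0/8 "internal" range and the 192.0.2.77 address (from the RFC 3330 documentation block mentioned later in the thread) are all assumptions made for the example.

```python
"""Proxy-log triage: who is eating the bandwidth, and is anyone outside the
network using the proxy at all?  Added example with constructed input; the log
format is assumed and is not claimed to be any particular proxy's exact format."""
import ipaddress
from collections import defaultdict

# Assumption for the example: address blocks that belong to our own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. Fields: timestamp, client IP, bytes sent to the
# client, method, URL, cache-result/status. 192.0.2.0/24 is the RFC 3330
# documentation range, so 192.0.2.77 stands in for "some stranger on the internet".
SAMPLE_LOG = """\
2008-07-31T09:58:01 10.1.4.22 18342 GET http://intranet.example/home TCP_HIT/200
2008-07-31T09:58:07 10.1.4.23 2201 GET http://example.com/news TCP_MISS/200
2008-07-31T09:58:09 10.1.9.7 734221 GET http://cdn.example/update.bin TCP_MISS/200
2008-07-31T09:58:11 10.1.9.7 812900 GET http://cdn.example/update2.bin TCP_MISS/200
2008-07-31T09:58:15 192.0.2.77 96000 GET http://example.net/big.iso TCP_MISS/200
2008-07-31T09:58:16 192.0.2.77 131072 GET http://example.net/big2.iso TCP_MISS/200
2008-07-31T09:58:20 10.1.4.22 1100 GET http://example.com/ TCP_MISS/200
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, client, nbytes, method, url, status = line.split()
    return {"ts": ts, "client": ipaddress.ip_address(client),
            "bytes": int(nbytes), "method": method, "url": url, "status": status}


def bytes_per_client(lines):
    """Total bytes per client address, skipping blank lines."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        totals[str(rec["client"])] += rec["bytes"]
    return dict(totals)


def top_talkers(totals, share_threshold=0.5):
    """Clients whose share of all bytes meets the threshold, heaviest first."""
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, b, b / grand) for ip, b in ranked if b / grand >= share_threshold]


def external_clients(totals, internal_nets=INTERNAL_NETS):
    """Clients not inside any internal range. On an internet-facing proxy this
    is the open-proxy indicator: outsiders should not be able to use it at all."""
    return sorted(ip for ip in totals
                  if not any(ipaddress.ip_address(ip) in net for net in internal_nets))


def triage(log_text, share_threshold=0.5):
    """Run all three checks over a log and return them in one report."""
    totals = bytes_per_client(log_text.splitlines())
    return {"totals": totals,
            "heavy": top_talkers(totals, share_threshold),
            "external": external_clients(totals)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, nbytes, share in report["heavy"]:
        print(f"heavy talker {ip}: {nbytes} bytes ({share:.0%} of all traffic)")
    for ip in report["external"]:
        print(f"external client using the proxy: {ip}")
```

On the constructed sample the single "kiosk" host 10.1.9.7 accounts for about 86% of all bytes, and 192.0.2.77 shows up as a client the proxy should never have served; on a real log the share threshold is the knob to tune, and a client list with any non-internal address in it deserves a look at the listening interface and ACLs before anything else.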
Foot in mouth is SOP here too.

So... the WTF is that "Initrode" has an incompetent person as its network admin.

Yeah, logs are cool - I once had a boss ask me to investigate why our dual ISDN internet connection was dialing every 5 minutes all hours of the day. This had been going on for months (I had just joined) and was costing the company lots of money. It was made clear that a disciplinary hearing would ensue once the culprit was found.
A quick scan of the proxy logs revealed the source - the boss's PC. Turns out she had installed some spyware-laden desktop buddy thing and that was keeping the connection open. Disciplinary hearings did not ensue.
Re: That's Not Part of Our Testing • 2008-07-31 10:28 • by DeLos

More importantly, how is it pronounced? I spent my youth calling it "WAR-ezz" and then I hear people mentioning it as "WEAR-z".
Re: That's Not Part of Our Testing • 2008-07-31 10:30 • by ObiWayneKenobi

The second one, as in "Peddling my wares", as in some shady guy offering to sell you knock-off imitation watches for a fraction of the price of the expensive kind.
Re: That's Not Part of Our Testing • 2008-07-31 10:30 • by TheRealWTF (unregistered)

It's from "software", not "softWAR".

It's wear-z, like in software.
Re: That's Not Part of Our Testing • 2008-07-31 10:38 • by SomeCoder (unregistered)

I initially called it "WAR-ezz" too, until finally my cousin (who was also calling it that) said "Oh, I heard the other day that it's 'WEAR-z'". I still think of it as "WAR-ezz" even though I know better. And though I never really participated in warez, just hearing that brings back memories of the late 90s :)
Re: That's Not Part of Our Testing • 2008-07-31 10:40 • by fas (unregistered)

softwear?

Wait a minute. Just because you can use your network's web proxy server to look at the web, that doesn't mean that anyone from the web can use your network's web proxy, does it?
Re: That's Not Part of Our Testing • 2008-07-31 10:46 • by Freddie (unregistered)

WAR-ezz?? That is the real WTF.
Re: That's Not Part of Our Testing • 2008-07-31 10:47 • by Mememe (unregistered)

Oh, never mind, I guess the point is that he used the proxy from outside the network without tunneling.

Mmm. Penetration testing.

The correct spelling is 'juarez'.
Re: That's Not Part of Our Testing • 2008-07-31 11:01 • by Wynne (unregistered)

Penetration testing in Juarez! That brings back fond (fondle?) memories of my youth.

What can I say... The internet is for porn!
Re: That's Not Part of Our Testing • 2008-07-31 11:12 • by Mayo (unregistered)

I doff my cap to you, good sir.
Re: That's Not Part of Our Testing • 2008-07-31 11:14 • by Ben4jammin (unregistered)

You might be surprised at how many such devices get hooked up and no one bothers to test them.
When I was a student years ago at a 2-year college, it only took a few days for us computer-savvy types to realize that they were running an open email relay. Meaning, you could send it all the email you wanted and it would dutifully send it out, with no authentication. So anyone could use it. Finally, they got a tech instructor who was security minded and he reconfigured it. After it had been in place for about 2 years.
Re: That's Not Part of Our Testing • 2008-07-31 11:24 • by shadowman

LOL! I took a jaunt across the border into Juárez last time I was visiting El Paso. Edit - damn, someone beat me to it.

Floris: Welcome to Lestercorp. How may we meet your filing needs?
Craig: No, no. Um... my name's Craig Schwartz. I have an interview with Dr. Lester.
Floris: Oh. Please have a seat, Mr. Juarez.
Craig: Schwartz.
Floris: Pardon?
Craig: Schwartz.
Floris: I- I'm sorry. I have no idea what you're saying to me right now.
Re: That's Not Part of Our Testing • 2008-07-31 11:29 • by tsr (unregistered)

You'd be surprised, really. When one of the more annoying viruses of the early 21st century was passing around my university (I don't recall which), a friend of mine tore it apart and found one of the first places it went to download more copies of itself was my university. At first we thought that was a mistake, then McAfee reported the same address as a "Block to avoid virus"; so did Trend, and Norton... Then the network slowed to a halt a few hours later. We called the head of our tech department. We were told surely we looked at something wrong, and we couldn't possibly find any of this out. (You know, virus information pages aren't usually... oh, I dunno, free.) Anyway, long story short, a few more hours later, they locked off the entire network to "make security upgrades" (read: find the poor sucker whose computer was a 'bot).
Re: That's Not Part of Our Testing • 2008-07-31 11:31 • by draeath (unregistered)

That makes me quite angry that idiots can get network jobs, but people who ALMOST know what they are doing (like me) can't seem to make it past the HR screen. Dammit.
Re: That's Not Part of Our Testing • 2008-07-31 11:33 • by AntonioCS (unregistered)

I don't get this! Isn't 127.0.0.1 the localhost??
Re: That's Not Part of Our Testing • 2008-07-31 11:35 • by TheRealWTF (unregistered)

That was the alternative to giving out or REMEMBERING the actual IP address - you don't need it and it isn't required for the story.
Re: That's Not Part of Our Testing • 2008-07-31 11:42 • by Broadway (unregistered)

KATE: The internet is really, really great
TREKKIE MONSTER: For porn
KATE: I've got a fast connection so I don't have to wait
TREKKIE: For porn
KATE: Huh? There's always some new site,
TREKKIE: For porn!
KATE: I browse all day and night
TREKKIE: For porn!
KATE: It's like I'm surfing at the speed of light
TREKKIE: For porn!
KATE: Trekkie!
TREKKIE: The internet is for porn
KATE: Trekkie!
TREKKIE: The internet is for porn,
KATE: What are you doing!?
TREKKIE: Why you think the net was born? Porn! Porn! Porn!
Re: That's Not Part of Our Testing • 2008-07-31 11:51 • by GettinSadda

I grew up back in the days when computer mags (in fact in that day they were just electronics mags) printed huge programs for you to type in - sometimes spread over more than one issue. My brother and I would share the load, with one of us reading the code out and the other typing. As "quote" or "double quote" are too much of a mouthful when reading large amounts of text, we tended to call them "diddits", so you got lines like: 100 print (diddit)Your score is(diddit);PTS;(diddit)(space)points(diddit). Sometimes I still think of them that way, but these days it tends to become " instead (yuck!)

Ridiculously common. We had the same problem the first time we set up a proxy for a NATted network. Took about 2 months, then I saw all sorts of weird-ass shit flying through our proxy.
Amazingly, most of it was coming from financial institutions during business hours.
Re: That's Not Part of Our Testing • 2008-07-31 11:55 • by yet another Matt

According to http://tools.ietf.org/html/rfc3330 the IP '192.0.2.0' is reserved for documentation, much like example.com. You didn't know, I didn't know. Now we know.
Re: That's Not Part of Our Testing • 2008-07-31 12:05 • by LarryLaffer (unregistered)

I worked at a games company a few years ago, and I found that the sysadmin at our other studio had accidentally (read: incompetently) set up a PS2 devkit as a DNS.
At another very large company I work at, we had one of those insipid trojans that were all the rage in the late 90s hit our machines. A day or so later one of the tech support guys was praised for saving the company by wiping out the trojan from the network. I had a quick look at various logs and found he was initially responsible for bringing the trojan in in the first place...
Re: That's Not Part of Our Testing • 2008-07-31 12:20 • by a (unregistered)

I knew, but I said it didn't matter.
Re: That's Not Part of Our Testing • 2008-07-31 12:31 • by Soviut

I always thought the incorrect "WAR-ez" pronunciation was kind of funny, because how do you pronounce "Gamez"? "GAY-mez"!

Let's rethink this...
The guy reads his logs. The guy notices that there is new activity in the logs. He identifies the activity as being "of interest". The new activity apparently coincides with the arrival of the testing team. So far, it sounds to me like the guy is not borderline incompetent. The security team identifies a major config problem. The organization was smart enough to bring in a security team. Is this really a WTF? I deal with people every day who are putting forth good effort, but lack skills. Fine. Give me that any day over the people who are lazy, or unmotivated, or sure they already know, or just not interested. The guy admitted that he was the one - how many people do you know who would just walk away and avoid further discussion? I know there's a lot I don't know.
Re: That's Not Part of Our Testing • 2008-07-31 12:38 • by y3kproblem (unregistered)

So it's true what they say about American universities: students smoke so much pot that they don't always know where they are.
Re: That's Not Part of Our Testing • 2008-07-31 12:41 • by Xeron

It's spelt 'Warez' but it's pronounced 'Throatwarbler Mangrove'.
Re: That's Not Part of Our Testing • 2008-07-31 12:45 • by Russ (unregistered)

The real WTF is that he was running a proxy server in the first place. Why does anyone need a proxy server? Do they not have a router that supports NAT?
Re: That's Not Part of Our Testing • 2008-07-31 12:46 • by UPenn (unregistered)

Pffttt.... A few years back, either late 2003 or early 2004, I was researching an error message on a particular copy/print/scanner that has a web interface. I dutifully copied the error message into Google and one of the first page results was the exact error message. On another printer. Connected to the Internet. Completely open. At the University of Pennsylvania.
Losing bandwidth is one thing; these guys were set up to lose reams of paper. BTW, a quick scan of the IP range yielded a number of computers and other printers. All accessible. Several with open shares. I shudder to think of the number of viruses and worms on that network.
Re: That's Not Part of Our Testing • 2008-07-31 12:47 • by Satanicpuppy

I guess that's about as common as the non-Americans who can't master the "Quote" tag.
Re: That's Not Part of Our Testing • 2008-07-31 12:52 • by kmactane

Clarification: It's the entire address range 192.0.2.0/24. Nice to know. Thanks for the reference! This will be useful in future stories, I'm sure.
Re: That's Not Part of Our Testing • 2008-07-31 13:09 • by Andrew (unregistered)

Well, tell everyone your server's IP address, and we'll security test it for free. The IP 127.0.0.1 (localhost) here means anonymous.
Re: That's Not Part of Our Testing • 2008-07-31 13:11 • by halber_mensch

Juan wants warez from Juarez. Juarez Warez at the wharf sold Juan his warez. Where's Juarez, Juan?

.. for a couple of reasons. Firstly, in the grand scheme of security snafus, it's not really a big deal. Host out on the internet listening on the wrong interface or with broken firewall rules. See it a lot.
Secondly, though, I have yet to meet proxy server logs that don't contain source IP addresses... or, for that matter, a way of gleaning who accessed what via a proxy server that wasn't "looking at the proxy server logs". I also don't understand why security folk are looking at logs from a box they don't have IP addressing information for - or why they couldn't just find it out themselves. Internal (or not so much) internet-access proxy server IP addresses shouldn't be anything any pentester needs to ask anyone for. If (s)he does, either the network in question is in the 99th percentile (this one plainly isn't), or they're in the wrong job! I'm guessing this has been badly obfuscated to make it less obvious who this was, but either way - meh.

This reminds me of when I was commissioned to set up a proxy/firewall at a company, specifically setting it up to block pr0n, as well as blocking internet access to bot-infested PCs. The bot lockdown was successful, but I had to turn off the porn filter, because it was also blocking Hotmail for some reason. However, it seems like the porngoers didn't realize they were being logged, and kept on with their merry porn.
One month later, I found the problem with Hotmail (it was blocking Passport... guess which regex did that!) and after removing the offending regex, the filter worked. Along with this, I changed the ACL page to show a big RED page stating "You're trying to watch porn! And we logged it, sucker!!!". Even p0rn access attempts went down to zero after I did this!
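The "guess which regex" problem above is a substring blocklist matching inside an innocent hostname. The thread does not say which pattern the poster had, so the following is an added example with constructed patterns and hostnames, not the poster's filter: a naive term list matched anywhere in the URL, a hardened list using word boundaries plus an explicit host allowlist, and a helper that lists the URLs the naive rules would block and the strict rules would not, which is the review a filter admin wants before switching a category on. The fragment `ass` is a hypothetical pattern chosen because it reproduces the "passport" symptom; `passport.example.net` and the other hosts are made up.

```python
"""URL-filter regex overmatch and its fix.  Added example with constructed
patterns and hostnames; the thread does not say which regex the poster had."""
import re
from urllib.parse import urlsplit

# Naive blocklist: each term matches anywhere in the URL. A fragment such as
# "ass" is the classic way a filter like this ends up blocking a login host
# whose name happens to be "passport" (hypothetical pattern, chosen to
# reproduce the symptom described in the thread).
NAIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"porn", r"ass", r"xxx")]

# Hardened list: word boundaries, so the term must stand on its own in the
# host or path, plus an allowlist for hosts that must never be blocked.
STRICT_PATTERNS = [re.compile(p, re.IGNORECASE)
                   for p in (r"\bporn\b", r"\bass\b", r"\bxxx\b")]
ALLOW_HOSTS = frozenset({"passport.example.net", "mail.example.com"})  # constructed


def decide(url, patterns, allow_hosts=frozenset()):
    """Return "allow" or "block" for one URL under the given rules."""
    host = (urlsplit(url).hostname or "").lower()
    if host in allow_hosts:
        return "allow"
    if any(p.search(url) for p in patterns):
        return "block"
    return "allow"


def overblocked(urls, naive=NAIVE_PATTERNS, strict=STRICT_PATTERNS,
                allow_hosts=ALLOW_HOSTS):
    """URLs the naive rules block but the strict rules let through: the
    collateral damage to review before a filter goes live."""
    return [u for u in urls
            if decide(u, naive) == "block"
            and decide(u, strict, allow_hosts) == "allow"]


# Constructed requests: two legitimate, two that any such policy blocks.
SAMPLE_URLS = [
    "http://passport.example.net/login?id=1",
    "http://www.example.com/classic-cars/brass-fittings",
    "http://free-porn.example/index.html",
    "http://ass.example.org/",
]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}: naive={decide(u, NAIVE_PATTERNS)} "
              f"strict={decide(u, STRICT_PATTERNS, ALLOW_HOSTS)}")
    print("over-blocked by naive rules:", overblocked(SAMPLE_URLS))
```

Word boundaries fix the "passport" and "classic cars" cases without weakening the rule for a host that is literally named after the blocked term; the allowlist covers the hosts a business depends on (here the webmail login, as in the story), and `overblocked` over a day of real proxy logs is the cheapest way to find the next Hotmail before users do.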
Re: That's Not Part of Our Testing • 2008-07-31 13:26 • by danixdefcon5

Heh. "Warez" in Spanish is pronounced "WAR-ezz", but Juarez is pronounced "WHO-R-ezz". I use "WARE-z" for Warez, though.

I fondly remember seeing an episode of CSI: Miami where they trace down the villain by his IP address, and then they flash the IP on the screen: 359-dot-something. I laughed and laughed and sent emails about it to all my friends. Who, curiously, did not seem to find an IP of 359-dot-something to be an incredibly hilarious idea. Even when I explained to them why that was an impossible IP. I just don't understand some people, no sense of humor.
Later it occurred to me that perhaps the absurd IP was deliberate, to make sure they didn't use anyone's real IP. Like the way all phone numbers on TV start "555".

The problem with proving things by technical means like logs is that people who don't understand them just ignore you.
Years ago I was working on a project where another organization was supposed to be giving us documents as PDF files, and one of the requirements was that they had to create thumbnails for all the pages. If you're not familiar with Acrobat, this is easy to do: there's a menu pick to do it for the entire document. But they routinely sent us documents with some pages with no thumbnails. They insisted that this must be a bug in Acrobat and there was nothing they could do about it. So I opened several of their PDF files in a hex editor. The nature of PDF is that it includes a sort of history log of all changes made to the document. I was not only able to show that they had modified the document after creating the thumbnails and then failed to re-run the thumbnail creation, but to show exactly what pages were added and the exact date and time they did so. I carefully documented all of this. Their reply was, "No, that's not right. We didn't do that." Period, end of story. My company's management accepted their denial over the documented log files, and treated the whole problem as unsolvable.
Which reminds me -- totally irrelevant to the present discussion but amusing -- this same organization once was seriously behind on a promised delivery date. So rather than, say, work really hard to meet the promised date, they instead put together a lengthy document explaining why it was impossible to live up to their promises, and they sent us a bunch of copies of this document. And then they charged us $7 each in printing costs for this document. So rather than paying any sort of penalty for failing to live up to the terms of a contract, they charged us extra to listen to their excuses.
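The "history log" the poster above read out of a hex editor is PDF's incremental-update mechanism: each save appends the changed objects, a new cross-reference section and a new trailer ending in `%%EOF` after the previous ones, so earlier revisions stay in the file. As an added example (not the poster's method and not any PDF library's code), the script below walks those generations in a constructed byte string and reports, per save, the `/ModDate` recorded in the Info dictionary and which object numbers were defined for the first time or rewritten, which is how "these two pages were added on this date" falls out of the file itself. It is a forensic sketch for the plain, uncompressed layout only: it does not parse cross-reference tables or object streams, and the sample bytes are not a renderable PDF.

```python
"""Reading revision history out of a PDF's incremental updates.  Added example
on a constructed byte string; not a general PDF parser."""
import re

# Constructed bytes imitating a document saved once and then incrementally
# updated twice. Object 2 is the Info dictionary (rewritten on every save),
# object 3 the page tree (rewritten whenever a page is added). Offsets are
# made up and there are no xref tables, so this is not a valid PDF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n"
    b"2 0 obj << /Producer (ExampleTool) /ModDate (D:20080701120000) >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R /Info 2 0 R /Size 4 >>\nstartxref\n100\n%%EOF\n"
    b"4 0 obj << /Type /Page /Parent 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj\n"
    b"2 0 obj << /Producer (ExampleTool) /ModDate (D:20080715093000) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 2 0 R /Prev 100 /Size 5 >>\nstartxref\n300\n%%EOF\n"
    b"5 0 obj << /Type /Page /Parent 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [4 0 R 5 0 R] /Count 2 >> endobj\n"
    b"2 0 obj << /Producer (ExampleTool) /ModDate (D:20080722171500) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 2 0 R /Prev 300 /Size 6 >>\nstartxref\n500\n%%EOF\n"
)

OBJ_RE = re.compile(rb"^(\d+) 0 obj\b", re.M)          # "N 0 obj" at line start
MODDATE_RE = re.compile(rb"/ModDate\s*\(D:(\d{14})")   # D:YYYYMMDDHHmmSS


def update_sections(data):
    """Byte ranges of each generation: everything up to and including each
    %%EOF. Anything after the final %%EOF is ignored."""
    sections, start = [], 0
    while True:
        end = data.find(b"%%EOF", start)
        if end < 0:
            return sections
        end += len(b"%%EOF")
        sections.append(data[start:end])
        start = end


def update_generations(data):
    """Number of times the file was saved (initial write plus each update)."""
    return len(update_sections(data))


def modification_dates(data):
    """/ModDate of every generation, oldest first."""
    return [m.group(1).decode()
            for sec in update_sections(data)
            for m in MODDATE_RE.finditer(sec)]


def objects_per_update(data):
    """For each generation: object numbers defined for the first time, and
    object numbers rewritten. Together they show what each save added or touched."""
    seen, result = set(), []
    for sec in update_sections(data):
        nums = {int(n) for n in OBJ_RE.findall(sec)}
        result.append({"new": sorted(nums - seen), "rewritten": sorted(nums & seen)})
        seen |= nums
    return result


if __name__ == "__main__":
    dates = modification_dates(SAMPLE_PDF)
    for gen, (date, objs) in enumerate(zip(dates, objects_per_update(SAMPLE_PDF))):
        print(f"save {gen}: ModDate {date}, new objects {objs['new']}, "
              f"rewritten {objs['rewritten']}")
```

On the sample this yields three saves; the second and third each add one page object and rewrite the page tree and Info dictionary, with a later `/ModDate` each time, which is exactly the kind of evidence the poster put in front of the other organization. Real files are often linearized or use compressed object streams, where the same history is still present but needs a proper PDF parser to read.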
Re: That's Not Part of Our Testing • 2008-07-31 14:01 • by Pbuttport (unregistered)