Comment On The Frankenserver

"Hey Ryan! Glad I got ahold of you, have a minute to lend a hand?" spoke a surprisingly jovial voice on the other end on the NOC’s emergency support "bat phone". It was the company's email admin, Jeff.

Re: The Frankenserver

2012-11-01 14:32 • by shepd (unregistered)
I know of no country on the planet apart from Best Korea where a private company can't build themselves a gaming server if they want to. They don't even need to use junk. They can *gasp* use the customer's used-to-be-own money to buy brand new high end parts (after they have provided the customer with the requested service/product, of course).

Sure, it eats into profits (although in this case very little profit, just electricity/bandwidth since the employees aren't doing anything with their time), so if your only motivation in life is money, perhaps somewhere else might make more sense for you.

Re: The Frankenserver

2012-11-01 14:42 • by n_slash_a (unregistered)
394010 in reply to 393983
OldCoder:
Sebastian Buchanan:
Sorry but just because everyone else is in on it doesn't make it right. I would have immediately started looking for another job as well as perhaps making an anonymous tip-off to the police.

That aside, how did he know it was Jeff on the other-end of the phone? It could have been a hacker impersonating Jeff and getting him to identify where the servers were so that he could create a backdoor into the building.

It has all the elements of social engineering:
-out of the blue call
-someone identifying themselves as an employee who just needs a quick favor
-jovial
-strange request from wrong person
-person doesn't seem to know their way round the server room
-strange box hidden away

Sorry but he should have at the very least demanded the request be sent in email (if he really is the email administrator that shouldn't be a problem), NOT over the phone. Phones are what hackers mainly use. The email would need proper authorization through digital signing to make sure it was the actual email administrator. Of course I would have been tempted to demand the admin come round in person (with security pass) for such an odd request.

Note that if the request is fairly ordinary and common there is no problem, it's only odd requests like the above.


Not at all. The caller knew where the rack was, knew what the server was called, knew how to guide Ryan to the rack. He obviously knew all about the box.

Now, he might have been a disgruntled former employee, I grant you that...

I disagree, most large companies (like the one in the article) have a global database you can use to look up employees' phone numbers, email, etc... If Ryan was unsure of the caller he could have just looked him up. However, the article seemed to imply that Ryan knew Jeff. Or possibly that the "emergency phone" wasn't connected to the outside world.

That being said, one should always be alert for the type of criminal activity you are describing.

Re: The Frankenserver

2012-11-01 14:49 • by chubertdev
394011 in reply to 394000
F:
Sebastian Buchanan:

...
Telling the police that some mystery man called you up and told you to activate the bobm is not going to sound very convincing.


Even if you can pronounce it.


someone set us up the bobm

Re: The Frankenserver

2012-11-01 15:22 • by Jason (unregistered)
Just because the top slot is labelled "1" doesn't mean it's filled first. The rack can still be filled bottom up; the frankenserver had to be at the top, however, because it was being hidden by the false frontage of the cooling unit that is at the top.

Re: The Frankenserver

2012-11-01 15:25 • by PedanticCurmudgeon
394016 in reply to 394011
chubertdev:
F:
Sebastian Buchanan:

...
Telling the police that some mystery man called you up and told you to activate the bobm is not going to sound very convincing.


Even if you can pronounce it.


someone set us up the bobm
all your baes are belong to us

Re: The Frankenserver

2012-11-01 17:01 • by Michael (unregistered)
Nothing seems to have changed over the years. I used to work in Investment Banking IT over 12 years ago and one day I followed one of the infrastructure guys into the engine room. I spotted a rack with a label on it saying "Big 1". I asked what machine that is and my colleague replied "Oh, don't tell anyone, this is where we have the mp3-collection.". The perks of the infrastructure department: massive pipe and control over the firewalls. Those were the days.

Re: The Frankenserver

2012-11-01 17:27 • by anon (unregistered)
394019 in reply to 393972
anonymous:
TRWTF is that the submitter's company refers to rack position 1 as "row 1". Don't they have multiple rows of racks?

TRRWTF is that the submitter's company calls the top position of the rack position 1. Don't they load the rack from the bottom up?


That was probably all made up by the anonymization. The gist is "there was a weird server where it wasn't supposed to be."

Re: The Frankenserver

2012-11-01 18:47 • by Swampcritter (unregistered)
Reminds me of the days working at a FedEx data center.

Nearly 1,500 Solaris SunFire servers and this one little 'Linux' server who was running inside the shell of one. Contained on this box was one QuakeWorld Team Fortress (MEGA-TF) environment with hundreds of maps. All of the SAs, managers, network and development teams, at different FedEx sites would engage in a huge PvP war and it was up to the NOC team members to keep an eye on the box to make sure all was well.

I miss those days.

Re: The Frankenserver

2012-11-01 22:43 • by Bad guy (unregistered)
I remember that when we left one of my previous companies, we had a server named "Warcraft".

No, that's not a game server... It's a standby-production one that holds all kinds of important functions like secondary email server, secondary fax server, secondary web server that would be automatically failed over to when the main one is defunct.

Dunno if there would be clueless staff who dump it because of that name... after all the whole IT team left in one go and we just left some paper documents and we have no way to know whether the newcomers have spent time to read them.

Re: The Frankenserver

2012-11-02 01:11 • by Gibbon1 (unregistered)
394025 in reply to 393965
Wyte:
Makes me feel good about our company's testing rack that has a server clearly labeled "Minecraft" on the front.


Well that's one way to make sure the monkeys leave the automated build server alone.

Re: The Frankenserver

2012-11-02 04:47 • by ysth (unregistered)
394027 in reply to 393992
PedanticCurmudgeon:
Your not too bright, are you?

His not too bright *what*?

Re: The Frankenserver

2012-11-02 05:03 • by dkf
394028 in reply to 393995
Anonymous Bob:
You take the pension... I'll take my 401k.
Actually, it'll be Wall Street that takes both of them. Watch and see…

Re: The Frankenserver

2012-11-02 07:01 • by Nagesh
394035 in reply to 393992
PedanticCurmudgeon:
Sebastian Buchanan:
If someone WAS being an abusive troll to me I would just ignore them.
I find that highly unlikely. Your not too bright, are you?


You're! Even bad English speaker like Nagesh know this.

Re: The Frankenserver

2012-11-02 11:04 • by DWalker59
I'm glad he found his notebook and pen unmuted.

Re: The Frankenserver

2012-11-02 13:49 • by jay (unregistered)
So some employees took some obsolete spare parts and assembled a computer from them, which they then use to play computer games from home.

As ethically questionable actions go, this seems pretty low on the list. The parts would presumably have been thrown away anyway, so it's not like they're stealing something that the company wanted to keep. Indeed, they haven't removed the parts from the building, so if there was a need for them for some actual company work, they could just dismantle the game machine to pull the parts. If they're accessing it from home, that's presumably non-work hours. So where's the ethical violation? That they took up a few cubic feet in the server room for their game machine? I guess they're using some bandwidth, maybe that ends up costing the company something.

I'd put this on the same level as, "Two employees spent 20 minutes chatting about sports instead of working" or "Employee used company-owned pen and piece of paper from company-owned notepad to make a shopping list".

If my boss happens to read this, let me emphasize that I am speaking purely hypothetically here. Personally, I would never dream of taking a company-paid-for paper clip home, or of spending working time reading thedailywtf.com.

Re: The Frankenserver

2012-11-02 14:06 • by jay (unregistered)
394071 in reply to 393982
Sebastian Buchanan:
Sorry but just because everyone else is in on it doesn't make it right. I would have immediately started looking for another job as well as perhaps making an anonymous tip-off to the police.

That aside, how did he know it was Jeff on the other-end of the phone? It could have been a hacker impersonating Jeff and getting him to identify where the servers were so that he could create a backdoor into the building.

It has all the elements of social engineering:
-out of the blue call
-someone identifying themselves as an employee who just needs a quick favor
-jovial
-strange request from wrong person
-person doesn't seem to know their way round the server room
-strange box hidden away

Sorry but he should have at the very least demanded the request be sent in email (if he really is the email administrator that shouldn't be a problem), NOT over the phone. Phones are what hackers mainly use. The email would need proper authorization through digital signing to make sure it was the actual email administrator. Of course I would have been tempted to demand the admin come round in person (with security pass) for such an odd request.

Note that if the request is fairly ordinary and common there is no problem, it's only odd requests like the above.


Well, you're assuming that he didn't recognize the caller's voice. Or, I suppose, that voices over the phone are distorted enough that someone could be impersonating a known employee.

But even assuming he was in a proper security mindset and was suspicious, how would it help a hacker for him to reboot a server? I can certainly see being suspicious of requests that could readily lead to a crime. Like, if someone calls and says he forgot his password and please reset his password and tell him the new value, I'd be very cautious about complying with such a request even if I thought I recognized the person's voice. Or if someone asked me to take a piece of valuable equipment outside and meet him in the parking lot with it so he can take it home, I'd be reluctant to do that unless there was some established company practice for borrowing equipment, etc.

I suppose anything odd COULD be part of a crime. But anything routine-sounding could be part of a crime, too. Indeed, if I was going to steal from my employer or vandalize company property for some reason, I would think I'd go to a little effort to make everything look routine, precisely so that I did not attract attention.

For that matter, if you do something calmly and confidently enough, few people would be suspicious. I recall once I was banging away on my computer as usual when a stranger walked up and told me that the company was upgrading all the computers. So he loaded a number of our computers on a cart and wheeled them out. My only question at the time was what I was supposed to do about the data on my hard drive, to which he replied that they would be copying everything on our hard drives to the new computers. After he left it occurred to me: How do I know this guy actually works here and that he isn't a thief who just stole half a dozen computers, and we all helped load them on a cart so he could carry them out! Of course he came back an hour or so later with the new computers, it was all legit. But why did we just take that for granted?

Re: The Frankenserver

2012-11-02 15:37 • by Dann of Thursday (unregistered)
394076 in reply to 393991
Sebastian Buchanan:
PedanticCurmudgeon:
Sebastian Buchanan:
pathetic troll attempt
1/10. Would not flame even with someone else's keyboard.


Wow why don't you just make up what I said? Oh wait, you did. I never said the words you attribute to me and never would. As a rule I don't insult and name-call. Therefore I would never utter the phrase "pathetic troll attempt" even if it fit. If someone WAS being an abusive troll to me I would just ignore them.



This is the funniest troll I have ever read, no lie. It almost got me for a second. It's just so delightfully meta!

Re: The Frankenserver

2012-11-03 11:48 • by F (unregistered)
394087 in reply to 394071
jay:
Sebastian Buchanan:

[...]
It has all the elements of social engineering:
-out of the blue call
-someone identifying themselves as an employee who just needs a quick favor
-jovial
-strange request from wrong person
-person doesn't seem to know their way round the server room
-strange box hidden away
[...]


Well, you're assuming that he didn't recognize the caller's voice. Or, I suppose, that voices over the phone are distorted enough that someone could be impersonating a known employee.

But even assuming he was in a proper security mindset and was suspicious, how would it help a hacker for him to reboot a server?
[...]


Social engineering requires taking account of the possibility that you won't succeed at first try. If your initial request is, say, to have the admin password reset, then a failed attempt gives the whole game away. So ask for something else first, and when that request is granted you know you've got your victim hooked.

Rebooting the server is the first request. His willingness to do it shows he believes the hacker's false identity. The hacker, having successfully requested a more significant task, can then go on to request an apparently less significant one - such as resetting his "forgotten" password.

Re: The Frankenserver

2012-11-04 11:07 • by DavidTC (unregistered)
394090 in reply to 394087
Rebooting the server is the first request. His willingness to do it shows he believes the hacker's false identity. The hacker, having successfully requested a more significant task, can then go on to request an apparently less significant one - such as resetting his "forgotten" password.

First, you will notice reading the story that Jeff did not 'identify himself as an employee'. He didn't identify himself at all, so presumably, it was someone that Ryan identified from voice, and thus presumably was someone calling that he worked with all the time. So pretending that this could have been some hacker calling up is absurd...Ryan knew damn well who it was.

Second, Ryan was the graveyard shift in charge of the server room, which meant rebooting servers was his job. This wasn't someone calling up asking for something outside of Ryan's scope, or some request to do something weird...Ryan is _supposed_ to sit there and take 'out of the blue' calls (from recognized people) to reboot servers that have fallen over.

Now, he'd been asked to reboot a server that did not, apparently, officially exist, and was well hidden. Which was very odd, but it was a server in the server room, and thus entirely under the scope of his job.

The only caveat is the _email_ guy is asking him to reboot a server that, as far as he knows, isn't an email server. Of course, it could _be_ an email server, he has no idea. He _does_ know it can't be one of the critical servers.

At this point, Ryan _either_ has some crazy conspiracy theory that requires some very important server being hidden physically and documentation-wise, which rebooting will somehow break, and the trusted email admin is actively attacking the company with his unwitting help, leaving a very obvious trail back to the email admin (As opposed to him walking into the server room and breaking CORPSRV1818 secretly, or just sabotaging, duh, the _email_.)...or there's simply some random unimportant server in a very odd place that Ryan doesn't know about which has stopped working.(1) One of those is only the choice of people with paranoid delusions.

1) Which doesn't mean he shouldn't attempt to figure out what the server is for afterwards...perhaps Jeff is running some sort of illegal server and someone should be informed. It's just that it obviously isn't any sort of social engineering, and the mere act of rebooting it will not harm anything, _and_ is within the scope of Ryan's job. (After all, if it was a mission critical server that should not be rebooted, it should be _documented_.) So he was entirely correct to say 'Uh, what was it I just rebooted?' and worry about whether or not this was authorized until he learned that, apparently, it was 'unauthorized' via the very top levels of the company. (Which, yes, is stupid, but that is unrelated to any worries about a social engineering attack.)

Re: The Frankenserver

2012-11-04 18:00 • by Bill C. (unregistered)
No wonder their pathetic attempts at social engineering fall down flat. When real social engineers see a mail server they use a femail client. And vice versa.

Re: The Frankenserver

2012-11-04 22:04 • by Rex (unregistered)
Reminds me of the time my team upgraded a certain nation's Air Defense operations centre many, many years ago. It was the first time their system had an intranet (instead of point-to-point async connections), several days before commissioning and 'go-live' we found that the techs had installed Wolfenstein and were running it during the nightshift. Needless to say, that got deleted fairly quickly!

Re: The Frankenserver

2012-11-05 12:31 • by Richard (unregistered)
394171 in reply to 393972
TRRRWTF is that they called it position _1_. By any decent indexing system, it should be _0_.

Re: The Frankenserver

2012-11-05 19:10 • by Anonymous (unregistered)
Haha, we call ours the "collaboration server".

Re: The Frankenserver

2012-11-08 13:28 • by bob nelson (unregistered)
394521 in reply to 394021
mmmm... quake
while we did always have netquake and qw servers at my jobs in the past, my favorite was the public facing qw server we had running at my high school.

Re: The Frankenserver

2013-01-25 16:43 • by That guy (unregistered)
400043 in reply to 393972
He says in Rack N, row 1.