Comment On The Fully Automated Manual System

Alex Papadimoulis:

The reports
would then be entered, line by line, into the direct deposit vendor's
web application by any one of the six data entry clerks hired for this
process.

Who
are obviously much more trustworthy than the developers commissioned
for the project.  Why is it that the developer is always the
security risk, but the minimum wage temp is no threat to sensitive
information??

Wow this sounds painfully familiar... except that the excuse wasnt security in my case: it was because "we want people to feel needed".

Anonymous:

Wow this sounds painfully familiar... except that the excuse wasnt security in my case: it was because "we want people to feel needed".

 To feel needed?  In a really boring job typing in numbers?  Unbelievable... everyone I know says that's gotta be the most boring job ever.
 

"We apologize, but the fully automated payroll system will not be operational today. All of our data clerks have called in sick."

Ah, yes.  Another good old case of people thinking they know better than everyone else about everything.

And just to get this out of the way so nobody else in the thread feels like they have to:

OMG DO U THINK THE CTO'S NAME WAS PAULA?!?!??1/1/1/eleven

I was ready to say that payroll is a nightmare that you shouldn't consider doing in-house - mainly due to the ever-changing specifications (tax, social security etc) imposed by government - but that turned out not to be the problem.

Yep, I reckon you could run another DailyWTF site just with security issues. What is it that makes otherwise sensible people (I've met a few) shut down their brains when it comes to security issues?

Obviously, they need to send 5000 copies of each fax, to ensure it gets entered correctly.

 

(Captcha: "stfu".  Yeah, I probably should have.) 

And that, my friends, is why the CTO makes the big bucks.  I mean without him we might have computers running amok, accessing bank accounts, depositing money.  The programmers would probably be skimming money off the top with the rounding or some such thing.

 Typos causing wrong amounts to be paid here and there we can deal with, I mean it's just money, but getting that human element out of the picture is unacceptable.
 

(A side WTF, while writing this I hit the backspace key and it did the 'back button' action, but when I went back forward everything seemed to work fine.  arrrg)

The article title is a bit misleading.  It sounds like they at least managed to implement something like a 90 percent automatic system, which was still a major improvement over the fully manual system.

 

Why don't they just quietly re-add the VPN link to the vendor, keep faxing the reports to keep up appearances, and pay the data entry clerks to look busy and help keep the CTO in the dark?  (Data entry clerks are relatively cheap.)

 

At times like this I wonder if security should really be a public matter.......

Pap:

Maybe the CTO recently watched Superman III.

: D

 He saw while he was learning VB4.
 

Alex Papadimoulis:

A quick trip to his office would show his latest pride and joy: a Microsoft-Certified Visual Basic 4.0 Expert certificate from a little more than a decade ago.

First sign of an incompetent nincompoop. These are the folks who pride themselves in certs, awards, cutlery and other crap of no tangible value. They're good at having lunches and jumping on stages.
 

Captcha: stfu [WSCaptcha is resonant with my bullshit meter]

CTO = Chief Training Officer

They should be shot on sight and left in the aisle with their suggestions and "real world" scenarios.

Another beyooootiful idea is to automate something like this and then only allow manual inputs....

Anonymous:

Alex Papadimoulis:

The reports
would then be entered, line by line, into the direct deposit vendor's
web application by any one of the six data entry clerks hired for this
process.

Who
are obviously much more trustworthy than the developers commissioned
for the project.  Why is it that the developer is always the
security risk, but the minimum wage temp is no threat to sensitive
information??

 Not to mention that fax is suddenly more secure than VPN.  Wonder if digits ever get transposed while entering the phone number they're faxing too....
 

Anonymous:

Alex Papadimoulis:

The reports
would then be entered, line by line, into the direct deposit vendor's
web application by any one of the six data entry clerks hired for this
process.

Who
are obviously much more trustworthy than the developers commissioned
for the project.  Why is it that the developer is always the
security risk, but the minimum wage temp is no threat to sensitive
information??

Um, because developers -are- in fact more dangerous, because of the skills and knowledge we have?  At one of my current clients, a fortune 50 company whose commercials you would recognize in an instant, I have implemented a back door mailout system to get files I need for the work we do for them, because the operational hurdles that they impose with their security procedures have prevented us from getting what we need - a mail account so that I can send and recieve files while I am working on the system.  They won't do this, but they leave an internal security hole open big enough to drive a truck through.  Their departmental mail server has an open relay on it, which works just fine for my needs (it's behind the firewall, so this isn't visible to the world, but if any PC in the building gets botted, this server is toast. 

If I were malicious, I could really cause some harm. It would be a rare data clerk would ever pose the hazard that I do, because they don't have the knowledge to exploit a system weakness. 

 

Anonymous:

Yep, I reckon you could run another DailyWTF site just with security issues. What is it that makes otherwise sensible people (I've met a few) shut down their brains when it comes to security issues?

That reminds me of one of my favorite anecdotes from Rinkworks' Computer Stupidities site (paraphrased):

Customer: "I lost the password to this very important secured document."
IT Guy: "I can probably get around that for you.  Can you e-mail it to me?"
Customer: "No, it's very secure so I won't even keep the file on the server, much less e-mail it around.  I keep it on a floppy."
IT Guy: "It would be much safer on the server than on a floppy.  Floppies corrupt easily and on the server it would be backed up."
Customer: "I don't WANT it backed up, it's so confidential that for legal reasons I don't want any copies.  Come down to my office to get past the password, there will be a security guard here to watch you."

It turned out that the guy had the password written on a Post-It sticky note attached to the floppy disk that had fallen off and gotten lost.  He didn't even have it memorized.

Alex Papadimoulis:

The reports would then be entered,
line by line, into the direct deposit vendor's web application by any
one of the six data entry clerks hired for this process.

 

Scribes are the way of the future! Maybe you should join us in the 14th century.

This is not unlike the story written in one of the Dilbert books when the company purchased laptops for the employees, but fearing of theft they decided to attach them to the desks permanently with a chain.

Anonymous:

Anonymous:

Alex Papadimoulis:

The reports
would then be entered, line by line, into the direct deposit vendor's
web application by any one of the six data entry clerks hired for this
process.

Who
are obviously much more trustworthy than the developers commissioned
for the project.  Why is it that the developer is always the
security risk, but the minimum wage temp is no threat to sensitive
information??

Um, because developers -are- in fact more dangerous, because of the skills and knowledge we have?  At one of my current clients, a fortune 50 company whose commercials you would recognize in an instant, I have implemented a back door mailout system to get files I need for the work we do for them, because the operational hurdles that they impose with their security procedures have prevented us from getting what we need - a mail account so that I can send and recieve files while I am working on the system.  They won't do this, but they leave an internal security hole open big enough to drive a truck through.  Their departmental mail server has an open relay on it, which works just fine for my needs (it's behind the firewall, so this isn't visible to the world, but if any PC in the building gets botted, this server is toast. 

If I were malicious, I could really cause some harm. It would be a rare data clerk would ever pose the hazard that I do, because they don't have the knowledge to exploit a system weakness. 

They probably couldn't write a program to do it, but they could make a large withdrawal with the information on a direct deposit report.

I worked on a similar system about 15 years ago. The mainframe folks were threatened by these new PC thingys, so our system couldn't replace any of the mainframe functionality. The end result of our VB + SQL Server client-server system was 80 column records in a flat text file that had to be entered into the mainframe.

The really funny thing is that when Month End comes around, we have to project our billable time ahead several hours (usually at least 4, sometimes 12) so we can get the faxes out to billing so that they can have time to enter them in.  Nevermind the fact that I touch anywhere from 4-10 projects a day...and the minute those things get faxed, they're wrong.  We probably over and under bill clients at month-end.

TB3:

I worked on a similar system about 15 years ago. [ .... ]. The end result of our VB + SQL Server client-server system was 80 column records in a flat text file that had to be entered into the mainframe.

Anonymous:

Anonymous:

Alex Papadimoulis:

The reports
would then be entered, line by line, into the direct deposit vendor's
web application by any one of the six data entry clerks hired for this
process.

Who
are obviously much more trustworthy than the developers commissioned
for the project.  Why is it that the developer is always the
security risk, but the minimum wage temp is no threat to sensitive
information??

Um, because developers -are- in fact more dangerous, because of the skills and knowledge we have?  At one of my current clients, a fortune 50 company whose commercials you would recognize in an instant, I have implemented a back door mailout system to get files I need for the work we do for them, because the operational hurdles that they impose with their security procedures have prevented us from getting what we need - a mail account so that I can send and recieve files while I am working on the system.  They won't do this, but they leave an internal security hole open big enough to drive a truck through.  Their departmental mail server has an open relay on it, which works just fine for my needs (it's behind the firewall, so this isn't visible to the world, but if any PC in the building gets botted, this server is toast. 

If I were malicious, I could really cause some harm. It would be a rare data clerk would ever pose the hazard that I do, because they don't have the knowledge to exploit a system weakness. 
 

It depends on what kind of danger you fear of. If it's about deliberate destruction or theft, then yes, developers are a great risk. So are DBAs and syadmins. That's why you generally want to keep them happy and avoid those who are obviously greedy or short-tempered.

On the other hand, management is much more dangerous. They tipically use their office laptops at home, use Windows but have no time for installing the latest patches, have little or no technical knowledge, have access for many systems, sometimes visit strange websites (nudge-nudge) and say things like "I want to read my emails at home but VPN is too complicated for me". They're the ideal source of worms and viruses at a company.

 
(What if I send a spoofed fax to the data input clerks. Do they always check the sender?)
 

But see. because of our knowledge we will *always* be dangerous. Your story shows that even when "proper" security is implemented the smart developers will get around it. So, if they are dangerous they will be, regardless of crap. You're better off just trusting them and going with what's best.

** Martin 

Anonymous:

Anonymous:

Alex Papadimoulis:

The reports would then be entered, line by line, into the direct deposit vendor's web application by any one of the six data entry clerks hired for this process.

Who are obviously much more trustworthy than the developers commissioned for the project.  Why is it that the developer is always the security risk, but the minimum wage temp is no threat to sensitive information??

 Not to mention that fax is suddenly more secure than VPN.  Wonder if digits ever get transposed while entering the phone number they're faxing too....
 

No problem.

Whenever I have a fax to send that is of a "highly sensitive nature", I fold the paper before inserting in to the fax machine.   That way, if the transmission gets intercepted it cannot be read.  Afterall, there is no way to electronically UNFOLD a fax!

 

rmg66:

When did SQL Server come out?

1988, made for OS/2 and developed jointly by MS and Sybase

There was an NT version in 1993, but the major rewrite was for SQL Server 6.0 in 1995.

 -cw

 

Anonymous:

Customer: "I lost the password to this very important secured document."
IT Guy: "I can probably get around that for you.  Can you e-mail it to me?"
Customer: "No, it's very secure so I won't even keep the file on the server, much less e-mail it around.  I keep it on a floppy."
IT Guy: "It would be much safer on the server than on a floppy.  Floppies corrupt easily and on the server it would be backed up."
Customer: "I don't WANT it backed up, it's so confidential that for legal reasons I don't want any copies.  Come down to my office to get past the password, there will be a security guard here to watch you."

It turned out that the guy had the password written on a Post-It sticky note attached to the floppy disk that had fallen off and gotten lost.  He didn't even have it memorized.

Arrrgh my eyes, it burns !

biziclop:

(What if I send a spoofed fax to the data input clerks. Do they always check the sender?) 

Reminds me of what happened at my (Fortune 500) company. We have some data entry clerks who need to actually contact each of our vendors (some of which we no longer even do business with) and verify/obtain information on where we send purchase orders and payments, as well as information like their Federal Tax ID (TIN/SSN), which appears at the top of W-9s. I don't know what we use their Tax ID for, but it's supposed to be public.

Well, yesterday, one of the clerks said the person she spoke with refused to give out any of this information on the phone because it was "privileged information" (it's not... we want to know where to send our money to) and that it was only given to verified trusted parties.  So our clerk sent them a fax with a pre-made form requesting the same information be faxed back, then called to follow up on it.  The person replied "I don't give out that information to unverified individuals who fax it to me."  So our clerk replies back, "Unverified? But I faxed it using our official [company_name] letterhead!"

Back in the early 90's I wrote an integrated Payroll/ HR application
using Clipper on DOS!  Actually received a US patent (Well the
company I worked for did) on a software process within the application.
(Pretty BS but I didn't have to pay for it).  Once everything is
running, you have any 2 really busy times of the year.  At year
end when all the tax law changes for federal and all the states happen
and the start of the new year for reporting and W-2 generation.

I haven't work for that company for 6 years but I heard they just moved to a outside provider last year.

You will never know pressure until you have printed 600 United Steel Workers check wrong and lived to tell the tail!!!

 

 

Developers would have so fewer nightmares if they'd only grow a spine (or learn to back things up with facts).

Sounds like one of my current clients.

I wrote an automated system to transfer amounts to the client to be deducted from employee's paychecks. Each pay cycle, they receive a file and were supposed to deduct the specified amount. Three months into using the system and we finally figured out why the deductions were not matching what the employees expected: The client was manually keying in the deductions, which they found laborious, so they just set the deduction amount to be the same each pay cycle and were ignoring the files we were sending.

I believe this happens more often the people think.  At my old company which advertised itself as an "Technology Leader" in the industry had an automated ordering system for their clients.  What really happened after a client ordered something from the company, is that a sales rep would get the printed forms that was the order.  Then they walk it down to the Ordering Department so the order dept. reps can input it the whole order by hand. 

 As far as I know, they are still doing that today. 
 

Anonymous:

Alex Papadimoulis:

The reports would then be entered, line by line, into the direct deposit vendor's web application by any one of the six data entry clerks hired for this process.

Who are obviously much more trustworthy than the developers commissioned for the project.  Why is it that the developer is always the security risk, but the minimum wage temp is no threat to sensitive information??

I guess you're hoping the minimum wage temp is too stupid to  know how to use such valuable information :-P

biziclop:

(What if I send a spoofed fax to the data input clerks. Do they always check the sender?)

I'm sure it looks just like the incoming orders scene in Red October every time a fax comes in.

 I CONCUR SIR!
 

Anonymous:

I believe this happens more often the people think.  At my old company which advertised itself as an "Technology Leader" in the industry had an automated ordering system for their clients.  What really happened after a client ordered something from the company, is that a sales rep would get the printed forms that was the order.  Then they walk it down to the Ordering Department so the order dept. reps can input it the whole order by hand. 

 As far as I know, they are still doing that today. 
 

I know a better one. Imagine a company with over one million customers. Imagine a web-based order form, 4 pages long, they ask for everything except your shoe size.Then your data is stored in a database and a contract is printed and sent to you via snail mail, so you can sign it. It's almost sensible until this point.

 
But only your name and address is present on the printed contract, you have to fill out the rest again and send it back, where the clerks type it into another database and tada.wav. When I asked them why this braindead process, I got the reply:it's some legal issue. However, nobody seemed to know what kind of law forbids printing a normal contract, but everybody was pretty sure there has to be a law for it.

Pap:

Well, yesterday, one of the clerks said the person she spoke with refused to give out any of this information on the phone because it was "privileged information" (it's not... we want to know where to send our money to) and that it was only given to verified trusted parties.  So our clerk sent them a fax with a pre-made form requesting the same information be faxed back, then called to follow up on it.  The person replied "I don't give out that information to unverified individuals who fax it to me."  So our clerk replies back, "Unverified? But I faxed it using our official [company_name] letterhead!"

<off-topic rant>The German justice minister has introduced a bill that will threaten anyone who writes or even just obtains "hacker tools" with a jail sentence. Ostensibly, and given the general total and utter incompetence of our justice minister, this will include stuff like network sniffers. Writers of anti-virus software could go to jail for "obtaining" malware through honey-pots. Admins could go to jail for merely downloading a Linux live CD that contains a network sniffer, let alone using the sniffer to help harden the company network. On the other hand, since German laws are utterly meaningless to about 98.6% of the world population, the law will do exactly zilch to stop a malicious hacker in let's say China or Pakistan from using the same network sniffer to find an exploitable hole in a German company network.</off-topic rant>

Anyway, what I wanted to say is that in order to understand security, you have to have the ability to think like a potential intruder. You have to know your enemy to an extent. I'm not saying that you have to have broken into a system, cracked a license key or whatever, but you should be aware of as many potential ways to attack security as possible. So there is an extensive amount of "dual use" knowledge. In this case, if your clerk had spent just a tiny weenie amount of imagination on potential ways to break her "authentication by letterhead" approach, she would have immediately recognised that any f*cking loser who has ever come to possess a piece of paper with that letterhead on it (and be it by pulling it out of a recycling bin) can easily copy the letterhead and cause all sorts of fake stuff to be taken for real. By discouraging or even penalizing any kind of activity, software or thought process (Orwell anyone?) that could be used in illegitimate ways, you are thus making it increasingly easy for the bad guys to bypass your insufficiently scrutinized security measures. And that's one reason why our justice minister is a retarded dolt.

Anonymous:

Alex Papadimoulis:

A quick trip to his office would show his latest pride and joy: a Microsoft-Certified Visual Basic 4.0 Expert certificate from a little more than a decade ago.

First sign of an incompetent nincompoop. These are the folks who pride themselves in certs, awards, cutlery and other crap of no tangible value. They're good at having lunches and jumping on stages.
 

Captcha: stfu [WSCaptcha is resonant with my bullshit meter]

As opposed to all those competent nincompoops?

51 years ago, of course.  He transposed the 1 and the 5.

Gotta love that highly-secure and oh-so-reliable manual data entry.  I got into an argument with my phone company once about an entry on my phone bill, something about an expensive call to Zimbabwe or somewhere equally remote (I'm in Canada).  Of course I've never called Zimbabwe, and I'm pretty sure no one else in my house did either.  After several rounds back and forth, the phone company mentioned in passing that that particular entry on my phone bill was not automatically generated like all the rest, but had been entered by hand.  Yet they refused to contemplate the possibility that an error had occurred during the manual data entry phase.  As far as they were concerned, once it was in the computer, it was 100% reliable, no matter how it got there.  Computers don't lie, you see.

I never did resolve the issue with them, but I didn't pay that part of my bill either, and eventually I moved and just left the argument behind.

 

Big companies often have people with misplaced or personal/political views of security.

On a consulting job, our team needed to occasionally log into a test unix server over an internal network to restart a process or to change parameters.

We requested access using VNC (originally from AT&T).

Initially they denied the access because VNC was considered a third-party (not IBM or Microsoft) application.

However, VNC was already on the approved list and was used on the highly-secure production systems for the same purposes.

Then then said we could not use VNC, but we could have physical access to the test servers in the same room with the production servers - all we needed to do was to ask one of the administrators to use their access cards and codes to let us into the production server room.

We could usually ask an administrator to perform test server changes rather than let one of us into the room - we certainly did not want to go into secure areas in case some intrusion occurred around the time we were in the server room.

Anonymous:

I believe this happens more often the people think.  At my old company which advertised itself as an "Technology Leader" in the industry had an automated ordering system for their clients.  What really happened after a client ordered something from the company, is that a sales rep would get the printed forms that was the order.  Then they walk it down to the Ordering Department so the order dept. reps can input it the whole order by hand. 

 As far as I know, they are still doing that today. 

I have a similar story. At my old company, we dealt with a certain Canadian national police agency that shall remain nameless (although there is only one). When people get arrested or need background checks, they get fingerprinted and the cards are mailed to the agency, where they get queued up for human fingerprint matching experts to process, then the results are mailed back. This process typically takes 6-8 weeks. The government spent millions of taxpayer dollars implementing a system that is supposed to accept fingerprint images electronically, match them against their database, and reply electronically within minutes. After the system when into production, the turnaround time was still 6-8 weeks. Why? As soon as the electronic fingerprints are received by the agency, they print them out on a printer, process them the same way they do for cards that are mailed in, then someone manually constructs the electronic reply.

 For all that money, the vendor only implemented the part of the system that accepts fingerprints electronically and sends the replies. The part that does the fingerprint matching (which is really the most important part) will cost tens of millions of dollars more. It would be funny if my taxes weren't paying for this.

 

Anonymous:

 Not to mention that fax is suddenly more secure than VPN.  Wonder if digits ever get transposed while entering the phone number they're faxing too.... 

This is exactly what happened at a Canadian bank. They were faxing customer's confidential information to a scrapyard in Virginia instead of their internal central fax unit, and this went on for 3 years! Here is a link to the full story.

BrownHornet:

This is exactly what happened at a Canadian bank. They were faxing customer's confidential information to a scrapyard in Virginia instead of their internal central fax unit, and this went on for 3 years! Here is a link to the full story.

That's it.  I'm keeping my life savings under my mattress from now on.

Well, at least it's better than printing out the report, putting it on a wooden table, taking a picture... etc.

Anonymous:

At times like this I wonder if security should really be a public matter.......

I guess it depends whose money it is.

BrownHornet:

I have a similar story. At my old company, we dealt with a certain Canadian national police agency that shall remain nameless (although there is only one). When people get arrested or need background checks, they get fingerprinted and the cards are mailed to the agency, where they get queued up for human fingerprint matching experts to process, then the results are mailed back. This process typically takes 6-8 weeks. The government spent millions of taxpayer dollars implementing a system that is supposed to accept fingerprint images electronically, match them against their database, and reply electronically within minutes. After the system when into production, the turnaround time was still 6-8 weeks. Why? As soon as the electronic fingerprints are received by the agency, they print them out on a printer, process them the same way they do for cards that are mailed in, then someone manually constructs the electronic reply.

 For all that money, the vendor only implemented the part of the system that accepts fingerprints electronically and sends the replies. The part that does the fingerprint matching (which is really the most important part) will cost tens of millions of dollars more. It would be funny if my taxes weren't paying for this.

I hope after the automatic matching is done that the system outputs a set of close matches and a RCMP fingerprint expert selects the final match.

Is there a site for code wtfs?  This is boring.

 

Maybe the CTO was afraid the programmers would realize how useless he was, and hard-code his paycheck at $0.00.

BrownHornet:

...

After the system when into production, the turnaround time was still 6-8 weeks. Why? As soon as the electronic fingerprints are received by the agency, they print them out on a printer, process them the same way they do for cards that are mailed in...

 Please tell me that someone, at one point, puts the printout on a wooden table and takes a picture of it.

BrownHornet:

 For all that money, the vendor only implemented the part of the system that accepts fingerprints electronically and sends the replies. The part that does the fingerprint matching (which is really the most important part) will cost tens of millions of dollars more.

 

Yeah, but that's the really hard part! 

Anonymous:

"We apologize, but the fully automated payroll system will not be operational today. All of our data clerks have called in sick."

 Am I the only one that thinks this is f**king hilarious?!?!?