  • (disco)

    TRWTF is, once again, improper security.

  • (disco)

    Wait, but... there was nobody in the room to hear it!

  • (disco)

    Could be worse?

  • (disco)

    So the WTF is a trivial password shared over insecure channels? That's what I expect to see when I read my mail around here.

  • (disco)

    I so hope that at least the service concerned was not reachable from the open internet…

  • (disco)

    I don't know what he's complaining about. It could have been so much worse. I was expecting:

    Username: dba, password: dba

    But, with a password like that, I don't know why he didn't just post it in TD :wtf:. Oh, wait...

  • (disco)

    That's really non-secure!

    To prevent plaintext password interception by hackers, the proper approach is to write it on a peace of paper, take a photo on a wooden table, attach to email as a jpeg!

  • (disco) in reply to rc4
    rc4:
    TRWTF is, once again, improper security.
    dkf:
    I so hope that at least the service concerned was not reachable from the open internet…

    What is in any way improper here? As anyone knows, child-proof cap means that only children can get access to the contents. @dkf, why would you hope otherwise?

    Edit: Oh, I know. It's so obvious. If the service was reachable from the open Internet, Michael would have had such an obvious way to access the service that he would have been :doing_it_wrong: in a really blatant way.

  • (disco) in reply to martin
    martin:
    To prevent plaintext password interception by hackers, the proper approach is to write it on a peace of paper, take a photo on a wooden table, attach to email as a jpeg!

    You forgot the step where you captcha-fy it before taking the photo. That way it's far more secure.

  • (disco) in reply to PWolff
    PWolff:
    What is in any way improper here? As anyone knows, child-proof cap means that only children can get access to the contents. @dkf, why would you hope otherwise?
    • the overseas branch used simple SQL Server authentication with a constant login and password.
    • Can I get a database username and password for the inventory management application? A few minutes later, the reply arrived.
    • Unencrypted shared text file
    • Username: dba, password: rosebud

    You seriously didn't think there was anything wrong with any of that?

  • (disco) in reply to martin
    martin:
    the proper approach is to write it on a peace of paper

    I guess having world peace might be beneficial for security.

  • (disco) in reply to JBert
    JBert:
    You forgot the step where you captcha-fy it before taking the photo. That way it's far more secure.

    The third panel of http://www.savagechickens.com/2010/11/captcha.html would make it extremely secure if printed on a post-it® notesheet, attached to a wooden table and photographed there.

  • (disco) in reply to LB_
    LB_:
    I guess having world peace might be beneficial for security.

    Agreed. Either having brought peace to the world, or having brought the world to pieces. Although that would be very much the same thing, I ass-u-me.

  • (disco) in reply to CoyneTheDup

    Yeah, the password should have been hunter21

  • (disco) in reply to cellocgw
    cellocgw:
    Yeah, the password should have been ■■■■■■■■

    Ehr, could you type that again? The forum escapes your password if you paste it.

  • (disco) in reply to rc4

    I assumed it was irony.

  • (disco) in reply to Shoreline
    Shoreline:
    I assumed it was irony.

    Here???

  • (disco) in reply to JBert
    JBert:
    The forum escapes your password if you paste it.

    Let me try that… Belgium, Belgium, Belgium, Belgium, Belgium.

    It works!

  • (disco) in reply to dkf
    dkf:
    It works!

    does it?

    ■■■■■■■■■■■■■■■■■■■■■■■■■■■.... BUGGER! I @accalia'd...

    let me try that again

    ■■■■■■■■■■■■ .... no that's my school email password....

    ■■■■■ .... no that's the combination to my luggage...

    ■ ... no that's my PIN

    ■■■■■■■■ ..... no that's my CDCK password

    ■■■■■■■■■■■■■■■ ... no that's IRC

    ■■■■ .... no, that's my other IRC password.

    ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■..... OH! hey! it works!

  • (disco)

    Actually TRWTF is:

    He knew nothing could go wrong.

  • (disco) in reply to accalia

    E_NOREPRO The Forum appears to be hiding EVERY password, regardless of what the password is used for. [image] It even hides them in the raw output as well. They think of everything! [image]

    What if some of my passwords consist of ordinary ■■■■■■■■■■■■■■■■■■■■■■■■? Ev■■■■■■■■ that sentences make ■■■■■■■■■■■■ passwords! This will keep working as long as everybody makes sure to ■■■■■■■■■■■■■■■■■■■■■■■■ine.

  • (disco) in reply to PWolff
    PWolff:
    http://www.savagechickens.com/2010/11/captcha.html

    That looks like Sindarin mixed with English letters. http://gifsec.com/wp-content/uploads/GIF/2014/03/GIF-horrified-Jim-Carrey-Liar-Liar-GIF.gif?gs=a

  • (disco) in reply to RFoxmich
    RFoxmich:
    Actually TRWTF is:

    He knew nothing could go wrong.

    And this is why we think that he's the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting "All gods are bastards".

  • (disco) in reply to accalia
    accalia:
    ■ ... no that's my PIN

    In base-10,000, presumably :stuck_out_tongue:

  • (disco) in reply to RaceProUK
    RaceProUK:
    In base-10,000, presumably :stuck_out_tongue:

    no, standard base 2

  • (disco) in reply to martin

    Even better: send the photo by snail mail!

  • (disco) in reply to slavdude

    Secret stuff via snail mail?! With all those secret agents in the post offices?

  • (disco)

    TRWTF isn't all the horrible security and the clueless admin not knowing about user sessions, but it lies in the username.

    THE BLOODY DBA GAVE HIM THE DBA USER. You know that user has SA rights. Look at the rest of the environment. Now the end user can just create all of their own users and back doors, and probably use that password to connect to other SQL instances in their environment.

    And that my friends, is the real WTF. I would know. I'm an ahole DBA.

  • (disco)

    Is it just me, but:

    A few minutes later, the reply arrived. Expecting just the username and password, Michael was ready to say thanks and get back to fixing his problem ... but the DBA had a different idea.

    Sure, just check the Notepad on the server.

    You mean a text file? Michael responded, somewhat confused.

    Yes, it's open now, just check your screen.

    Michael went through all his open Remote Desktop sessions, but none of them had a single text file open. The only programs running were the ones he'd started himself.

    I don't see it, can you tell me the filename and the directory? He decided to play along. After all, maybe there was some security-related reason why the DBA couldn't send the credentials over IM.

    It's in the Notepad, the DBA responded. Just check it.

    No, it's not! Michael was growing a bit irritated. He took the screenshots of both the database and application servers' desktops and attached them to the message, hoping that would finally convince the DBA he wasn't going crazy.

    After a long while, the DBA finally wrote back. You're on Remote Desktop. That's different. Can you just use TeamViewer?

    What I take from this is that the DBA opened Notepad, typed the username and password and expected Michael to be able to read it over his shoulder, so to speak. The (intended) confusion is "remote desktop". I suspect that Michael was using remote terminal - where you get your own desktop on the machine, rather than Remote Desktop where you share the active desktop. Hence the request to use TeamViewer. In short, the DBA was attempting to do the equivalent of writing on a piece of paper instead of stating it out loud.

    He could have emailed it, he could have sent the file. But I don't think it ever was a file. I quite often use a simple text editor as a simple notepad or, more frequently, "cache" for cut and paste.

    That the username and password were eventually sent via the IM may be a :WTF: That it may have been a live account and not a throw away one could be another. The overriding stressor here is the urgency.

    Which sorta brings around to TRWTF:

    ... After all, he'd rehearsed every step of the process hundreds of times during the last six months...A few minutes of digging around... ...the local applications were configured to use Windows logins to connect to the database, the overseas branch used simple SQL Server authentication ...

    So much for rehearsal and prior planning or a lot of other things for that matter.

  • (disco) in reply to PWolff
    PWolff:
    Secret stuff via snail mail?! With all those secret agents in the post offices?

    Still better than taking your chances with TPC.

  • (disco) in reply to LB_
    LB_:
    Wait, but... there was nobody in the room to hear it!

    There was. And worse than a human - the hostile machines. They're only waiting for the next opportunity to screw you until your head shears off.

    [/wtdwtfmember]

    MRAholeDBA:
    Now the end user can just create all of their own users and back doors, and probably use that password to connect to other SQL instances in their environment.

    [seriously] Which might be the only way to get the next update through, on the other hand. [/seriously][wtdwtfmember]

  • (disco) in reply to loose
    loose:
    Which sorta brings around to TRWTF:

    ... After all, he'd rehearsed every step of the process hundreds of times during the last six months...A few minutes of digging around... ...the local applications were configured to use Windows logins to connect to the database, the overseas branch used simple SQL Server authentication ...

    So much for rehearsal and prior planning or a lot of other things for that matter.

    Who would have thought that different deployments might need different database credentials and/or configuration! They've only had half a year to check that, come on, is obviously teh stoopeed dee-bee admin to blame!

  • (disco) in reply to PWolff
    PWolff:
    screw you until your head shears off.

    Silly @PWolff, human heads don't actually screw on!

  • (disco)

    TRWTF is not one, but two items in the story.

    #1:

    overseas branch

    #2:

    "Can you just use TeamViewer?"

    'nuff said.

  • (disco) in reply to gleemonk

    Heck yes...you send a new password to a user, making sure the request ticket has all the proper authorizations, that you are really sending it to the correct user id, make sure to set Outlook to "encrypt" and "personal", send the email, close the ticket...and then you get a reply back "Thanks for the quick response" in a full-quoted, non-encrypted mail. User has gone home after sending the mail, you have no ticket to work on to quickly re-set the password so you have to assume the account is now compromised and lock it. Love it!

  • (disco) in reply to ExaDBA

    That is why I insist on sending password by SMS only.

  • (disco) in reply to ExaDBA

    This is how we do it:

    ExaDBA:
    Heck yes...you send a new password to a user, making sure the request ticket has all the proper authorizations, that you are really sending it to the correct user id, make sure to set Outlook to "encrypt" and "personal", send the email, close the ticket...and then you get a reply back "Thanks for the quick response" in a full-quoted, non-encrypted mail. User has gone home after sending the mail, you have no ticket to work on to quickly re-set the password so you have to assume the account is now compromised and lock it. Love it! I close the ticket again because it was automatically reopened then I go home too.

    You see there is barely any difference in our procedures.

  • eric bloedow (unregistered)

    Reminds me of a scene in the book "The Cuckoo's Egg": some company gave their "guest" account admin privileges! So username "guest", password "guest" would give anyone total control over their system!
