When Eve was tempted by the serpent and ate from the tree of knowledge, God was furious. In spite of his omniscience, God didn't find out that Eve had screwed up until he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas in shame. Still, it was a failure of security on God's part — the tree was just sitting there, waiting for its fruit to be eaten.
The Adams and Eves of IT (developers, and it's a lot more Adams than Eves) and the Gods (system administrators) still have a relationship like our early ancestors in the gaddah da vidah. But this time the sysadmins are smarter and do their best to verify that you're allowed near the tree (if you're in the Gods or Serpents groups in Active Directory). This analogy is falling apart fast, but on with F. B.'s story!
F. B. worked at a big company that, due to its size, was closely monitored and regulated. It had security requirements, procedure guidelines, and layer upon layer of IT security policies. This is a good thing, too, because there existed one central repository of virtually every nugget of information about the entire company; the Collaboration System (similar to SharePoint).
The administrators did a good job of separating users by job functions. As a developer, F. B. could only see files and lists that were relevant to his work. An accountant's home page would look almost totally different. A sysadmin's screen would show everything.
Well, his curiosity got the best of him, and F. B. decided to peek into the cookie set by the collaboration tool. Strangely, all it held was a plain username in the format "Firstname|Lastname": no session identifier, no signature, nothing the server could use to check that the browser presenting it had actually logged in as that user. So he did what any of us would do: he changed the name in the cookie to an administrator's.
Now that his cookie was set with Armondo A. Administrator's name, he could see everything. All company knowledge was at his fingertips. Accounting data, HR information, payroll, client lists, everything. He could eat that digital apple and know it all. And right after he logged in, he remembered that his activity could be traced via audit trails. F. B. was exposed, and much like Adam and Eve, he immediately worked to cover his ass. F. B. fired off an email to the help desk to alert them about the glaring security hole.
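Here is the cookie scheme from the story next to the smallest fix that would have stopped F. B., as an added example that is not code from the original post or from the company's collaboration system. The user directory, the names, the key handling and the eight-hour lifetime are all assumptions made for the demonstration. The "before" version trusts whatever string the browser sends; the "after" version keeps the same "Firstname|Lastname" claim in the cookie but appends a timestamp and an HMAC-SHA256 tag computed with a key that never leaves the server, so editing the name invalidates the tag.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample directory for the example; the names are placeholders,
# not real accounts from the story's company.
USERS = {
    "F.|B.": "developer",
    "Armondo|Administrator": "admin",
}


# --- The scheme in the story: the cookie is the bare "Firstname|Lastname" ---

def vulnerable_role_for(cookie: str) -> Optional[str]:
    """Authorization derived from a client-controlled string.
    Whoever edits the cookie picks their own role."""
    return USERS.get(cookie)


# --- Hardened: the same claim, but authenticated with an HMAC -------------
# Assumed design (not the real product's fix):
#   cookie = b64(username|issued_at) "." b64(HMAC-SHA256(key, username|issued_at))

SERVER_KEY = secrets.token_bytes(32)   # assumption: generated once, held server-side only
SESSION_TTL = 8 * 3600                 # assumed session lifetime in seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(username: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Called after a successful login; binds the username to a timestamp and a tag."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def role_for(cookie: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> Optional[str]:
    """Returns the role only if the tag verifies and the session has not expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None                      # malformed cookie (e.g. the old bare-username form)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # edited or forged: tag no longer matches payload
    # The username itself contains "|", so split off only the trailing timestamp.
    username, _, issued = payload.decode("utf-8", errors="replace").rpartition("|")
    if not issued.isdigit() or now - int(issued) > SESSION_TTL:
        return None                      # expired, or timestamp is not what we issued
    return USERS.get(username)


def tamper(cookie: str, new_username: str) -> str:
    """What F. B. did, replayed against the hardened cookie: swap the name, keep the tag."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    _, _, issued = _unb64(payload_b64).decode("utf-8", errors="replace").rpartition("|")
    forged_payload = f"{new_username}|{issued}".encode()
    return f"{_b64(forged_payload)}.{tag_b64}"


if __name__ == "__main__":
    print(vulnerable_role_for("Armondo|Administrator"))        # admin: anyone can type this
    cookie = issue_cookie("F.|B.")
    print(role_for(cookie))                                    # developer
    print(role_for(tamper(cookie, "Armondo|Administrator")))   # None: tag check fails
```

The tag check uses hmac.compare_digest rather than == so that a forger cannot learn the correct tag byte by byte from response timing. A signed cookie still cannot be revoked before it expires; a product that needs logout or forced revocation should instead put a random, opaque session identifier in the cookie and keep the username on the server, looked up per request.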
Furious, Herbert from the help desk responded with "Hacking internal web sites is not permitted." (Who knew, right?) He continued, "This is grounds for termination, and I'll be speaking with management about this." The help desk guy did all but print the email out, attach it to a brick, and lob it into F. B.'s cubicle.
F. B. didn't know what to do; he could try to get to management first and explain the issue more fully or sit tight and wait to see how management responded. After all, Herbert Helpdesk probably emailed management already.
As it turned out, Herbert had emailed management and recommended that F. B. be terminated, or, if possible, executed. So F. B. was naturally nervous when he saw an email from the CIO appear in his inbox.
Thank you for finding and reporting this. This was a VERY serious security hole, especially considering that we have visitors on our intranet regularly. We've now fixed the issue.
It appears God was smiling on F. B. that day.