Admin
I have about 20 years of experience, so let me put this clearly: you will NEVER convince me to use an MS OS as a server.
I have a Linux server with an uptime of 3.5 years, so obviously it's not getting kernel patches. The thing is in a data center accessible from the internet and doing its job non-stop 24/7 without anything in front of it to protect it. The logs show multiple attempts at hacking it, but no success yet.
Of course there have been security exploits on Linux and other Unixes, but the damage that can be done is nowhere near what happens when Windows is exploited. And the number of bugs affecting Windows that permit a REMOTE UNAUTHENTICATED user to gain ADMIN rights is just unbelievable!
MS built a house with cardboard and then tries to put steel bars in the windows.
Come back when you have enough experience using something other than your toy OS.
Admin
Wait, what?!
So Adam's crew were the ladies who ran the front office in the server room?
Admin
See, the boss lives in a fantasy land and only pays attention to what's in front of his eyes. If the problem is "people hacking the server" and the only person the boss sees hacking the server is you, the boss assumes you are the problem.
If you don't try to get approval for fixing the problem, or you do but get ignored, the boss will probably fire you anyway the instant anything bad enough happens, because it was your responsibility to get it fixed. Even if the boss was the obstacle.
Your best bet is to give a clear report on the situation and risks, without performing some kind of live demonstration, to an authorized superior who is not the almighty boss, and then to get them to put it in writing and sign it when they say this doesn't need fixing, preferably somewhere on your report. Try to make sure you have demonstrated initiative and that it was superiors who blocked your way. This way, with any luck, when shit hits the fan, someone else gets to be the fall guy.
Admin
Sure, you know that now. Would you know that on your first gig out of helldesk?
Admin
TRWTF is the commented-out bit marked "had to cut this for reasons of space..."
1: It's the internet, dude, you can use as much space as you like.
b) Commenting the text out doesn't actually help "cut space" in terms of bandwidth, it just wastes it.
iii/ If the reader's attention is the key metric that you're trying to preserve, you should maybe try editing the story until it's comprehensible and then start worrying about its length. Readers tend to have more attention for stories they don't have to translate into a human-readable form.
• There is no point D.
Admin
ctrl-f undecidedly
Was not disappointed
Admin
I ran into this behavior, around 1999-2000: I ran an anonymous FTP (upload only) for good reasons. Eventually it was discovered by the Giga-uploaders and put to use, despite no one else being able to download the data; the FTP account was write-only until an admin approved the upload.
After 2 rounds of this, they started uploading to folders with HA/HA/HA, and odd character set folder names. All deleted anyway. Finally I just shut off anonymous FTP.
It is fully believable that the uploaders would have trashed the unsecured C: drive after they found that they were discovered and had their crap deleted.
Admin
Otherwise, for reasons of space, I suggest this: "New guy, stupid boss, porn, fired. Fill in the rest, you know the drill."
Admin
Then you check for people who repeatedly 24-hour-temp in from the same address, and perma-whitelist those. Then you add a script to check how long a whitelisted IP was unused and remove them if it's been long enough (a month?).
After a while you wind up with a fully scripted system of whitelisting people into your FTP server which ultimately relies on folks logging into the company network before they get FTP access. With you checking the kinks every now and then.
This way boss thinks everything is cool beans while you've got a semi-secured system rolling. And then when you find your next job, you get to see your scripts on WorseThanFailure.com
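The whitelisting scheme described above, as an added example that is not code from the thread: a small whitelist manager that hands out a 24-hour grant on network login, promotes an address seen repeatedly to a permanent entry, and prunes entries unused for a month. The thresholds, the timestamps and the addresses are constructed assumptions, not values from the post.

```python
# Added example (not from the thread): temp grant on network login, promotion to a
# permanent entry after repeated grants from one address, removal when idle a month.
# Thresholds below are placeholders, not values the comment specified.
from dataclasses import dataclass
from datetime import datetime, timedelta

TEMP_TTL = timedelta(hours=24)      # lifetime of one temporary grant
PROMOTE_AFTER = 3                   # grants from one address before it goes permanent
IDLE_LIMIT = timedelta(days=30)     # entries unused this long are dropped


@dataclass
class Entry:
    last_seen: datetime             # last network login or FTP use from this address
    expires: datetime               # temp grant expiry; ignored once permanent
    grants: int = 1                 # how many times this address was temp-granted
    permanent: bool = False

class Whitelist:
    def __init__(self):
        self.entries: dict[str, Entry] = {}

    def on_network_login(self, ip: str, now: datetime) -> None:
        """Someone logged into the company network from ip: hand out a 24-hour grant."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = Entry(last_seen=now, expires=now + TEMP_TTL)
            return
        e.last_seen = now
        if e.permanent:
            return
        e.grants += 1
        e.expires = now + TEMP_TTL
        if e.grants >= PROMOTE_AFTER:
            e.permanent = True      # seen repeatedly: perma-whitelist

    def allowed(self, ip: str, now: datetime) -> bool:
        """Should the FTP server accept a connection from ip right now?"""
        e = self.entries.get(ip)
        if e is None:
            return False
        if e.permanent or now < e.expires:
            e.last_seen = now       # FTP use counts as activity for the idle check
            return True
        return False

    def prune(self, now: datetime) -> list[str]:
        """Drop addresses (temp or permanent) unused for longer than IDLE_LIMIT."""
        stale = [ip for ip, e in self.entries.items() if now - e.last_seen > IDLE_LIMIT]
        for ip in stale:
            del self.entries[ip]
        return sorted(stale)
```

Expired temporary entries stay in the table until they go idle, so the repeat count that triggers promotion survives across days.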
Admin
I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server-related, when in fact, if they just did their job and approached things in a reasonable manner, instead of using shock-and-awe tactics, their point would get across in a much more meaningful way.
Admin
And where is the WTF?
The company's FTP was misused by some sceners for sharing their stuff. Probably some warez group or whatever.
Adam did not fix the hole, but only deleted the site of the sceners. This resulted in important company data getting lost due to retaliation by the group.
If I were Adam's boss, I would have fired him too for having handled the case that stupidly.
Admin
FTFY
Admin
TRWTF are companies with an IT department.
Admin
Agreed... It's not like having [Un|Lin]ux is an impenetrable fortress of best practices (TM). It's a process called hardening, and if you disable every unnecessary service (amongst other things), then you're reducing your surface area. Windows or Unix: if you keep telnet running with a shitty password, you're f*cked either way.
Argument parallel to VB.NET vs. C#, or how PHP is insecure (don't use PHP, but I know better than to spout unfounded BS like that)...
Admin
I'm pretty sure you can't tell whether a Desert Eagle is loaded just by looking at it.
I'm also pretty sure he could get fined for disturbing the peace.
You're not too bright, are you?
Admin
I'm considered a very funny guy in my country, but when I write my funny stuff in English, it's so.... unfunny!
Admin
Thanks for the upgrade, buddy.
There is a grain of truth in some of that. So which forum regular was that anyway?
Admin
At work they once had a department meeting to demonstrate the necessity of installing the patches. This was years ago, before M$ invented the auto-install that reboots your computer while you're at lunch, causing loss of unsaved data. Anyway, it was a skit that began with two guys in the company who had just finished installing a new server but then decided to wait over the weekend to secure it.
Next scene was two hackers who had just discovered the new server and began exploiting its security holes to create an account and decrypt the passwords. They ran rootkit software against it, and discovered that it actually had already been compromised from outside.
That in itself was probably a better demonstration than the skit itself was.
Admin
I would. I read this site.
Admin
Here in Hyderbad, it is making the best to be finding holes in server BEFORE we implement production release. It is bad to be exploited when already released to wild. You could be losting your data this ways.
Admin
In case you can't tell, this is a grown-up place. The fact that you insist on using your ridiculous grammar clearly shows that you're too young and too stupid to be using English.
Go away and grow up.
Sincerely, Bert Glanstron
Admin
okay, so what if you don't have web access?
Admin
I mean webserver access.
Admin
In that case,
Get yourself a nice open source FTP server and modify the source code so the FTP server will spike any and all files it has to phone home to your server when opened for your periodic whitelist while making sure that it gives checksums/filesizes that match the original uploaded file. After a while, you just switch over to whitelists because hopefully everyone will be trading and running files which inform your server they are authorized users of your server. I'm sure you can fit web content or something into a word doc, exe file, etc.
Admin
It would be hard to have a fully loaded .45 cal Desert Eagle in his top drawer, as they didn't produce a .45 cal version...
Admin
TRWTF is trying to explain anything computer related to management.
Admin
Clearly, it was Nagesh's undecidedly NSFW material that Brian found.
Admin
Although the article gives the impression of a large organisation, it doesn't definitively say it. Smaller organisations (especially ones where IT is not their main industry, nor even used significantly, by the sounds of it: "web page + financial information" sounds like a company that feels they need a web page (probably one that still says "under construction") and uses computers for basic HR (paying employees and the like) and for keeping customer invoices (probably in Excel format)). Certainly they should use multiple servers, but given IT is probably an afterthought for them (and aside from all else is probably allocated very little budget), there should be little surprise that they do everything on a single box.
Admin
TRWTF is that the server used windows.
Admin
Is there some sort of anonymizer on this article? This is not the first post about Brian, yet I'm sure the name was Philip in my article....
Admin
Once you have had a few admin jobs where the personnel require Active Directory, permission settings and other stuff that only Windows handles (not even Samba), you will understand that, for all that Windows did wrong, there is some functionality that people think is very valuable and is not available under Linux/Unix.
Most of the time I use Linux/Unix/IRIX, whatever X is fit for the job. But sometimes the requirements FORCE you to use a Windows server.