  • Yoda (unregistered)

    This sounds awfully familiar.

  • David T (unregistered)

    And what the hell does "Gertrude herself had made the decision to shut down SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address, an uncommon security vulnerability." mean?

  • davesol (unregistered)

    TRWTF is the IT team. Instead of fixing the problem they've disabled a piece of functionality that loads of people would find useful

  • Pista (unregistered)

    Yet another Hanzo story - lousy as the other so far.

    Captcha: similis. Boy, this time Akismet got it right - the Hanzo stories are similar(ly lousy).

  • (cs) in reply to David T
    David T:
    And what the hell does "Gertrude herself had made the decision to shut down SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address, an uncommon security vulnerability." mean?
    It looks like some text generated by a bot. It seems to have lots of relevant words in an order that creates a valid sentence, but the overall sentence doesn't seem to make sense in the context where it is used.
    davesol:
    TRWTF is the IT team. Instead of fixing the problem they've disabled a piece of functionality that loads of people would find useful
    Yeah, I'm on the side of the professor, even if he doesn't understand authentication.
  • jaggerbush (unregistered)

    Agreed on TRWTF being the IT department. Would make sense for them to temporarily disable the service while they implement a fix, but the story reads as follows:

    1. Crap, we have an issue.
    2. Let's "fix" the issue by just disabling the core functionality that created it.
    3. Mark the ticket resolved.
    4. Crap, we've been called out for not really fixing it.
    5. Let's explain to them why we can't give them the basic internet functionality that they want rather than fixing the problem, or at least letting them know we're trying to fix the problem.
    6. ?
    7. Profit.
  • Tony (unregistered)

    Sounds very much like an IT department that's forgotten it exists to provide services not simply follow 'security procedure'.

    Then compounded with a complete failure to communicate their reasoning with the users of their service, and not caring that they've done so.

    I'm 100% with the professor. I'd sack the lot of 'em :p

  • QJo (unregistered) in reply to TarquinWJ
    TarquinWJ:
    David T:
    And what the hell does "Gertrude herself had made the decision to shut down SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address, an uncommon security vulnerability." mean?
    It looks like some text generated by a bot. It seems to have lots of relevant words in an order that creates a valid sentence, but the overall sentence doesn't seem to make sense in the context where it is used.
    Nailed it. Gertrude's a robot. Or an android. Hanzo hasn't twigged to this. Unless he built Gertrude and believes she's real. Or that he built Gertrude and pretends she's real. Whichever, he may be as deluded about her existential status as he is of his professional skills. Either way, this is disturbing old stuff.
  • (cs)

    Gone are the days when true experts simply called themselves programmers, and could solve problems by editing a few bytes in working memory, instead of quasi-intellectuals pretending to be a Japanese martial art (assuming ninjutsu was meant, as the word ninjitsu seems novel), masking their laziness as a Zen attitude.

  • Millennium (unregistered)

    I'm kind of confused. If the vulnerability comes from the fact that Exchange and SMTP are using the same IP address, could this not be fixed by moving one or the other to a different host? Who's committing the WTF here?

  • (cs)

    I'd be interested to know more about this IP-address vulnerability.

  • Nick (unregistered)

    Can someone explain this Exchange vulnerability?

  • Le Forgeron (unregistered) in reply to Millennium
    Millennium:
    I'm kind of confused. If the vulnerability comes from the fact that Exchange and SMTP are using the same IP address, could this not be fixed by moving one or the other to a different host? Who's committing the WTF here?

    I'm afraid the issue about the "same ip address" was that whatever the system from which the email was initially sent, the logged ip address was always the same. Making email-spoofing rather easy and not detectable.

    Mail from legitimate Dean (or whatever): To All, the university is to be closed for Xmas from 21 December to 2 January. Happy holidays. email address of sender as [email protected]

    Mail from prankster (using their own device, not even the Dean's one): To All, previous message about Xmas was erroneous, it will be closed from 21 December to 14 January. same email of sender.

  • (cs)

    If Microsoft Exchange makes it impossible to send e-mail over Wi-Fi, the problem is insisting on using Microsoft Exchange. An IT department insisting on using Microsoft Exchange because they do not know how to set up anything else, and refuse to learn, is ignorance and incompetence.

    We have similar nonsense at my workplace, where they refuse to provide an IMAP gateway so incoming e-mails can be read on non Windows computers.

    (Although I find it hard to believe that Microsoft Exchange makes it impossible to send e-mail over Wi-Fi)

  • (cs)

    a person can't be a ninjitsu.

    it's like a person being a fighting, or a cooking, or a fishing.

  • Franky (unregistered)

    Hanzo - the same kind of guy who complains at NotAlwaysRight about customers who don't want to put up with demotivated drones (in contrast to those who are really wrong).

  • Black Bart (unregistered) in reply to Le Forgeron
    Le Forgeron:
    Millennium:
    I'm kind of confused. If the vulnerability comes from the fact that Exchange and SMTP are using the same IP address, could this not be fixed by moving one or the other to a different host? Who's committing the WTF here?

    I'm afraid the issue about the "same ip address" was that whatever the system from which the email was initially sent, the logged ip address was always the same. Making email-spoofing rather easy and not detectable.

    I don't buy this either - they should just use SMTP Auth. I hate to say this Hanzo, but I'm with the Professor here.

  • anonymous (unregistered)

    The story itself is TRWTF. At best I can believe the story has been redacted into a total mess; otherwise the IT dept is TRWTF. It would be totally unacceptable that users on WiFi cannot send email.

    "SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address"

    Does it mean that the same source IP address is observed on WiFi? If yes, then the network design itself would be TRWTF too. I think a university campus network should be large enough NOT to use NAT, but rather proper routing to allow WiFi access to the campus core network.

    captcha: minim, does it mean that the IT got minim skills?

  • Andy P (unregistered)

    Every last one of these "Hanzo" stories are inane and deeply, deeply smug. Not remotely funny or interesting - just annoying. Hanzo himself bragging to us about how smart he is and how he's the living embodiment of Sun Tzu and how retarded everyone else is compared to his own incredible intellect. It's all just desperate and pathetic. Please stop printing them.

  • Rudyard (unregistered) in reply to Algorythmics
    Algorythmics:
    a person can't be a ninjitsu.

    it's like a person being a fighting, or a cooking, or a fishing.

    I'm a Kipling, if that helps.

  • Auditor of Reality (unregistered) in reply to Andy P

    Sun Tzu would be "The Art of War". Book of Five Rings is from Miyamoto Musashi.

  • Auzy (unregistered)

    I'm another one who actually agrees with the professor here.

    Sending emails via SMTP+Wifi is major/critical functionality and disabling it is a hack which doesn't fix the root problem. You'd never do something like that in a business environment, so why would it be acceptable in a Uni?

    Even worse, you don't go and break emails, without a good explanation to your staff/students. They just laugh off the issue, but don't actively try to manage it, or solve the issue fully.

    Good to see that they published the university though (so at least Employers can probably avoid hiring Hanzo on their own team)

  • (cs)

    I call shenanigans. If the story had even a germ of truth, Hanzo would either be going through the uni's internal disciplinary system to deal with the bullying, abusive professor - who may well be correct on the technicalities, but is still an arsehole - and/or being constructively dismissed, or simply suing over the clear and unjustifiable defamation involved in the 'editorials'.

  • Paul Neumann (unregistered) in reply to Auditor of Reality
    Auditor of Reality:
    Sun Tzu would be "The Art of War". Book of Five Rings is from Miyamoto Musashi.
    I love Miyamoto Musashi in "The Iron Chef". That character always taking a bite out of an onion, pepper or some other crazy food before the show. What talent!
  • I forgot how to tdwtf (unregistered)

    He might go by Hanzo, but others probably call him Fatso. And Gertrude isn't even real, she's just a device to make us think Hans is smart. Please no more Hanzo. Hanzo harakiri.

  • Andrew (unregistered) in reply to Andy P
    Andy P:
    Every last one of these "Hanzo" stories are inane and deeply, deeply smug. Not remotely funny or interesting - just annoying. Hanzo himself bragging to us about how smart he is and how he's the living embodiment of Sun Tzu and how retarded everyone else is compared to his own incredible intellect. It's all just desperate and pathetic. Please stop printing them.

    TRWTF is Hanzo. I thought that was the point of all these posts, like some kinda self-posting WTF.

  • (cs) in reply to Andy P
    Andy P:
    Every last one of these "Hanzo" stories are inane and deeply, deeply smug. Not remotely funny or interesting - just annoying. Hanzo himself bragging to us about how smart he is and how he's the living embodiment of Sun Tzu and how retarded everyone else is compared to his own incredible intellect. It's all just desperate and pathetic. Please stop printing them.

    This. Not to mention that the self-proclaimed genius is the WTF himself at least in this story.

    I can write better English than that author. And it's not my native language. A lot of sentences just plain make 0 sense. TRWTF is the author's English skills, and considering his name seems German it wouldn't surprise me if he is Hans.

  • Ian (unregistered)

    One way I imagine this might've occurred would be if the Exchange machine was running NAT for the wireless network. That would be trwtf.

  • (cs) in reply to TGV
    TGV:
    Gone are the days when true experts simply called themselves programmers, and could solve problems by editing a few bytes in working memory, instead of quasi-intellectuals pretending to be a Japanese martial art (assuming ninjutsu was meant, as the word ninjitsu seems novel), masking their laziness as a Zen attitude.
    It's worse than that, of course. Not only is Hanzo claiming to *be* a martial art (rather than practicing one), but he's even claiming to be the wrong one. The Book of Five Rings is about being a good *samurai*, and therefore has rather less than nothing to do with being a ninja.

    Oh, and the question of -jitsu versus -jutsu is a bit of a distraction, seeing as how however you want to romanize it, the word was originally written in kanji: 忍術

  • Baffled (unregistered)

    Is something lost in translation here?

  • Andrew (unregistered)

    TRWTF is horizontal scrolling.

  • Mike Dimmick (unregistered)

    My guess about the bizarre comment about SMTP and Exchange being on the same IP address is that the Wi-Fi network doesn't connect directly to the wired LAN, it presents a different subnet to the Wi-Fi users and there's a Network Address Translator in between the two. The comment would make a kind of sense if the NAT is set up to map its entire incoming port space onto a single server, rather than being able to map specific ports to specific servers.

    Given that Outlook uses RPC to connect to Exchange, and that Windows defaults to dynamically allocating any port to RPC (client connects to TCP 135, the RPC Endpoint Mapper, and is then told what port the server is actually using), they probably mapped the entire port space to the Exchange server rather than limiting the RPC port space and only mapping that range. Being able to access the Exchange server likely trumped access to other servers.

    Limiting the dynamic RPC port range was introduced in NT 4.0. The bypass mechanism, RPC over HTTP(S), was added in Exchange Server 2003 and Outlook 2003, so they probably don't have that yet. It's also possible to configure static port assignments, documented in http://support.microsoft.com/kb/270836 .

    I can easily believe that CS professors don't understand the complexities of NATs, firewalls, RPC and dynamic port allocation. The ivory-tower network is completely open and fully routed to allow any protocol to hit any device.

    Exchange has used SMTP as its server-to-server transport protocol since Exchange 2000, but it's possible that the University are still stuck on Exchange 5.5. If they do have Exchange 2000 or later, it could be that relaying isn't permitted on the Exchange server's SMTP server - default is off for Exchange 2003 and later.

  • MrBester (unregistered) in reply to Rudyard
    Rudyard:
    Algorythmics:
    a person can't be a ninjitsu.

    it's like a person being a fighting, or a cooking, or a fishing.

    I'm a Kipling, if that helps.
    Not really, having never kippled.

  • Jo (unregistered)

    Just enumerating:

    • Hanz is not a German forename. (They used to be regulated.)
    • Gertrude is... marginal. Unusual, to say the least.
    • There is no Hesse University in Dresden. I can't find any Hesse University in Germany at all.
    • The description of the technical side of the WTF was inadequate. Which means you can't learn from the story (which is one of the major pluses of thedailywtf.com) and you can't really judge how valid the reasoning behind disabling the service is.
    • TRWTF is using a different authentication scheme for wired and Wifi. Either you have your credentials or you don't; what if the professor connects his laptop to the jack of a colleague?

    To be fair: The quote from the Book of Five Rings may sound like it's from The Art of War by Sun Tzu, but it isn't, it is in fact from Five Rings.

  • (cs) in reply to Baffled
    Baffled:
    Is something lost in translation here?
    +1
  • (cs)

    When I was in grad school, I worked for the greater campus IT, which was quite well-run by people who mostly knew what they were doing. However, the CS department had its own IT department (because obviously, CS people would 'know better' than campus-wise IT what's useful for things) and that department was full of the biggest, most arrogant, ego-tripping assholes who had no idea what they were actually doing.

    My 'favorite' recollection from that was when one of the IT admins decided to security-test the 'wall' command (for those who don't remember, it broadcasts a message to every logged-in user) by logging in to random boxes and then piping /dev/random into it, thus screwing up everyone's terminals and causing a lot of confusion. I complained about this, and the admin's response was that "since wall runs setUID we have to test it for buffer overruns."

    Okay... if you really must, why not test it on an isolated system? Oh, but he "needed" to test it on a system where people were using it.

    If he had such a concern, and since there's no reason for an end-user to run it anyway, why not just set permissions to only allow people in the admin group to run it? No response to that.

    They also loved to occasionally remind me that they could monitor my web browsing traffic (including every time I accidentally looked at a 'shock site') and whenever email broke (which was often) they'd complain about me complaining about broken email, instead of just fixing email.

    They also had this ridiculous notion of package management; instead of using one of the many symlink-farm-maintaining package systems out there, they decided to hand-roll a ridiculously cumbersome package management system that required that you log in using tcsh (which is TERRIBLE) and where every single installed application had a different wrapper script to add it to your PATH and LD_LIBRARY_PATH and so on. It took about two seconds per application. So logins consisted of waiting about 10 minutes while it slowly listed out every single package you had loaded into your environment. Their reason for this was that it made things slightly easier for them to upgrade custom-built software on the OS, and they didn't trust any of the existing package managers for reasons.

  • (cs)

    Why are perfectly valid comments being deleted? Just because they happen to criticise the article (which is crap, let's face it) is no reason to remove them...

  • Catalyst (unregistered)

    Since we seem to have one of these "Hanzo" stories every other day now, we're really approaching the "Daily WTF" pretty quickly.

    The whole story looks like a fake to me. If the author were German or had at least lived somewhere near Dresden, we would know that Dresden is not in Hesse, and that there is no such thing as a "Hesse University" at all. Secondly, while I know a few anglophone people who think that the name in question is spelled "Hanz", the name is actually "Hans".

    About this story: "same IP address"? Huh? Same as what? Did they mean "same port"?

    Sorry, but this is far below TDWTF standard.

  • anonymous (unregistered)

    I never complained about decreasing TDWTF quality and etc, because I usually think it's just troll-speak...

    ... but I must agree now... this story was totally stupid, pointless, and not a shade of WTF. And by the way, I love people-related WTF!

    Please, don't post this kind of crap! Don't post, if there's nothing noteworthy.

  • TV Tropes (unregistered)

    So, Hanzo is clearly this: http://tvtropes.org/pmwiki/pmwiki.php/Main/CreatorsPet

  • anonymous (unregistered)
    1. The fuck does "made the decision to shut down SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address" mean?

    2. "I don’t think that accomplished much," Gertrude said. "I think you just made him more confused than he started." No shit. (If Hanzo did as well explaining it to him as he did explaining it to us, I'm not the least bit surprised.)

    3. Ignoramuses, all of them! Just this week I met with some of the staff in the IT department. When I confronted them about the business with campus WiFi, they gave me the go-around! Then they threw buzzwords in my face to hide the fact that they don’t know what they’re doing! It is a shame that we continue to fund a department of fools!
      We love scrolling!

  • (cs) in reply to anonymous
    anonymous:
    We love scrolling!
    That's the royal "we", I take it.
  • QJo (unregistered)

    My sympathies are with the professor, but in that situation I would probably not deliberately dog the IT dept off by means of a flame war. But I would certainly demand an explanation as to the real reason why the kit could not be arranged for the benefit of the users. If there is a technical issue, then the IT department ought to be able to propose a solution -- even if that solution is "implement a completely different communication infrastructure". Saying "Sorry, the software's no good" is not really a long-term solution.

  • Micky (unregistered) in reply to TV Tropes
    TV Tropes:
    So, Hanzo is clearly this: http://tvtropes.org/pmwiki/pmwiki.php/Main/CreatorsPet

    Yup. Remember the comics we had to live with a while back? I don't think any lessons were learned from that debacle.

  • Valued Service (unregistered)

    The problem is that he's viewing the professor as an enemy and not a customer.

    As much as you hate to serve people that are jerks, you have to manage this situation gracefully.

    A simple post to the paper that there is a vulnerability that needs to be fixed before restoring the service would have been better than allowing the professor to continue ranting.

  • anonymous (unregistered)
    Gertrude herself had made the decision to shut down SMTP over wireless when it was discovered that Microsoft Exchange used the same IP address, an uncommon security vulnerability (Wouldn't they also use the same IP address over wired LAN?). It made perfect sense to Hanzo and the others at IT, but apparently not to Professor Geiss or anybody else.

    FTFY

  • Anomaly (unregistered)

    "Professor, this is Hans M"

    Just thought I'd point out...

  • jmeltzer (unregistered)

    Agree with everyone else. The professor is right, and the IT department needs to be fired.

  • (cs) in reply to Black Bart
    Black Bart:
    Le Forgeron:
    Millennium:
    I'm kind of confused. If the vulnerability comes from the fact that Exchange and SMTP are using the same IP address, could this not be fixed by moving one or the other to a different host? Who's committing the WTF here?

    I'm afraid the issue about the "same ip address" was that whatever the system from which the email was initially sent, the logged ip address was always the same. Making email-spoofing rather easy and not detectable.

    I don't buy this either - they should just use SMTP Auth. I hate to say this Hanzo, but I'm with the Professor here.

    The only thing I can think of-- ignoring the fuzzy description given in the article-- is that their version of Exchange allowed a different sender address to be provided in MAIL FROM, which is compliant with the RFCs but should not be allowed in an enterprise email solution. Any properly authenticated sender could spoof another user on the system. They'd be caught in the logs, but only after the spoofed message had already gone out.
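The three positions taken in this thread (Le Forgeron's point that behind the wireless NAT every sender is logged with the same address, Black Bart's "just use SMTP Auth", and the comment above about an authenticated account still being free to put someone else in MAIL FROM) can be put side by side as a small policy model. The block below is an added illustration for this page, not code from the article, from any commenter or from Exchange; the networks, addresses, account names and the three policy names are constructed. The policies correspond loosely to an IP-based relay list, to "allow clients that authenticate to relay", and to a sender/login match of the kind Postfix enforces with `reject_sender_login_mismatch`.

```python
"""Toy model of an MTA's relay/submission decision (added illustration only).

Addresses, networks, accounts and policy names are constructed or assumed;
this is not the article's configuration or Exchange's actual logic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed campus addressing. The wired LAN is routed, so the MTA sees each
# wired host's own address. Wireless clients sit behind a NAT and all appear
# as one address, which is the situation described in the thread.
WIRED_LAN = ip_network("192.168.10.0/24")
WIRELESS_INSIDE = ip_network("172.16.0.0/16")
WIRELESS_NAT_ADDRESS = "10.0.0.1"
TRUSTED_NETWORKS = (WIRED_LAN, ip_network("10.0.0.0/24"))

# Constructed directory: which envelope senders each account may use.
DIRECTORY = {
    "dean": {"dean@example.edu"},
    "geiss": {"geiss@example.edu"},
    "student42": {"student42@example.edu"},
}

POLICIES = ("ip_relay", "auth_only", "auth_sender_match")


@dataclass(frozen=True)
class Submission:
    client_ip: str                   # peer address on the TCP connection
    mail_from: str                   # SMTP envelope sender (MAIL FROM)
    auth_user: Optional[str] = None  # identity from SMTP AUTH, if any


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    log_line: str


def as_seen_by_mta(source_ip: str) -> str:
    """Model the NAT: every wireless host is rewritten to one address."""
    if ip_address(source_ip) in WIRELESS_INSIDE:
        return WIRELESS_NAT_ADDRESS
    return source_ip


def decide(sub: Submission, policy: str) -> Decision:
    ip = ip_address(sub.client_ip)
    # Whatever the policy, this is all the log will ever hold about the client.
    log_line = f"client={ip} from=<{sub.mail_from}> auth={sub.auth_user or '-'}"

    if policy == "ip_relay":
        # Location-based trust: anything from a listed network may relay with
        # any MAIL FROM, and every wireless client is "in" the listed network.
        trusted = any(ip in net for net in TRUSTED_NETWORKS)
        return Decision(trusted, "trusted network" if trusted else "relay denied", log_line)

    if sub.auth_user is None:
        return Decision(False, "AUTH required", log_line)

    if policy == "auth_only":
        # The log now names an account, but the envelope sender is unchecked.
        return Decision(True, f"authenticated as {sub.auth_user}", log_line)

    if policy == "auth_sender_match":
        owned = DIRECTORY.get(sub.auth_user, set())
        if sub.mail_from.lower() in owned:
            return Decision(True, "envelope sender owned by login", log_line)
        return Decision(False, f"{sub.auth_user} may not send as {sub.mail_from}", log_line)

    raise ValueError(f"unknown policy {policy!r}")


def spoof_dean_from(source_ip: str, policy: str, auth_user: Optional[str] = None) -> Decision:
    """Someone at source_ip submits a message with the Dean as envelope sender."""
    sub = Submission(as_seen_by_mta(source_ip), "dean@example.edu", auth_user)
    return decide(sub, policy)


if __name__ == "__main__":
    cases = [("172.16.5.10", None), ("172.16.5.77", None), ("172.16.5.77", "student42"),
             ("172.16.5.77", "dean"), ("203.0.113.9", None)]
    for policy in POLICIES:
        print(f"== {policy}")
        for src, user in cases:
            d = spoof_dean_from(src, policy, user)
            verdict = "ACCEPT" if d.accepted else "REJECT"
            print(f"  {src:<13} {verdict:6} {d.reason:<35} {d.log_line}")
```

Under `ip_relay` the two wireless laptops produce byte-identical `client=` fields, so the log cannot say which of them impersonated the Dean; that is the attribution problem, not a fault in any one host. `auth_only` records who connected but still lets `student42` send as the Dean, which is the gap the comment above points at; `auth_sender_match` closes it for the envelope sender. The header `From:` line would need the same ownership check separately, since SMTP never inspects it.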

  • Lunkwill (unregistered)

    The professor may have put it in an arseholish way but basically he was right: if Exchange uses SMTP AUTH and still allows email spoofing due to some trivial NAT issue, the problem is Exchange and the IT "ninj[iu]tsus" had better come up with a solution instead of simply disabling email. Which might be to replace Exchange, but more likely simply calling someone who isn't too dumb to configure it. Please, no more of that Hanzo crap!

Leave a comment on “Authenticated Authentication”
