Admin
Double WTF if those are literally the strings from the original code. "backdoor" and "secret". Yikes!
Admin
Alex,
Care to provide a link to this guy's "last place"? I'd like to...um...take a look at their website....
-ds
Admin
Highly... talented... perhaps at macrame?
<chokes>
Ouch.
Admin
Ugh...this guy calls himself an expert? I hope he's never developed anything that handles sensitive data. This is almost as bad as the COBOL.NET "security" from a few days ago. At least here it's hidden. Sort of.
Admin
As in talents of gold, perhaps?
Yech!
Sincerely,
Gene Wirchenko
Admin
And who was this "Expert"'s last employer? [:D]
Admin
So how did Johannes explain to the "expert" what was wrong with this?
Does this guy still have a job?
By this logic, why bother having a password at all? That way you can never have a password related problem at all because there is no password to lose in the first place.
Admin
I guess this "expert" never heard of simple solutions to lost password problems like resetting the password or sending the user an email and having them click a link and choose a new password.
Why is that so difficult to do that one needs to use "backdoors" and "secrets"?
Let alone the fact that the user not only gets access but gets sysadmin rights! What the hell was he smoking when he came up with that at his "last place"?
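An added example (mine, not code from the thread or the application it discusses) of the ordinary alternative this comment describes: a short-lived, single-use reset token sent by e-mail instead of a hardcoded "backdoor" parameter. The in-memory stores, TTL and function names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for database tables (hypothetical
# layout; nothing here comes from the thread's application).
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(user, now=None):
    """Mint a single-use reset token for `user`; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike "secret"
    RESET_TOKENS[user] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # goes into the e-mailed link; never logged or stored in clear


def consume_reset_token(user, presented, now=None):
    """True only if `presented` is the live token for `user`; burns it on success."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(user)
    if record is None or now > record["expires"]:
        RESET_TOKENS.pop(user, None)  # expired tokens are discarded, never honoured
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["digest"]):
        return False  # wrong token; constant-time compare, record kept for a retry
    del RESET_TOKENS[user]  # single use: the link works exactly once
    return True


def reset_password(user, presented, new_password, password_db, now=None):
    """Change the password only with a valid token; the user's role never changes."""
    if not consume_reset_token(user, presented, now):
        return False
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    password_db[user] = (salt, derived)
    return True
```

Note that nothing in the flow grants a role: a successful reset changes one credential and nothing else, which is the part the "backdoor gives sysadmin" design got most wrong.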
Admin
Wow. All I can say is WOW. I didn't think anyone could actually think that this was an ok practice. This guy needs to be picked up by the Bush administration.
Admin
It's always possible that he really knew how bad this security hole is, and that perhaps it's an insurance policy? It's probably a bit better to claim ignorance here than to admit to leaving yourself a backdoor.
Admin
Hmm, a security expert who's never heard of a dictionary hack?
Maybe this guy has seen the new movie Firewall and wants an easy way to get in in case his family is ever held to ransom...
Admin
What's the big deal? We did that all the time when I worked for professor Falken
on the WOPR project. As far as I know there was only one meddling kid who managed
to sneak in -- and even then, it wasn't REALLY global thermal nuclear war.
Cute kid, really.
Admin
What do they do when they forget "secret" as the password!?!?
Admin
I'm wondering how many of these backdoors actually are in the wild... As long as nobody finds out, it's just fine, isn't it? :P
Admin
Actually, a dictionary hack wouldn't get this one... dictionary attacks try known user IDs and passwords. In this case, the URL to get in would be:
www.domain.com?backdoor=secret
Since the "backdoor" parameter is hidden in the code, an attack should be useless.
Of course, this kind of "security through obscurity" is cause to put the programmer in a corner with a dunce cap. With anything security related, you should assume that your attacker has your source code.
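Since the point of this comment is that the parameter name is the only thing protecting the site, the defender's counterpart is to watch for it in the access logs. The following is an added example (mine, not from the thread or its site) that parses constructed Common Log Format lines and reports which clients sent a watched parameter name; the watch list beyond "backdoor" and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that must never act as an authentication shortcut.
# "backdoor" is the one from this thread; the others are assumed additions.
WATCHED_PARAMS = {"backdoor", "override", "debug_login", "god_mode"}

# Common Log Format; the request line is split into method, target and version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not from any real server): one legitimate request,
# one use of the thread's URL, and one host cycling guesses at the value.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:09:12:01 +0000] "GET /default.aspx HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2006:09:12:09 +0000] "GET /default.aspx?backdoor=secret HTTP/1.1" 200 7300
198.51.100.23 - - [10/Mar/2006:09:13:44 +0000] "GET /default.aspx?Backdoor=guess1 HTTP/1.1" 200 5120
198.51.100.23 - - [10/Mar/2006:09:13:45 +0000] "GET /default.aspx?BACKDOOR=guess2 HTTP/1.1" 200 5120
192.0.2.55 - - [10/Mar/2006:09:15:00 +0000] "GET /search?q=backdoor HTTP/1.1" 200 800
"""


def parse_line(line):
    """Return the log fields plus the set of lower-cased query-parameter names."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # Names are lower-cased because server-side lookups (ASP.NET QueryString is
    # case-insensitive, Java getParameter is not) differ; the value is irrelevant.
    rec["params"] = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return rec


def find_hidden_auth_params(log_text):
    """Map client IP -> [(timestamp, parameter, status)] for watched parameters."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in sorted(rec["params"] & WATCHED_PARAMS):
            hits[rec["ip"]].append((rec["ts"], name, int(rec["status"])))
    return dict(hits)
```

A value of "backdoor" in an unrelated parameter (the /search line) is deliberately not flagged; only the parameter name matters, and the real fix is still to delete the code path.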
Admin
probably the same guy that uses 1234 for a pin number
Admin
lol, I hope this guy wasn't working for the FBI or something.
In an environment of medium or low security, I think it wouldn't be as bad if at least the words weren't hardcoded. But there are a lot of better ways to proceed in cases of lost passwords.
Admin
So... when the user forgets his password, calls IT, is directed to use the "backdoor" fix... he now not only has a way in... but a way in with admin privileges?? WTF?
Admin
Isn't that the sort of combination an idiot keeps on his luggage? :D
Admin
This all reminds me of a program I once did work on...
' Is the Backdoor open?
' Module-level declaration added so the snippet compiles under 32-bit VB6 (the original used the % suffix)
Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As String, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long

Dim bBackDoorOpen As Boolean, sReturnStr As String, sIniName As String, iLen As Long
bBackDoorOpen = False
sReturnStr = Space$(81)
sIniName = App.EXEName & ".INI"
' Reads the plain-text value Open= under [Logon] in <exe>.INI
iLen = GetPrivateProfileString("Logon", "Open", "", sReturnStr, Len(sReturnStr), sIniName)
sReturnStr = Left$(sReturnStr, iLen)
' A magic word in an editable INI file skips the licence check entirely
If sReturnStr = "Sesame" Then bBackDoorOpen = True
If bBackDoorOpen Then Exit Sub
' Do Licensing Routine... verify cd-key
--
- Lynn
Admin
No, it's 1-2-3-4-5 on the luggage...
Admin
That reminds me, I need to change my PIN... 8-)
Admin
Any dictionary hacker who doesn't try "god", "backdoor", "root" and "admin" as possible usernames deserves a WTF of their own
Admin
Oh, come on. What are the odds someone would figure this out? Big deal.
Admin
At one job I had, we had a backdoor password that was the first three letters of the current day of the week, backwards. We had to change it to '*' because the idiot field circus couldn't remember the original backdoor. Or couldn't spell the days of the week, more likely.
Admin
YOU HAVE DISHONOURED US! COMMIT SEPPUKU, IMMEDIATELY!
Admin
A bit off topic, but...is it safe to browse this site with images on? Or will tomorrow repeat itself?
Admin
You're kidding right?
I'm going to give you the benefit of the doubt and assume that you are being funny by pretending to defend this WTF
Admin
"Would you like to play a game?"
Admin
No.. sadly I think he really thinks this is OK - you'd probably be surprised how many developers out there really believe their system will never be subjected to any hacking attempts...
Admin
I don't think that they give this out to anyone who loses their password. This is just the backdoor should the admin (who should have the ability to change everyone's password) forget his own.
Ever been locked out of your own system because you forgot your own password? You will be glad for backdoors then. (Though even still I don't use them)
The question is: is "secret" something that Alex substituted so that we don't know the backdoor password, or is that the real backdoor password?
We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers. (We only use this when there are bugs in the field, most customers will not get a login from us. In fact we recommend that customers have the machine behind a firewall so that we cannot get in ourselves unless we request it)
Backdoors are handy. However the password needs to be secure in itself.
Admin
Then they have to type in 'OVERRIDE PASSWORD' and proceed.
Admin
Pffft.... C'mon now, this is just lazy coding.
If you're going to leave an intentional backdoor, you have to at least make it look accidental. A weird, hard to find, SQL injection vulnerability is always a good choice, but you'll have to at least attempt to filter the input to get it by a thorough security audit. This is where being very clever with regular expressions comes in handy.
Or a buffer overflow is always a nice one, although it's a bit harder to get away with in these days of automated testing tools. Still, it can be done with enough cleverness.
But this guy is not even trying! No obfuscation, even! Truly a WTF for the ages.
Admin
A good backdoor should require something stronger than a password. Say, physical access to the machine, and a certificate signed by the program manufacturer.
Admin
The list of passwords the Morris worm used included 'secret'.
Consequently, I wrote an app in high school that tried a dictionary attack on the student FTP server (the list of usernames was visible by navigating to the root of the server, i.e. john doe was /jdoe, and the full list of folders was visible in /) with the Morris worm dictionary (about 400 popular passwords). I had 20 accounts by morning.
Notably, two used 'banana' -- one of which was for a girl named anna, the other, a jana. And of course, one kid used 'secret'.
To all the annas and janas out there: for the love of god, don't use banana for a password.
I got independent study credit for the project, naturally.
Admin
Hank - "We ship products with backdoor passwords. They are 10 random digits, and only internal support knows them - we don't tell customers."
That is a really bad idea - If I was a customer and I found out you had a backdoor I would be really, really upset.
Admin
http://www.thedailywtf.com/default.aspx?backdoor=secret
Ah well, it was worth a try
Admin
Your sarcasm detector is apparently broken. You may want to have that checked out.
Admin
Not only does he include this nastiness, but he also uses a pet peeve pattern of mine (and a consistently great indicator of a crappy developer) -- not using a variable to store the result of a lookup (getParameter). Why, WHY do all crappy developers always do this?
Admin
That's what KeePass is for (and other utilities like it): keepass.sourceforge.net
Admin
Bah, people have suspected Microsoft of having backdoors in Windows for years. Supposedly, there's also government code in Photoshop to prevent counterfeiting.
Dunno how true this stuff is, but it seems at least plausible. Backdoors may already be a fact of life in the products you use every day. Don't like it? Use FOSS. Don't like FOSS? I guess you're stuck. *shrug*
Admin
I agree, I hope the customers weren't concerned with security (like in government, aerospace, and medical industries.. to name just a few). There are other ways of hacking things besides a dictionary attack. Like disassembling your binaries (which is especially easy in Java--not that I'm saying you used Java.. but if you did..). And there are plenty of users out there smart enough to do that (just look at how little time it takes to crack the copy protection on PC video games and other apps).
Admin
I think this guy would do a heck of a job working for the Bush Administration... I think there is an opening at the head of FEMA. Or maybe he could be the IT security Admin for the dept of Homeland security [:P]
Admin
Don't you see what he was trying to do? I think he was trying to bring some "Wiki" spirit into the site.
Admin
It's intentional. That way, when users complain about the sluggishness of the backdoor component, he can cut the time it takes to use the backdoor in half but still charge for 200 hours of Quake4 -- er, work. [:D]
Admin
Oh, come on. What are the odds someone would figure this out? Big deal.
Assuming you're not trolling for humorous outrage, there are at least problems:
Admin
Dang it! They keep guessing my PIN numbers! [:'(]
Admin
I'm sure you missed this part
"highly talented" software developers
should've been
highly paid software CONTRACTORS
Admin
<hat tinfoil="on">
Most HTTPS servers are probably compromised because the NSA has gotten Java and .NET to put in a backdoor for the NSA. All sessions have a master secret exposed in an unsigned portion via at least two public keys (sender and receiver) and it would have been child's play for the NSA to convince Java and .NET and other major players to expose the secret via the NSA public key.
</hat>
Admin
That I am pretty confident is accurate. Also most printer drivers do it. At least with certain versions of Photoshop you can try to scan a bill on your scanner and when it loads the image it will stop you and pop up a message with some explanation of why you're being stopped and who to contact to bypass this for legitimate reasons.