• Fritz (unregistered)

    It'd be good if there was some way to stop frist comments. They're soooo tedious.

  • moz (unregistered)

    The last set of comments do, of course, start here.

  • (cs)

    To be fair they did at least fix it a few months down the line, all the stripe readers were changed to enable reading of the second track and all the ID cards were re-issued to include a random number on the second track.

    This way you did at least have to be in possession of a card in order to clone it, whereas before, you only had to know someone's staff/student ID number... which is printed on the card, and wage slips, and their mail etc.

  • Reruns (unregistered) in reply to Zacrath

    Strange that a 2013 posting would get comments; while being a rerun.

  • (cs) in reply to Reruns
    Reruns:
    Strange that a 2013 posting would get comments; while being a rerun.
    That's why I decided to "rerun" the featured comment.
  • (cs)

    I'm shocked! Hanzo was the most popular with me!!

  • Pippo (unregistered) in reply to nonpartisan

    nonpartisan:
    I'm shocked! Hanzo was the most popular with me!!

    Hanzo rulez!

  • Valued Service (unregistered)

    It's a shame.

    Schools could be the source for security ideas/talent by testing their students to access the system and improving it every year.

    Instead, they punish students for thinking creatively, with the concern that knowledge is power, they withhold knowledge, thus being the antithesis to their primary function, to teach.

    Ironic.

    And teachers wonder why they aren't valued by society.

  • Anon (unregistered) in reply to Valued Service
    Valued Service:
    It's a shame.

    Schools could be the source for security ideas/talent by testing their students to access the system and improving it every year.

    Instead, they punish students for thinking creatively, with the concern that knowledge is power, they withhold knowledge, thus being the antithesis to their primary function, to teach.

    Ironic.

    And teachers wonder why they aren't valued by society.

    This may shock you, but just like the bad-developer-apologists say, you either teach what you're told, or you get fired.

  • Edcode (unregistered)

    Very Funny

  • (cs)

    Universities are notorious for this. As repositories for groupthink, they are as anti-intellectual as you can imagine.

  • El Guaco (unregistered)

    I'm no lawyer, but just because you can exploit a system, doesn't mean you should do so, even if your intention is honorable.

    If you see your neighbor's house, and he left his window unlocked, it would be ethical to remind him to lock his windows, but it would be unethical to crawl through the unlocked window without your neighbor's permission then tell him about it later in order to demonstrate his lack of home security. One is helpful, the other is trespassing.

    If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.

    That's not to say the Uni didn't over-react.

  • (cs) in reply to Pippo
    Pippo:
    nonpartisan:
    I'm shocked! Hanzo was the most popular with me!!
    Hanzo rulez!
    Actually, the funniest part of the Hanzo stories is reading the comments of everyone railing against Hanzo and Hanzo stories. That's entertainment!
  • Stuart (unregistered)

    Shit like this makes me so mad.

  • (cs) in reply to El Guaco
    El Guaco:
    If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.

    That's not to say the Uni didn't over-react.

    Crossing an ethical line by copying a fucking magstripe card? Are you fucking nuts? He did not abuse the security system in any way - abuse would be to actually enter an area he was not allowed in, or to use someone else's benefits. None of that has happened. The people who fired him were idiots. I'd like to see some names, really. This story stinks, and whoever signed off on firing the protagonist should be publicly shamed. Seriously.

  • Jameos (unregistered)

    While I applaud the general I'm-a-hacker-and-I-don't-give-shit attitude, why have people not learned that ANY security flaw should be reported anonymously? I love it when people throw a shit-fit over being fired for stuff like this.

  • anonymous (unregistered) in reply to El Guaco
    El Guaco:
    I'm no lawyer, but just because you *can* exploit a system, doesn't mean you *should* do so, even if your intention is honorable.

    If you see your neighbor's house, and he left his window unlocked, it would be ethical to remind him to lock his windows, but it would be unethical to crawl through the unlocked window without your neighbor's permission then tell him about it later in order to demonstrate his lack of home security. One is helpful, the other is trespassing.

    If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.

    I'm curious how you suppose Bill was able to determine that Egon had actually created a duplicate card. It would be rather hard for Egon to SHOW Bill a proof-of-concept duplicate card OVER THE PHONE.

  • foo AKA fooo (unregistered) in reply to Kuba
    Kuba:
    El Guaco:
    If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.

    That's not to say the Uni didn't over-react.

    Crossing an ethical line by copying a fucking magstripe card? Are you fucking nuts? He did not abuse the security system in any way - abuse would be to actually enter an area he was not allowed in, or to use someone else's benefits. None of that has happened. The people who fired him were idiots. I'd like to see some names, really. This story stinks, and whoever signed off on firing the protagonist should be publicly shamed. Seriously.
    Rather a legal line, but that's only because legal lines are drawn very tightly in certain countries these days, and generally don't have much to do with ethics. AKA, CYA security. We see time and again how well that works. Well, it works great as long as you have someone else to fire, right?

  • LB (unregistered)

    The only reason he could have reasonably expected anything other than being fired is because they ignored so many other offenses that would have cost his job anywhere else.

    Companies will sometimes hire security consultants to try to break through their security in order to report vulnerabilities to them, but anyone who does so on their own without being asked to is simply breaking in.

    Egon had no business trying to clone his security badge. Of course he'd be fired for that. Now if he'd come across the problem legitimately, while doing something he should be or at least had permission to be doing, that would be a different matter. In that case, he wouldn't get fired and might even be thanked for finding the problem. But finding a security problem while trying to break their security just points out that he's trying to break their security.

  • (cs)

    "We don't have any security issues. No one on staff is aware of any security issues with our cards". A true statement: anyone else who figured out the problem has been fired, and [the person speaking] has momentarily compartmentalized the issue and is at the moment not aware of it.

    And because we're not aware of it, we can't be blamed if someone discovers it.

  • Valued Service (unregistered) in reply to LB
    LB:
    The only reason he could have reasonably expected anything other than being fired is because they ignored so many other offenses that would have cost his job anywhere else.

    Companies will sometimes hire security consultants to try to break through their security in order to report vulnerabilities to them, but anyone who does so on their own without being asked to is simply breaking in.

    Egon had no business trying to clone his security badge. Of course he'd be fired for that. Now if he'd come across the problem legitimately, while doing something he should be or at least had permission to be doing, that would be a different matter. In that case, he wouldn't get fired and might even be thanked for finding the problem. But finding a security problem while trying to break their security just points out that he's trying to break their security.

    Except that he's at risk by the system.

    If he did nothing, and then someone else copied his card and bought food, he'd have a right to sue. I don't understand why society is so bent on being reactionary instead of proactive.

  • Valued Service (unregistered) in reply to Valued Service

    This right here is the same mindset that says citizens shouldn't have guns to defend themselves with.

    But what if the bad people?!?

    We can't allow people to attempt to subvert the system in order to determine security flaws so the system can be strengthened.

    Allowing people the power to participate in protecting themselves allows nefarious power. Power should be centralized, so when it fails, everyone is at risk because a small subset of the community wasn't more proactive.

    But what if the bad people?!?

    No, you can't have your own lawyer to ensure your rights are protected and the law is correctly interpreted, just trust us. If we let that happen, some criminals would be able to get away with crime.

  • Valued Service (unregistered)

    So, Valued Service...

    You're saying someone should have the right to hire a trusted third party to test the security of a system that puts them at risk?

    Yes, yes I am.

  • Slapout (unregistered)

    You know, if someone had just discovered a major vulnerability in my system, he'd be the last person I'd want to upset.

  • Jeremy (unregistered) in reply to Valued Service
    Valued Service:
    This right here is the same mindset that says citizens shouldn't have guns to defend themselves with.

    But what if the bad people?!?

    We can't allow people to attempt to subvert the system in order to determine security flaws so the system can be strengthened.

    Allowing people the power to participate in protecting themselves allows nefarious power. Power should be centralized, so when it fails, everyone is at risk because a small subset of the community wasn't more proactive.

    But what if the bad people?!?

    No, you can't have your own lawyer to ensure your rights are protected and the law is correctly interpreted, just trust us. If we let that happen, some criminals would be able to get away with crime.

    Way to painfully shoe-horn that issue in. Not to mention, is it really the "anti gun" people "afraid of the bad people?"

    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.

  • anonymous (unregistered) in reply to Jeremy
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
    The thing I love the most about school shootings is that they serve as a painful reminder to all you ignorant fools that your lives CAN be put at risk at any moment.
  • baldheadedguy (unregistered)

    Of course, TRWTF here is that the poor guy didn't think to counter the firing with: "If you fire me, I will go public with this information."

    Perhaps he would've been able to keep his job at that point. :-)

  • nocry (unregistered)

    Seems the deadbeat finally got what was coming after crossing the line x number of times.

  • Rich (unregistered)

    I know this is a repost, but even the first time I thought of Randal Schwartz.

    Advice: even though you think it's whitehat, it's technically hacking (err, cracking, wtf it is this week). PointyHairedBosses that you laugh at because of "potato chip vs computer chip" will not understand the whitehat/blackhat divide.

    CYA. Get Auth.

  • (cs) in reply to Rich

    This is not technically hacking. The concept that even looking at what's on a magnetic strip in your possession is hacking is absurd. It didn't say he copied it.

  • Confused (unregistered) in reply to Rich
    Rich:
    I know this is a repost, but even the first time I thought of Randal Schwartz.
    When Intel bought McAfee, was that because Intel decided that Schwartz was right? Wouldn't it have been cheaper for Intel to buy Stonehenge?
  • Captain Oblivious (unregistered)

    This story is pretty absurd. You wouldn't need a "proof of concept" to point out the security flaw here. All you would have to do is take a look at your own id card and see that it is keyed to your university id number.

    Somebody compared this to climbing in your neighbor's window to remind them to lock their windows. This is almost literally like reading a badge the college lent you and noticing it has your social security number on it.

    So the question is, why didn't Egon lawyer up? He even had his boss's support.

  • (cs)

    File this under:

    No good deed goes unpunished.

    Of course when the object of the clone is your ex-wife's ATM card, it becomes closer to "duty".

  • Meep (unregistered) in reply to LB
    LB:
    The only reason he could have reasonably expected anything other than being fired is because they ignored so many other offenses that would have cost his job anywhere else.

    Companies will sometimes hire security consultants to try to break through their security in order to report vulnerabilities to them, but anyone who does so on their own without being asked to is simply breaking in.

    Egon had no business trying to clone his security badge. Of course he'd be fired for that. Now if he'd come across the problem legitimately, while doing something he should be or at least had permission to be doing, that would be a different matter. In that case, he wouldn't get fired and might even be thanked for finding the problem. But finding a security problem while trying to break their security just points out that he's trying to break their security.

    Trying to read a security badge is not an invasive action. Say the university had the numbers written on the badge in an "encrypted" form, and you looked at it and realized the number was simply written backwards. Your reading it, without taking any steps to decrypt it, is just applying common sense.

    What he did was simply decode the magstripe, which is simply reading by another means. Acts that prohibit tampering such as CFAA only prohibit decryption, not decoding.

  • Hannes (unregistered) in reply to anonymous
    anonymous:
    The thing I love the most about school shootings

    So, that means there are other things you "love" about school shootings?

  • gnasher729 (unregistered) in reply to anonymous
    anonymous:
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
    The thing I love the most about school shootings is that they serve as a painful reminder to all you ignorant fools that your lives CAN be put at risk at any moment.
    And here I was thinking that school shootings are a painful reminder of the dangers of owning guns. I saw photos of one guy playing with guns as a little child, no wonder his brain got all mushy and then he started shooting people. No guns in the home and this wouldn't have happened. If the guy hadn't been surrounded by guns all his life he would never have thought of shooting people.
  • awergh (unregistered) in reply to gnasher729
    gnasher729:
    anonymous:
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
    The thing I love the most about school shootings is that they serve as a painful reminder to all you ignorant fools that your lives CAN be put at risk at any moment.
    And here I was thinking that school shootings are a painful reminder of the dangers of owning guns. I saw photos of one guy playing with guns as a little child, no wonder his brain got all mushy and then he started shooting people. No guns in the home and this wouldn't have happened. If the guy hadn't been surrounded by guns all his life he would never have thought of shooting people.
    There's an interesting article on cracked.com (http://www.cracked.com/article_20396_5-mind-blowing-facts-nobody-told-you-about-guns.html) that challenges the idea that "if they didn't have guns they'd just use something else". Among other things, it shows the rate of suicide decreasing when coal-gas ovens became less common (and apparently most gun related deaths are self-inflicted - I know, who'da thunk it - gun owners are crazy paranoid suicidal dicks....)

    Of course, I'm never sure how serious anything on cracked.com is.....

  • Con-text or Pro-text? (unregistered) in reply to Jeremy
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead
    Sure they are. The pro-gun people are too.
  • Don (unregistered) in reply to gnasher729
    gnasher729:
    anonymous:
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
    The thing I love the most about school shootings is that they serve as a painful reminder to all you ignorant fools that your lives CAN be put at risk at any moment.
    And here I was thinking that school shootings are a painful reminder of the dangers of owning guns. I saw photos of one guy playing with guns as a little child, no wonder his brain got all mushy and then he started shooting people. No guns in the home and this wouldn't have happened. If the guy hadn't been surrounded by guns all his life he would never have thought of shooting people.
    Rubbish. The amount of guns is not a cause of violence; up until 2001 the highest gun count in the world was Switzerland, in fact adults were practically required to own at least one gun and be proficient in its use. Up until 2001, there had been no mass shootings in Switzerland, ever, and since 2001 changes were made due to a single mass shooting instance. In America, which up until 2001 was 2nd/3rd place; by 2001 had over 13 mass shootings. So it has nothing to do with how many guns per person, or access to guns per person.

    To sum up, mass shooting isn't a factor of guns per person, it's a factor of being depraved, mentally ill, or American...

  • Ozz (unregistered) in reply to Don
    Don:
    gnasher729:
    anonymous:
    Jeremy:
    Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
    The thing I love the most about school shootings is that they serve as a painful reminder to all you ignorant fools that your lives CAN be put at risk at any moment.
    And here I was thinking that school shootings are a painful reminder of the dangers of owning guns. I saw photos of one guy playing with guns as a little child, no wonder his brain got all mushy and then he started shooting people. No guns in the home and this wouldn't have happened. If the guy hadn't been surrounded by guns all his life he would never have thought of shooting people.
    Rubbish. The amount of guns is not a cause of violence; up until 2001 the highest gun count in the world was Switzerland, in fact adults were practically required to own at least one gun and be proficient in its use. Up until 2001, there had been no mass shootings in Switzerland, ever, and since 2001 changes were made due to a single mass shooting instance. In America, which up until 2001 was 2nd/3rd place; by 2001 had over 13 mass shootings. So it has nothing to do with how many guns per person, or access to guns per person.

    To sum up, mass shooting isn't a factor of guns per person, it's a factor of being depraved, mentally ill, or American...

    Bear in mind too that, with one exception (the Gabby Giffords shooting) all the shootings in the U.S.A. in which more than three people were killed happened in places where guns were banned.

  • Juan Perez (unregistered)

    Here in Chile, we have a national ID number, called the RUT (Tributary unique role number, maybe).

    When I was studying in the university, we used our RUT as user, and its 4 first digits as password to access to the web services.

    Someday, working with a friend in our thesis, we obtained a list with the RUT of every teacher, administrative, dean, everybody who worked there, from a public network shared folder... so, we tried to access to the grades system (called the teachers system, forbidden for a student) using the RUT and 4 first digits from a teacher and it worked. We showed to that teacher (who was my computer science teacher), and he phonecalled to the Big Chiefs. It was Thursday.

    Tuesday, I met with the IT Director. I worked with him in my thesis, so we started talking. He told me that every one on IT worked Fri, Sat, Sun, Mon to check what "the hackers" could have done with the access via RUT, as the CS teacher told, and he was thinking the big chiefs would fire him. So I told him what we did ("I am the haxx00r" I said), thrice... he was relieved, because we saved his ass (and his chief knew me and my friend, so they could believe that).

    End of year... he quitted (before he got fired).

    I know my engrish sucks. damn google translate.

  • anonymous (unregistered) in reply to Hannes
    Hannes:
    anonymous:
    The thing I love the most about school shootings

    So, that means there are other things you "love" about school shootings?

    Yes, I also love the fact that they rile up the anti-gun crowd on account of their not being school beatings, school acid attacks, school stabbings, school poisonings, school burnings, school bombings, or any of the aforementioned in malls, movie theatres, busses, airports, or any other non-school setting where people are found.

    The common element there was "where people are found", by the way.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to El Guaco
    El Guaco:
    If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.
    LB:
    Egon had no business trying to clone his security badge.
    I'm sorry, but I missed the part that said he actually made a duplicate card of any sort. Could you please point it out to me?

    He just read the contents of the stripe and decoded what was on it (with no encryption or anything) and found out it was his student ID number.

  • CyberUppie (unregistered)

    I had a similar experience at 'The Brick'. I was trying to get the new mouse working on the front desk system, so I ran the add new hardware wizard, which caused the cash drawer to pop open. Nothing disappeared from the drawer (I had alternate access to it as part of my job, so no concern there). I immediately closed the drawer, and reported the situation to the office manager, and the next day, was rewarded by being fired for "not fitting in". Funny thing is, everyone loved my work ethic, and were all equally surprised for the reason of my termination.

  • Biff (unregistered) in reply to Zacrath

    Which just goes to show you the correct response to a security vulnerability is to find a student patsy and sell IDs on the open market. At the least keep your mouth shut.

    The real WTF is that Egon didn't sign up for a night class, get a student ID, and proceed to collect "severance" from the PTB.

  • Norman Diamond (unregistered) in reply to Biff
    Biff:
    Which just goes to show you the correct response to a security vulnerability is to find a student patsy and sell IDs on the open market.
    The correct response to a security vulnerability is to advertise the stolen IDs in the Side Bar WTF forum. Akismet loves those, unlike some of our legitimate postings in the main forum.
  • Salagir (unregistered)

    A few comments on top : "And teachers wonder why they aren't valued by society." "Universities are notorious for this."

    May I remind you that this behavior was done by many companies. This isn't specific at all to school.

    As for the opened window metaphor, Egon didn't enter the house, he clearly only pointed out that the window was opened. The article mentions no copy, no hack, as someone says, just reading.

  • Emperor_Z (unregistered) in reply to nocry

    His job rarely required him to do anything. If he performs all of his required duties, but still has lots of time to spend how he chooses, how is he a deadbeat?

Leave a comment on “Classic WTF: The Firing Offense”
