• Wyrd (unregistered)

    I have a solution to the problem. What he should do is wait until approx. one year after his contract with them expired then

    1. go to a nearby library and anonymously verify that it's still easy to break in
    2. go to a nearby hackerz den and anonymously inform them exactly how to break in and exactly why it really ought to be done right now.
    3. (optional) after the hackers do enough damage, go to a nearby major news outlet and anonymously inform them that a bunch of hackers just broke in to <oh-so-important-site> and how easy it was for them to do it because the suits in charge did not take security seriously.

    That should pretty much take care of the security issues for that site. Yes, I realize it's a rather hard road, but well, sometimes that's what it takes. It would have been nice if they'd listened at the original meeting.

    -- Furry cows moo and decompress.

  • Wyrd (unregistered) in reply to I don't see it..
    I don't see it..:
    I'd lay Jim off. Exactly what sort of attacker is he trying to defend against? I suspect what Paul meant (or actually said) was 'we cannot guard against malice by system administrators'.

    Encrypting the database would probably quarter performance for no gain. If they've already got shell access, there's no reason they cannot look at the initialisation scripts to find the decryption key rendering it moot anyway.

    If they can modify files on the database server they have full access. You cannot guard against a malicious admin - don't even try, you'll only annoy them. They are responsible for the data, not you.

    For all you know, a rogue admin has made a SAN snapshot and done any and all kinds of brute force attacks in an isolated virtual machine - and there's nothing you can do to detect this.

    Long story short: I'm not seeing the 'security vulnerability' that Jim thinks he found. It's like complaining that if a home owner removes the lock to his front door, the door is no longer secure.

    (And an encrypted file system? There's a good chance that an attacker would still see the data via the mounted encrypted volume - so they wouldn't even have to decrypt it! And obviously encryption doesn't protect against SQL injection.)

    If an admin really went malicious, they'd just stick a key logger on everyone's machines rather than bothering with this, anyway.

    I think actually that it is possible to guard against malicious admins. Not all admins have to have the same level of authority, and even when an admin has near god-like power over a system you can still break up key segments to different admins in different areas such that it would require the collusion of several to do real damage. (duh)

    I wouldn't bother calling you out on this except that, in TFA, it was very clear that this was one of those Ultimate Security style situations where it's actually appropriate to secure the servers with lots and lots of paranoia. Or at least that's how they were handling their physical security.

    To not apply the same level of paranoia in securing the electronic access as you do to the physical access is naive, lazy and foolish at least and egregiously incompetent at worst.

    IMHO, anyway.

    -- Furry cows moo and decompress.

  • rycamor (unregistered) in reply to jimicus
    jimicus:
    rycamor:
    3. Exactly WHAT is J. Random Web User doing in the Unix shell anyway? Until we get to the bottom of this, that is TRWTF.

    Irrelevant - you don't need a Unix shell to do damage at root level, you just need some means of accessing data. In any case, the word "cookie" doesn't necessarily prove it's a web application.

    The 'psql' command mentioned in the story is a shell command. There is no other way to use it. And, the example (psql -d xxxxxx-db-name) will only work if you are logged in to the server itself, not connecting remotely from another instance of psql. The story makes no sense, unless this is a situation where users get some sort of shell access to the server.

  • (cs) in reply to rycamor
    rycamor:
    jimicus:
    rycamor:
    3. Exactly WHAT is J. Random Web User doing in the Unix shell anyway? Until we get to the bottom of this, that is TRWTF.

    Irrelevant - you don't need a Unix shell to do damage at root level, you just need some means of accessing data. In any case, the word "cookie" doesn't necessarily prove it's a web application.

    The 'psql' command mentioned in the story is a shell command. There is no other way to use it. And, the example (psql -d xxxxxx-db-name) will only work if you are logged in to the server itself, not connecting remotely from another instance of psql. The story makes no sense, unless this is a situation where users get some sort of shell access to the server.

    To be fair, Alex & Co. often "anonymize" and "embellish" the stories to a certain extent. This does sometimes cause them to no longer A) make any sense and/or B) be funny.

  • (cs) in reply to slinger
    slinger:
    No, really - Month/Day/Year IS A WTF. Somehow I find Day/Month/Year to be better structured way of representing the date. Anyway, I realize that people who use Month/Day/Year are the same people who measure their height with "FEET".
    As opposed to the ones who use Day/Month/Year and measure their weight in stone?
  • Eric (unregistered) in reply to rycamor
    rycamor:
    jimicus:
    rycamor:
    3. Exactly WHAT is J. Random Web User doing in the Unix shell anyway? Until we get to the bottom of this, that is TRWTF.
    Irrelevant - you don't need a Unix shell to do damage at root level, you just need some means of accessing data. In any case, the word "cookie" doesn't necessarily prove it's a web application.

    The 'psql' command mentioned in the story is a shell command. There is no other way to use it. And, the example (psql -d xxxxxx-db-name) will only work if you are logged in to the server itself, not connecting remotely from another instance of psql. The story makes no sense, unless this is a situation where users get some sort of shell access to the server.

    It still doesn't matter if that one example is a shell command or not. The point of encrypting a database is to prevent someone from being able to use any data that they take, regardless of how they get it.

    I'm no expert, but I know that one of the bigger concerns of security is contingency. It's not always enough to ask IF someone can get your data, since there's plenty of ways to do that, especially if the application communicates directly over a network; you need to be ready for WHEN someone gets your data, and THAT is why important data should be encrypted.

  • a brit (unregistered) in reply to lyml
    lyml:
    the real WTF is the american date system, two point seventyfive should have been what he said

    CAPTCHA: tristique

    Sorry - they got it right. Except the year. That should come first.

    Oh it should be minus signs. So 2009-08-22

    or in daft form: 1979

  • sysKin (unregistered)

    I think there's a simple explanation for that.

    See, the firm was in the business of "building a security system" not "keeping stuff secure".

    If an employee is asked for a password to get a file, that's security. If he needs to make a retina scan, that's even better security.

    Whether the files are also accessible without such measures is not the firm's business - after all, if a client chooses to not use his security it's his loss.

    It's like buying a painting and then keeping it covered. Painting's there, painter's job is done, you can't blame him.

    See? makes perfect sense.

  • McSteve (unregistered) in reply to You-do-not-want-to-know
    You-do-not-want-to-know:
    They had chosen this company because they were also used to manage the maps for another company, ..

    .. a nuclear reactor based power plant.

    As interesting as your story is, I have to call B.S. on this supposed shocking ending. Let's face it: it's a map database, just a map database; it's not the system that positions the control rods in the reactor. The company sounds like a bunch of screw-ups, but it's not really relevant that one of their other customers happens to be a utility that runs a nuke plant.

    Should we suddenly fear the incompetence of a company that reloads soda machines when we learn that the same company services the employee break room at a nuke plant?

  • (cs)

    Beg pardon? I would have twigged far earlier that something was up.

    all electronic devices (iPods and cell phones) had to be approved by management before they could be brought in. This was serious security.
    That last sentence is not true. It is not "serious" by any count.
    With security stopping just shy of cavity searches at the beginning of the day
    Like perhaps, a blanket ban on iPods and cell phones? Allowing some after looking at them is simply not secure.
  • (cs) in reply to rsynnott
    rsynnott:
    Hold on, an _encrypted_ database? Certainly you want authentication, and login from controlled areas, but encrypted? Is this common? I can see it just about COULD be done (at least for data; NOT indexes), but it seems like a lot of overhead for dubious benefit.

    Judging from the command line ‘psql -d xxxxxx-db-name’ I thought he meant "password-protected", not "encrypted". If you make that substitution in the story, it seems more reasonable.

  • Bobble (unregistered)

    This kinda reads like the Brokeback Mountain of WTFs.

    “You know, most engineers would’ve stopped that sentence a word earlier,” Mike replied with a chuckle. “I got you something from CompUSA. Come over here and get it, lover.”

    “Point three six, then I'll have to quit you.”

  • Anonymoose (unregistered) in reply to OldCoder
    OldCoder:
    Julius Caesar:
    Sean:
    I've been raised saying "January 3rd" or "September 22nd" all my life therefore it's natural to write 1/3 or 8/22. If I had been raised to say "the 3rd of January" or "the 22nd of September" then I'd probably write 3/1 and 22/8 as well.
    Uh, BTW do you realize that September 22nd is the same as 9/22?
    Nah. His months start at zero.
    Wait... does that mean his months go to 11?
  • (cs) in reply to bohica61
    bohica61:
    Judging from the command line ‘psql -d xxxxxx-db-name’ I thought he meant "password-protected", not "encrypted". If you make that substitution in the story, it seems more reasonable.

    This.

  • grammernazee (unregistered) in reply to Anonymoose
    Anonymoose:
    Wait... does that mean his months go to 11?
    This so deserves to be blued. Nice one.
  • Jon H (unregistered) in reply to Sean
    Sean:
    I've been raised saying "January 3rd" or "September 22nd" all my life therefore it's natural to write 1/3 or 8/22. If I had been raised to say "the 3rd of January" or "the 22nd of September" then I'd probably write 3/1 and 22/8 as well.

    Then you should write "10:11" for "ten past eleven" because you probably have been raised to say "ten past eleven" all your life.

  • petere963 (unregistered) in reply to clickey McClicker

    The English speaking world uses 6 Jan 2009 as well - it's just the American speaking world that gets it the wrong way round ....

  • Corey (unregistered) in reply to Jon H
    Jon H:
    Sean:
    I've been raised saying "January 3rd" or "September 22nd" all my life therefore it's natural to write 1/3 or 8/22. If I had been raised to say "the 3rd of January" or "the 22nd of September" then I'd probably write 3/1 and 22/8 as well.

    Then you should write "10:11" for "ten past eleven" because you probably have been raised to say "ten past eleven" all your life.

    Sorry, but nobody over here talks like that. It's "eleven ten."
  • (cs)

    Reminds me of the time i pointed out to my Boss that his beloved app could have payment skipped by adding CCAuth=true to the query string....

    I was told to "Not to worry about it."
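    The bug this comment describes, a checkout that believes a client-supplied CCAuth=true, beside a version that consults server-side state, plus a log scan for attempts to forge the flag. This is an added example, not code from the thread or from the poster's application; the order IDs, the authorized-orders table and the log lines are constructed for illustration.

```python
"""Added example, not code from the thread: a checkout handler that trusts a
client-supplied CCAuth=true flag, beside one that consults server-side state,
plus a log scan for attempts to forge the flag. Names, orders and log lines
are constructed for illustration."""
from urllib.parse import parse_qs

# Constructed: orders the payment gateway has actually authorized. In a real
# system this is written by the gateway callback, never by a browser request.
AUTHORIZED_ORDERS = {"order-1001"}

# Constructed access-log lines (method, path, protocol) for the detection part.
SAMPLE_LOG = [
    "GET /checkout?order=order-1001 HTTP/1.1",
    "GET /checkout?order=order-9999&CCAuth=true HTTP/1.1",
    "GET /cart?item=42 HTTP/1.1",
]


def _order_id(params: dict) -> str:
    return params.get("order", [""])[0]


def vulnerable_checkout(query_string: str) -> str:
    """The pattern described in the comment: the client says it paid, so it did."""
    params = parse_qs(query_string)
    if params.get("CCAuth", [""])[0] == "true":
        return f"shipped {_order_id(params)}"
    return "payment required"


def hardened_checkout(query_string: str) -> str:
    """Ignores every client-supplied flag; only the server-side record decides."""
    params = parse_qs(query_string)
    order = _order_id(params)
    if order in AUTHORIZED_ORDERS:
        return f"shipped {order}"
    return "payment required"


def find_forged_auth_requests(log_lines) -> list:
    """Detection: a legitimate client never sends CCAuth, so any request that
    carries it in the query string is a tampering attempt worth alerting on."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parts[1].partition("?")[2]
        if "CCAuth" in parse_qs(query):
            hits.append(line)
    return hits


if __name__ == "__main__":
    forged = "order=order-9999&CCAuth=true"
    print("vulnerable:", vulnerable_checkout(forged))   # ships an unpaid order
    print("hardened:  ", hardened_checkout(forged))     # payment required
    print("forgery attempts:", find_forged_auth_requests(SAMPLE_LOG))
```

The hardened handler does not reject the flag; it simply never reads it, so there is nothing for the client to tamper with. The detection function is worth running over historical logs too: if the parameter name was ever sent from a browser, somebody already knew.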

  • petere963 (unregistered) in reply to petere963
    petere963:
    The English speaking world uses 6 Jan 2009 as well - it's just the American speaking world that gets it the wrong way round ....

    petere963 here, disregard that, I suck cocks.

  • NH (unregistered) in reply to danixdefcon5
    danixdefcon5:
    Sean:
    lyml:
    the real WTF is the american date system, two point seventyfive should have been what he said

    CAPTCHA: tristique

    I've been raised saying "January 3rd" or "September 22nd" all my life therefore it's natural to write 1/3 or 8/22. If I had been raised to say "the 3rd of January" or "the 22nd of September" then I'd probably write 3/1 and 22/8 as well.

    I say "January 5" in English as well, however I write 5/1 because I'm used to writing full dates, where 5/1/2009 makes sense, but 1/5/2009 doesn't.

    Bleh, I now use the ISO standard anyway: 2009-01-05.

    And it's a lot easier to do a text sort on ISO dates.
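    The text-sort property NH mentions, checked against the two slash formats argued over above, plus a small parser that shows when a slash date reads differently to an M/D/Y and a D/M/Y reader. This is an added example, not code from the thread; the sample dates are constructed.

```python
"""Added example, not from the thread: why ISO 8601 strings sort correctly as
plain text while M/D/Y and D/M/Y strings do not, and how a slash date can parse
to two different days depending on the reader's locale. Dates are constructed."""
from datetime import date

# Constructed: the same five dates in ISO 8601 form.
ISO_DATES = ["2009-01-05", "2009-08-22", "2008-12-31", "2009-01-12", "2010-02-01"]


def parse_iso(s: str) -> date:
    return date.fromisoformat(s)


def to_slash(iso: str, day_first: bool) -> str:
    """Render an ISO date as D/M/Y (day_first) or M/D/Y without zero padding."""
    y, m, d = iso.split("-")
    return f"{int(d)}/{int(m)}/{y}" if day_first else f"{int(m)}/{int(d)}/{y}"


def parse_slash(s: str, day_first: bool) -> date:
    """Parse a slash date under one fixed convention; raises on impossible months."""
    a, b, y = (int(x) for x in s.split("/"))
    d, m = (a, b) if day_first else (b, a)
    return date(y, m, d)


def text_sort_is_chronological(strings, parse) -> bool:
    """Does a plain string sort agree with sorting by the parsed date?"""
    return sorted(strings) == sorted(strings, key=parse)


def possible_readings(s: str) -> list:
    """Distinct dates a D/M/Y reader and an M/D/Y reader would get from s.
    One entry means unambiguous; two means the string is locale-dependent."""
    readings = set()
    for day_first in (False, True):
        try:
            readings.add(parse_slash(s, day_first))
        except ValueError:  # e.g. month 22 does not exist
            pass
    return sorted(readings)


if __name__ == "__main__":
    us = [to_slash(x, day_first=False) for x in ISO_DATES]
    eu = [to_slash(x, day_first=True) for x in ISO_DATES]
    print("ISO sorts as text:  ", text_sort_is_chronological(ISO_DATES, parse_iso))
    print("M/D/Y sorts as text:", text_sort_is_chronological(us, lambda s: parse_slash(s, False)))
    print("D/M/Y sorts as text:", text_sort_is_chronological(eu, lambda s: parse_slash(s, True)))
    print("1/5/2009 could be:  ", possible_readings("1/5/2009"))
```

The practical point for log and file handling is the last function: a value like 1/5/2009 has two valid readings, so a parser that silently picks one by locale will sort, filter and correlate events wrongly without ever raising an error.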

  • Me (unregistered)

    How about this: The next time you find a security hole like that, walk up to some hacker community and give them the intel. Done!

  • (cs) in reply to grammernazee
    grammernazee:
    Zylon:
    That ".36" nonsense managed to turn a neat little WTF into nothing but an incredibly lame joke with an excruciatingly long setup.
    Agreed. Even a true geek wouldn't "store" a date as a decimal number. Apart from anything else, 0.36 could be 4/11 or 5/14 or 8/22 or 9/25 or 10/28 (and yes, I'm sad and not busy enough, and had time to work them all out!). Either he's a git, or this story is lame, or both. Oh and also, of course US date format is dumb; it's not "boring" to point that out - it's just one of the joys of not being 'merican, and not having to write things backwards. Mind you, the German language is equally daft "zwei-und-zwanzig", what's that all about?!
    It's about twenty past two ...

    An interesting example of bilateral cultural bias there: I'd have thought a Grammar Nazi (which seems to be the universal term of opprobrium for people who actually try to get things right, rather than for nit-picking anal retentives) would have taken a broader view of Germanic languages in general.

    I mean, "eleven, twelve"/"elf, zwolf"/"elva, tolv," what's that all about?

    This response actually led me to look up a relevant article, for which many thanks. Turns out that almost all languages, beyond those that count as "one, two, many," pick a point on the cardinal scale where the numbering system becomes "big-endian." Quite a few of them start immediately there's a need to take the socks off. German happens to wait until three figures, but even German submits at that point.

    French is predictably weird. It waits until 17 before going the obvious way, and even then manages to make the 80s and 90s pointlessly complicated (unless you're a Quebecois, in which case the French will, predictably again, laugh at you).

    But, as I say, the really odd thing is this 11/12 business. Languages in general take the sensible approach of stringing new numeric compounds together at basal powers; why Germanic languages differ in this respect is beyond me.

    Oh, and I suspect that "zwei-und-zwanzig" is a by-product of excessive saliva. You might be able to say "zwanzig-zwei" without covering your inamorata with spittle; I can't.

  • Brady Kelly (proudly in Jo'burg) (unregistered) in reply to Capt. Obvious
    Capt. Obvious:
    damoxdefcon5:
    I say "January 5" in English as well, however I write 5/1 because I'm used to writing full dates, where 5/1/2009 makes sense, but 1/5/2009 doesn't.
    I say January 5th, 2009, so 1/5/2009 makes sense to me.

    That said, for all filenames, I prefer YYYY-MM-DD. Screw the people in the year 10,000

    So, what's wrong with YYYYY-MM-DD?

  • grammernazee (unregistered) in reply to pink_fairy
    pink_fairy:
    An interesting example of bilateral cultural bias there: I'd have thought a Grammar Nazi (which seems to be the universal term of opprobrium for people who actually try to get things right, rather than for nit-picking anal retentives) would have taken a broader view of Germanic languages in general.
    I admit to being nit-picking and anally retentive. I'm not complaining here, just commenting on the quirkiness of saying "Hundert zwei-und-zwanzig", ie ordered 1-3-2.
    pink_fairy:
    French is predictably weird. It waits until 17 before going the obvious way, and even then manages to make the 80s and 90s pointlessly complicated (unless you're a Quebecois, in which case the French will, predictably again, laugh at you).
    And Belgians too. Actually, almost all French-speakers except in France say octante and nonante, I think.
    pink_fairy:
    Oh, and I suspect that "zwei-und-zwanzig" is a by-product of excessive saliva. You might be able to say "zwanzig-zwei" without covering your inamorata with spittle; I can't.
    Interesting point, but I don't think the issue is that logically driven. I wonder if any regular German speakers have thought of using "zwanzig-zwei" in a sort of punk way, in the same way that text-speak and "yooof" spelling are partially a rebellion against the establishment.
  • (cs) in reply to grammernazee
    grammernazee:
    pink_fairy:
    An interesting example of bilateral cultural bias there: I'd have thought a Grammar Nazi (which seems to be the universal term of opprobrium for people who actually try to get things right, rather than for nit-picking anal retentives) would have taken a broader view of Germanic languages in general.
    I admit to being nit-picking and anally retentive. I'm not complaining here, just commenting on the quirkiness of saying "Hundert zwei-und-zwanzig", ie ordered 1-3-2.
    pink_fairy:
    French is predictably weird. It waits until 17 before going the obvious way, and even then manages to make the 80s and 90s pointlessly complicated (unless you're a Quebecois, in which case the French will, predictably again, laugh at you).
    And Belgians too. Actually, almost all French-speakers except in France say octante and nonante, I think.
    pink_fairy:
    Oh, and I suspect that "zwei-und-zwanzig" is a by-product of excessive saliva. You might be able to say "zwanzig-zwei" without covering your inamorata with spittle; I can't.
    Interesting point, but I don't think the issue is that logically driven. I wonder if any regular German speakers have thought of using "zwanzig-zwei" in a sort of punk way, in the same way that text-speak and "yooof" spelling are partially a rebellion against the establishment.
    Go on, look at the linked article -- I dare you.

    I'm hoping to head out to French Polynesia and the more exotic bits of Outre-Mer later in the year. Also, possibly, Guadeloupe and Martinique -- two of the only five interesting islands in the Caribbean, the downsides to the others being dreariness (Cuba), violence (Jamaica) and I'm-no-oilman-me, and shut the fuck up with the banging on cans (Trinidad).

    I'll test your assertion then. I'd love to test it against Flemmischers, but I assume they don't give a damn either way.

  • (cs) in reply to pink_fairy
    pink_fairy:
    An interesting example of bilateral cultural bias there: I'd have thought a Grammar Nazi (which seems to be the universal term of opprobrium for people who actually try to get things right, rather than for nit-picking anal retentives) would have taken a broader view of Germanic languages in general.

    I mean, "eleven, twelve"/"elf, zwolf"/"elva, tolv," what's that all about?

    A remnant of the old base-12 number system.

    This response actually led me to look up a relevant article, for which many thanks. Turns out that almost all languages, beyond those that count as "one, two, many," pick a point on the cardinal scale where the numbering system becomes "big-endian." Quite a few of them start immediately there's a need to take the socks off. German happens to wait until three figures, but even German submits at that point.

    French is predictably weird. It waits until 17 before going the obvious way, and even then manages to make the 80s and 90s pointlessly complicated (unless you're a Quebecois, in which case the French will, predictably again, laugh at you).

    A remnant of the old base-20 number system. That should not be surprising to english speakers beyond the age of three score and ten. Concerning non-french speakers of almost french languages, I heard "huitante" and the like several times in switzerland, but they always corrected themselves quickly after a raised eyebrow.

    But, as I say, the really odd thing is this 11/12 business. Languages in general take the sensible approach of stringing new numeric compounds together at basal powers; why Germanic languages differ in this respect is beyond me.
    I don't think it's odd, just a little inconvenient. It's natural that all numbers up to your base have individual primitive names. Of course they shouldn't have survived the switch to base 10.
    Oh, and I suspect that "zwei-und-zwanzig" is a by-product of excessive saliva. You might be able to say "zwanzig-zwei" without covering your inamorata with spittle; I can't.
    But that can't be the reason for the greek undeka, dodeka, can it?
  • Lumberg (unregistered) in reply to Kerio
    Kerio:
    when you are a pow4h government agency, there's no limit to the security you can get

    well, apparently there's no security, either :(

    would the performance really decrease by storing a relational database on a truecrypt disk?

    There wouldn't really be any point. A Truecrypt filesystem's encryption is only effective when you unmount the system and remove the decryption key from the host machine. From the point of view of a hacker communicating with a DB server that accesses this filesystem, the data would appear to be unencrypted.
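    The distinction Lumberg draws here, and that Eric's earlier comment is reaching for: a database sitting on a mounted encrypted volume hands plaintext to every SQL client, including an admin with psql on the host, whereas a field encrypted by the application with a key that never reaches the database host stays opaque to that admin. This is an added example, not code from the thread or from any product discussed; the client rows are constructed, and the cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag used only because it needs no third-party library (in production you would use AES-GCM from a real cryptography library).

```python
"""Added example, not from the thread: the difference between a database on a
mounted encrypted volume (every SQL client, including a rogue admin with psql on
the host, gets plaintext) and field-level encryption whose key lives only in
the application tier (the DBA sees opaque blobs). The sample clients are
constructed; the cipher is an HMAC-SHA256 counter-mode construction with an
encrypt-then-MAC tag, a standard-library stand-in for AES-GCM."""
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample rows; the second column is the sensitive one.
SAMPLE_CLIENTS = [("alice", "123-45-6789"), ("bob", "987-65-4321")]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one application key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_db(app_key: bytes) -> sqlite3.Connection:
    """The application tier encrypts before INSERT; the key never reaches the DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    conn.executemany("INSERT INTO clients (name, ssn) VALUES (?, ?)",
                     [(n, encrypt_field(app_key, s.encode())) for n, s in SAMPLE_CLIENTS])
    return conn


def dump_as_dba(conn: sqlite3.Connection) -> list:
    """What anyone with a shell and a SQL client on the DB host sees. On a
    merely disk-encrypted volume this query would already return plaintext."""
    return conn.execute("SELECT name, ssn FROM clients ORDER BY id").fetchall()


def read_as_application(conn: sqlite3.Connection, app_key: bytes) -> list:
    return [(name, decrypt_field(app_key, blob).decode())
            for name, blob in dump_as_dba(conn)]


def plaintext_leaked(conn: sqlite3.Connection) -> bool:
    """True if any sensitive value is recoverable from the raw rows."""
    raw = b"".join(bytes(blob) for _, blob in dump_as_dba(conn))
    return any(ssn.encode() in raw for _, ssn in SAMPLE_CLIENTS)


if __name__ == "__main__":
    key = os.urandom(32)  # held by the application, not the DB host
    db = build_db(key)
    print("DBA sees:", dump_as_dba(db))
    print("app sees:", read_as_application(db, key))
```

This only helps under the threat model the thread is arguing about, a reader of the stored data who does not also hold the application key; as jimicus says, if the key sits in an init script on the same host, a shell on that host defeats it. Note also what is lost: the encrypted column cannot be indexed or searched server-side, which is the overhead rsynnott alludes to.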

  • Me (unregistered) in reply to ricecake
    ricecake:
    clickey McClicker:
    Also...I write dates 6 Jan 2009. No confusion or accidental "unit conversions." People ask if I'm in the military because they apparently use that format. I tell them no and it's nice to be paid well too.
    I don't see how "January 6, 2009" (or even "Jan 6, 2009") has any more potential for confusion than "6 Jan 2009", unless the other person doesn't speak English and doesn't know what "Jan" or "January" are.

    Regardless, I also use ISO-8601 date format whenever I can.

    Bah, just use UNIX time and forget about it

  • nobody (unregistered)

    Alex fix your CAPTCHA.

  • eric bloedow (unregistered)

    come on, this is a company that MAKES security programs to guard against hackers, and it never once occurred to a single one of the higher-ups to protect THEMSELVES against hackers?! WTF indeed. some of the comments reminded me of a terrifying story, which one of the authors called "THE most frightening story i've ever heard"...a book called "@ Large". it's the story of how a retarded kid, yes, LITERALLY retarded, using a few simple hacker tricks he picked up on the internet, a simple computer, and lots of time, hacked into hundreds of companies and stole thousands of people's passwords...seriously, he hacked into an internet provider's company computers and set up a program to steal the passwords of every user...and it stole SO MANY that it filled the entire hard drive and crashed the system! and until that crash, NOT A SINGLE EMPLOYEE NOTICED THE BREACH IN SECURITY! perhaps the scariest part was when an FBI man asked the hacker if he had ever found a system he couldn't break into, and he said no.

  • SomeName (unregistered)

    Just report it anonymously to some government institution claiming management refuses to fix the security issues (also show how to hack it) and watch it all burn.


Leave a comment on “Curiosity, Ignorance, Malice”