• (cs)

    Yay! A happy ending!

    he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas

    snicker

  • (cs)

    So... the real WTF is that "Herbert Helpdesk" is a corporate drone and a shitbag who likes to get other folks fired, yes?

  • (cs)

    Makes me wonder if anything happened to Herbert Helpdesk for his incompetent response.

  • The cow says.... (unregistered) in reply to AbbydonKrafts
    AbbydonKrafts:
    Yay! A happy ending!
    he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas

    snicker

    Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

    Although I did once know someone who called herself "Squirrel Girl". Hmmm...

  • CrazyTastey (unregistered)

    Herbert better watch his back when F.B. is around now...

  • (cs) in reply to Beowulff
    Beowulff:
    Makes me wonder if anything happened to Herbert Helpdesk for his incompetent response.

    I'd like to know the same thing.

    The cow says....:
    Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

    Maybe they stunned them first. shrug

    You like a happy ending? Ory $5 dollah

  • a nonny mouse cow ard (unregistered)

    Yeah I notified folks at my company of a similar security hole. Word got back to IT and I nearly got punched out -- physically. My user account got deleted along w/ my network backup volume. Plus I got accused, by Personnel, of "hacking" [sic] and misusing email.
    In the end, the IT guys left the company, the software team (I'm not a member) congratulated me, and the hole did get fixed.

    Would I do it again? Not a F-ing chance. Let someone else get yelled at.

    for real: captcha: Darwin. How evolutionary!

  • (cs)

    It's just too bad that the web server can't keep track of this information and you have to put it in a cookie yourself...

    I wonder how long F.B. was stuck in limbo. Did they have an immediate fix and do an emergency push to production?

    Authentication/authorization components usually touch a lot of pages and the testing is a bitch. Who am I, what should I be seeing, and what shouldn't I be seeing?
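The bug the thread is talking about, a user name kept in plain text in a cookie, beside two ways the server can keep that state itself. This is an added example, not code from the article or from any commenter; the user names and the role table are constructed for it.

```python
import hmac
import hashlib
import secrets

# Constructed sample data for this added example: a role table standing in
# for the application's user directory. The names are made up.
ROLE_TABLE = {"fb": "user", "god": "admin"}


def parse_cookie_header(header):
    """Split a Cookie: header value into a name -> value dict."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


# --- The flaw from the story: trust a user name stored in plain text ---
def role_from_plaintext_cookie(cookie_header):
    """Whatever name the browser sends back is who the server believes you are."""
    jar = parse_cookie_header(cookie_header)
    return ROLE_TABLE.get(jar.get("user"), "anonymous")


# --- Fix 1: server-side sessions; the cookie carries only a random id ---
SESSIONS = {}  # session id -> user name, held on the server, never in the cookie


def issue_session(username):
    """Create a session after the user has actually authenticated."""
    sid = secrets.token_urlsafe(24)  # 192 bits of randomness, not guessable
    SESSIONS[sid] = username
    return sid


def role_from_session_cookie(cookie_header):
    jar = parse_cookie_header(cookie_header)
    username = SESSIONS.get(jar.get("sid"))
    return ROLE_TABLE.get(username, "anonymous")


# --- Fix 2: if state must live in the cookie, sign it with a server secret ---
SECRET_KEY = secrets.token_bytes(32)  # per-deployment key; generated here for the demo


def signed_cookie_value(username):
    """Return 'username.mac' where mac is HMAC-SHA256 over the user name."""
    mac = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def role_from_signed_cookie(cookie_header):
    jar = parse_cookie_header(cookie_header)
    value = jar.get("auth", "")
    username, sep, mac = value.rpartition(".")
    if not sep:
        return "anonymous"
    expected = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check cannot be timed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return "anonymous"
    return ROLE_TABLE.get(username, "anonymous")


if __name__ == "__main__":
    print(role_from_plaintext_cookie("user=fb"))      # user
    print(role_from_plaintext_cookie("user=god"))     # admin: an edited cookie is honoured
    sid = issue_session("fb")
    print(role_from_session_cookie(f"sid={sid}"))     # user
    print(role_from_session_cookie("sid=god"))        # anonymous
    token = signed_cookie_value("fb")
    forged = "god" + token[token.index("."):]
    print(role_from_signed_cookie(f"auth={token}"))   # user
    print(role_from_signed_cookie(f"auth={forged}"))  # anonymous
```

The server-side session is the usual answer (and what the commenter is hinting the web server already offers); the signed cookie is for the case where the state really has to travel with the browser. In both, the role is looked up on the server from something the client cannot mint, which is the whole difference from the plain-text version.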

  • Matt (unregistered)

    Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.

  • Jebus (unregistered)

    Thank god for the smart CIO.

  • Monkey sees you now (unregistered) in reply to Matt
    Matt:
    Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.

    Did I misread something? He didn't get in trouble. He got kudos for finding and reporting the problem. The only person who got his panties in a knot was some help desk lackey who probably did not know what any of the big words meant.

  • Worf (unregistered) in reply to Monkey sees you now
    Monkey sees you now:
    Matt:
    Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.

    Did I misread something? He didn't get in trouble. He got kudos for finding and reporting the problem. The only person who got his panties in a knot was some help desk lackey who probably did not know what any of the big words meant.

    No, you didn't misread. However, the general consensus is that finding security issues means that you've been "hacking" the network (which in most places means you'll be escorted out of the building). There's a tendency to blame the messenger/reporter rather than actually wanting to fix the issue. It's kinda sad, but a fairly accurate representation of the world.

    The only good part was that the CIO was actually competent and understood that F.B. found a serious security hole...

  • (cs)

    I am so glad he got kudos from the CIO. It would be about par if he got a flaming from him as well though.

    From experience, people who don't know much about computers have a serious problem with you trying to explain to them that their system has a flaw and needs to be patched. They automatically assume that you are some master hacker and you should be punished for compromising their system.

  • snoofle (unregistered) in reply to Kane.Elson

    So the CIO is God? Well, the title does have more capital letters...

  • Jon (unregistered)

    That's why you never "officially" tell IT about security holes. "Hey Bob, a friend of mine found this and asked me to tell it to you guys since I know you... is this something you care about?" Bob can then go to his manager and take credit, and since there is no paper trail, it's harder to get in trouble.

    (disclaimer: I'm a network admin. I want my users to tell me about holes, regardless of whether through email, phone call, or face to face. If someone tells me about a hole and wants to remain anonymous, I will not tell my manager who they are. I refuse to shoot the messenger)

  • nobody (unregistered)

    Guy walks into a building.

    "Hey! How did you get in here? The door is locked!"

    "Do you know you left the key hanging on a string by the door?"

    "I'm calling the police! Breaking and entering"

  • Obvious Troll (unregistered)

    I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.

  • Mithrandir (unregistered)

    Not to be a wet blanket, but given how long the hole had been present, how egregious it was, and how quickly the fix was asserted, I find myself wondering how well fixed the hole actually was... like, maybe they now use triple-encoded rot13 to encrypt the user name or something...

  • Goldie (unregistered)

    Wow, so their helpdesk isn't in Bangalore? That's pretty rare. In a situation like this, I'd talk personally to a close friend in the network group and avoid leaving a paper trail. It goes without saying that you should have a close friend in the network group at all times. Ah, the things I learned while working for a Fortune 500.

  • (cs)

    I think the issue here is that he didn't realize he was being logged until it was too late. The paper trail, in one sense, was already there to begin with.

  • (cs) in reply to The cow says....
    The cow says....:
    AbbydonKrafts:
    Yay! A happy ending!
    he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas

    snicker

    Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

    Although I did once know someone who called herself "Squirrel Girl". Hmmm...

    You obviously never heard of Squirrel Nut Zippers

  • EmmanuelD (unregistered) in reply to Obvious Troll
    Obvious Troll:
    I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.
    Well, most of the stories I heard about Sodom and Gomorrah usually begin with "God is really, really farked up about these little free towns, where everybody's having fun and spreading STDs". Not sure that any prophets took upon this, but hey, who knows. The RSS on blog.prophetactions.com/abraham was down at this time, and God got all the credits.
  • Hunter (unregistered) in reply to EmmanuelD
    EmmanuelD:
    Obvious Troll:
    I've always suspected that the Gods themselves aren't nearly as vengeful as their prophets.
    Well, most of the stories I heard about Sodom and Gomorrah usually begin with "God is really, really farked up about these little free towns, where everybody's having fun and spreading STDs". Not sure that any prophets took upon this, but hey, who knows. The RSS on blog.prophetactions.com/abraham was down at this time, and God got all the credits.

    NSFW:

    http://www.superdeluxe.com/sd/contentDetail.do?id=D81F2344BF5AC7BB77D6A0E55069BD0A9B3A52CB005FA7D7

  • Demaestro (unregistered)

    I hate when white hat "hacking" is used as a negative thing.

    To me it is only hacking when you are doing it with less than honorable intentions..... plus, is changing the value of a plain text cookie really hacking? This is almost security through obscurity.

    It would be like one day I come into the office and decide to use the default security code for the system we are using to see if it still excepts it. Then coming forward to say, "Hey, the alarm still takes the alarm company default code which is listed in all its user manuals."

    And then being told "Breaking into the office is grounds for termination"

    Stupid... glad it went the way it should. They should have given him a bonus.

    CAPTCHA: smile

  • Danny (unregistered)

    I was sure that the story would end with him using his newfound admin privileges to delete the incriminating email...

  • Rich (unregistered)
    in the gaddah da vidah

    By I. Ron Butterfly.

    captcha: paint (umm, wtf?)

  • (cs)

    Mmm, weird ending. I was actually half expecting the following additional paragraph:

    The next morning after F. B. went to work, feeling real happy about what happened, he found his passkey wasn't working anymore and the security guard informs him that he has been fired for hacking and the CIO only thanked him yesterday so F.B. wouldn't destroy or take any company property or cause a scene.

  • (cs) in reply to Demaestro
    Demaestro:
    It would be like one day I come into the office and decide to use the default security code for the system we are using to see if it still excepts it.

    If it excepts the default code, that's a good thing... right?

  • Kzinti (unregistered)

    IT people should be fired, not F.B.

  • Patrick (unregistered)

    The real WTF is why management actually acted rationally.

  • Grant D. Noir (unregistered) in reply to Jon
    Jon:
    ... If someone tells me about a hole and wants to remain anonymous, I will *not* tell my manager who they are. I refuse to shoot the messenger)

    Now there's the real WTF.

  • (cs)

    A few decades ago, I got nearly strung up for causing what they thought was serious hacking. I got called to the manager's desk one morning, with my supervisor and the system mangler there, everybody looking deadly serious. They started grilling me as to what I was doing the day before and why. Puzzled. I had done my work and went home at 5pm. It was like I'd murdered someone right there in the room, so I was a little freaked. Finally, I got them to show me the "evidence" against me. A printout of really high process statistics. My process had racked up something like billions of hours of cpu time, io, etc etc. The numbers were so high that I was surprised they thought one user could actually rack that much up in 24 hours, let alone 8 hours.

    The only thing different that I could remember doing the day before was shutting down my X-terminal without logging out first. I finally soothed them enough that they let me go back to my desk (rather than immediately walking me to the police station), so I tested my theory. I closed the Xwindows without logging off the machine. Logged back on and checked, and the process was still there, detached, and going nuts. No idea what it was doing, but at least I was able to show them right there.

    Of course there were no apologies offered.

  • anon (unregistered) in reply to jetcitywoman
    jetcitywoman:
    Of course there were no apologies offered.

    Apologies for what? You were still the bonehead who sucked up all their clock cycles.
    What did you want them to say? "We're sorry for thinking you are evil, when you are obviously only stupid."

  • Cory the Cobol guy (unregistered)

    I can't believe you guys actually think it got fixed, probably just made the cookie a read-only file, that'll fix it....

  • a nony mouse (unregistered)

    In rare cases, it's possible for management to overreact to the point of actually bringing criminal charges. Google for "just another convicted perl hacker". The takeaway from that episode seems to be: Get it in writing before you poke around dark corners.

  • misha (unregistered) in reply to anon
    anon:
    jetcitywoman:
    Of course there were no apologies offered.

    Apologies for what? You were still the bonehead who sucked up all their clock cycles.
    What did you want them to say? "We're sorry for thinking you are evil, when you are obviously only stupid."

    I'm not sure I see how jcw was being stupid; if I run an xterm and then close it without typing "exit" or ^D I expect any associated processes to get terminated too, not detach and start calculating pi. Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

  • I forgot my posting name (unregistered) in reply to nobody
    nobody:
    Guy walks into a building.

    "Hey! How did you get in here? The door is locked!"

    "Do you know you left the key hanging on a string by the door?"

    "I'm calling the police! Breaking and entering"

    That actually is still Breaking and entering. You can be charged with it. Just because you can get in, doesn't mean you should.

  • (cs) in reply to Grant D. Noir
    Grant D. Noir:
    Jon:
    ... If someone tells me about a hole and wants to remain anonymous, I will *not* tell my manager who they are. I refuse to shoot the messenger)

    Now there's the real WTF.

    If you mean "WHY the F" does it need to be like that, I totally agree.

    If I see somebody walking away from their luxury car and leaving the door open, I'd tell them. If the real world worked like what passes for 'security' in many organisations I'd then be locked up, interrogated and convicted of attempted car theft.

    WTF??

    (BTW, I have worked for some seriously secure organisations, and I'm happy to say in all of those, bringing anything like this to the security officer's attention was a good thing. As long as you didn't play around with it too much before you told them, obviously...)

  • (cs) in reply to a nony mouse

    Google for "just another convicted perl hacker". The takeaway from that episode seems to be: Get it in writing before you poke around dark corners.

    Randal Schwartz wasn't fired for white hat hacking. He was fired because he was told to stop doing something, he promised to stop, and then he went and did it again. He's a fucking idiot.

    Yeah, Intel over-reacted, but that doesn't alter the fact that he's a fucking idiot.

  • (cs) in reply to KattMan
    KattMan:
    You obviously never heard of Squirrel Nut Zippers

    But that has a defined origin. From the ever-present Wikipedia:

    The band's name comes from the Squirrel Brand's Nut Zippers, a peanut and caramel candy for sale since the mid-20s.

    Off topic...

    What the heck is up with this squashed half-width compose page?! All my replies today have been in this constricted box. Grr...

  • fanha (unregistered) in reply to Demaestro
    Demaestro:
    To me it is only hacking when you are doing it with less than honorable intentions..... plus, is changing the value of a plain text cookie really hacking? This is almost security through obscurity.

    The only hack here was the system itself.

  • (cs) in reply to misha
    misha:
    if I run an xterm and then close it without typing "exit" or ^D I expect any associated processes to get terminated too, not detach and start calculating pi. Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

    I had to try really hard to keep myself from laughing after reading that. I need to add a page to my blog to log these gem replies.

  • Crash Magnet (unregistered)

    I once saw a survey of the most popular passwords used by systems administrators. The number one most popular password quoted was "god".

    Crash Magnet

  • mh (unregistered)

    I'm still gobsmacked by the "visitors on our intranet" bit. Please tell me that doesn't mean what I think it could mean.

    But yeah, similar story (only I'm the "God" role here) - discovered one day that a team of elite highly-paid consultants (who had - naturally - been swanning around the office acting like they owned the place) had left the Oracle "sys" password at the default.

    For those who don't know, in Oracle (at least up to 8i, where my familiarity ends), "sys" is one of the ultra super users with access to everything.

    And the default password? "change_on_install".

  • Sgt. Preston (unregistered) in reply to I forgot my posting name
    I forgot my posting name:
    nobody:
    Guy walks into a building.

    "Hey! How did you get in here? The door is locked!"

    "Do you know you left the key hanging on a string by the door?"

    "I'm calling the police! Breaking and entering"

    That actually is still Breaking and entering. You can be charged with it. Just because you can get in, doesn't mean you should.

    Trespassing, yes. Breaking is a hard sell.

  • (cs) in reply to Crash Magnet
    Crash Magnet:
    I once saw a survey of the most popular passwords used by systems administrators. The number one most popular password quoted was "god".

    Crash Magnet

    no. You saw the film Hackers.

  • Reverend Lovejoy (unregistered) in reply to Rich
    Rich:
    in the gaddah da vidah

    By I. Ron Butterfly.

    captcha: paint (umm, wtf?)

    Wait a minute... that sounds like rock and/or roll music.

  • Shiny Happy User (unregistered)

    The only reason the CIO cared so much and acted so quickly is that the top brass hate it when the peons know how much they make.

  • Nomen Nescio (unregistered)

    Happened to me. And I didn't even use the privilege violation, I just said, hm, what happens if I put /bin/sh into this configuration line. At the shell prompt, I told the admin -- and they threatened to call the polizei.

  • Zygo (unregistered) in reply to misha
    misha:
    Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

    It is if you have something like the following line in your .bashrc:

    trap 'cd ~/SETI@Home && boinc -redirectio &' HUP


    A few decades ago was the big BSD-vs-SysV-vs-POSIX split about signal handling, where one side went with signal handlers that handle multiple signals, and the other went with signal handlers that fire only once per signal, then revert to their default behavior (which is usually to terminate the program) automatically.

    Programs written on one side of the divide were ported to the other without taking this into account, or even worse, operating systems were quietly converted from one behavior to the other without providing compatibility glue at the application level. The result was that anyone who tried to do something graceful on receipt of a SIGHUP (terminal disconnected) or SIGPIPE (network socket disconnected) was buggered. Since almost nobody does any real QA on software these bugs appeared throughout the industry, and with shared libraries it can appear retroactively in previously bug-free software.

    At one point in the '90s I was grepping sources for "signal.*SIG" because most of the time there was a spinning bug there waiting to happen.
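The two handler semantics Zygo describes, and the re-arm trick that programs of that era used to survive both, as an added illustration that is not code from the thread. Real one-shot behaviour is something the old SysV kernel did for you after the handler ran; here the handler resets the disposition itself so the effect can be observed from Python, and SIGUSR1 stands in for SIGHUP because its default action (terminate) is the same.

```python
import os
import signal

# Record of deliveries seen by the handlers in this added example.
delivered = []


def oneshot_handler(signum, frame):
    """Runs once; afterwards the signal is back on its default action (terminate)."""
    delivered.append(signum)
    signal.signal(signum, signal.SIG_DFL)  # emulates the kernel-side reset


def reinstalling_handler(signum, frame):
    """The classic portability glue: re-arm before doing anything else."""
    signal.signal(signum, reinstalling_handler)
    delivered.append(signum)


def handler_survives_one_delivery(handler, signum=signal.SIGUSR1):
    """Install handler, deliver signum to this process once, and report
    whether the handler is still armed for the next one."""
    delivered.clear()
    previous = signal.signal(signum, handler)
    try:
        os.kill(os.getpid(), signum)
        # CPython runs the Python-level handler on the main thread as soon as
        # the os.kill call returns, so the disposition can be inspected now.
        return signal.getsignal(signum) is handler
    finally:
        signal.signal(signum, previous)


if __name__ == "__main__":
    # A second SIGUSR1 here would terminate the process under one-shot
    # semantics, which is exactly the ported-program failure Zygo describes.
    print(handler_survives_one_delivery(oneshot_handler))       # False
    print(handler_survives_one_delivery(reinstalling_handler))  # True
```

Modern code gets persistent handlers by calling sigaction(2) without SA_RESETHAND, which is also what CPython's signal.signal does under the hood; the re-arm-first trick was the application-level glue when you could not rely on that, and it still leaves a window between delivery and re-arm in which a second signal takes the default action.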

Leave a comment on “In the Garden of Admin”
