Admin
to be fair he only originally went in for a checkup
Admin
--repeatuntil sense==true
Admin
I'm curious how long ago this was as it seems pretty doable today simply by accessing GPS for location data and using a provider like AT&T or Verizon's cellular network to upload the data in real-time back to a service.
Admin
Too bad you didn't have anything useful to say :(
Admin
The client was sold an "IP-based authentication system." IPv6 would certainly be a solution.
Admin
I'm no IT security expert or anything, but my jaw actually dropped when I got to the punchline. I almost said "WTF?" out loud.
Admin
I guess it isn't a TOTAL loss... they still needed a single person to access the system while any other computer on the network would be denied access. This was just a very convoluted way to do it.
This, of course, begs the question, what if someone else accesses the computer while this user is away from the desk?
Admin
Knock, knock Who's there? HIPAA Hippa who? I'm sorry I can't tell you that. It's confidential information
Admin
Hey, at least it is scalable!
Perhaps Craig could get off his lazy butt and sell some more licenses and a nice big juicy support contract to boot. And Gerald can get a raise.
Admin
Fixed it before the grammar nazis get involved
Admin
I'll bet it did... in the initial sales call. However, if the solution was simple, there wouldn't have been a need for an expensive add-on. The sales rep gets a percentage-based commission.
Admin
I laughed. I learned. Good WTF!
Admin
I wonder how they would react to the suggestion of using a password manager.
Admin
Yeah, a daft argument for sure...but then again, try living under the NHS with Hawking's condition when you aren't a Cambridge University genius.
Some are more equal than others.
PS. Pi = 3 and Vi is better than Emacs. PPS. Windows is more inherently secure than *nix. PPPS. Stallman is ghey.
Admin
I don't know whether they made money on the deal but the funny part is that the salesdroid was right and the dev guy was wrong. "Impossible" really did just mean "PITA I-dun-wanna".
Admin
Most of these comments are idiotic. So what if this implementation was for one user? At least now SSO is a feature of the product, and someone paid you to add it to the product.
Remember, everything a customer asks for enhances the product. A developer's job is to solve problems for clients, and if a client pays for a feature before it's in the product... well, then they just paid you to develop that feature, instead of you spending your own money.
Sean
Admin
Believable. Happened to us. (I submitted a similar WTF last year as IPA for One.) Except in our case it was University of YourStateHere that "didn't want to manage student turnover." Turns out it was one professor.
Admin
Being a regular reader here, the only thing I can think is.... HOW LUCKY SHE MIGHT BE, GETTING HER OWN PRIVATE IP BASED LOGGING SYSTEM........
Admin
Probably something similar to this:
Using a password manager would require entering the password at least once, which is unacceptable. Unless you get somebody else to do it for you.
Perhaps that would have been the easier solution? The one person at the client site didn't want to have to enter a password, so hire a temp to enter the password for them every time they use the site.
Admin
Can't the justice system use tracking bracelets to track their parolees? No, some crazy bitch might saw the guy's arm off!
Admin
The world needs all kinds of thinkers, all kinds of brains, all kinds of baristas, construction workers, perverts, doctors, scientists, and on and on and on.
But in no fucking way is that single mom flipping burgers at Wendy's equal to Stephen Hawking. She deserves the basic amenities of life, until she voluntarily secedes from humanity, but that's about it.
Admin
How did this pass HIPAA review? It doesn't prevent unauthorized access to patient records since it only checks the computer (hardware) not the user. Computers aren't authorized, people by virtue of their positions and jobs are.
Admin
I think this is gonna work, guys:
1.) Let Bowytz "creative up" the first draft/wall-of-text (as he obviously did here)
2.) Have Alex proof-read and strike (most of) the useless cruft (he is quite good at succinct)
3.) ???
4.) A real WTF, quick and entertaining to read, and jaw-droppingly painful! PROFIT!!
Admin
I used to work IT for a large state University. At said University, we used a particular Groupware solution. Said Groupware solution is a terrible, terrible piece of software, particularly as a mail server - in my neck of the woods, we actually ran a Unix mailserver between it and the public internet just so we could throttle incoming connections and protect it somewhat from the world outside.
Everyone hates this solution.
Why do we run it? Because the Dean's secretaries all got together and decided they liked the way it let them manage the Dean's calendars. And that was that.
Admin
And at that point, it's not exactly "spoofing," is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, it's your whole CIDR subnet.)
Admin
No one suggested a post-it note?
Admin
Wow (not a bark/World of Warcraft). Good point. This article is actually testimony of the commission of a federal crime.
In all seriousness, the proper authorities should be informed.
Admin
I'll create a GUI interface using Visual Basic... see if I can track an IP address.
Admin
Actually, in another copy of the guide, that was sent from the future, it said that Sales people, together with customers were the first ones up against the wall when the revolution came.
Admin
Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access to the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...
Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.
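As an added illustration of the point made in the comments above (the add-on authorizes the computer, not the user), here is a small Python model that is not from the article or from the product discussed: the IP-only check beside a user-bound one. The addresses, user names and the HMAC session scheme are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed sample values; the thread gives no real addresses or names.
AUTHORIZED_IP = "10.0.0.42"           # the one "approved" workstation
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment server secret


@dataclass
class Request:
    src_ip: str
    session: Optional[str] = None     # user's session token, absent if nobody logged in


def ip_only_authorize(req: Request) -> bool:
    """The add-on as described: authorizes whatever host is at the approved address.
    Any machine that ends up with that IP, or anyone sitting at the workstation
    while its owner is away, is indistinguishable from the intended user."""
    return req.src_ip == AUTHORIZED_IP


def mint_session(user: str) -> str:
    """Issue a session token after the user has authenticated (the login step
    itself is hypothetical and not shown). The HMAC binds the token to the user
    and to this server's secret, so it cannot be produced from the IP alone."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_session(token: str) -> Optional[str]:
    """Return the user the token was minted for, or None if it was altered."""
    user, sep, mac = token.partition(":")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def user_bound_authorize(req: Request) -> Optional[str]:
    """Hardened check: the IP is at most a second factor; the decision is made
    on the authenticated user. Returns the user name on success, else None."""
    if req.src_ip != AUTHORIZED_IP or req.session is None:
        return None
    return verify_session(req.session)
```

The IP-only check passes for the approved address no matter who sends the request, while the user-bound check denies the same request until a valid, unaltered session for a logged-in user is presented.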
Admin
A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.
Admin
TRWTF is that Gerald accepted "VPNs are inherently insecure" as a valid criticism.
Admin
Yeah. That miserly fucker never cooks anyone a burger. Lazy bastard. I'm never inviting him to my summer grill-outs.
Admin
One person signing on is not what most people think of when they say "single sign on"!
Admin
Swing and a miss. Take a clue from the quotes in the article.
Admin
Maybe if you're talking about some workgroup full of Windows XP machines... But any Windows PC/server that is a member of Active Directory will only accept DHCP addresses from authorized DHCP servers. (authorized in Active Directory).
Microsoft solved the problem of "rogue" DHCP servers a long time ago.
Admin
That would not be Lotus Domino/Notes, right?
Admin
Put it in a large jar of formaldehyde and force him to carry it around under his remaining arm? That'll teach him to be so careless with chainsaws.
Admin
And what an inspirational comment it was, too.