• cheese (unregistered) in reply to EatenByAGrue

    to be fair he only originally went in for a checkup

  • ROTFL (unregistered) in reply to Fred

    --repeatuntil sense==true

  • Gerald (not this Gerald though) (unregistered) in reply to the beholder
    the beholder:
    He backed off when his brother and business partner told him it was impossible for such a small company as theirs, but I surely wanted to attend the reunion where he told it to the customer.And I always wondered how he would suggest us to create our own GPS. Maybe we should start by launching our own satellite?

    I'm curious how long ago this was as it seems pretty doable today simply by accessing GPS for location data and using a provider like AT&T or Verizon's cellular network to upload the data in real-time back to a service.

  • Xenon Xavior (unregistered) in reply to bbot
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    Too bad you didn't have anything useful to say :(

  • Hatterson (unregistered) in reply to Quirkafleeg
    Quirkafleeg:
    Me:
    IPv6.
    … except for the fact that, once again, it identifies only the network interface (spoofable) and not the user.

    On the up-side, NAT isn't an issue. All who've said to use the likes of SSL certificates, I'm agreeing.

    Last time I checked an IPv4 address (like say 10.1.23.97) doesn't provide any user information either.

    The client was sold an "IP-based authentication system." IPv6 would certainly be a solution.

  • (cs)

    I'm no IT security expert or anything, but my jaw actually dropped when I got to the punchline. I almost said "WTF?" out loud.

  • (cs)

    I guess it isn't a TOTAL loss... they still needed a single person to access the system while any other computer on the network would be denied access. This was just a very convoluted way to do it.

    This, of course, begs the question, what if someone else accesses the computer while this user is away from the desk?

  • NewbiusMaximus (unregistered)
    “Now just so we’re clear,” Craig responded, “by ‘impossible’, you actually mean ‘a big pain in the ass’, but you’re a smart guy who can make it happen, right?” That drew a few chuckles from the handful of other coworkers who joined them in the conference room, but Gerald just sighed. “No, Craig, by impossible, I mean impossible. Not doable. Can’t be done. Im-poss-i-ble. Well I mean, unless you can somehow change the underlying structure of the way everyone communicates on the Internet.”
    Poor Gerald. Now he's going to be remembered by management as the guy that says things are impossible when they're not.
  • (cs)

    Knock, knock Who's there? HIPAA Hippa who? I'm sorry I can't tell you that. It's confidential information

  • filo (unregistered)

    Hey, at least it is scalable!

    Perhaps Craig could get of his lazy butt and sell some more licenses and a nice big juicy support contract to boot. And Gerald can get a raise.

  • filo (unregistered) in reply to filo
    filo:
    Hey, at least it is scalable!

    Perhaps Craig could get off his lazy butt and sell some more licenses and a nice big juicy support contract to boot. And Gerald can get a raise.

    Fixed it before the grammar nazis get involved

  • (cs) in reply to Ernie
    Ernie:
    And noooo one bothered to ask at any point "how many clients would need to be logged in at once?" for session reasons? Or for failover? Or for any other countless reasons?

    I feel this issue would have come up at one point or another.

    I'll bet it did...in the initial sales call. However if the solution was simple, there wouldn't have been a need for an expensive add on. The sales rep gets a percentage based commission.

  • Anonymous (unregistered) in reply to NewbiusMaximus
    NewbiusMaximus:
    “Now just so we’re clear,” Craig responded, “by ‘impossible’, you actually mean ‘a big pain in the ass’...
    Poor Gerald. Now he's going to be remembered by management as the guy that says things are impossible when they're not.
    True. In this business you never say "impossible"; you just say "yeah, that'll take about 800 man hours, give or take". Manager spits out coffee, you shrug, the problem goes away.
  • BentFranklin (unregistered)

    I laughed. I learned, Good wtf!

  • Buffled (unregistered) in reply to bbot
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    I'm sorry - are you speaking or barking?

  • bsaksida (unregistered)

    I wonder how would they react with suggestion of using Password Manager

  • Basil (unregistered)
    If Steven Hawking were under the British NHS, he'd never have been allowed to live!

    Yeah, a daft argument for sure...but then again, try living under the NHS with Hawking's condition when you aren't a Cambridge University genius.

    Some are more equal than others.

    PS. Pi = 3 and Vi is better than Emacs. PPS. Windows is more inherently secure than *nix. PPPS. Stallman is ghey.

  • Foobix (unregistered) in reply to Anonymous

    I don't know whether they made money on the deal but the funny part is that the salesdroid was right and the dev guy was wrong. "Impossible" really did just mean "PITA I-dun-wanna".

  • Sean (unregistered)

    Most of these comments are idiotic. So what if this implementation was for one user. At least now SSO is a feature of the product and someone paid you do add it to the product.

    Remember,everything a customer asks for enhances the product. Developer's job is to solve problems for clients, and if a client pays for a feature before its in the product...well then they just paid you to developer that feature, instead of you spending your own money.

    Sean

  • dguthurts (unregistered) in reply to dkf
    dkf:
    Justice:
    I wish I could call shenanigans on this, but it's entirely too believable.
    Agreed. It's even possible that the one person at the customer wasn't actually officially responsible, but instead was just someone in an administrative position that was determined to dig their heels in. The stupid thing is that there wasn't some kind of existing single-sign-on structure already in place on the customer side that could have just been leveraged. Or maybe there was but some admin (probably on the customer side too) decided they didn't want to support it. As it is, too many on the customer side seem to think that the best technique involves thought transfer and pixie dust.

    Believeable. Happened to us. (I submitted a similar WTF last year as IPA for One) Except in our case it was University of YourStateHere that "didn't want to manage student turnover." Turns out it was one professor.

  • damnum (unregistered) in reply to Xenon Xavior
    Xenon Xavior:
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    Too bad you didn't have anything useful to say :(

    Oooh, ooh! Me too! Keep that irony dripping down the board!

  • Zaid Pirwani (unregistered)

    Being a regular reader here, the only thing I can think is.... HOW LUCKY SHE MIGHT BE, GETTING HER OWN PRIVATE IP BASED LOGGING SYSTEM........

  • Todd Peak (unregistered) in reply to the beholder
    the beholder:
    One place I once worked at was a company that created a sort of device to attach to trucks and forklifts, and it would log all their activities: current speed, gear, the time it was turned on and off, and whatnot. I'm sure there must be a simple name for this device...
    A tattler
  • Anon (unregistered) in reply to bsaksida
    bsaksida:
    I wonder how would they react with suggestion of using Password Manager

    Probably something similar to this:

    Have the user log-in once, and then store an authentication cookie on the computer for as long as possible...the client vehemently rejected the idea, saying that their employees couldn’t be bothered with having to remember yet another login, even if only temporarily.

    Using a password manager would require entering the password at least once, which is unacceptable. Unless you get somebody else to do it for you.

    Perhaps that would have been the easier solution? The one person at the client site didn't want to have to enter a password, so hire a temp to enter the password for them every time they use the site.

  • (cs) in reply to PITA
    PITA:
    My laptop has a fingerprint scanner - can't I use that to log on to the system? No, someone may chop your fingers off and steal your password!

    Can't the justice system use tracking bracelets to track their parolees? No, some crazy bitch might saw the guy's arm off!

  • haero (unregistered) in reply to Basil
    Basil:
    If Steven Hawking were under the British NHS, he'd never have been allowed to live!

    Yeah, a daft argument for sure...but then again, try living under the NHS with Hawking's condition when you aren't a Cambridge University genius.

    Some are more equal than others.

    PS. Pi = 3 and Vi is better than Emacs. PPS. Windows is more inherently secure than *nix. PPPS. Stallman is ghey.

    Damn straight. One of the most damaging myths perpetrated by western culture is that of equality.

    The world needs all kinds of thinkers, all kinds of brains, all kinds of baristas, construction workers, perverts, doctors, scientists, and on and on and on.

    But in no fucking way is that single mom flipping burgers at Wendy's equal to Stephen Hawking. She deserves the basic amenities of life, until she voluntarily secedes from humanity, but that's about it.

  • Tod (unregistered)

    How did this pass HIPAA review? It doesn't prevent unauthorized access to patient records since it only checks the computer (hardware) not the user. Computers aren't authorized, people by virtue of their positions and jobs are.

  • sino (unregistered) in reply to Anon
    Anon:
    This WTF actually had a punch line! WTF!
    Justice:
    I wish I could call shenanigans on this, but it's entirely too believable.
    Wow, community endorsement!

    I think this is gonna work, guys:

    1.) Let Bowytz "creative up" the first draft/wall-of-text (as he obviously did here) 2.) Have Alex proof-read and strike (most of) the useless cruft (he is quite good at succinct) 3.) ??? 4.) A real WTF, quick and entertaining to read, and jaw-droppingly painful! PROFIT!!

  • sino (unregistered) in reply to sino
    sino:
    Anon:
    This WTF actually had a punch line! WTF!
    Justice:
    I wish I could call shenanigans on this, but it's entirely too believable.
    Wow, community endorsement!

    I think this is gonna work, guys:

    1.) Let Bowytz "creative up" the first draft/wall-of-text (as he obviously did here) 2.) Have Alex proof-read and strike (most of) the useless cruft (he is quite good at succinct) 3.) ??? 4.) A real WTF, quick and entertaining to read, and jaw-droppingly painful! PROFIT!!

    Whoops, missed one:
    schmitter:
    I think I just threw up in my mouth a little.
    Hooray! :D/

  • A guy.. (unregistered) in reply to dkf

    I used to work IT for a large state University. At said University, we used a particular Groupware solution. Said Groupware solution is a terrible, terrible piece of software, particularly as a mail server - in my neck of the woods, we actually ran a Unix mailserver between it and the public internet just so we could throttle incoming connections and protect it somewhat from world outside.

    Everyone hates this solution.

    Why do we run it? Because the Dean's secretaries all got together and decided they liked the way it let them manage the Dean's calendars. And that was that.

  • (cs) in reply to Frz
    Frz:
    Your IP here:
    Because it's totally impossible to spoof the source IP address /sarcasm

    While it might be possible to get a single TCP Packet trough with a spoofed IP it becomes next to impossible when challenging the client ie.

    • Request -- Challenge -- Send Challenge back

    Done - nearly unspoofable... That is unless you have hardware access to any router/wire in between the two endpoints...

    And at that point, its not exactly "spoofing" is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, its your whole CIDR subnet.)

  • Tom (unregistered)

    No one suggested a post-it note?

  • (cs) in reply to the beholder
    the beholder:
    a sort of device to attach to trucks and forklifts, and it would log all their activities: current speed, gear, the time it was turned on and off, and whatnot. I'm sure there must be a simple name for this device, but I have no idea what it would be in english.
    That sounds like what we would call a tachometer.
  • CiH (unregistered) in reply to Tod
    Tod:
    How did this pass HIPAA review? It doesn't prevent unauthorized access to patient records since it only checks the computer (hardware) not the user. Computers aren't authorized, people by virtue of their positions and jobs are.

    Wow (not a bark/World of Warcraft). Good point. This article is actually testimony of the commission of a federal crime.

    In all seriousness, the proper authorities should be informed.

  • Someone (unregistered) in reply to Gerald (not this Gerald though)
    Gerald (not this Gerald though):
    ... to upload the data in real-time back to a service.

    I'll create a GUI interface using Visual Basic... see if I can track an IP address.

  • Ford Prefect (unregistered) in reply to steenbergh
    steenbergh:
    Sales people, together with customers, will be the first ones up against the wall when the revolution comes!

    Actually, in another copy of the guide, that was sent from the future, it said that Sales people, together with customers were the first ones up against the wall when the revolution came.

  • Your IP here (unregistered) in reply to savar
    savar:

    And at that point, its not exactly "spoofing" is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, its your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access the the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

  • joe.edwards (unregistered) in reply to ROTFL
    ROTFL:
    --repeatuntil sense==true
    Be careful, you'll start an infinite loop.
  • (cs) in reply to Your IP here
    Your IP here:
    savar:

    And at that point, its not exactly "spoofing" is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, its your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access the the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

    A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.

  • Spike (unregistered)

    TRWTF is that Gerald accepted "VPNs are inherently insecure" as a valid criticism.

  • Basil (unregistered)
    But in no fucking way is that single mom flipping burgers at Wendy's equal to Stephen Hawking

    Yeah. That miserly fucker never cooks anyone a burger. Lazy bastard. I'm never inviting him to my summer grill-outs.

  • (cs) in reply to Anthony
    Anthony:
    Zolcos:
    They didn't like the idea of relying on headers, becuase headers can be faked. But they're cool with relying on cookies?!
    Well, what got me, is the header was generated at the firewall. So even if someone internally faked the header, wouldn't it be overwritten? And if they faked it from outside of the firewall, couldn't you just check the source IP and see it wasn't from their secure network?
    No, you see they would be using the HTTP header to covertly send an SSL certificate.
    Anon:
    Perhaps that would have been the easier solution? The one person at the client site didn't want to have to enter a password, so hire a temp to enter the password for them every time they use the site.
    +1
  • BCS (unregistered)

    One person signing on is not what most people think of when they say "single sign on"!

  • (cs) in reply to Spike
    Spike:
    TRWTF is that Gerald accepted "VPNs are inherently insecure" as a valid criticism.

    Swing and a miss. Take a clue from the quotes in the article.

  • NewbiusMaximus (unregistered) in reply to Anonymous
    Anonymous:
    NewbiusMaximus:
    “Now just so we’re clear,” Craig responded, “by ‘impossible’, you actually mean ‘a big pain in the ass’...
    Poor Gerald. Now he's going to be remembered by management as the guy that says things are impossible when they're not.
    True. In this business you never say "impossible"; you just say "yeah, that'll take about 800 man hours, give or take". Manager spits out coffee, you shrug, the problem goes away.
    Or, sometimes, they say, "Well, the customer is only willing to pay for about half that." And then Gerald and his team get paid for 300 hours of playing Farmville or reading The Daily WTF and maybe 100 hours of coding and batting the same stupid issues back and forth to the customer. (And then another 200 hours of "overtime" to fix those really really hard issues that came up during the course of the job.)
  • Anon (unregistered) in reply to davedavenotdavemaybedave
    davedavenotdavemaybedave:
    Your IP here:
    savar:

    And at that point, its not exactly "spoofing" is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, its your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access the the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

    A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.

    Maybe if you're talking about some workgroup full of Windows XP machines... But any Windows PC/server that is a member of Active Directory will only accept DHCP addresses from authorized DHCP servers. (authorized in Active Directory).

    Microsoft solved the problem of "rogue" DHCP servers a long time ago..

  • sac (unregistered) in reply to A guy..
    A guy..:
    I used to work IT for a large state University. At said University, we used a particular Groupware solution. Said Groupware solution is a terrible, terrible piece of software, particularly as a mail server - in my neck of the woods, we actually ran a Unix mailserver between it and the public internet just so we could throttle incoming connections and protect it somewhat from world outside.

    Everyone hates this solution.

    That would not be Lotus Domino/Notes. right?

  • Some Wonk (unregistered) in reply to bob171123
    bob171123:
    PITA:
    My laptop has a fingerprint scanner - can't I use that to log on to the system? No, someone may chop your fingers off and steal your password!

    Can't the justice system use tracking bracelets to track their parolees? No, some crazy bitch might saw the guy's arm off!

    The parolee loses his arm in a logging accident. What do you do?

  • Basil (unregistered)
    The parolee loses his arm in a logging accident. What do you do?

    Put it in a large jar of formaldehyde and force him to carry it around under his remaining arm? That'll teach him to be so careless with chainsaws.

  • (cs) in reply to bbot
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    And what an inspirational comment it was, too.

Leave a comment on “The Single Sign On”

Log In or post as a guest

Replying to comment #301598:

« Return to Article