• Sanderman (unregistered)

    What he should have done, was try to formulate the problem they were trying to solve with this weird feature and find an appropriate solution, instead of just saying it's impossible. Suggesting an alternative solution that has the desired effect would have helped his credibility a lot more than a simple denial.

    The problem was not authentication using ip, but easy and secure access to the system without having to login. If he had looked around, he would indeed have found the answer in certificates and other solutions.

  • MG (unregistered) in reply to Ferdinand
    Ferdinand:
    and the obvious solution would have been:

    tape the password to the screen

    No, no, no. You have it all wrong.

    First, install a slot-feed scanner and write a small glue app to insert keystroke messages to the foreground application. Then pipe the output of the scanner to the OCR app to the glue app. Print out the credentials on a piece of paper. Every time the user needs to log in, just have her scan the sheet.

    Simple!

  • James (unregistered)

    The only comment I have when things like this come up is:

    Was she hot?

    --Jim

  • MG (unregistered) in reply to haero
    haero:
    The world needs all kinds of thinkers, all kinds of brains, all kinds of baristas, construction workers, perverts, doctors, scientists, and on and on and on.

    Especially nude female baristas. Maybe one will accept a single sign-on?

  • TheCoderMan (unregistered)

    If the hot data entry chick ain't happy ain't nobody happy.

  • Burnin'B (unregistered)

    The company can advertise this new feature and charge extra for it, emphasizing just how amazing and useful it is and how none of their competitors have it.

  • (cs)

    All she really needed was a barcode scanner and a couple of new tattoos.

  • True that (unregistered) in reply to Ford Prefect
    Ford Prefect:
    steenbergh:
    Sales people, together with customers, will be the first ones up against the wall when the revolution comes!

    Actually, in another copy of the guide, that was sent from the future, it said that Sales people, together with customers were the first ones up against the wall when the revolution came.

    Don't forget the public telephone cleaners...

  • John (unregistered) in reply to Tom
    Tom:
    No one suggested a post-it note?
    Yes. Several people have so far, and I'm only halfway through the comments!

    I wonder how many more will?

  • BS (unregistered)

    I call bullsh*t. In all this work nobody did a capacity planning?

  • Anonymous (unregistered)

    What about a USB authentication card or something? They make those right? USB drive has a certificate on it, and when they need to "login" they stick the USB drive in the slot and the program reads the data and off they go. Doesn't tie the person in to a single computer or IP either.

  • Janine (unregistered) in reply to NewbiusMaximus
    NewbiusMaximus:
    Anonymous:
    NewbiusMaximus:
    “Now just so we’re clear,” Craig responded, “by ‘impossible’, you actually mean ‘a big pain in the ass’...
    Poor Gerald. Now he's going to be remembered by management as the guy that says things are impossible when they're not.
    True. In this business you never say "impossible"; you just say "yeah, that'll take about 800 man hours, give or take". Manager spits out coffee, you shrug, the problem goes away.
    Or, sometimes, they say, "Well, the customer is only willing to pay for about half that." And then Gerald and his team get paid for 300 hours of playing Farmville or reading The Daily WTF and maybe 100 hours of coding and batting the same stupid issues back and forth to the customer. (And then another 200 hours of "overtime" to fix those really really hard issues that came up during the course of the job.)

    FMD I thought you were looking over my shoulder, and shut down my facebook screen!

  • (cs) in reply to Anon
    Anon:
    bsaksida:
    I wonder how they would react to the suggestion of using a password manager

    Using a password manager would require entering the password at least once, which is unacceptable. Unless you get somebody else to do it for you.

    No. Reread the article:

    ...saying that their employees couldn’t be bothered with having to remember yet another login, even if only temporarily

    So using a password manager (KeePass, RoboForm, whichever) should be an acceptable solution, simply because it doesn't increase the number of logins. If that user has only one login to remember, then you're replacing one login with one login. If they have more than one, then you're REDUCING the number of logins, even with adding this new system into the mix.

    Either the problem user is absolutely brilliant (4+ standard deviations above average performance) or knows who on the hospital board has been siphoning money or using empty wards to shoot porn. Getting rid of them for a more flexible user would be the cheapest solution. Getting a site license for RoboForm Pro (disclaimer: happy customer, not associated with the company) would be similarly cheaper and easier than this WTF.

  • EngleBart (unregistered) in reply to Your IP here
    Your IP here:
    Because it's totally impossible to spoof the source IP address /sarcasm
    Especially if you store it in a cookie!
  • See Sharper (unregistered)
    They also assigned Gerald and team to develop the much-needed feature: an IP-based authentication system that would allow users of their Software-as-a-Service product to access the system without ever needing to log in
    We need to unionize, then press for legislation that whenever a customer, sales dolt, or manager tells us in technical terms how to fix the problem, we get to shoot them. Yes, I know the world will run out of bullets before idiots, but maybe at least a few of the brighter ones will hear something in the news and decide to back the frack off.
  • Rourke (unregistered)

    This is why I insist on interviewing an actual user of the proposed system/feature before starting anything. Taking specs from the salesgimp is a surefire way to deliver something no-one wants.

  • h143570 (unregistered)

    This is a typical case of inaccurate user requirements gathering.

  • Shea (unregistered)

    Typical - to require solid security without passwords. VPNs and all the PKI/encryption stuff: hackable. Having to remember a password: unthinkable. I'm not sure how much the client actually knew about security.

    I don't mind that it was only one user that wanted it, but only as long as they got to charge the company $30k+ for the feature. Hope it was worth it...

  • Lod (unregistered) in reply to Jaime

    in which case you use arpspoof, and you're quite usefully any IP on the local (broadcast) network that you'd like to be. Or in between any two. Or you're the router, as far as the other machines on the network know. Granted this is limited to the local side, but that seems to be one of the areas this half assed scheme is supposed to be addressing.

  • RobHogarth (unregistered)

    I don't think anyone has mentioned that there are plenty of Single Sign-On solutions around.

    Windows ADFS is part of the OS and is totally seamless when set up correctly. That's what I use.

  • VRSpock (unregistered) in reply to RHuckster

    What if someone accesses that computer via Remote Desktop, VNC, etc.? This passed HIPAA compliance certification????

  • Anonymous (unregistered) in reply to Todd Peak
    Todd Peak:
    the beholder:
    One place I once worked at was a company that created a sort of device to attach to trucks and forklifts, and it would log all their activities: current speed, gear, the time it was turned on and off, and whatnot. I'm sure there must be a simple name for this device...
    A tattler
    AKA "snitch"
  • James (unregistered) in reply to Foobix

    Or it means "This is not possible except with an inelegant, long-winded method that will do what other easier methods do, but badly"

  • Herby (unregistered)

    I just looked it up and the IP address of 10.1.23.97 is none other than Paula Bean!

  • Thomas Cabernoch (unregistered)

    Funniest, best-written piece I've read on this site. I felt some visceral anger in sympathy with the narrator as I read the final lines. All too typical of the excess wrought in the name of HIPAA and SarBox.

  • (cs) in reply to See Sharper
    See Sharper:
    We need to unionize, ...

    Why, are we ionized?

  • Anon (unregistered) in reply to Paddles
    Paddles:
    Anon:
    bsaksida:
    I wonder how they would react to the suggestion of using a password manager

    Using a password manager would require entering the password at least once, which is unacceptable. Unless you get somebody else to do it for you.

    No. Reread the article:

    ...saying that their employees couldn’t be bothered with having to remember yet another login, even if only temporarily

    So using a password manager (KeePass, RoboForm, whichever) should be an acceptable solution, simply because it doesn't increase the number of logins. If that user has only one login to remember, then you're replacing one login with one login. If they have more than one, then you're REDUCING the number of logins, even with adding this new system into the mix.

    No, you re-read what I wrote, and then re-read the article (especially the part about not wanting to have to remember a password even temporarily). Somebody's got to put the password in their somewhere.

    Also, fix your sarcasm detector before you post. Perhaps you forgot the password?

  • Clive Holloway (unregistered)
    1. add a cert signing server that you control to the client's browser
    2. install an SSL in the client's browser
    3. done

    (assumes over https, which for HIPAA stuff should be a given)

  • Quirkafleeg (unregistered) in reply to Anon
    Anon:
    Somebody's got to put the password in their somewhere.
    That's an unusual place to put a password…
  • lesle (unregistered) in reply to bbot
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    On the Internet, no one knows you're a dog.

  • Bryan (unregistered) in reply to CiH
    CiH:
    Tod:
    How did this pass HIPAA review? It doesn't prevent unauthorized access to patient records since it only checks the computer (hardware) not the user. Computers aren't authorized, people by virtue of their positions and jobs are.

    Wow (not a bark/World of Warcraft). Good point. This article is actually testimony of the commission of a federal crime.

    In all seriousness, the proper authorities should be informed.

    VRSpock:
    What if someone accesses that computer via Remote Desktop, VNC, etc.? This passed HIPAA compliance certification????

    These exactly! The whole way it was done is a little weird, but considering the data it protects, this is a huge WTF HIPAA issue.

    I work for a large EMR company and this couldn't get through a design review session for that issue alone. The user must authenticate on their own, not some damn computer.

    captcha: damnum

  • the beholder (unregistered) in reply to Gerald (not this Gerald though)
    Gerald (not this Gerald though):
    I'm curious how long ago this was as it seems pretty doable today simply by accessing GPS for location data and using a provider like AT&T or Verizon's cellular network to upload the data in real-time back to a service.
    This was about 6-7 years ago, before GPS became the hype. It is not that hard to do that today, but there is no way in hell that we would have managed it back then within these constraints:
    - Deadline in a couple of months, as with every project there, no matter how big or small;
    - Only two developers. Those were me (a part-time intern) and my ex-boss;
    - Zero knowledge about the data from the cellular network;
    - Your solution would require changes that would heavily raise the cost of hardware. The price of each device was already settled when the airhead owner promised cake;
    - We couldn't stop supporting the current customers to dedicate ourselves to a new project. I already said there were WTFs aplenty out there, so we could only dream of a week with just two or three bug reports.

    To top it off, the language of choice at that shop was VB. Nuff' said.

    Todd Peak:
    the beholder:
    I'm sure there must be a simple name for this device...
    A tattler
    Cad Delworth:
    That sounds like what we would call a tachometer.
    Could be any. I'm still not sure because the only tachometers I know of log information by some sort of mechanical action, and they don't log things like brake press, oil pressure or external sensors. Just speed and RPM.
  • the beholder (unregistered)

    Alex, I used to have a TDWTF user, but I don't want to enter my login and password to be able to edit my comments. I also don't want to type captchas anymore. Can you change the way TheDailyWTF authenticates me?

    And don't even suggest that I use cookies. They're just too insecure, untrendy and high-fat.

  • Cheong (unregistered) in reply to PITA
    PITA:
    My laptop has a fingerprint scanner - can't I use that to log on to the system? No, someone may chop your fingers off and steal your password!
    At least you should (hopefully) know when your finger is chopped off.

    When you rely on a private IP to log on, if someone manually sets the IP when the main user's computer is off, that person can log on to the server.

    That said, the ticket server should probably move into the user's room and have a direct physical connection to the user's machine. The said ticket server should only listen on the "LAN" interface.

  • Cheong (unregistered) in reply to Cheong
    Cheong:
    PITA:
    My laptop has a fingerprint scanner - can't I use that to log on to the system? No, someone may chop your fingers off and steal your password!
    At least you should (hopefully) know when your finger is chopped off and invalidates that.

    When you rely on a private IP to log on, if someone manually sets the IP when the main user's computer is off, that person can log on to the server.

    That said, the ticket server should probably move into the user's room and have a direct physical connection to the user's machine. The said ticket server should only listen on the "LAN" interface.

  • (cs) in reply to Anon
    Anon:
    davedavenotdavemaybedave:
    Your IP here:
    savar:

    And at that point, it's not exactly "spoofing", is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, it's your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access to the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

    A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.

    Maybe if you're talking about some workgroup full of Windows XP machines... But any Windows PC/server that is a member of Active Directory will only accept DHCP addresses from authorized DHCP servers. (authorized in Active Directory).

    Microsoft solved the problem of "rogue" DHCP servers a long time ago..

    Nope. All a rogue DHCP server has to do is set up an Active Directory domain and authorize itself. Really. The XP machine doesn't know what domain it is a member of at the time it acquires an IP address, so it will take any domain's word that a DHCP server is authorized.

  • (cs) in reply to davedavenotdavemaybedave
    davedavenotdavemaybedave:
    Your IP here:
    savar:

    And at that point, it's not exactly "spoofing", is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, it's your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access to the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

    A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.

    It's hard to count the number of subtle misunderstandings this post conveys.
    1. "DHCP router" is a confusing term as DHCP is a totally separate service from routing. In big networks, DHCP is usually handled on servers that don't route. This terminology smells of someone whose experience with DHCP ends with a cable modem.
    2. A workstation getting an IP from an unauthorized alternate source is not a flaw of the "Windows Server DHCP configurations", it could only be a flaw in the workstation design. Fortunately, a Windows workstation (any version back to Windows 3.1) will prefer to get an IP from the source that it got its last IP from. It will only consider a second source if the current source doesn't respond.
    3. "hand control over to that router" is incorrect. What control is ceded to the router? Sure, the router gets to be a router and routes packets, but the router can't really do anything nasty to the workstation other than refuse to deliver traffic. Sure, the router could position itself in the middle for a MITM attack, but IPSEC and SSL will both render that position useless. If you are not protecting sensitive traffic with a transport layer solution like IPSEC or SSL, or using an application that provides similar benefits, then you deserve to be MITM'd. Getting in the middle is the easy part of a MITM attack.
    4. Any well-managed network is scanning for unauthorized DHCP sources. They don't do it just for security, one moron employee that buys a wireless router and plugs it in becomes a potential trouble spot. This is often a bad situation for network guys because, due to point #2, the problem usually doesn't become evident immediately. A travelling worker with a laptop is usually the first victim, often at a stressful time, like when setting up for a big presentation. The Windows Server Resource Kit comes with a DHCP scanning tool for exactly this purpose.
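    Point 4's scanning for unauthorized DHCP sources, as an added example that is not code from this thread or from the Resource Kit tool it names: the block parses DHCP OFFER payloads (in practice captured from UDP 67/68 traffic; here constructed inline) and flags any whose server identifier option is not on an allow-list. The server addresses 10.1.0.5 and 10.1.23.250 are constructed placeholders.

```python
"""Flag DHCP OFFERs that come from servers not on an allow-list (rogue DHCP scan)."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the BOOTP header
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
DHCPOFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])          # address being offered to the client
    chaddr = payload[28:28 + hlen]                # client hardware (MAC) address
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def rogue_offers(payloads, authorized):
    """Return (xid, server_ip, offered_ip) for each OFFER whose server id is not authorized."""
    allowed = {IPv4Address(a) for a in authorized}
    found = []
    for payload in payloads:
        pkt = parse_dhcp(payload)
        opts = pkt["options"]
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue                              # only OFFERs identify a serving DHCP server
        server = IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
        if server not in allowed:
            found.append((pkt["xid"], str(server), str(pkt["yiaddr"])))
    return found


def build_offer(xid, yiaddr, server_ip, mac):
    """Construct a minimal DHCPOFFER; sample data for the demo, not a captured packet."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)           # op=BOOTREPLY, htype=Ethernet
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed                  # ciaddr, yiaddr
    hdr += IPv4Address(server_ip).packed + b"\0" * 4               # siaddr, giaddr
    hdr += mac + b"\0" * (16 - len(mac)) + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"


AUTHORIZED_DHCP = ["10.1.0.5"]                    # constructed: the sanctioned DHCP server
SAMPLE_OFFERS = [                                 # constructed sample traffic
    build_offer(0x1111, "10.1.23.97", "10.1.0.5", b"\x00\x11\x22\x33\x44\x55"),
    build_offer(0x2222, "10.1.23.200", "10.1.23.250", b"\x00\x11\x22\x33\x44\x66"),
]

if __name__ == "__main__":
    for xid, server, offered in rogue_offers(SAMPLE_OFFERS, AUTHORIZED_DHCP):
        print(f"rogue DHCP server {server} offered {offered} (xid {xid:#x})")
```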
  • Crusty (unregistered) in reply to WhiskeyJack
    WhiskeyJack:
    bbot:
    Wow.

    Wow wow wow wow wow.

    I've never commented before, but this inspired me to speak up.

    And what an inspirational comment it was, too.

    I bet this'll be the last time bbot comments here :)

    Bbot, here's what you do: next time include a random link to xkcd...http://xkcd.com/482/, f'rinstance.

    If the story includes code, then write a marginally clever snippet in the style of the story that prints "frist".

    For bonus points include "brillant" somewhere in your text.

    All the Bozos on this bus will then accept you as one of their own.

  • Crusty (unregistered) in reply to kindall
    kindall:
    See Sharper:
    We need to unionize, ...

    Why, are we ionized?

    +1

  • Tim (unregistered)

    I have been reading this site for a while, and this has truly been one of the biggest WTFs I have seen.

  • Shinji (unregistered) in reply to My Name Is Missing

    Yep, except at my company we drop in a note to the supervisor when the sales rep sells something we don't do. We uphold our support scope for the customers. If they ask why, we respond with "legal".

  • Correct answers are (unregistered)
    1. Kerberos
    2. Client Certificates
    3. SPNEGO
  • (cs)

    When did this story happen? Because if it is any time recently, I must express my fear that in a few years this will become standard....

  • (cs) in reply to Cad Delworth
    Cad Delworth:
    the beholder:
    a sort of device to attach to trucks and forklifts, and it would log all their activities: current speed, gear, the time it was turned on and off, and whatnot. I'm sure there must be a simple name for this device, but I have no idea what it would be in english.
    That sounds like what we would call a tachometer.
    YOU might call it that, but the rest of the English speaking world wouldn't. A tachometer typically displays RPMs.
  • (cs)

    The only SaaS with a USB dongle

  • (cs) in reply to mfah
    mfah:
    java.lang.Chris;:
    Steve the Cynic:
    Code is the most flexible and adaptable construction material known to man.

    Nope. Lego is. Or maybe plasticine.

    Pffffffft. Meccano.

    Stickle Bricks. Rigid construction with just that slight amount of flexibility.

  • Brent (unregistered) in reply to Steve the Cynic
    Steve the Cynic:
    No, it's not impossible. It's software, of course it's possible. (I'm being deadly serious here. Code is the most flexible and adaptable construction material known to man.)

    Some things are truly impossible. I have a friend who was once asked to write a program to verify that given pieces of code would halt.

  • (cs) in reply to chrismcb
    chrismcb:
    Cad Delworth:
    That sounds like what we would call a tachometer.
    YOU might call it that, but the rest of the English speaking world wouldn't. A tachometer typically displays RPMs.
    At least tell us the right answer!
  • Casey (unregistered)

    What's funny is that some old mainframe security schemes are based solely on terminal ID.

  • A. Coward (unregistered)

    That story reminds me painfully of a project we're working on right now, of a financial nature. A large part of the implementation is loading (migrating, in theory) various types of deals from the customer's existing system into our new shiny one.

    So, hacking and polishing like mad, complying with their fantasies (scope creep, anyone?), 3 months into the project, we get to know that, actually, currently they have just 1 (ONE) deal in their old system. One.

    PS. No, it's not like we hadn't asked for examples of their data before: they had refused to give them to us, so we "make a general solution, not having any preconceptions about the nature of the data".

Leave a comment on “The Single Sign On”
