Admin
#/usr/bin/comment
Accepting payment to write the first comment
Admin
Nothing unexpected here. Social engineering is the most widespread weakness of security systems.
Admin
I'm pretty sure that management's scolding of the night staff is not sufficient to stop a social engineering attack.
Admin
So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
Admin
Or bet the bartender $500 you can pee into a glass 3 m. away without missing a drop in the bar and bet people $1000 that you can pee all over the bar and bartender and he will still be happy.
Admin
Isn't physical access security the first step to system security? So in a way this guy is a super hacker and did the first access any would be attacker would attempt. If you can gain someone on the "inside" who can login to the system you don't need to waste time breaking into the system.
The real WTF is that they don't have physical access security setup for their servers...
And the 2nd WTF is why this website is so SLLOOWWW today :(
Admin
I would hope that the contract (was there one?) would specify the terms on how the Super Hacker would approach the challenge.
Admin
I'm guessing the "super hacker" did not receive the reward, or did he? Well if he had a clever contract, but I don't think this trick does work very often ...
Admin
Right. So?
Admin
Well, he found an exploit. Clearly, that "someone" shouldn't have had access to the server room. And the server should have a good enough SAI so that unless you were physically there you couldn't perform a MDoS on it (Manual Denial of Service).
Admin
Wow, that was really quite the snarky exit. I wonder if that's what really happened, or if the drama was anonymized...
Admin
Wait, if he had to pay an employee to pull the plug doesn't that mean he could neither find a security hole, nor gain physical access himself? And if that's true, then how did he put the python "script" into the system? (More social engineering but with the managers? "Hey, here is the fix, just copy it onto your system.")
Admin
Creating a file and shutting down a computer require different access levels, you know.
Admin
I could understand the super hacker just telling the janitor to unplug the computer. Claiming to be an authority figure would have been social engineering.
But just offering $10 is not social engineering. It's a complete lack of morals.
Admin
Well, if it turns out that less than 2/3 of the sorts of women who hang around in bars are willing to remove their blouses for $50 then the pot odds are against you.
Admin
If she doesn't, there's plenty of other girls at the bar, some drunker than others.
Admin
After rereading this, I guess the fix could be a WTF... Yet, if someone would LOOK at the "code" in the fix, the problem could actually be fixed... Which it seems is what happened, so there still isn't a WTF in this story :/
Admin
So they took down the main web server for the night? Didn't that affect business?
Admin
He should be advertising himself as a "social engineer" and not a "hacker". There is a huge difference.
Some people are both, but being as he was introduced around the office by the boss before "bribing" an employee to unplug the server, I suspect this guy was neither.
Perhaps if no one in the office had known he was hired, and no one suspected an attack was imminent...
Admin
Why do you assume you can only ask one woman? If even one woman at the bar will take off her shirt for $50 you will be paid as long as you're persistent (and at least one woman will be walking around without a shirt).
Admin
ROFL! In the words of Kevin Malone: "That... was... awesome!"
Admin
Depends on how many times you're willing to be slapped (or kneed in the groin) for a measly $50.
Admin
whoa! another super believable story! i'm laughing so hard!
Admin
The whole Super Hacker thing is overblown but he is a good consultant if he tries all methods to shut down the server.
Now the management firm was a little daft in setting this up. This seems like a dumb way to reward a consultant. After all, why not just have the janitor pull the plug and then stop. Have you found any other vulnerabilities? Probably not. So the web site could still be open to attack.
To say paying someone $10 to pull the plug and calling that an immoral attack is pretty dumb, too. After all, anything that brings down your server can prove a boon to the competition. All methods of attack must be defended against.
Admin
I hate to break it to you, but Kevin Malone didn't coin that expression.
Admin
Well, if your objective is a denial of service attack on their business, offering $10 for an inside job seems like a likely path of attack.
Admin
When Mike asked around the office for the person(s) responsible for removing the power source from our server box to come forward, no one owned up. Though it's believed among my peers that some of the cleaning staff know who was responsible, social engineering worked in his favor by approaching a lower level staff member (cleaner most likely) and making out to be an authority figure claiming that he was running diagnostic tests and he needed someone to shut down the server box by removing the power source in say five minutes, and he would give them $10 for their effort (seeing as how it's outside their work requirements as a cleaner). Though the term 'super-hacker' has become somewhat of a nickname for someone slacking off at work :p.
Captcha: sino
Admin
Ask the woman first.
Admin
[quote user="Kiefer Rodriguez] the term 'super-hacker' has become some what of a nickname for someone slacking off at work :p. Capcha: sino[/quote]
So if we're reading and replying to WTF at work does that make us super-hackers? C00l my sk1lz are L337
Admin
Wow, what a steaming pile of bullshit that story is.
Admin
Who cares about the math? You might see boobies.
Admin
[quote user="Pete Repete"][quote user="Kiefer Rodriguez] the term 'super-hacker' has become some what of a nickname for someone slacking off at work :p. Capcha: sino[/quote]
So if we're reading and replying to WTF at work does that make us super-hackers? C00l my sk1lz are L337 [/quote]
Missed quote mark is epic.
Admin
This story was about as believable as it was unpredictable. As soon as the first paragraph was read, I didn't have to continue because I knew how it ended. Seems like the same author of the http://thedailywtf.com/Articles/The-Defect-Black-Market.aspx story is up to it again.
Admin
The real wtf is that the she-bang is wrong...
Admin
Are you talking about Irish Girl??
Captcha => jugis...I wonder if the "i" is supposed to be there??
Admin
Hmmm.
Best summary of SEO (Search Engine Optimization) I've seen so far.
Admin
How many people out there notice that ;)
Fix not working => Get the money back :D
Admin
Then BAM!!!! Headshot!
Admin
Wow! A happy story on WTF, where everyone gets exactly what they deserve!
Admin
A variant on that one that loses you less money probably:
Bet a woman (in a bar, hopefully drunk) $20 that you can take off her bra without touching her shirt or breasts. If she accepts the bet, give her a good groping, and pay the woman her $20 :)
Admin
Why would you conclude that? Getting someone to pull the plug is probably just the first thing he tried, and, it worked, so he was due $3500. Why would you expect him to do more work?
Admin
I'm disappointed.
When I started reading it, I thought the boss got duped by a real hacker posing as a security expert, and would do some trivial thing to prove he was a consultant, only to gain permanent access to their financials or something.
Admin
For those of you claiming the story to be a work of fiction, I can assure you the story is genuine. The shebang line should have been '#!/usr/bin/env python' but I was in a rush when submitting the story and could not locate the actual .py file, and in my haste didn't bother to actually think anyone would care about the shebang line. The script did have more to it (details of the operations it was claiming to undertake etc.) but I cut them out to save space and to make it easier to understand for any non-programmer TDWTF readers (as if you don't understand the code, you won't get the joke). Management (remember, we're quite a small ISP operation, no more than 30-40 workers) did not bother to write up a contract for the security audit, nor bother to check his credentials (remember: small business).
And believe it or not, management rarely read bugfixes, patches, etc. for their content, they just want to know everything works.
Captcha: transverbero ..C'mon! That's not even a word! :P
Admin
That's the price to keep the place decent!
Admin
Man, that's some Kevin Mitnick shit.
Admin
Wait, what bars are you going to where women willingly take off their blouses and how do we get there?