• (cs) in reply to pcooper
    pcooper:
    I'm pretty sure that management's scolding of the night staff is not sufficient to stop a social engineering attack.
    At least not if the price goes all the way up to, say, $20.00 !!!
  • SomeCoder (unregistered) in reply to n9ds
    n9ds:

    Wait, what bars are you going to where women willingly take off their blouses and how do we get there?

    Well, I'm sure this applies at most strip clubs that also offer alcohol :)

  • (cs) in reply to SomeCoder

    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

  • Spoe (unregistered) in reply to n9ds
    n9ds:
    Andrew:
    Frank Butcher:
    So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
    Ask the woman first.

    Wait, what bars are you going to where women willingly take off their blouses and how do we get there?

    Follow the Girls Gone Wild bus?

  • Jennifer (unregistered)

    Such an obvious urban legend.

  • (cs) in reply to Jennifer
    Jennifer:
    Such an obvious urban legend.
    Says someone with a woman's name online!
  • (cs) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the pointless arguments you want!

    FTFY.

  • (cs) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

    My guess is that snoofle isn't married.

  • (cs) in reply to untalented_newbie
    untalented_newbie:
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the pointless arguments you want!

    FTFY.

    EXACTLY!

    thx

  • (cs) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!
    You mean see both of them? Fantastic!!! Do they come in different shapes and flavors too?
  • thatoneguy (unregistered) in reply to rumpelstiltskin

    ??? What a ridiculous comment! You would expect him to do more because you pay a security consultant to conduct a thorough examination of your enterprise and to provide you a comprehensive report listing any and all vulnerabilities found. In this case, it appears you also pay him a bonus if he is able to exploit any of those vulnerabilities - and that's fine, but that's not all you're paying for.

    The way you present the situation, it's like taking your broken-down car to a mechanic and having him say, "oh look, your window-roller-upper is broken - that'll be $75 please." Totally ridiculous!

    The reason this story is so obviously bullshit is that it went that extra mile trying to be clever by including the python script. Any actual consultant who did that would be sued for whatever the consultant equivalent of "failing due diligence" is. Think about it: he told them he "patched" the system. Yet clearly, his patch didn't do anything. People get sued for that. In the real world, he would continue his analysis and produce a report that may show many vulnerabilities, but one of the vulnerabilities would be that an unscrupulous individual has access to the power cord.

    That's the real world. The person who made up this story is probably about 15 and has read too many Dilbert cartoons.

  • Michael (unregistered) in reply to thatoneguy
    thatoneguy:
    ??? What a ridiculous comment! You would expect him to do more because you pay a security consultant to conduct a thorough examination of your enterprise and to provide you a comprehensive report listing any and all vulnerabilities found.
    Not for $3,500 you don't.
  • ChiefCrazyTalk (unregistered) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

    Nope, could only see 2 in that case.

  • rumpelstiltskin (unregistered) in reply to thatoneguy
    thatoneguy:
    ??? What a ridiculous comment! You would expect him to do more because you pay a security consultant to conduct a thorough examination of your enterprise and to provide you a comprehensive report listing any and all vulnerabilities found. In this case, it appears you also pay him a bonus if he is able to exploit any of those vulnerabilities - and that's fine, but that's not *all* you're paying for.

    That's not the article I read. You may imagine that is what a security audit involves, but according to the story, this guy got paid to do one thing and one thing only: stop the server. He stopped the server, he got paid. And, I'll add, he didn't get paid much, and he does work for little itty bitty companies, so what he offered to do and what he was expected to do could both be just about anything.

  • James (unregistered)

    Awesome, totally awesome......

  • Sigivald (unregistered) in reply to akatherder

    But just offering $10 is not social engineering. It's a complete lack of morals.

    What's the difference?

    (And no, I'm not joking.

    "Social engineering" is plain lying - it's just as "immoral" as bribery, and in a security test context, that your janitor can be bribed is just as bad (or irrelevant) a problem as someone giving out a password because of a clever lie.

    Every time I hear some amoral lackwit say "hey, it's just social engineering" as an excuse for being a lying douche, I want to see him get hit by a bus.

    [Doing it without being a douche, as an object lesson in not trusting people over the phone and giving out information, is another matter. But that requires not abusing the information, and then telling everyone involved what happened and promoting a "fix".])

  • LEGO (unregistered) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

    I take it you have never been married... :-)

  • Bob N Freely (unregistered) in reply to rumpelstiltskin
    rumpelstiltskin:
    thatoneguy:
    ??? What a ridiculous comment! You would expect him to do more because you pay a security consultant to conduct a thorough examination of your enterprise and to provide you a comprehensive report listing any and all vulnerabilities found. In this case, it appears you also pay him a bonus if he is able to exploit any of those vulnerabilities - and that's fine, but that's not *all* you're paying for.

    That's not the article I read. You may imagine that is what a security audit involves, but according to the story, this guy got paid to do one thing and one thing only: stop the server. He stopped the server, he got paid. And, I'll add, he didn't get paid much, and he does work for little itty bitty companies, so what he offered to do and what he was expected to do could both be just about anything.

    Exactly. TRWTF here was that the company gave him a task which could be most easily accomplished by circumventing physical security. A better test would have been to put some data file in a supposedly protected location on the server and ask him to email you the contents of the file. He still might be able to get an insider to just give him the file, but I guarantee it will require more than a $10 bribe to the janitor.

    Of course, even that isn't a thorough audit, but you get what you pay for.

  • (cs) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!
    "Waddiamean, quit looking at other women's boobs, honey? We're married. I've got permission now."
  • (cs) in reply to Mr Ascii
    Mr Ascii:
    Frank Butcher:
    FredSaw:
    So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
    If she accepts you're up $50. If she refuses you're down $100.
    You ask her FIRST. If she takes the $50, you tell her to wait for your signal, then go look for takers on the $100 bet. If you don't get takers, you either rescind the offer or pay her the $50 for the fun of it.

    If she catches on to your plan, she'll want to cut out the middle man... go to the potential suckers before you do ("if you give me $100 I'll take my top off" -- who wouldn't pay?). Then she gets your $50 for doing it and all the guys pay her their $100.

  • (cs) in reply to Bob N Freely
    Bob N Freely:
    TRWTF here was that the company gave him a task which could be most easily accomplished by circumventing physical security. A better test would have been to put some data file in a supposedly protected location on the server and ask him to email you the contents of the file. He still might be able to get an insider to just give him the file, but I guarantee it will require more than a $10 bribe to the janitor.

    If you're running a public facing website, that downtime is something you need to protect against. Give the guy a bonus for both, but don't voluntarily give him special access to the building/employees/etc until after he tries.

  • Anony Moose (unregistered)

    Lots of people are claiming it must be false, but let's be honest here: there's a lot of people out there who think that getting "hackers" to break into their server is a great way to test security.

    Sure, it's a scheme that has somewhat limited merit (or is usually just flat out stupid) but a manager writing a stupid contract and a contractor taking advantage of the actual wording of the task seems quite plausible.

    And the start of the story suggested management had a less than complete technical understanding of their systems - and that's hardly unusual.

    Still, the other real WTF is an important server being hosted at the company office, instead of renting space in a managed datacenter. By the time you can justify hosting your own servers, you can also justify a manager in charge of the department who knows what they're doing, a full time experienced team of administrators, and some actual physical security. Without that, some idiot slicing the network connection while fixing a leaking pipe is a bigger concern than "hackers".

  • Chasion (unregistered)

    As the person above me said, a lot of people are claiming this to be fake, but I beg to differ; if management only cares about the result, not the method (which is all too common), then it's plausible. I'm not saying anyone who says this story is bullshit is a moron, but if you don't have something like this happen at least once in your career, then you must be an accountant or something.

    To sum up, I think this story is true, but hard to comprehend, believe it or not; a small company won't usually draw up contracts for short-term work, and a scam artist won't hesitate to be daring.

  • 5up3rH4k3r (unregistered) in reply to Frank Butcher
    Frank Butcher:
    FredSaw:
    So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
    If she accepts you're up $50. If she refuses you're down $100.
    You're doing it wrong.
  • Zach (unregistered) in reply to Jivlain
    Jivlain:
    me:
    Frank Butcher:
    If she accepts you're up $50. If she refuses you're down $100.

    Right. So?

    Well, if it turns out that less than 2/3 of the sorts of women who hang around in bars are willing to remove their blouses for $50 then the pot odds are against you.

    Then find the drunk ones and all of a sudden the odds are 2/3 for you :)

  • C_Boo (unregistered) in reply to Zach
    Zach:
    Jivlain:
    me:
    Frank Butcher:
    If she accepts you're up $50. If she refuses you're down $100.

    Right. So?

    Well, if it turns out that less than 2/3 of the sorts of women who hang around in bars are willing to remove their blouses for $50 then the pot odds are against you.

    Then find the drunk ones and all of a sudden the odds are 2/3 for you :)

    I look for suckers like both of you when I'm wanting to score free drinks for an evening. The point of bar bets isn't to take a chance, it's to trick a drunk out of his money after you've stacked the deck in one way or another. Read some of the other posts and you probably still won't see what I mean.

  • eric76 (unregistered)

    The next time, he'll pay the janitor $10 to shut the air conditions off over a three day weekend.

  • TraumaPony (unregistered) in reply to diaphanein
    diaphanein:
    Rob:
    Why do you assume you can only ask one woman? If even one woman at the bar will take off her shirt for $50 you will be paid as long as you're persistent (and at least one woman will be walking around without a shirt).

    Depends on how many times you're willing to be slapped (or kneed in the groin) for a measly $50.

    In other words, it depends how many women are willing to go to jail for assault.

  • SimHacker (unregistered)

    As a junior network administrator at a small local ISP, Kiefer R.'s job is pretty mundane. Aside from the occasional bandwidth problem investigating, cable laying, and spline reticulating, there's not too much excitement.

    Hahahahahaha. Reticulating Splines! Brillant! I love it!

    Wait... is there more?

  • sf (unregistered) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!
    Well two at least (if you're lucky.)
  • (cs) in reply to EJ_
    EJ_:
    Andrew:
    Frank Butcher:
    FredSaw:
    So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
    If she accepts you're up $50. If she refuses you're down $100.

    Ask the woman first.

    A variant on that one that loses you less money probably:

    Bet a woman (in a bar, hopefully drunk) $20 that you can take off her bra without touching her shirt or breasts. If she accepts the bet, give her a good groping, and pay the woman her $20 :)

    But first you need to bet someone else a larger sum that she'll happily let you do that (basically a variation on the bartender one)

  • Jake (unregistered) in reply to Zylon

    yah... it was totally chris farley

    <shameless>http://grapethinking.com</shameless>

  • Jeff Grigg (unregistered) in reply to Kiefer Rodriguez

    The description said, "he'd only get paid if the server was shut down while he was not in the office."

    So he snuck in after hours with the cleaning staff, and pulled the plug, right? So he was in the office when he pulled the plug, right?

    So he didn't really "do it." At least, not as described.

    However, he did demonstrate how an outsider could crash your web server! ;->

    (...and maybe walk off with some of your equipment, too! ;-)

  • codemonkey (unregistered)

    Why on earth do the cleaners have access to the server room to be able to unplug it in the first place? Are the servers located in the janitor's broom closet?

    That's the WTF!!!

  • NeoMojo (unregistered) in reply to ChiefCrazyTalk
    ChiefCrazyTalk:
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

    Nope, could only see 2 in that case.

    Perhaps you prefer the triple breasted whore of eroticon 6...

  • Miklos Hollender (unregistered)

    I don't see much wrong with it. I know a security consultant who arrives at a company, goes to reception, says "I'm from KPMG to make an IT security audit. Where's the server room?" If they just point down the corridor, and he is able to walk in, then they've failed it already.

  • Quango (unregistered) in reply to Kiefer Rodriguez
    Kiefer Rodriguez:
    For those of you claiming the story to be a work of fiction, I can assure you the story is genuine.

    I don't doubt the story. I think the "super hacker" earned his money. He demonstrated quite clearly that the servers were at risk because they were not in a secured location.

  • Quango (unregistered) in reply to Jeff Grigg
    Jeff Grigg:
    The description said, "he'd only get paid if the server was shut down while he was not in the office."

    So he snuck in after hours with the cleaning staff, and pulled the plug, right? So he was in the office when he pulled the plug, right?

    So he didn't really "do it." At least, not as described.

    However, he did demonstrate how an outsider could crash your web server! ;->

    (...and maybe walk off with some of your equipment, too! ;-)

    But he would not need to pay someone $10 to remove the power cord.

  • JoeMuc2008 (unregistered) in reply to Kiefer Rodriguez

    Still wondering how humorous the management was. He didn't actually earn the $3,500, but did they pay him anyway?

  • (cs)

    Lame articles lead to super shit comments. And yes, this is one of them. Dear lord.

  • matt (unregistered)

    The only thing cooler than the Super Hacker is Mr. Rodriguez' name. I'm not joking.

  • (cs)

    The consultant did everything perfectly and quite frankly earned his money. He planned and successfully executed a DoS attack within the first day of being hired.

    Further, he showed that physical security was easily compromised. Sure he only paid the cleaning guy $10 to pull a power cord. But that shows he could have gotten a job with the cleaning company... Just use your imagination.

    What's worse, someone gaining electronic access that can be monitored and tracked or someone you don't know physically standing in front of the machine(s)?

  • Jay (unregistered) in reply to Rob
    Rob:
    Why do you assume you can only ask one woman? If even one woman at the bar will take off her shirt for $50 you will be paid as long as you're persistent (and at least one woman will be walking around without a shirt).

    But you have to deduct from your net profit the medical bills incurred when some number of women turn out to have large boyfriends standing nearby.

  • (cs) in reply to Lev
    Lev:
    Lame commenters like me lead to super shit comments. And yes, this is one of them. Dear lord.

    FTFY.

  • Jay (unregistered) in reply to thatoneguy
    thatoneguy:
    The reason this story is so obviously bullshit is that it went that extra mile trying to be clever by including the python script. Any actual consultant who did that would be sued for whatever the consultant equivalent of "failing due diligence" is. Think about it: he told them he "patched" the system. Yet clearly, his patch didn't do anything. People get sued for that. In the real world, he would continue his analysis and produce a report that may show many vulnerabilities, but one of the vulnerabilities would be that an unscrupulous individual has access to the power cord.

    That's the real world. The person who made up this story is probably about 15 and has read too many Dilbert cartoons.

    The first obvious flaw to this comment is the assumption that no one would ever do anything for which he might be sued. As, in fact, people are routinely sued every day, it stands to reason that some people DO sometimes do things for which they can be sued.

    I'm not a lawyer, but I would think that whether the contractor in this case could be sued would depend on whether they actually had a written contract and what it said, or what a judge decided about any verbal contract.

    Unless the contract (written or verbal) required him to fix any problems found, then writing a useless script does not violate the contract.

    Anyway, as many posters here have already pointed out, "social engineering" attacks are probably the most common way to break into systems, and demonstrating that he could bribe his way in for $10 is arguably the sort of thing that he was paid to do.

    Hey, did the janitor or whoever know that the consultant was getting $3500 for this? I would have negotiated for a higher percentage of the cut. If he replied that others would do it for $10, I could threaten to inform management of the bribery attempt and thus thwart the plan.

  • (cs) in reply to Frank Butcher
    Frank Butcher:
    FredSaw:
    So it's a variant of the old barroom tale -- "I'll bet you $100 I can get that woman to take off her blouse here in the bar." ... "I'll give you $50 to take off your blouse."
    If she accepts you're up $50 plus you saw free boobs. If she refuses you're down $100.
  • dude... (unregistered)

    ... if you can get that girl ...

    Man learn to read

  • PublicLurker (unregistered) in reply to snoofle
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!
    Haven't been married very long huh? :-)
  • (cs) in reply to ChiefCrazyTalk
    ChiefCrazyTalk:
    snoofle:
    You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!

    Nope, could only see 2 in that case.

    You're obviously looking at the wrong gf (gif?) or the wrong wife. Try getting shit-faced drunk first. At that point, you may wish to check out goatse on the intertubes ... but keep a bucket handy.

Leave a comment on “The Super Hacker”
