Well, I'm sure this applies at most strip clubs that also offer alcohol :)
Admin
You know, you guys could just get an actual gf, or even a wife, and see all the boobs you want!
Admin
Follow the Girls Gone Wild bus?
Admin
Such an obvious urban legend.
Admin
FTFY.
Admin
My guess is that snoofle isn't married.
Admin
EXACTLY!
thx
Admin
??? What a ridiculous comment! You would expect him to do more because you pay a security consultant to conduct a thorough examination of your enterprise and to provide you a comprehensive report listing any and all vulnerabilities found. In this case, it appears you also pay him a bonus if he is able to exploit any of those vulnerabilities - and that's fine, but that's not all you're paying for.
The way you present the situation, it's like taking your broken-down car to a mechanic and having him say, "oh look, your window-roller-upper is broken - that'll be $75 please." Totally ridiculous!
The reason this story is so obviously bullshit is that it went that extra mile trying to be clever by including the Python script. Any actual consultant who did that would be sued for whatever the consultant equivalent of "failing due diligence" is. Think about it: he told them he "patched" the system. Yet clearly, his patch didn't do anything. People get sued for that. In the real world, he would continue his analysis and produce a report that may show many vulnerabilities, but one of the vulnerabilities would be that an unscrupulous individual has access to the power cord.
That's the real world. The person who made up this story is probably about 15 and has read too many Dilbert cartoons.
Admin
Nope, could only see 2 in that case.
Admin
That's not the article I read. You may imagine that is what a security audit involves, but according to the story, this guy got paid to do one thing and one thing only: stop the server. He stopped the server, he got paid. And, I'll add, he didn't get paid much, and he does work for little itty bitty companies, so what he offered to do and what he was expected to do could both be just about anything.
Admin
Awesome, totally awesome......
Admin
But just offering $10 is not social engineering. It's a complete lack of morals.
What's the difference?
(And no, I'm not joking.
"Social engineering" is plain lying - it's just as "immoral" as bribery, and in a security test context, that your janitor can be bribed is just as bad (or irrelevant) a problem as someone giving out a password because of a clever lie.
Every time I hear some amoral lackwit say "hey, it's just social engineering" as an excuse for being a lying douche, I want to see him get hit by a bus.
[Doing it without being a douche, as an object lesson in not trusting people over the phone and giving out information, is another matter. But that requires not abusing the information, and then telling everyone involved what happened and promoting a "fix".])
Admin
I take it you have never been married... :-)
Admin
Exactly. TRWTF here was that the company gave him a task which could be most easily accomplished by circumventing physical security. A better test would have been to put some data file in a supposedly protected location on the server and ask him to email you the contents of the file. He still might be able to get an insider to just give him the file, but I guarantee it will require more than a $10 bribe to the janitor.
Of course, even that isn't a thorough audit, but you get what you pay for.
Admin
If she catches on to your plan, she'll want to cut out the middle man... go to the potential suckers before you do ("if you give me $100 I'll take my top off" -- who wouldn't pay?). Then she gets your $50 for doing it and all the guys pay her their $100.
Admin
If you're running a public facing website, that downtime is something you need to protect against. Give the guy a bonus for both, but don't voluntarily give him special access to the building/employees/etc until after he tries.
Admin
Lots of people are claiming it must be false, but let's be honest here: there's a lot of people out there who think that getting "hackers" to break into their server is a great way to test security.
Sure, it's a scheme that has somewhat limited merit (or is usually just flat out stupid) but a manager writing a stupid contract and a contractor taking advantage of the actual wording of the task seems quite plausible.
And the start of the story suggested management had a less than complete technical understanding of their systems - and that's hardly unusual.
Still, the other real WTF is an important server being hosted at the company office, instead of renting space in a managed datacenter. By the time you can justify hosting your own servers, you can also justify a manager in charge of the department who knows what they're doing, a full time experienced team of administrators, and some actual physical security. Without that, some idiot slicing the network connection while fixing a leaking pipe is a bigger concern than "hackers".
Admin
As the person above me said, a lot of people are claiming this to be fake, but I beg to differ. If management only cares about the result, not the method (which is all too common), then it's plausible. I'm not saying anyone who says this story is bullshit is a moron, but if you don't have something like this happen at least once in your career, then you must be an accountant or something.
To sum up: I think this story is true, but hard to comprehend, believe it or not; a small company won't usually draw up contracts for short-term work, and a scam artist won't hesitate to be daring.
Admin
Then find the drunk ones and all of a sudden the odds are 2/3 for you :)
Admin
I look for suckers like both of you when I'm wanting to score free drinks for an evening. The point of bar bets isn't to take a chance, it's to trick a drunk out of his money after you've stacked the deck in one way or another. Read some of the other posts and you probably still won't see what I mean.
Admin
The next time, he'll pay the janitor $10 to shut the air conditioning off over a three day weekend.
Admin
As a junior network administrator at a small local ISP, Kiefer R.'s job is pretty mundane. Aside from the occasional bandwidth problem investigating, cable laying, and spline reticulating, there's not too much excitement.
Hahahahahaha. Reticulating Splines! Brillant! I love it!
Wait... is there more?
Admin
yah... it was totally Chris Farley
<shameless>http://grapethinking.com</shameless>
Admin
The description said, "he'd only get paid if the server was shut down while he was not in the office."
So he snuck in after hours with the cleaning staff, and pulled the plug, right? So he was in the office when he pulled the plug, right?
So he didn't really "do it." At least, not as described.
However, he did demonstrate how an outsider could crash your web server! ;->
(...and maybe walk off with some of your equipment, too! ;-)
Admin
Why on earth do the cleaners have access to the server room to be able to unplug it in the first place? Are the servers located in the janitor's broom closet?
That's the WTF!!!
Admin
Perhaps you prefer the triple breasted whore of eroticon 6...
Admin
I don't see much wrong with it. I know a security consultant who arrives at a company, goes to reception, says "I'm from KPMG to make an IT security audit. Where's the server room?" If they just point down the corridor, and he is able to walk in, then they've failed it already.
Admin
I don't doubt the story. I think the "super hacker" earned his money. He demonstrated quite clearly that the servers were at risk because they were not in a secured location.
Admin
But he would not need to pay someone $10 to remove the power cord.
Admin
Still wondering how humorous the management was. He didn't actually earn the $3500, but did they pay him anyway?
Admin
Lame articles lead to super shit comments. And yes, this is one of them. Dear lord.
Admin
The only thing cooler than the Super Hacker is Mr. Rodriguez' name. I'm not joking.
Admin
The consultant did everything perfectly and quite frankly earned his money. He planned and successfully executed a DoS attack within the first day of being hired.
Further, he showed that physical security was easily compromised. Sure he only paid the cleaning guy $10 to pull a power cord. But that shows he could have gotten a job with the cleaning company... Just use your imagination.
What's worse, someone gaining electronic access that can be monitored and tracked or someone you don't know physically standing in front of the machine(s)?
Admin
But you have to deduct from your net profit the medical bills incurred when some number of women turn out to have large boyfriends standing nearby.
Admin
FTFY.
Admin
The first obvious flaw to this comment is the assumption that no one would ever do anything for which he might be sued. As, in fact, people are routinely sued every day, it stands to reason that some people DO sometimes do things for which they can be sued.
I'm not a lawyer, but I would think that whether the contractor in this case could be sued would depend on whether they actually had a written contract and what it said, or what a judge decided about any verbal contract.
Unless the contract (written or verbal) required him to fix any problems found, then writing a useless script does not violate the contract.
Anyway, as many posters here have already pointed out, "social engineering" attacks are probably the most common way to break into systems, and demonstrating that he could bribe his way in for $10 is arguably the sort of thing that he was paid to do.
Hey, did the janitor or whomever know that the consultant was getting $3500 for this? I would have negotiated for a higher percentage of the cut. If he replied that others would do it for $10, I could threaten to inform management of the bribery attempt and thus thwart the plan.
Admin
... if you can get that girl ...
Man, learn to read.