Admin
TRWTF is, once again, improper security.
Admin
Wait, but... there was nobody in the room to hear it!
Admin
Could be worse?
Admin
So the WTF is a trivial password shared over insecure channels? That's what I expect to see when I read my mail around here.
Admin
I so hope that at least the service concerned was not reachable from the open internet…
Admin
I don't know what he's complaining about. It could have been so much worse. I was expecting:
Username: dba, password: dba
But, with a password like that, I don't know why he didn't just post it in TD :wtf:. Oh, wait...
Admin
That's really non-secure!
To prevent plaintext password interception by hackers, the proper approach is to write it on a peace of paper, take a photo on a wooden table, attach to email as a jpeg!
Admin
What is in any way improper here? As anyone knows, child-proof cap means that only children can get access to the contents. @dkf, why would you hope otherwise?
Edit: Oh, I know. It's so obvious. If the service was reachable from the open Internet, Michael would have had such an obvious way to access the service that he would have been :doing_it_wrong: in a really blatant way.
Admin
You forgot the step where you captcha-fy it before taking the photo. That way it's far more secure.
Admin
You seriously didn't think there was anything wrong with any of that?
Admin
I guess having world peace might be beneficial for security.
Admin
The third panel of http://www.savagechickens.com/2010/11/captcha.html would make it extremely secure if printed on a post-it® notesheet, attached to a wooden table and photographed there.
Admin
Agreed. Either having brought peace to the world, or having brought the world to pieces. Although that would be very much the same thing, I ass-u-me.
Admin
Yeah, the password should have been hunter21
Admin
Admin
I assumed it was irony.
Admin
Here???
Admin
Let me try that… Belgium, Belgium, Belgium, Belgium, Belgium.
It works!
Admin
does it?
■■■■■■■■■■■■■■■■■■■■■■■■■■■.... BUGGER! I @accalia'd...
let me try that again
■■■■■■■■■■■■ .... no that's my school email password....
■■■■■ .... no that's the combination to my luggage...
■ ... no that's my PIN
■■■■■■■■ ..... no that's my CDCK password
■■■■■■■■■■■■■■■ ... no that's IRC
■■■■ .... no, that's my other IRC password.
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■..... OH! hey! it works!
Admin
Actually TRWTF is:
Admin
E_NOREPRO The Forum appears to be hiding EVERY password, regardless of what the password is used for. [image] It even hides them in the raw output as well. They think of everything! [image]
What if some of my passwords consist of ordinary ■■■■■■■■■■■■■■■■■■■■■■■■? Ev■■■■■■■■ that sentences make ■■■■■■■■■■■■ passwords! This will keep working as long as everybody makes sure to ■■■■■■■■■■■■■■■■■■■■■■■■ine.
Admin
That looks like Sindarin mixed with English letters. http://gifsec.com/wp-content/uploads/GIF/2014/03/GIF-horrified-Jim-Carrey-Liar-Liar-GIF.gif?gs=a
Admin
And this is why we think that he's the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting "All gods are bastards".
Admin
Admin
no, standard base 2
Admin
Even better: send the photo by snail mail!
Admin
Secret stuff via snail mail?! With all those secret agents in the post offices?
Admin
TRWTF isn't all the horrible security and the clueless admin not knowing about user sessions, but it lies in the username.
THE BLOODY DBA GAVE HIM THE DBA USER. You know that user has SA rights. Look at the rest of the environment. Now the end user can just create all of their own users and back doors, and probably use that password to connect to other SQL instances in their environment.
And that my friends, is the real WTF. I would know. I'm an ahole DBA.
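The point above is that the "dba" login handed out in the story is a member of the sysadmin server role, so whoever holds that password can create logins and back doors at will. The following T-SQL is an added example (not from the thread or the story) that lists every login holding sysadmin on a SQL Server instance, which is the check a DBA would run before, and after, sharing any credential; it uses only the standard catalog views sys.server_role_members and sys.server_principals.

```sql
-- Added example: enumerate every member of the sysadmin fixed server role.
-- Run as a login that can read the server catalog (VIEW ANY DEFINITION or sysadmin).
SELECT
    r.name        AS role_name,      -- always 'sysadmin' here
    m.name        AS member_name,    -- the login that holds the role
    m.type_desc   AS member_type,    -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
    m.is_disabled AS is_disabled     -- 1 = login exists but is disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- Added example: quick yes/no check for one specific login. The login name
-- 'dba' is taken from the story; substitute whatever was actually shared.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'dba') AS dba_is_sysadmin;  -- 1 = yes, 0 = no, NULL = no such login
```

Any SQL_LOGIN in the first result set that is not a named administrator is a credential worth rotating or, better, replacing with a least-privilege login scoped to the one database the application needs.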
Admin
Is it just me, but:
What I take from this is that the DBA opened Notepad, typed the username and password and expected Michael to be able to read it over his shoulder, so to speak. The (intended) confusion is "remote desktop". I suspect that Michael was using remote terminal, where you get your own desktop on the machine, rather than Remote Desktop, where you share the active desktop. Hence the request to use team view. In short, the DBA was attempting to do the equivalent of writing on a piece of paper instead of stating it out loud.
He could have emailed it, he could have sent the file. But I don't think it ever was a file. I quite often use a simple text editor as a simple notepad or, more frequently, "cache" for cut and paste.
That the username and password were eventually sent via the IM may be a :WTF: That it may have been a live account and not a throw away one could be another. The overriding stressor here is the urgency.
Which sorta brings around to TRWTF:
... After all, he'd rehearsed every step of the process hundreds of times during the last six months...A few minutes of digging around... ...the local applications were configured to use Windows logins to connect to the database, the overseas branch used simple SQL Server authentication ...
So much for rehearsal and prior planning or a lot of other things for that matter.
Admin
Still better than taking your chances with TPC.
Admin
There was. And worse than a human - the hostile machines. They're only waiting for the next opportunity to screw you until your head shears off.
[/wtdwtfmember]
[seriously] Which might be the only way to get the next update through, on the other hand. [/seriously][wtdwtfmember]
Admin
Who would have thought that different deployments might need different database credentials and/or configuration! They've only had half a year to check that, come on, is obviously teh stoopeed dee-bee admin to blame!
Admin
Silly @PWolff, human heads don't actually screw on!
Admin
TRWTF is not one, but two items in the story.
#1:
#2:
'nuff said.
Admin
Heck yes...you send a new password to a user, making sure the request ticket has all the proper authorizations, that you are really sending it to the correct user id, make sure to set Outlook to "encrypt" and "personal", send the email, close the ticket...and then you get a reply back "Thanks for the quick response" in a full-quoted, non-encrypted mail. User has gone home after sending the mail, you have no ticket to work on to quickly reset the password, so you have to assume the account is now compromised and lock it. Love it!
Admin
That is why I insist on sending password by SMS only.
Admin
This is how we do it:
You see there is barely any difference in our procedures.
Admin
Reminds me of a scene in the book "The Cuckoo's Egg": some company gave their "guest" account admin privileges! So username "guest", password "guest" would give anyone total control over their system!