Admin
Ah, yes. Reminds me of our own acquisition - software guidelines included "No packet capture software of any kind, unencrypted passwords may travel over the network". We were like "Do you even know what you've bought?". No Active Directory though, and I don't think they ever called us on it.
Admin
Holy shit, how stupid can you be? Aghhh! It's frustrating to read!
Admin
Kind of reminds me of this dilemma:
https://what.thedailywtf.com/t/any-program-that-can-open-a-1-87-gb-xml-document/51209?u=boomzilla
Here, try $program0. Nope, blocked by group policy. How about $program1. Nope, blocked by group policy. $program2 should work. Nope, blocked by group policy.
Admin
Sounds like it'd be easier to check the group policy's application whitelist?
Admin
Nah, only thing listed on that list is iexplore.exe
Admin
So, are there any tips on what to do if this situation ever happens to me? Just in case?
I would like to actually learn something useful from a TDWTF article.
Admin
I would brush up my CV. Perhaps there is a startup company that could make better use of 20+ network engineers than taking their best tools away and having them work around it.
Admin
Something's missing: We all know WireShark doesn't do this. Did they download a hacked version of WireShark from a sketchy site? Did the problem really go away when they removed WireShark?
Admin
No, WireShark had nothing to do with the problem (yes, something is missing from the story: we never find out what was actually causing it), that was just the incompetent conclusion of Initech IT.
Admin
The packet trace was caused by Wireshark. If Wireshark had not been there, the packet trace would not have happened.
Admin
Posted 17 hours ago at that. This humour has multiple levels. Like a classic platform game.
Admin
http://www.nbc.com/saturday-night-live/video/landshark/2832305
Oh wait... did you say "Wire Shark" Well that's very different:
https://www.youtube.com/watch?v=V3FnpaWQJO0
Admin
Fact: I occasionally install Wireshark, Fiddler, etc. on my work machine. Fact 2: I never leave them installed for more than the length of a usage session explicitly because I'm afraid of having my tools taken away. Wireshark because... Duh. Fiddler because it handily bypasses the MITM SSL proxy.
Admin
Should have used netsh trace. (netcap, if they didn't have Windows 7 yet.)
Admin
The good thing is you just go home. No point in showing up when they've taken away your tools.
Admin
So TRWTF is not using Burps?
No, hang on, TRWTF is a 2-minute youtube video whose payload is a handful of seconds long, if that.
Admin
Uh, It's just Wire Dolphin, ma'am.
Admin
Not to mention the entire problem is caused by bad software choices.
Admin
It seems that Initech's software uses the computers accessing the server to route packets to a destination. As a result, when EtherTrode blocked the extra packets, they broke Initech's packet routing solution, and thus Initech's network. As a result, the real WTF is that Initech uses a stupid way to route packets. At least, that is what it seems like. The Brillant solution is to stop using Initech's equipment until they fix it. Sure, everyone at EtherTrode will be fired, but firing and replacing a bunch of seasoned engineers is expensive, it may be even more expensive than just fixing the domain controller/server.
Admin
Run Excel. Create a macro that runs $program0. Run macro.
Admin
No, the reason EtherTrode's network ground to a screeching halt was because Initech's domain controller was flooding it with broadcast messages. There was literally no room for EtherTrode's own traffic because the network was so overwhelmed with the flood of traffic from the domain controller.
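One way to confirm the kind of broadcast flood described above from a capture, as an added example that is not from the thread: it assumes tshark-style tab-separated lines (epoch time, source MAC, destination MAC) and embeds a constructed sample in which one host hammers the segment with broadcasts.

```python
"""Flag hosts generating a broadcast storm from a tshark-style field dump.

Added example, not from the original thread. Input lines mimic
`tshark -T fields -e frame.time_epoch -e eth.src -e eth.dst` output
(tab-separated); the sample below is constructed, not a real capture.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: one "domain controller" MAC sends 300 broadcasts in
# under a second, while two other hosts behave normally.
SAMPLE = "\n".join(
    [f"{1700000000 + i * 0.001:.3f}\t00:11:22:33:44:55\t{BROADCAST}" for i in range(300)]
    + [f"{1700000000 + i * 0.1:.3f}\t66:77:88:99:aa:bb\t{BROADCAST}" for i in range(3)]
    + [f"{1700000000 + i * 0.05:.3f}\tcc:dd:ee:ff:00:11\t00:11:22:33:44:55" for i in range(10)]
)

def parse_frames(text):
    """Yield (timestamp, src, dst) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1].lower(), parts[2].lower()
        except ValueError:
            continue

def broadcast_rates(text):
    """Peak number of broadcast frames in any one-second bucket, per source MAC."""
    buckets = defaultdict(int)
    for ts, src, dst in parse_frames(text):
        if dst == BROADCAST:
            buckets[(src, int(ts))] += 1
    peak = defaultdict(int)
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return dict(peak)

def find_storm_sources(text, threshold=50):
    """Return source MACs whose peak broadcast rate exceeds threshold frames/s."""
    return sorted(src for src, n in broadcast_rates(text).items() if n > threshold)

if __name__ == "__main__":
    for src, n in sorted(broadcast_rates(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{src}  peak {n} broadcast frames/s")
    print("storm sources:", find_storm_sources(SAMPLE))
```

The threshold is a starting point; tune it to the segment's normal ARP/NetBIOS chatter before treating a host as the flooder.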
Admin
So why don't they just tell Initech that they will no longer use their controller unless they fix it.
Admin
Many MANY companies block WireShark and its brethren on the theory that You Never Know What Bad Thing(TM) Could Happen(TM). I can't figure out why they think that either, but most certainly they consider it a penetration tool.
Admin
Shutting down the new domain controller was suggested in the article, and the reason given for not doing it was:
Admin
Apart from the reply above, something tells me you have never been acquired by a larger but less technically competent US corporation. I have worked for a company that was acquired by an acquisition. Oh the pain, including turf wars on site and our having a PC running instrumentation that had to be kept off the inventory somehow because it had not come via the official procurement route of the top-level acquirer, and to go down that route (and replace it with something that probably wouldn't work) would require an eighteen-month procurement cycle. As my boss, who was a good guy (and got frustrated quickly and went back to academia) remarked, "There's a reason nobody ever talks about great managers."
Admin
They are in the Ethernet business. Wireshark is a development tool for their day-to-day job. How do you develop Ethernet interfaces without knowing what flows through them?
Admin
They're in the Ethernet business. It should be trivial[1] to adapt whatever hardware they make into a dedicated packet-capture box.
[1] triv·i·al (adjective): Anything that's physically possible that I don't personally have to do.
Admin
So what did you do then? Whether you found it, whether you removed the DC. Or is it still broadcasting like that right now?
Admin
As someone who needs to integrate 24 forests (anything from NT4 until 2008R2 in 8 languages) into one domain, one forest right now, I'd love to hear which setup allows for a single DC to be installed on-site that automagically joins all systems into the new domain without issues.[1]
[1] But I'll assume ADMT played a big role there.
Admin
WireShark was mentioned in the support ticket for the malfunctioning domain controller.
The support ticket probably contained the words "WireShark" and "server has malware" in close proximity, and the idiot reading it came to the wrong conclusion.
Lesson number 436245615416531 in why communication skills are the most important skills in IT by far.
Admin
QFT. Communication is utterly critical, and so many IT professionals are :shit: at it.
Admin
I once ran into a Network Security guy who thought Fiddler was a hacker tool. Of course he didn't trust Firefox either.
Admin
Fiddler is a hacker tool. Turns out that anything useful for developing networks and network applications is also useful for attacking networks and network applications. Go figure.
Admin
No, the parent company simply blamed Wireshark because that's what made the problem visible. If they didn't have Wireshark, then they wouldn't be able to see the problem.
Admin
You boot Linux off of the host hardware, boot a Windows VM inside it, join the domain on the VM and run Wireshark on the host hardware and merrily continue to capture the traffic flowing from the guest OS to the host OS and onto the network.
Having somewhat preserved your day-to-day sanity, you entrench yourself for a long battle against corporate IT while you start polishing up the resume you will inevitably be needing.
Admin
I'm still confused - even with the switch blocking broadcasts, any interaction with the new server was painfully slow. So are they just limping slowly along with a babbling broadcast server, and Initech is happy because Wireshark isn't installed?
Admin
Everybody in here seems to subscribe to the, "never ascribe to malice what is adequately explained by stupidity," theory.
Personally, I think it's more like this. "You have been assimilated. Using Wireshark to inspect the details of your assimilation is a violation of the restrictions imposed when you were assimilated."
Admin
BYOL (Bring Your Own Laptop), so you can load tools like WireShark to at least determine WTF is going on despite company idiots trying to take away your tools.
Reminds me of the time a company I worked for was bought out, then later took away my admin rights the same week all their other admins were unavailable. Of course, the engineering database server was offline, so we had a dozen expensive engineers twiddling their thumbs while no one was available to do something simple like restart the service on the db server. Best part? I was yelled at by the MIS for "causing trouble" when I went up the ranks to get someone's attention and authorization/access (involving interrupting training session of said MIS) to get the servers going again.
There's more to this story, but I'm in the middle of 3 simultaneous audits (a WTF in and of itself) and don't have the energy right now.
Admin
A hammer can be used to break glass and gain entry to someone's premises. So by this logic we should outlaw hammers?
(I'm agreeing with you BTW).
Admin
With that logic, so is Firefox, ever heard of the Firebug extension? Handy for messing with Javascript...
And wouldn't you rather test the hammer yourself in a controlled environment and find out what it is capable of than wait for someone else to do it for you, usually without your best interests at heart?
Admin
So you rename $program0 to iexplore. Problem solved. That'll be $200.
Admin
skpswi.dat, man! Or just...hmm, I wonder if there're portable apps versions?
I had to use fiddler a whole bunch early this year to integrate a web application with another one. If someone at my company tried to block it, not that I think they're savvy enough to do so, I would've ranted to my co-workers and then put it in a VM.
Admin
That works until the psychos in infosec audit your PC and find $program0 and send you an email telling you you'd better uninstall it.
Admin
"Really? Let's go call random C-levels and ask them how they feel about idling an entire department for a week."
Admin
After agreeing that they were eventually going to also take her admin rights away later (purportedly), my actual response to her was along the lines of: "Now. Next time the server goes down and you can't reach ___ or ___ at corporate to get it working again, do YOU want to explain to upper management why the entire engineering department is being paid to do nothing while projects fall behind schedule? [Silence.] Yeah, that's what I thought."
Admin
Indeed. No point in working for companies that choose to "just blame/shoot the messenger".
Also, as network support staff, if they choose to block you from using any of the diagnostic tools you can find, I don't think you can do your job.
Admin
When I had just read to the problem, I thought "Probably the Initech staff just copied the DHCP settings from their AD and set everyone's gateway to the gateway over the VPN tunnel, hence saturating the network. No big deal." and then found a bigger WTF.
:facepalm:
Admin
I don't think you read the same article I did.
Okay, now I'm sure you didn't read the same article I did.
Admin
The one thing about getting stuck with the job of provisioning all the computers in my office because the other programmers who'd been there longer than me didn't want to, was that I got local admin when nobody else did.
Of course these days I actually deliberately run as a non-admin user at work, only elevating if I need to.