• (disco)

    ...there’s a device at 192.168.16.245 .. ... “254, you say?”

  • (disco)

    Ah, yes. Reminds me of our own acquisition - software guidelines included "No packet capture software of any kind, unencrypted passwords may travel over the network". We were like "Do you even know what you've bought?". No active directory though, and I don't think they ever called us on it.

  • (disco)

    Holy shit, how stupid can you be? Aghhh! It's frustrating to read!

  • (disco) in reply to rc4

    Kind of reminds me of this dilemma:

    https://what.thedailywtf.com/t/any-program-that-can-open-a-1-87-gb-xml-document/51209?u=boomzilla

    Here, try $program0. Nope, blocked by group policy. How about $program1. Nope, blocked by group policy. $program2 should work. Nope, blocked by group policy.

  • (disco) in reply to boomzilla
    boomzilla:
    *Here, try $program0.* **Nope, blocked by group policy.** *How about $program1.* **Nope, blocked by group policy.** *$program2 should work.* **Nope, blocked by group policy.**

    Sounds like it'd be easier to check the group policy's application whitelist?

  • (disco) in reply to PleegWat

    Nah, only thing listed on that list is iexplore.exe

  • (disco)

    So, are there any tips on what to do if this situation ever happens to me? Just in case?

    I would like to actually learn something useful from a TDWTF article.

  • (disco) in reply to Anonymous

    I would brush up my CV. Perhaps there is a startup company that could make better use of 20+ network engineers than taking their best tools and have them work around it.

  • (disco)

    Something's missing: We all know WireShark doesn't do this. Did they download a hacked version of WireShark from a sketchy site? Did the problem really go away when they removed WireShark?

  • (disco)

    No, WireShark had nothing to do with the problem (yes, something is missing from the story: we never find out what was actually causing it), that was just the incompetent conclusion of Initech IT.

  • (disco) in reply to lcrawford

    The packet trace was caused by Wireshark. If Wireshark had not been there, the packet trace would not have happened.

  • (disco) in reply to boomzilla
    [image]

    Posted 17 hours ago at that. This humour has multiple levels. Like a classic platform game.

  • (disco)

    http://www.nbc.com/saturday-night-live/video/landshark/2832305

    Oh wait... did you say "Wire Shark" Well that's very different:

    https://www.youtube.com/watch?v=V3FnpaWQJO0

  • (disco)

    Fact: I occasionally install Wireshark, Fiddler, etc. on my work machine. Fact 2: I never leave them installed for more than the length of a usage session explicitly because I'm afraid of having my tools taken away. Wireshark because... Duh. Fiddler because it handily bypasses the MITM SSL proxy.

  • (disco)

    Should have used netsh trace. (netcap, if they didn't have Windows 7 yet.)

  • (disco)

    The good thing is you just go home. No point in showing up when they've taken away your tools.

  • (disco)

    So TRWTF is not using Burps?

    No, hang on, TRWTF is a 2-minute youtube video whose payload is a handful of seconds long, if that.

  • (disco) in reply to RFoxmich

    Uh, It's just Wire Dolphin, ma'am.

  • (disco) in reply to boomzilla

    Not to mention the entire problem is caused by bad software choices.

  • (disco)

    It seems that Initech's software uses the computers accessing the server to route packets to a destination. As a result, when EtherTrode blocked the extra packets, they broke Initech's packet routing solution, and thus Initech's network. As a result, the real WTF is that Initech uses a stupid way to route packets. At least, that is what it seems like. The Brillant solution is to stop using Initech's equipment until they fix it. Sure, everyone at EtherTrode will be fired, but firing and replacing a bunch of seasoned engineers is expensive, it may be even more expensive than just fixing the domain controller/server.

  • (disco) in reply to boomzilla
    boomzilla:
    Here, try $program0.Nope, blocked by group policy.How about $program1.Nope, blocked by group policy.$program2 should work.Nope, blocked by group policy.

    Run Excel. Create a macro that runs $program0. Run macro.

  • (disco) in reply to XanderTheGamer

    No, the reason EtherTrode's network ground to a screeching halt was because Initech's domain controller was flooding it with broadcast messages. There was literally no room for EtherTrode's own traffic because the network was so overwhelmed with the flood of traffic from the domain controller.

  • (disco) in reply to anotherusername

    So why don't they just tell Initech that they will no longer use their controller unless they fix it.

  • (disco) in reply to lcrawford

    Many MANY companies block WireShark and its brethren on the theory that You Never Know What Bad Thing(TM) Could Happen (TM) . I can't figure out why they think that either, but most certainly they consider it a penetration tool.

  • (disco) in reply to XanderTheGamer

    Shutting down the new domain controller was suggested in the article, and the reason given for not doing it was:

    “I’ve already joined everything to the new domain. If we shut down the controller, no one will be able to log in or access network resources”
  • (disco) in reply to XanderTheGamer
    XanderTheGamer:
    So why don't they just tell Initech that they will no longer use their controller unless they fix it.

    Apart from the replay above, something tells me you hve never been acquired by a larger but less technically competent US corporation. I have worked for a company that was acquired by an acquisition. Oh the pain, including turf wars on site and our having a PC running instrumentation that had to be kept off the inventory somehow because it had not come via the official procurement route of the top-level acquirer, and to go down that route (and replace it with something that probably wouldn't work) would require an eighteen-month procurement cycle. As my boss, who was a good guy (and got frustrated quickly and went back to academia) remarked, "There's a reason nobody ever talks about great managers."

  • (disco) in reply to cellocgw

    They are in the Ethernet business. Wireshark is a developing tool for their day to day job. How do you develop Ethernet interfaces without knowing what flows through it?

  • (disco) in reply to Mario_Levesque
    Mario_Levesque:
    They are in the Ethernet business. Wireshark is a developing tool for their day to day job. How do you develop Ethernet interfaces without knowing what flows through it?

    They're in the Ethernet business. It should be trivial1 to adapt whatever hardware they make into a dedicated packet-capture box.

    1 triv·i·al adjective Anything that's physically possible that I don't personally have to do.

  • (disco) in reply to Trouble

    So what did you do then? Whether you found it, whether you removed the DC. Or is it still broadcasting like that right now?

  • (disco)

    As someone who needs to integrate 24 forests (anything from NT4 until 2008R2 in 8 languages) into one domain one forest right now, I'd love to hear which setup allows for a single DC to be installed on-site that automagically joins all systems into the new domain without issues.1

    1 But I'll assume ADMT played a big role there.

  • (disco) in reply to lcrawford
    lcrawford:
    Something's missing: We all know WireShark doesn't do this. Did they download a hacked version of WireShark from a sketchy site? Did the problem really go away when they removed WireShark?

    WireShark was mentioned in the support ticket for the malfunctioning domain controller.

    The support ticket probably contained the words "WireShark" and "server has malware" in close proximity, and the idiot reading it came to the wrong conclusion.

    Lesson number 436245615416531 in why communication skills are the most important skills in IT by far.

  • (disco) in reply to blakeyrat
    blakeyrat:
    Lesson number 436245615416531 in why communication skills are the most important skills in IT by far.

    QFT. Communication is utterly critical, and so many IT professionals are :shit: at it.

  • (disco) in reply to Weng

    I once ran into a Network Security guy who thought Fiddler was a hacker tool. Of course he didn't trust Firefox either.

  • (disco) in reply to Slapout

    Fiddler is a hacker tool. Turns out that anything useful for developing networks and network applications is also useful for attacking networks and network applications. Go figure.

  • (disco) in reply to lcrawford

    No, the parent company simply blamed Wireshark because that's what made the problem visible. If they didn't have Wireshark, then they wouldn't be able to see the problem.

  • (disco) in reply to Anonymous
    Anonymous:
    So, are there any tips on what to do if this situation ever happens to me? Just in case?

    You boot Linux off of the host hardware, boot a Windows VM inside it, join the domain on the VM and run Wireshark on the host hardware and merrily continue to capture the traffic flowing from the guest OS to the host OS and onto the network.

    Having somewhat preserved your day-to-day sanity, you entrench yourself for a long battle against corporate IT while you start polishing up the resume you will inevitably be needing.

  • (disco) in reply to s73v3r

    I'm still confused - even with the switch blocking broadcasts, any interaction with the new server was painfully slow. So are they just limping slowly along with a babbling broadcast server, and Initech is happy because Wireshark isn't installed?

  • (disco) in reply to blakeyrat
    blakeyrat:
    WireShark was mentioned in the support ticket for the malfunctioning domain controller.

    The support ticket probably contained the words "WireShark" and "server has malware" in close proximity, and the idiot reading it came to the wrong conclusion.

    Lesson number 436245615416531 in why communication skills are the most important skills in IT by far.

    Everybody in here seems to subscribe to the, "never ascribe to malice what is adequately explained by stupidity," theory.

    Personally, I think it's more like this. "You have been assimilated. Using Wireshark to inspect the details of your assimilation is a violation of the restrictions imposed when you were assimilated."

  • (disco) in reply to Anonymous
    Anonymous:
    So, are there any tips on what to do if this situation ever happens to me? Just in case?

    I would like to actually learn something useful from a TDWTF article.

    BYOL (Bring Your Own Laptop), so you can load tools like WireShark to at least determine WTF is going on despite company idiots trying to take away your tools.

    Reminds me of the time a company I worked for was bought out, then later took away my admin rights the same week all their other admins were unavailable. Of course, the engineering database server was offline, so we had a dozen expensive engineers twiddling their thumbs while no one was available to do something simple like restart the service on the db server. Best part? I was yelled at by the MIS for "causing trouble" when I went up the ranks to get someone's attention and authorization/access (involving interrupting training session of said MIS) to get the servers going again.

    There's more to this story, but I'm in the middle of 3 simultaneous audits (a WTF in and of itself) and don't have the energy right now.

  • (disco) in reply to cellocgw
    cellocgw:
    Many MANY companies block WireShark and its brethren on the theory that You Never Know What Bad Thing(TM) Could Happen (TM) . I can't figure out why they think that either, but most certainly they consider it a penetration tool.

    A hammer can be used to break glass and gain entry to someone's premises. So by this logic we should outlaw hammers?

    (I'm agreeing with you BTW).

  • (disco) in reply to narbat
    narbat:
    Fiddler is a hacker tool. Turns out that anything useful for developing networks and network applications is also useful for attacking networks and network applications. Go figure.

    With that logic, so is Firefox, ever heard of the Firebug extension? Handy for messing with Javascript...

    redwizard:
    A hammer can be used to break glass and gain entry to someone's premises. So by this logic we should outlaw hammers?

    (I'm agreeing with you BTW).

    And wouldn't you rather test the hammer yourself in a controlled environment and find out what it is capable of then wait for someone else to do it for you, usually without your best interests at heart?
  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    Nah, only thing listed on that list is iexplore.exe

    So you rename $program0 to iexplore. Problem solved. That'll be $200.

  • (disco) in reply to Weng
    Weng:
    I'm afraid of having my tools taken away.

    skpswi.dat, man! Or just...hmm, I wonder if there're portable apps versions?

    I had to use fiddler a whole bunch early this year to integrate a web application with another one. If someone at my company tried to block it, not that I think they're savvy enough to do so, I would've ranted to my co-workers and then put it in a VM.

  • (disco) in reply to Jaime
    Jaime:
    Run Excel.Create a macro that runs $program0.Run macro.

    That works until the psychos in infosec audit your PC and find $program0 and send you an email telling you you'd better uninstall it.

  • (disco) in reply to redwizard
    redwizard:
    I was yelled at by the MIS for "causing trouble" when I went up the ranks to get someone's attention and authorization/access (involving interrupting training session of said MIS) to get the servers going again.

    "Really? Let's go call random C-levels and ask them how they feel about idling an entire department for a week."

  • (disco) in reply to FrostCat
    FrostCat:
    "Really? Let's go call random C-levels and ask them how they feel about idling an entire department for a week."

    After agreeing that they were eventually going to also take her admin rights away later (purportedly), my actual response to her was along the lines of: "Now. Next time the server goes down and you can't reach ___ or ___ at corporate to get it working again, do YOU want to explain to upper management why the entire engineering department is being paid to do nothing while projects fall behind schedule? [Silence.] Yeah, that's what I thought."

  • (disco) in reply to gleemonk

    Indeed. No point in working for companies that choose to "just blame/shoot the messenger".

    Also, as network support staff, if they choose to block you from using any of the diagnostic tools you can find, I don't think you can do your job.

  • (disco)

    When I just read to the problem, I thought "Probably the Initech staffs just copied the DHCP setting from their AD and set everyone's gateway to the gateway over VPN tunnel, hence saturating the network. No big deal." and then find a bigger WTF.

    :facepalm:

  • (disco) in reply to XanderTheGamer
    XanderTheGamer:
    It seems that Initech's software uses the computers accessing the server to route packets to a destination. As a result, when EtherTrode blocked the extra packets, they broke Initech's packet routing solution, and thus Initech's network. As a result, the real WTF is that Initech uses a stupid way to route packets. At least, that is what it seems like. The Brillant solution is to stop using Initech's equipment until they fix it. Sure, everyone at EtherTrode will be fired, but firing and replacing a bunch of seasoned engineers is expensive, it may be even more expensive than just fixing the domain controller/server.

    I don't think you read the same article I did.

    XanderTheGamer:
    So why don't they just tell Initech that they will no longer use their controller unless they fix it.

    Okay, now I'm sure you didn't read the same article I did.

  • (disco) in reply to redwizard
    redwizard:
    take her admin rights away

    The one thing about getting stuck with the job of provisioning all the computers in my office because the other programmers who'd been there longer than me didn't want to, was that I got local admin when nobody else did.

    Of course these days I actually deliberately run as a non-admin user at work, only elevating if I need to.

Leave a comment on “Sharked”

Log In or post as a guest

Replying to comment #:

« Return to Article