Connor was a Highly-Paid Consultant who dealt with data security and audits, making sure companies’ secrets were irretrievable by enemies, competitors, and unauthorized employees alike.
He got an assignment to work with GrocerSoft, a mid-sized company which developed software mostly used by small, independent grocery stores across the nation. They’d just picked up a new client, a chain of medium-sized grocery stores with a paranoid board of directors who imagined all sorts of competitors trying to steal their Top Secret grocery inventory suppliers. As part of the new agreement, GrocerSoft’s sales team had promised annual security audits of GrocerSoft’s data.
Connor arrived on location at the GrocerSoft National Headquarters in Des Moines, Iowa, one snowy winter afternoon. The doors were unlocked and no one was there to greet him. Being a security auditor, he decided to wander around for a bit. After a half hour, someone finally asked him if he was lost, and directed him to his contact’s office.
His contact was a middle-aged man named Toby who worked as the CTO of GrocerSoft. Toby had worked there for decades, since well before GrocerSoft got big, and had never had another job in his life. He was also, as Connor would discover, quite clueless for someone with the title of Chief Technology Officer.
Toby liked to talk. A lot. About everything. Toby took him on a grand tour of the office, showing him every irrelevant nook and cranny. “This, you see”, Toby would say while pointing, “was our first vending machine. We got our first $100K contract in 1982 and got this installed to celebrate. You know you’ve finally made it big when Pepsi brings pop to you.” He laughed loudly as if that was the funniest joke he’d ever made in his life. “It doesn’t work anymore, of course, but we keep it around as a reminder. Sometimes the new guys will try and put quarters in there!” Then Toby leaned in and conspiratorially wrapped an arm around Connor’s shoulder. “We tell ’em that helps keep the bottom line up!”
Connor silently rolled his eyes and suffered through the tour as Toby continued on and on, showing him the Sacred Coffee-Stained Office Chair of Conference Room 4 that some Hollywood technical consultant had spilled his coffee on while gathering information for a grocery store shootout in a blockbuster action film. Next was the Donut Box of Miracles which had been left in the founder’s office and discovered fourteen years after his death, then plastic-wrapped and put on display for all to see. Not to mention the Plush Doll of Excellence, a stuffed alien awarded by a client in 1997 after GrocerSoft completed a trainwreck 14-month-long website development for them.
Eventually they got to business. “Okay, Connor, like we told you earlier, our new client, who we can’t name because of their NDA, needs to know our backups of their data are safe.” Toby led him to the corner of an unused office and showed him a fireproof safe. “All the datatapes are in that safe. It can only be opened by a web page that only works from my computer. It’s locked down by the IT address and MAP port. And,” he pointed his finger up in a Eureka gesture, “it only works in Inter-Network Explorer, too! They say no one uses that anymore and all the hackers use Google Crohns, so that’s blocked. Real, real secure.” He leaned in and winked. “They built these specifically for the NSA to hold all the battle plans for capturing Saddam Bin Laden. Totally unbreakable! Anyways, I gotta go, going to Hawaii with the wife for the week and the plane leaves in a couple hours. Have fun trying to crack that safe!”
And with a wink and a laugh, Toby stormed out, leaving Connor to do his audit.
Connor returned the next morning to begin his audit. A visual examination of the safe showed no physical way for him to get in without destroying it, so he noted the make and model and set up for some Internet research. It was a DigiSafe 9000, a LAN-connected fireproof safe with a built-in web server on port 4567 that could be controlled by any PC or smartphone.
Connor nmap’d the network and poked the only host with an open port 4567, but was greeted with a security error page. “Your system is not authorized to access this device! A report has been filed and may be used by the owners of this device to press charges!”
He chuckled lightly and decided to visit Toby’s office next, to see if he could find a MAC and IP address to spoof on his laptop.
He walked into Toby’s office, a spacious corner office on the top floor of the five-story building. It was open and the receptionist didn’t even look up as he waltzed into the CTO’s office.
He sat down at the desk. It was piled high with paperwork, folders, and notebooks. The darkened monitor was plastered with dozens of sticky notes.
He noticed the small workstation was on and pressed the spacebar. The screen instantly lit up and he was greeted by an unlocked Windows session! Connor grunted in disgust. At least a couple dozen applications were already open, including Internet Explorer, which he guessed was Toby’s previously-mentioned “Inter-Network Explorer.”
Probably fifty tabs were open. He started clicking through them, and, not surprisingly, found the DigiSafe 9000 login page was there. It had a simple login prompt with a note that the default password was “00000000” and should be changed after the first login for security reasons.
Connor eyed all the sticky notes. He saw private email passwords, shopping lists from 2011, phone numbers for women with names like Candy and Bunny, and a reminder to buy tickets for Attack of the Clones ahead of time.
And one labeled “New Client Safe: 00000000”
He punched eight zeros into the login prompt and hit enter. After churning for several seconds, it showed him a simple control page with no styling. He clicked “Unlock” and after several more seconds the site showed an alert box stating “The DigiSafe 9000 has been unlocked and opened. It will re-lock when you close the door.”
“Ugh,” he groaned as he sat up from the chair and headed down to the empty office with the safe. Sure enough, the safe door was wide open and inside sat a pile of writeable DVDs and several USB hard drives.
Weeks later, Toby called up Connor’s employer to complain about the audit results. He seemed to think Connor’s methods were unfair because real hackers don’t read passwords from people’s notes! Toby didn’t care though. His employer got paid, he got paid, and GrocerSoft’s new client decided to store their Top Secret Supplier List with another vendor.