Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

Welcome again to Who, Me?, where we invite Reg readers to begin the week crossing their fingers it will be better than those of our featured techies. This week, meet "Damian", whose tale is a warning not to get too cocky when demonstrating a security glitch. Damian's tale is of a time when he was working as an admin …


Silver badge

Re: Incognito Mode?

A typical case, who we shall refer to as Mr A, although his real name is this:

ARTHUR JACKSON

32A MILTON AVENUE,

HOUNSLOW, MIDDLESEX.

https://youtu.be/uK92NYwBMts?t=142

40
0
TRT
Silver badge

Re: Incognito Mode?

Don't tell him, Pike.

48
0
Anonymous Coward

Re: Incognito Mode?

How many sheds does Arthur have?

10
0

Re: Incognito Mode?

"For the sake of privacy, let's call her Lisa S... No that's too obvious, let's say L. Simpson."

22
0

Re: Incognito Mode?

Sol: How you doing, Vincent?

Vinnie: I'd be doing a lot better if you'd stop using my name ...

19
0
Silver badge

Quite an understandable mistake - except for the CEO

I get the mindset of the moment, but if you're testing something, common sense says to keep the CEO's email the hell out of it.

50
0

Common sense

The problem with common sense is that sense never ain't common (Lazarus Long)

42
0
Silver badge

Re: Common sense

"I'm off to roger me mum"

Lazarus Long

12
0
Silver badge

Re: Common sense

""I'm off to roger me mum"

Lazarus Long"

And his opposite-sex clone 'sisters'. And his computer. And his adopted daughter. And... do you really want a complete list?

15
0
Anonymous Coward

Re: Common sense

That's a silly name for a mum.

Is that like calling a man Sue?

6
0
Silver badge

Re: do you really want a complete list?

Don't need one. I have a first edition NEL paperback c/w their patent "virtual glue spine" of Time Enough For Love. It fell apart as I read it, and I treat paperbacks with great care. The pages are crammed back inside the (wonderful) Bruce Pennington cover in order. I could probably repair it with the book-fixum-upgood non-acidic PVA glues available today. I have a library full of unreadable NEL paperbacks because of VGS technology - a full set of the John Carter Barsoom for a start, more Heinlein, Dune et al, all only of sparse shelf-space value because of the Pennington covers.

To be honest, I read TEFL in '75, around the same time I read Dhalgren. I've re-read the second about four times (no, I don't understand it). I've never attempted the first again partly because of the spinal disintegration thing, partly because I came away from it the first time feeling that the best part of the book was the Pennington cover.

No doubt I will get an earful for this attitude, but I think RH did a better job of the time-loop thing in the rather shorter All You Zombies.

5
0
Silver badge

Re: Common sense

"And his opposite-sex clone 'sisters'. And his computer. And his adopted daughter. And... do you really want a complete list?"

No thanks. I know the Internet is big, but I don't think it's big enough to take that list without breaking.

"Remember, if you break it, you bought it!"

Jubal Harshaw (probably)

6
0
Pint

Re: do you really want a complete list?

I'd also offer into evidence "By His Bootstraps".

But to be fair, my take is that the time-loop is very much at the centre of Bootstraps and Zombies where-as in TEFL (and To Sail Beyond the Sunset) the loop was only really a device to facilitate a much wider exploration of societal and cultural norms (very much the recurring theme in Heinlein's work) through the character of LL.

4
0


Silver badge

Re: do you really want a complete list?

I had fun with putting the address of your intended victim (from my company) into the From field in Outlook. I knew that the email wouldn't send and I'd get a message saying that in my inbox. However, the email now sitting in the Sent box looked like it was from the victim. Move that into the inbox and it really looked like it had come from them. So I wrote an email that purported to show my desk mate, a not unattractive woman, asking me out for a drink. I then sent it to myself supposedly from her and replied saying that I was flattered that she was interested in me. She looked up and said she had no idea who had sent that but it wasn't her. "Must have left my computer unlocked, sorry." I then sent a reply from "her" which said 'Scrub the drink, how about going straight to dinner instead?' By this point she was smelling a rat and had worked out it was me sending them. She said "That's fecking evil - but bloody brilliant. You have to show me how you did that, I want to have some fun!"

It wouldn't stand up to any scrutiny (serious or otherwise) but made for a good practical joke.

8
3

Re: Quite an understandable mistake - except for the CEO

I was once responsible for some of the networking in the (academic) organisation where I worked.

We had BT's X.25 PSS service connected to one of our DEC VAX systems. Someone tried to 'hack in' and, seeing it reported, I made a quick 'in retaliation' connection to their server... There were a few well-known system accounts on VAX, with default passwords. I logged in on the first attempt because they had not altered theirs (just lucky for me it was a VAX).

After noting they had a dozen or more systems, with names suggesting they were spread widely across Europe, I managed to find a mail list for the board members. I left a task in the queue to run a few weeks later, middle of the working day, middle of the week, telling them their security was poor if they still had default passwords on privileged accounts.

I have no way to know if it ran, and I probably wouldn't do it nowadays, but it seemed sensible to at least warn a few of the decision makers, hopefully in different countries, there was a security issue, possibly on more than 1 of their systems.

2
2
Anonymous Coward

Re: do you really want a complete list?

This amusing anecdote sounds alarmingly like harassment.

0
4
Anonymous Coward

Re: do you really want a complete list?

It's only harassment if the "victim" says so. She evidently didn't. What right do you have to insert yourself into the lives of complete strangers and proclaim your moral superiority over them?

7
0
Silver badge

Re: do you really want a complete list?

This amusing anecdote sounds alarmingly like harassment.

Well, in that case so does having free samples of Tenna for Men sent to me at work. We got on very well together and the practical jokes were part and parcel of our working relationship. By the way, she did that first.

1
0
Silver badge

It probably wasn't a consideration but it's never a good idea to fire someone who's just demonstrated they know where your IT system has a security hole.

57
2
Silver badge

The security hole isn't really what's claimed: the ability to forge a From: address is baked into SMTP, and it relied on Damian having sysop privileges.

It's the mail system that first accepted the message then bounced it. Anyone who's suffered a Joe Job knows the hard way how inexcusably broken that is - and has been for the last 20 years or so (since mail abuse went from prank to spam). Either reject it or accept it; don't bounce!

22
2
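The "either reject it or accept it; don't bounce" point above, as an added example that is not part of any commenter's post: a minimal model of the receiving side of an SMTP conversation under both policies. Recipients are checked against a constructed mailbox list for example.com; the forged envelope sender, the guessed recipient names and the command sequence are all constructed. With the reject-at-RCPT policy the client gets a 550 and no message for an unknown user is ever accepted, so nothing is bounced; with the accept-then-bounce policy the same session produces one delivery status notification per bad recipient, all addressed to whoever was forged as the sender.

```python
"""Accept-then-bounce versus reject-at-SMTP-time (added example, not from the thread).

Assumptions (constructed): the local domain is example.com, its mailboxes are
LOCAL_USERS, and only the commands needed for one delivery are modelled.
"""

LOCAL_USERS = {"sysadmin", "postmaster"}   # constructed mailbox list for example.com


class SmtpReceiver:
    def __init__(self, bounce_unknown):
        self.bounce_unknown = bounce_unknown  # True: accept everything, bounce later
        self.queued = []    # (envelope_from, recipient, body) accepted for delivery
        self.bounces = []   # DSNs generated after acceptance (the backscatter)
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpts = []

    def _local_user(self, addr):
        local, _, domain = addr.rpartition("@")
        return domain == "example.com" and local in LOCAL_USERS

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 example.com"
        if verb == "MAIL":
            self.mail_from = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if not self._local_user(rcpt) and not self.bounce_unknown:
                # Refused inside the session: the sending side learns immediately
                # and no bounce message is ever created.
                return "550 5.1.1 no such user"
            self.rcpts.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 no valid recipients"
            return "354 end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 unknown command"

    def end_of_data(self, body):
        """Called with the message body after the DATA terminator."""
        for rcpt in self.rcpts:
            if self._local_user(rcpt):
                self.queued.append((self.mail_from, rcpt, body))
            else:
                # Already accepted, so the only way to report the failure is a
                # DSN to the envelope sender, which is whoever was forged.
                self.bounces.append({"to": self.mail_from, "about": rcpt})
        self._reset()
        return "250 queued"


def run_session(receiver, envelope_from, recipients, body):
    """Drive one SMTP session and return the (command, reply) transcript."""
    transcript = []
    commands = ["EHLO client.example.net", f"MAIL FROM:<{envelope_from}>"]
    commands += [f"RCPT TO:<{r}>" for r in recipients]
    commands.append("DATA")
    for cmd in commands:
        transcript.append((cmd, receiver.handle(cmd)))
    if transcript[-1][1].startswith("354"):
        transcript.append((".", receiver.end_of_data(body)))
    transcript.append(("QUIT", receiver.handle("QUIT")))
    return transcript


def backscatter_count(bounce_unknown):
    """DSNs an innocent forged sender receives for one constructed spam run."""
    rx = SmtpReceiver(bounce_unknown=bounce_unknown)
    guesses = [f"{u}@example.com" for u in ("sysadmin", "alice", "bob", "carol")]
    run_session(rx, "victim@example.org", guesses, "constructed body")
    return len(rx.bounces)


if __name__ == "__main__":
    for policy in (False, True):
        rx = SmtpReceiver(bounce_unknown=policy)
        for cmd, reply in run_session(rx, "victim@example.org",
                                      ["sysadmin@example.com", "alice@example.com"],
                                      "constructed body"):
            print(f"C: {cmd}\nS: {reply}")
        print(f"bounce_unknown={policy}: queued={len(rx.queued)} bounces={len(rx.bounces)}\n")
```

The same four guessed recipients yield zero bounces under the reject policy and three under accept-then-bounce; the forged address in `MAIL FROM` never took part in the session, yet it is the one that receives every DSN.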
Silver badge

I'm trying to think of something that WON'T let me put what I want in the From field. Dell MDSM does; Synology NAS and QNAP NAS all do for me. Then there are the Dell iDRAC cards; they do.

4
0
Silver badge

"Security holes" really have gone to both extremes now. On one hand, we have exploits that rely upon timing attacks against the CPU cache to act as an oracle. But also apparently, we accidentally configured our mail server to act as a relay then spoofed an email from the PHB. HELO theregister.co.uk. Must do better.

4
0
Silver badge

"ability to forge a From: address is baked in to SMTP, and it relied on Damian having sysop privileges."

You don't need sysop privileges to forge SMTP. You don't even need to be the janitor.

10
0
Bronze badge
Unhappy

I've learnt the hard way not to muck about when setting stuff up/testing. It will go wrong...

21
0
Anonymous Coward

I was temping at a company and set up their new anti-virus server. The problem was, I had just come off a 5 year stint at another company and I put in the recipient email address on the new AV server as it@old-company.com.

6 months after I left the company, I got a call from the manager. He'd just had a call from old-company's IT department. They weren't very happy about having received AV notifications for the previous several months and could he please change the recipient email address!

36
0

At work, we have a special mailing list for receiving notifications like this. All the technicians are on it.

We use that address for any notifications from systems, unless for some reason, they need to go to a subset of technicians and techs outside that subset should not see it.

We also use it for testing, but to send a warning of the test to the mailing list.

11
0
Anonymous Coward

You wanted it to look like the CEO was emailing the Sysadmin asking for a raise?

How does that make sense?

24
1
Anonymous Coward

Well, that seems to have been just a silly test message to a friend. Stupid? Yes.

Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.

27
0
Silver badge

Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.

Or perhaps because his name was taken in vain instead of being treated like that of a deity despite being a fat, balding, Lexus-driving golfist with all the charm, wit and character of putrefying road-kill.

Pure conjecture, of course.

26
1
Silver badge

CEOs tend to get pissed when grunts misuse their email addresses. That's why pissing in the water cooler works better.

6
0
Silver badge

"Thats why pissing in the water cooler works better."

If you're going to go down that route, a drop of phenolthalein is more effective and I'm surprised Simon hasn't worked it into a BOFH story yet.

3
0

Phenolphthalein. A rare word with 5 consecutive consonants, none of which is y.

Also a very effective laxative.

3
0

Re: Phenolphthalein

How the phthuck do you pronounce that properly!?

1
0
Silver badge
Facepalm

DROP Financials

We had an OLAP cube running in Essbase, one of the first OLAP tools in the mid 90s.

The problem was, if you recalculated a filled cube, it would take forever! Well, 4 - 5 times as long as normal.

The "quick" database was recalculated every 4 hours and took about an hour to calculate. The procedure was:

1. Export bottom level data

2. Drop the database

3. Import the bottom level data

4. Recalculate.

Can you guess what happened next? Yep, I did 2, 3, 4, ooops!

I was new on the project and asked my colleague what the procedure was. He said, just re-calc and blame the missing data on user error! :-O

I went to the head of the financial department and told him that we had had a problem with the export - well, we did, didn't we, I forgot to do it! I then told him we would import the previous export, then run the transaction file against that and then recalculate.

I reconstructed the data, recalculated and informed the users that we had had a problem and they should check their inputs from the last 3 hours. In total, we lost 2 transactions.

I got commended for being up-front with the customer.

37
0
Anonymous Coward

Re: DROP Financials

I know exactly what you went through - I'm going through very similar issues with the Essbase cubes at my company. Glad you got it resolved with a commendation, it rarely gets that good over here.

7
0
DJO
Silver badge

Business as usual

Spoofing the from address in an email is not exactly tricky, in fact it's so easy I doubt it's really a "security hole", any SMTP client can (and by design, must be able to) do it although the ability might not be exposed.

57
0
Silver badge

Re: Business as usual

Yep, but most people seem to think it's impossible, hence the full dress panic when the owner of our company got spam purporting to be from someone else in the company. "OMG we must be hacked" etc.

Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard.

42
0
Silver badge

Re: Business as usual

"Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard."

And the irony is that in all probability the business's marketing department were paying some marketing company to spoof emails to customers in exactly this way.

It's high time email clients, as a default, would raise a conspicuous flag on messages that don't originate in the domain they purport to come from. Yes, it would make life difficult for marketing departments and the spammers they employ (I can scarcely contain my indifference) but it would also make life a little more difficult for malware flingers if their spoofing were to become exposed.

40
2

@Doctor Syntax

"It's high time email clients, as a default, would raise a conspicuous flag on messages that don't originate in the domain they purport to come from."

SPF is way ahead of you, matey.

31
1
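The SPF check this reply points to, together with the "conspicuous flag" the earlier comment asked clients to raise when the visible sender domain does not match where the message actually came from, as an added example that is not part of any commenter's post. It is a simplified SPF evaluator (only the ip4, ip6 and all mechanisms; records are supplied inline instead of being looked up in DNS, so include, a, mx and redirect are not handled) combined with a DMARC-style alignment check between the From: header domain and the envelope sender domain. The SPF records, IP addresses, domains and the message are all constructed.

```python
"""Simplified SPF evaluation plus From:-header alignment (added example, not from the thread).

Assumptions (constructed): SPF_RECORDS stands in for DNS TXT lookups, and a
'hard fail' is the only result a receiver would reject outright; everything
short of 'pass with aligned From:' is merely flagged for the reader.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records keyed by domain (replaces a DNS TXT lookup).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the sending IP."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no usable record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                         # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]        # catch-all: decides the result
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        # include/a/mx/exists would need DNS; treated as no-match in this model.
    return "neutral"                       # record ended with no match and no 'all'


def domain_of(addr):
    """Lower-cased domain part of an address, with any display name stripped."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def evaluate(raw_message, envelope_from, client_ip):
    """Return (spf_result, aligned, verdict) for one received message.

    aligned is True when the visible From: domain equals the envelope
    (Return-Path) domain, which is the relationship DMARC checks.
    """
    msg = message_from_string(raw_message)
    header_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(envelope_from)
    spf = check_spf(envelope_domain, client_ip)
    aligned = header_domain == envelope_domain
    if spf == "pass" and aligned:
        verdict = "ok"
    elif spf == "fail":
        verdict = "reject"
    else:
        verdict = "flag"   # softfail, neutral, none, or a From: that does not align
    return spf, aligned, verdict


# Constructed message whose visible From: claims to be the CEO at example.com.
RAW = (
    "From: CEO <ceo@example.com>\r\n"
    "To: sysadmin <sysadmin@example.com>\r\n"
    "Subject: Give me a raise!\r\n"
    "\r\n"
    "Constructed body.\r\n"
)

if __name__ == "__main__":
    # Sent from an address in example.com's record: passes and aligned.
    print(evaluate(RAW, "ceo@example.com", "192.0.2.25"))
    # Same message injected from an unlisted address: hard fail, reject.
    print(evaluate(RAW, "ceo@example.com", "203.0.113.7"))
    # Envelope domain passes SPF, but the visible From: does not align: flag.
    print(evaluate(RAW, "bulk@example.net", "198.51.100.10"))
```

The third case is the marketing scenario from the comment above it: SPF alone is satisfied because the bulk sender's own domain authorises its servers, and only the alignment check exposes that the From: the recipient sees belongs to someone else.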
Silver badge
Facepalm

Re: high time email clients, as a default

No, it would be REALLY stupid for many residential users of email, who can only send via their ISP's SMTP and also people using loads of email addresses on their personal domains that are automatically forwarded to some other mailbox.

The problem with email goes much deeper: a lack of any whitelisting and blacklisting in the design at the start. Retrofitted adaptations break email. Only some completely different system will solve it. Then there is the changeover problem (see IPv4 and IPv6). The designers of email learnt NOTHING from the exploits of optical telegraph/semaphore (the Clacks was real once and spanned Europe at the time of Napoleon), wired telegraph, analogue phone (POTS), POTS & fax with caller ID (it HAS to allow spoofed return numbers due to PABX/network design limitations on sending from one line and a receptionist handling the reply on another number, as well as other issues). ISDN was designed to interwork with POTS including analogue fax as well as do digital voice, fax, data etc. So it was still "broken" regarding the lack of whitelist & blacklist mechanisms inherent to the design.

There is no sensible, reliable way to separate malicious from innocent email. You can sanitise by having no scripts, no remote content and displaying the real link for all link text (why do you need to hover and see the status bar?). Plenty of stupid valid emails also have links that don't match the text because the EVIL legitimate companies are using tracking and cloud services etc. not on their own domain, IDIOTS. PayPal, my bank, my ISP all have such idiocy.

9
0

Re: high time email clients, as a default

When I spoofed emails to colleagues I used to have to change the from address to .C0M so that Exchange didn't reject it - surely incoming emails that say they're from the domain that you own would be rejected by default on most mail servers? I guess a lot of companies don't have the domain owned by a specific system?

2
0
Anonymous Coward

Re: Business as usual

I know of a school that lost £1000 to a "charity" as the spoofed charity email address looked legit. Pity the laundered bank account numbers were not.

2
0
Silver badge

Re: high time email clients, as a default

"residential users of email, who can only send via their ISP's SMTP "

Residential users of email should _never_ be using the SMTP port. That's a big red "Danger Will Robinson" flag. They should be up on the authenticated ports and ISPs have zero business blocking those.

2
2
Silver badge

I can't wait for the "Who? Me" article in a few weeks to explain why On Call wasn't published last Friday...

15
1

Did I miss the memo telling me to forget it?

https://www.theregister.co.uk/2018/08/10/on-call/

8
0
Silver badge

I kept looking for it on Friday and didn't see it. I now realise that usually "ON-CALL" is included as part of the headline, which is what I was looking for.

8
0

I'm guessing Simon is either on holiday or is the star of his own "Who? Me?" column.

1
9
Silver badge

Simon has left El Reg. There was a farewell article a couple of weeks back.

15
0


Biting the hand that feeds IT © 1998–2018