What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs

It's every sysadmin's worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do? Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could …

I.T. illiterate management, who seem to be responsible for the whole mess anyway. OK, it's just a school, but still.

You may be right, but before you can raise the CR to remove it, you first would have to get it added to the CMDB before you can raise the change. You won't be able to get it on the CMDB because you don't know what it connects to and what services it runs.

This could go on for some time...

"but before you can raise the CR to remove it, you first would have to get it added to the CMDB before you can raise the change"

If it's not on the CMDB it doesn't exist so it was never removed when you unplugged it. Just following CR logic.

Following BOFH* logic, just unplug it to see who screams.

Remove the SD, plug it into a Unix/Linux box, edit the shadow password file to ensure you can log in, replace SD, add monitor and keyboard and find out what it's trying to do.

*I'm worried. BOFH not been seen for some time. Did a boss finally get him?

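An added example, not from the commenter above or from the article: a POSIX shell helper for the offline look at the SD card that the comment describes. In place of editing the shadow file, it assumes the card's root partition has been mounted read-only and simply lists what the device would start at boot, so the card itself is left untouched as evidence. The device path, the mount point and the list of persistence locations are assumptions for illustration.

```shell
#!/bin/sh
# Offline triage of a rogue Pi's SD card. Added example, not from the thread.
# Assumes the card's root partition is mounted READ-ONLY, e.g. (the device
# path /dev/sdX2 is an assumption; take the real one from lsblk):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX2 /mnt/pi
# For a dd image:  losetup -r -P -f --show pi.img   then mount the partition.
# Nothing here writes to the card; the shadow file is left alone.

# Persistence points a headless device would use to start its job at boot.
# The list is an assumption for illustration, not exhaustive.
PI_PERSISTENCE_FILES="
etc/rc.local
etc/crontab
etc/cron.d
var/spool/cron/crontabs
home/pi/.ssh/authorized_keys
root/.ssh/authorized_keys
etc/wpa_supplicant/wpa_supplicant.conf
etc/network/interfaces
etc/dhcpcd.conf
"

# pi_triage ROOT: print one line per populated persistence point
# (relative path, or "unit:NAME" for each enabled systemd service).
pi_triage() {
    root="${1%/}"
    for rel in $PI_PERSISTENCE_FILES; do
        path="$root/$rel"
        if [ -d "$path" ]; then
            # a directory counts once per regular file it holds
            for f in "$path"/*; do
                [ -f "$f" ] && echo "$rel/$(basename "$f")"
            done
        elif [ -s "$path" ]; then
            echo "$rel"
        fi
    done
    # units enabled for the default target are symlinks in this directory
    wants="$root/etc/systemd/system/multi-user.target.wants"
    if [ -d "$wants" ]; then
        for u in "$wants"/*; do
            [ -e "$u" ] || [ -L "$u" ] || continue
            echo "unit:$(basename "$u")"
        done
    fi
}

# pi_triage_count ROOT: number of findings, for a quick yes/no.
pi_triage_count() {
    pi_triage "$1" | wc -l | tr -d ' '
}

# pi_triage_report ROOT: findings with file contents, for the write-up.
pi_triage_report() {
    root="${1%/}"
    pi_triage "$root" | while read -r item; do
        echo "== $item"
        case "$item" in
            unit:*) readlink -f "$root/etc/systemd/system/multi-user.target.wants/${item#unit:}" ;;
            *) sed 's/^/    /' "$root/$item" ;;
        esac
    done
}

# Usage: sh pi_triage.sh /mnt/pi
if [ $# -gt 0 ]; then
    pi_triage_report "$1"
fi
```

The read-only, noexec mount is the point: it lets you read cron entries, rc.local, authorized keys and Wi-Fi credentials off the card without running anything from it or altering timestamps, which matters if the device later turns out to be someone's authorised test kit or evidence for a complaint.
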
"just unplug it to see who screams"

Ahh memories...

Many years (decades!!) ago I was working at a site which was an old factory 're-purposed' as offices. Nobody had a wiring plan.

We had some Vaxes and VT100 / VT220 terminals dotted around the place.

One day I was chatting to one of the operators (remember when operating a Vax was a full time career?) who casually pulled a plug from the patch panel, saying "hold on a mo...".

Sure enough the phone rang and his side of the call went "suddenly stopped? oh dear I'll see if I can fix it.... where are you located? and which terminal is that? third from the left? great" then he'd write out a sticky label and put it on the cable and plug it back in. He reckoned nine times out of ten there'd be a pathetically grateful call-back.

Doing one cable every 20 minutes or so from widely different parts of the patch panel reduced the risk of any user cottoning on to what was happening.

He saved the company thousands compared with getting contractors in to do the wire tracing.

On the BOFH absence front -- where is Simon? we need to know - has the PFY launched a successful putsch at last?

Anonymous Coward

If it's not on the CMDB it doesn't exist

At a previous job we had a relatively nice (compared to the normal corporate crud) pooled MBP that was used for video editing. But despite being asset tagged it somehow never ended up in the CMDB.

A year or two and a few role changes later, our team were no longer using it and getting tired of hauling it to new locations in the estate every time we got moved. The call went into desktop support to come and pick it up. But they had no record of its existence. And I got the distinct impression that asking them to pick up a theoretically non-existent asset was akin to suddenly shifting into reverse while doing 70 down the motorway.

Eventually we got moved again. Left the MBP on a spare desk at the end of the row and after a few weeks it disappeared. I assume IT did pick it up, but honestly couldn't be sure.

Infosec staff quality

I'm slightly off topic, or at least the point is tangential ... but I suspect I'm not the only one who's noticed that people in corporate infosec jobs seem to vary wildly in their abilities. IT remains generally infested with cowboys and all-purpose oxygen thieves, but sometimes I wonder whether infosec is the secondary magnet (after management roles, of course) for those who talk a good game while knowing basically nothing.

I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc and therefore resorts to absolutist dogma whenever challenged, usually because after some probing it turns out they don't really understand the technology or the ramifications of their "policy". It may, for example, seem like a good idea to look tough and competent by blocking all admin-level access to all machines, but have you thought how that might affect agile*¹ development teams? Do you know how many man-months of work are wasted because you didn't think to enquire before implementing such a draconian policy?

And are you really insisting on 2FA via SMS for 'extra security' ...? Cue, howls of laughter.

*¹ That's 'agile' with the silent 'FR'.

Re: have you thought how that might affect agile*¹ development teams?

Uh, they won't be able to fuck up so quickly anymore ?

Re: Infosec staff quality

>I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc

Just wondering if it is the same lot who had some "improvements" made to the JavaScript on their page recently, meaning some customers' credit cards got "borrowed"...

Anonymous Coward

Re: Infosec staff quality

<quote>I have some tragic familiarity with a major British airline whose infosec team seems to have no clue about risk, prioritisation, mitigation etc and therefore resorts to absolutist dogma whenever challenged, usually because after some probing it turns out they don't really understand the technology or the ramifications of their "policy"</quote>

That will be BA then? I can't imagine any other British airline with a worse grasp of IT generally!

Re: Infosec staff quality

Infosec bod here.

Yes I too know of this dogmatic mentality. However that can stem from corporate culture. If it is the culture of that airline to use the infosec team as blamehounds whenever a project goes wrong then it's not really a surprise. But it can also stem from a lack of confidence.

I get quizzed every day, all day, with 'is this ok?'. This will be on every IT subject from server setup (Windows, Unix, Linux and proprietary), cloud architecture, software development, web development, databases, to legal and compliance ramifications (GDPR, PCI, SOX etc etc). I'm expected to be an expert in them all at the moment the question is asked, and my answer makes me responsible for the outcome.

So I have become good at asking questions and mostly all I do is guide the subject matter experts who are asking the questions to the reasonable answer they probably knew in the first place. And I learn a little bit more in the conversation.

I might identify risks and take them to the right person to sign off, but it is not in my authority to say no or yes to anything. Getting it across that the risk is never mine can be quite hard. Speaking to an infosec bod is not outsourcing the risk.

TFL

Re: Infosec staff quality

This is something that the group I work with actually has worked out. We're part of a fairly large org, with security people in many roles. Ours is essentially internal consulting, where projects come to us for review. Sometimes even before they've done what they wanted.

PMs are still used to the idea that we approve things, but we don't. We identify risk, document it, and there is a process (still evolving) where this risk is formalized. If needed, the business people are responsible for fixing the problem identified, or accepting the risk.

Anonymous Coward

Re: Infosec staff quality

but sometimes I wonder whether infosec is the secondary magnet (after management roles, of course) for those who talk a good game while knowing basically nothing

You mean there's a chance for me to move into that field after all?

Re: Infosec staff quality

It's not hard to blag the certs. It just costs money.

Anonymous Coward

Re: Infosec staff quality

> blocking all admin level access

Except, if it's the airline I'm thinking of, you can raise a request for a "development profile". Unless things have changed recently.

I am a bit disappointed ...

there wasn't a saffron-clad, vaguely oriental-looking, elderly man with a broom named Lu-Tse involved.

Or maybe there was!! Nobody ever notices a sweeper!!!

Ah-hah!!!!

I can feel an extra exclamation mark coming up right now!!!!!

OK, I'll get out of here. The one with "Thief of Time" in the pocket please

Re: I am a bit disappointed ...

Who gives their brooms names?

Re: I am a bit disappointed ...

You shouldn't name a broom, you risk becoming attached to it. The same goes for any cleaning product really - before you know it you have empty bleach bottles sitting around because you can't face breaking it to them that they're off for recycling.

Re: I am a bit disappointed ...

@Androgynous Cupboard, you scoff, but it's hard. Their little pale plastic faces, so familiar, so beseeching...

Re: I am a bit disappointed ...

Trigger probably did...Or bits of it as they came and went

Anonymous Coward

Re: I am a bit disappointed ...

> Who gives their brooms names?

Errr ... Brummies?

Re: Who gives their brooms names?

@Sabot. I'll repeat a recent post of mine.

I have a wood planer called Nigel. :) PP

Re: Who gives their brooms names?

Right, I'm gonna call my hammer Mike then, or maybe MC.

Legality

In England/Wales, this behaviour would be illegal under the Computer Misuse Act. Is there a similar law in Austria?

Re: Legality

Yes - a POS called the CFAA, which is so badly written that you can be criminally prosecuted even for breaking terms of use. That's the law the FBI used to drive Aaron Swartz to suicide.

It was passed after Reagan saw "WarGames" and panicked.

Re: Legality

vgrig_us, I will break it to you gently, no-one apart from you is talking about the US, this happened in Austria.

Austria is a country in Europe, so the US Computer Fraud and Abuse Act and the FBI have no relevance here.

Comments like yours are why Americans (and by that I mean US citizens, as people from South/Central America and Canada are actually Americans) get a bad name for thinking that the world revolves around them.

Anonymous Coward

Re: Legality

Wait, you're telling me there are *laws* outside the US?

Next you'll say something really ridiculous, like that foreigners are actually people.

Re: Legality

Ah, my bad - somehow read it wrong... Blame the sleepy early morning commute, I guess.

Re: Legality

Best thing I ever did was stop driving and start exercising. We moved house and I was faced with a 60 minute drive plus pay for parking, or a 60 minute bike ride, or a 90 min bus ride.

The burst of exercise wakes me up and I'm much more effective - the excuse of "haven't had coffee" is unneeded. Even using the recent Lime scooters is a step up in the personal exercise area.

And as IT wallahs we all run the risk of chair-sized bums, so adding some blood stirring moments is the best thing you can do for yourself and your work.

Re: Legality

I guess so, but, you know, it sounds like hard work.

Sounds like a 30 minute moped ride could be a compromise :)

Anonymous Coward

Re: Legality

No. I blame you for being thick.

Re: Legality

"Next you'll say something really ridiculous, like that foreigners are actually people."

People with Rights, not subject to United States laws. What a concept, huh?

People like Julian Assange, even.

Re: Legality - Austria is a country in Europe

You mean, you mean they don't have kangaroos...

Anonymous Coward

Reputation and qualification

The Reddit angle is interesting - for its abject failure. As a social platform it is supposed to elevate the good comments as it builds the credibility of the posters. Being rated by your peers does not work if your peers are all clowns, at which point you should take a closer look in your mirror.

Taking it to 4chan would not have made a difference but it might have been more entertaining at least.

I'm not a sysadmin, but surely if you find an unknown piece of kit in your server room and the management don't know about it, then the first thing to do is unplug it and see who shouts, rather than get on the internet and wait for replies.

Why are you involving management in this? They won't know what it is even if they signed off on it 30s before.... Just unplug it, put it in your drawer and wait for the scream test.

Anonymous Coward

Unplug it?

Yeessss, but in some of the historical documents, if you disconnect a suspicious device, an LED flashes 5 times, then remains on for 2 seconds, and then the room goes KABOOOOMMMMMM!!!

Whatcha gonna do, huh, whatcha gonna do?

Burn it, Burn it with fire!

Then nuke from orbit. Failing that, get a hammer! If it doesn't have our company asset tag, it gets removed, and I've never seen it, wink!

Re: Burn it, Burn it with fire!

No. It's a Pi. You can always think of something useful for it to do.

Had a device dishing out rogue DHCP packets on our network once.

I bricked it with the wrong firmware.

Whoops, ahahahaha.

When I've found myself cursing at a useless/crooked 'professional' business - lawyers, EAs mainly - I've sat here brooding about ways I could royally fuck them over.

It used to be stink bombs/hidden sardines.

These days, a small wireless ARM device - those gur plug things, or something hanging off a USB dongle for power - would do.

IT security? Why have expensive consultants when you can pay an agency cleaner NMW and they work out of office hours?

"These days, a small wireless ARM device - those gur plug things, or something hanging off a USB dongle for power - would do."

Like one of those powerline networking thingies. Just glue a small glass bottle on it with some yellow liquid in and slap an Airwick[1] logo on it.

[1] other plug-in air fresheners are available.

While on the subject of bugs (of the listening kind), it's always worth taking the time to appreciate the genius of Léon Theremin's "Thing" https://en.wikipedia.org/wiki/The_Thing_(listening_device) (presumably it has a better name in Russian).

Anonymous Coward

Reminds me of working in security for a large corporate. I came in one day to the server room to get a console on one of our test/monitoring servers, as it had no remote access by design, and noticed that our 47U rack in the lab DC, dedicated to security machines, had a Linksys wifi AP plugged into the switch.

Asked the duty sysadmins what that was, and nobody knew: no asset tags, no records, not even racked properly, just plonked on top of one of our boxes. So I promptly unplugged it and put it in a desk drawer after a quick poke about revealed it had default creds and was allowing open wifi access to our isolated DC management network, inside a security zone which required elevated access to do some of the things it did. Also alarming because even though we didn't have a route out for it to call home, its range easily reached the break rooms and, with the right kit, across site to the tech park diner.

I heard nothing for ages, then suddenly our "security penetration test expert" team sent their boss to sheepishly ask for their access point back as they needed it for another job. It wasn't my place to, but I did suggest to him that perhaps he might want to apply some config in case the next client wasn't asleep at the wheel and spotted it too...

The majority of these comments apply to amateur pen-testing, the professionals don't get caught this easily, their kit never hangs off a switch unless they want you to find it ... because then you stop looking for the real one.

Sounds like a trial run to me.

Bah!

Look, it's very simple:

The FBI is a domestic law enforcement organization with no legal powers outside the USA, so stop recommending people in Europe call them.

The people you need to talk to are the CIA.

Who already know because they put the Pi in your closet in the first place.

Allegedly.

Re: Bah!

Ring ring, ring ring...

"Hello, CIA?

Yeah I found this device I don't recognise in my server room... I've unplugged it but want to know what I should do now... You want me to plug it back in and not worry about it?"

Anonymous Coward

Nobody ever expects the cleaners..

I was working on a secure project and was sat in a caged data centre with access to some secure racks - and was working away. My colleague was remarking on how secure the place was - several locked/key/biometric doors, cages, etc., and the fact we had to get clearance - when he was interrupted mid-flow by a cleaner walking in to empty the bin..

I've never laughed so hard.

TRT

Re: Nobody ever expects the cleaners..

Are they collecting large amounts of bubble wrap and do they have a gas-tight, explosion proof fume cupboard?

But... it could just be collecting data about the environment in the cabinet, or acting as a radio relay for freezer & fridge alarms...

Re: Nobody ever expects the cleaners..

"when he was interrupted mid-flow by a cleaner walking in to empty the bin.."

Seriously? You think that's a potential security weakness? Really? Have you *SEEN* the security checks that cleaners have to go through? No? Me neither :-)

Biting the hand that feeds IT © 1998–2018