Re: Incognito Mode?
A typical case, who we shall refer to as Mr A, although his real name is this:
32A MILTON AVENUE,
Welcome again to Who, Me?, where we invite Reg readers to begin the week crossing their fingers it will be better than those of our featured techies. This week, meet "Damian", whose tale is a warning not to get too cocky when demonstrating a security glitch. Damian's tale is of a time when he was working as an admin …
Don't need one. I have a first edition NEL paperback c/w their patent "virtual glue spine" of Time Enough For Love. It fell apart as I read it, and I treat paperbacks with great care. The pages are crammed back inside the (wonderful) Bruce Pennington cover in order. I could probably repair it with the book-fixum-upgood non-acidic PVA glues available today. I have a library full of unreadable NEL paperbacks because of VGS technology - a full set of the John Carter Barsoom for a start, more Heinlein, Dune et al, all only of sparse shelf-space value because of the Pennington covers.
To be honest, I read TEFL in '75, around the same time I read Dhalgren. I've re-read the second about four times (no, I don't understand it). I've never attempted the first again partly because of the spinal disintegration thing, partly because I came away from it the first time feeling that the best part of the book was the Pennington cover.
No doubt I will get an earful for this attitude, but I think RH did a better job of the time-loop thing in the rather shorter All You Zombies.
I'd also offer into evidence "By His Bootstraps".
But to be fair, my take is that the time-loop is very much at the centre of Bootstraps and Zombies where-as in TEFL (and To Sail Beyond the Sunset) the loop was only really a device to facilitate a much wider exploration of societal and cultural norms (very much the recurring theme in Heinlein's work) through the character of LL.
I had fun with putting the address of your intended victim (from my company) into the from field in Outlook. I knew that the email wouldn't send and I'd get a message saying that in my inbox. However, the email now sitting in the sent box looked like it was from the victim. Move that into the inbox and it really looked like it had come from them. So I wrote an email that purported to show my desk mate, a not unattractive woman, asking me out for a drink. I then sent it to myself supposedly from her and replied saying that I was flattered that she was interested in me. She looked up and said she had no idea who had sent that but it wasn't her. "Must have left my computer unlocked, sorry." I then sent a reply from "her" which said 'scrub the drink, how about going straight to dinner instead?' By this point she was smelling a rat and had worked out it was me sending them. She said "That's fecking evil - but bloody brilliant. You have to show me how you did that, I want to have some fun!"
It wouldn't stand up to any scrutiny (serious or otherwise) but made for a good practical joke.
This amusing anecdote sounds alarmingly like harassment.
Well in that case so does having free samples of Tenna for Men sent to me at work. We got on very well together and the practical jokes were part and parcel of our working relationship. By the way, she did that first.
"And his opposite-sex clone 'sisters'. And his computer. And his adopted daughter. And... do you really want a complete list?"
No thanks. I know the Internet is big, but I don't think it's big enough to take that list without breaking.
"Remember, if you break it, you bought it!"
Jubal Harshaw (probably)
I was once responsible for some of the networking in the (academic) organisation where I worked.
We had BT's X.25 PSS service connected to one of our DEC VAX systems. Someone tried to 'hack in' and, seeing it reported, I made a quick 'in retaliation' connection to their server... There were a few well-known system accounts on VAX, with default passwords. I logged in on the first attempt because they had not altered theirs (just lucky for me it was a VAX).
After noting they had a dozen or more systems, with names suggesting they were spread widely across Europe, I managed to find a mail list for the board members. I left a task in the queue to run a few weeks later, middle of the working day, middle of the week, telling them their security was poor if they still had default passwords on privileged accounts.
I have no way to know if it ran, and I probably wouldn't do it nowadays, but it seemed sensible to at least warn a few of the decision makers, hopefully in different countries, there was a security issue, possibly on more than 1 of their systems.
The security hole isn't really what's claimed: ability to forge a From: address is baked in to SMTP, and it relied on Damian having sysop privileges.
It's the mail system that first accepted the message then bounced it. Anyone who's suffered a Joe Job knows the hard way how inexcusably broken that is - and has been for the last 20 years or so (since mail abuse went from prank to spam). Either reject it or accept it; don't bounce!
"Security holes" really have gone to both extremes now. On one hand, we have exploits that rely upon timing attacks against the CPU cache to act as an oracle. But also apparently, we accidentally configured our mail server to act as a relay then spoofed an email from the PHB. HELO theregister.co.uk. Must do better.
I was temping at a company and set up their new anti-virus server. The problem was, I had just come off a 5 year stint at another company and I put in the recipient email address on the new AV server as firstname.lastname@example.org.
6 months after I left the company, I got a call from the manager. He'd just had a call from old-company's IT department. They weren't very happy about having received AV notifications for the previous several months and could he please change the recipient email address!
At work, we have a special mailing list for receiving notifications like this. All the technicians are on it.
We use that address for any notifications from systems, unless for some reason, they need to go to a subset of technicians and techs outside that subset should not see it.
We also use it for testing, but to send a warning of the test to the mailing list.
Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.
Or perhaps because his name was taken in vain instead of being treated like that of a deity despite being a fat, balding, Lexus-driving golfist with all the charm, wit and character of putrefying road-kill.
Pure conjecture, of course.
We had an OLAP cube running in Essbase, one of the first OLAP tools in the mid 90s.
The problem was, if you recalculated a filled cube, it would take forever! Well, 4 - 5 times as long as normal.
The "quick" database was recalculated every 4 hours and took about an hour to calculate. The procedure was:
1. Export bottom level data
2. Drop the database
3. Import the bottom level data
Can you guess what happened next? Yep, I did 2, 3, 4, ooops!
I was new on the project and asked my colleague what the procedure was. He said, just re-calc and blame the missing data on user error! :-O
I went to the head of the financial department, told him that we had had a problem with the export - well, we did, didn't we, I forgot to do it! I then told him we would import the previous export and then run the transaction file against that and then recalculate.
I reconstructed the data, recalculated and informed the users that we had had a problem and they should check their inputs from the last 3 hours. In total, we lost 2 transactions.
I got commended for being up-front with the customer.
Yep, but most people seem to think it's impossible, hence the full dress panic when the owner of our company got spam purporting to be from someone else in the company. "OMG we must be hacked" etc.
Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard.
"Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard."
And the irony is that in all probability the business's marketing department were paying some marketing company to spoof emails to customers in exactly this way.
It's high time email clients, as a default, would raise a conspicuous flag on messages that don't originate in the domain they purport to come from. Yes, it would make life difficult for marketing departments and the spammers they employ (I can scarcely contain my indifference) but it would also make life a little more difficult for malware flingers if their spoofing were to become exposed.
No, it would be REALLY stupid for many residential users of email, who can only send via their ISP's SMTP and also people using loads of email addresses on their personal domains that are automatically forwarded to some other mailbox.
The problem with email goes much deeper, a lack of any whitelisting and blacklisting in the design at the start. Retrofitted adaptations break email. Only some completely different system will solve it. Then there is the change over problem (see IP4 and IP6). The designers of email learnt NOTHING from the exploits of optical telegraph/semaphore (the Clacks was real once and spanned Europe at the time of Napoleon), wired telegraph, analogue phone (POTS), POTS & Fax with caller ID (it HAS to allow spoofed return numbers due to PABX/Network design limitations on sending from one line and a receptionist handling the reply on another number, as well as other issues). ISDN was designed to interwork with POTS inc. Analogue Fax as well as do digital voice, fax, data etc. So it was still "broken" regarding lack of whitelist & blacklist mechanisms inherent to the design.
There is no sensible reliable way to separate malicious from innocent email. You can sanitise by having no scripts, no remote content and display the real link for all link text (why do you need to hover and see status bar?). Plenty of stupid valid emails have also links that don't match text because the EVIL legitimate companies are using tracking and cloud services etc not on their own domain, IDIOTS. Paypal, my bank, my ISP all have such idiocy.
When I spoofed emails to colleagues I used to have to change the from address to .C0M so that Exchange didn't reject it - surely preventing incoming emails that say they're from the domain that you own would be rejected by default on most mail servers? I guess a lot of companies don't have the domain owned by a specific system?
"residential users of email, who can only send via their ISP's SMTP "
Residential users of email should _never_ be using the SMTP port. That's a big red "Danger Will Robinson" flag. They should be up on the authenticated ports and ISPs have zero business blocking those.
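As an added example (not from this thread or any of its posters), a DMARC-style identifier alignment check run over constructed messages: it raises the flag proposed above for a message claiming the company's own domain without any authenticated identity vouching for it, and shows why the ISP-smarthost objection holds unless the sender's domain also signs with DKIM. It assumes the receiving MTA has already stamped an Authentication-Results header on arrival; every domain is made up.

```python
from email import message_from_string
from email.utils import parseaddr


def _domain(addr):
    """Lowercase domain part of a single address header value, or None."""
    address = parseaddr(addr or "")[1]
    return address.rpartition("@")[2].lower() or None


def parse_auth_results(value):
    """Parse an Authentication-Results header such as
    'mx.example; spf=pass smtp.mailfrom=a.example; dkim=pass header.d=b.example'
    into {'spf': ('pass', 'a.example'), 'dkim': ('pass', 'b.example')}."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        domain = None
        for tok in tokens[1:]:
            if tok.startswith(("smtp.mailfrom=", "header.d=", "header.from=")):
                domain = tok.split("=", 1)[1].lower()
        results[method.lower()] = (result.lower(), domain)
    return results


def alignment_verdict(raw_message, own_domains):
    """Does an authenticated identity (SPF MAIL FROM or DKIM d=) match the
    header From: domain the reader actually sees? Returns a verdict string."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    auth = parse_auth_results(msg.get("Authentication-Results", "unknown;"))
    spf_result, spf_domain = auth.get("spf", ("none", None))
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    spf_aligned = spf_result == "pass" and (spf_domain or envelope_domain) == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "aligned"
    if from_domain in own_domains:
        # Claims to be us, but no identity we control vouches for it.
        return "spoofed-own-domain"
    if spf_result == "pass":
        # Some MTA passed SPF, just not the From: domain's: the ISP-smarthost
        # or forwarding case raised in the objection above.
        return "unaligned-relay"
    return "unaligned"


# Constructed samples (hypothetical domains). Authentication-Results is what
# the receiving MTA would have stamped before handing the mail to the client.
SPOOFED_CEO = """\
Return-Path: <bounce@freemail.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=freemail.example
From: "The CEO" <ceo@corp.example>
Subject: Re: pay rise

Approved, effective immediately.
"""

LEGITIMATE_INTERNAL = """\
Return-Path: <ceo@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: "The CEO" <ceo@corp.example>
Subject: Re: pay rise

No.
"""

RESIDENTIAL_VIA_ISP = """\
Return-Path: <alice@isp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=isp.example
From: Alice <alice@alice-family.example>
Subject: hello

Sent through my ISP's smarthost; my own domain signs nothing.
"""

# Same message, but alice-family.example DKIM-signed it: alignment is restored.
RESIDENTIAL_WITH_DKIM = RESIDENTIAL_VIA_ISP.replace(
    "smtp.mailfrom=isp.example",
    "smtp.mailfrom=isp.example; dkim=pass header.d=alice-family.example")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_CEO), ("internal", LEGITIMATE_INTERNAL),
                       ("via ISP", RESIDENTIAL_VIA_ISP), ("ISP+DKIM", RESIDENTIAL_WITH_DKIM)]:
        print(f"{label:9s} -> {alignment_verdict(raw, {'corp.example'})}")
```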
ing spree involving Manglement, HR, Marketing or Financial Directors bones in the usual methods:
falling down stairwells.
entering lifts that aren't there.
Gravity & the effects on heavy items, when they collide onto the above groups.
Percussive user adjustment with lump or sledgehammers.
"Monday 13th August 2018 10:34 GMT
I can't wait for the "Who? Me" article in a few weeks to explain why On Call wasn't published last Friday..."
You are SO LUCKY - I, in Hong Kong, never get this edition until TUESDAY and then mostly just before "High Noon" here [GMT + 8 Hours]
I had a business meeting with a client many years ago who was in the Direct Marketing game, and had developed a super-fast database that was several orders of magnitude faster than anything else around at the time (according to them). The guy I was talking to told me a couple of fun little anecdotes.
The first was that they had had to anonymise all their test data and discipline a developer, as he had been running database searches as a personal dating service and making unsolicited contact with potential dates. No, really.
But my favourite one was the story of how when the system went live for the first time, a test job still in the system immediately selected the top 10% richest people in the database and sent them a direct marketing letter which started "Dear Rich Bastard..."
Mailing Lists can be great fun.
We used to get announcements from our upstream service provider via an "updates" mailing list which unfortunately (for them) they had failed to secure. Someone replied to an announcement requesting to be unsubscribed from this list. This was subsequently broadcast to everyone on said list. Before they secured it, all sorts of stuff was going on - I think the last message I saw was someone offering to sell a pair of skis ....
Some years ago I was working on a programme to implement a new HR system for a large UK-based multinational group and during testing spotted that the access wasn't segregated so that any user then had access to all employee records, up to and including the board. The programme team (who were already several million overspent and a year behind schedule) refused to accept this as an issue and insisted that the product was "working as intended". So I took a screen shot of part of the HR Director's record, blocked out some parts of it, and emailed it to him, with the words "I don't believe I should be able to see this..." and surprise surprise, there was suddenly a defect being fixed. I never did win the argument about not using production personal data for testing though.
In a former life, working for a large financial institution, we found some unsecured SMTP servers on the intranet. Their purpose was to send notifications of some sort.
When discovering such an issue there are different possible ways to get it rectified. Being an auditor, an obvious way would be to raise it in a report. If found outside of a regular audit, a memo would work, too. Or even a phone call. But we, very cleverly, decided that best would be to send an e-mail from the CEO to the person responsible for maintaining those servers. Luckily, no typos. And only now I'm getting aware of the risk involved... it was not exactly the type of CEO to fsck with.
In a former life I was working for a large NHS organisation with a track record of inept IT. One non-clinical and completely non-essential vanity website had a trivially exploitable hole courtesy of an open SMTP relay and some PHP coded by an amateurish but highly paid vendor.
I raised this issue with the project team and the vendor. Apparently the attack vector and fix were "highly sophisticated", unlikely to be exploited, and would take some weeks to fix so sod off and stop being difficult.
So by way of demonstration I knocked up a quick Python script and sent a hundred or so automated emails to the project team and the vendor's helpdesk. They switched off the relay sharpish and had a code fix in place within a couple of days. Funny that.
Reminds me of the reason I left one place. Luckily the IT Director realised what was going on and arranged a month's "garden leave" for me when I handed in my notice.
Long story, the IT Manager, who I'll simply call "Dick" (pretty much everyone in the company called him that), was of the arrogant "I know more than anyone else and I can't do anything wrong" type.
So apparently he owned a multi-million dollar oil exploration data company in the USA, had a Cray supercomputer in his barn, used to be on the Olympic archery team, completed 6 degrees at University at the same time over just 18 months, counted Richard Branson as a personal friend, could play classical piano to professional level, you get the picture. Lived in a 2 up, 2 down in a cul-de-sac in Gloucestershire.
Somehow this genius managed to program part of the code to the billing system, a third party system no less, that resulted in random debits and credits being added to customer's accounts if only a partial payment was made. By random I mean anything from a few pence to thousands of pounds. Part of my job was looking into why it was doing this, and when I finally found the cause we got it fixed. Cue testing of the reports that go out to the client, which "Dick" promptly tells me are absolutely fine because he's written them. And which promptly showed the thousands of pounds of un-billed customers that owed money because of the bug he'd introduced in the first place.
As the person running the report (on his orders) I'm promptly called in and put on notice (it's at this point the IT Director calls me in and says he can at least guarantee me a month's wages, which on the grounds that saving my job means working with the manager from hell straight after dobbing him in suddenly sounds like a great idea). Day of the meeting I promptly hand over my resignation and proceed to discuss in great detail how much of a complete idiot my boss actually is (including how for the last 3 years he'd been calculating VAT wrongly on all the client reports, despite being told he was doing it wrong. He'd been calculating VAT as 17.5% of the Sale price). Needless to say I enjoyed that. Almost as much as I enjoyed the month's holiday on full pay after the IT Director informed HR that they had to pay me for that month as technically I was still employed despite being on garden leave.
As far as I can tell the company folded about 2 years later. Probably as a result of losing clients due to the IT Manager's incompetence.
Simple, because I was the one who ran the report, on his orders. Except after the client kicked up a fuss he denied all knowledge of signing off the report. Despite there being witnesses. But because said witnesses weren't IT, it came down to his word against mine. And as it was me that actually ran it, it wasn't enough to give him the push, not without a very protracted and lengthy tribunal case by him. Personally I was happy to take the month's wages, I was already looking for another job after having to work a 24 hour shift every 2 weeks (24 hours due to an overnight report that then had to be debugged and fixed due to said billing errors).
If the Director could organise gardening leave for you, why didn't he organise it for the manager instead?
1) Always shoot the messenger.
2) There was a scam going down and the IT-manager and the Director were partners. It is hard to audit when the accounting system cannot add up properly. This is a feature if one is skimming the till.
@AC no scam, he really was a complete idiot. As said, he claimed to be an Einstein level genius, but couldn't get his head around the simple fact that VAT is ADDED tax, not a % of the sales price. Luckily for him you don't pay VAT on postage which meant that the numbers kind of balanced out, but if HMRC ever audited the client they'd have some serious questions to answer.
@Alien8n VAT definitely is charged on any postage billed to customers just as it is on other delivery charges (the Royal Mail doesn't charge VAT but that's another story), so the numbers wouldn't balance out. If it was a scam and the IT Director was in on it, he did rather well to get rid of you with nothing but a month's pay.
There were plenty of other things that rang alarm bells. Such as how he was apparently a super duper database developer. The accounts database which he created in Access generated over 8Gb of data and took 8 hours to run. After optimising the ODBC queries and moving the where clauses to the initial database query I got it down to 2Gb of data and 2 hours to run. He really didn't have a clue, but was always ready with some bullshit story about why he was better than everyone else in the company.
Apparently his fully cryogenically cooled Cray supercomputer was bought for a song and used to generate oil exploration data for the UK government and was connected to the internet with a T1 connection, which according to him meant he had to be registered as an ISP. Also apparently he was allowed to keep surgical titanium rods that were used to hold his collar bone in place, which is why he was unable to compete for the Olympic archery team, due to an accident involving a herd of red deer.
@The Boojum nope, if it had been I think I'd feel more open to admitting that. Unfortunately the individual in question shares the same name as someone rather famous who died earlier this year. Which ironically makes it impossible to verify any of his claims (you'd think his claim of being on the Olympic archery team would be verifiable at least).
"Point of information: in English, the thing you ask for if you want to be paid more is a "rise". I believe this word is difficult for foreigners, who misspell is (sic) "raise"."
Being a pedant doesn't give you much sympathy. Being a pedant and wrong makes you a fool. Congratulations. Being a pedant, wrong, and not being able to string a sentence together without making mistakes ...
A "raise" on its own, no further words attached, is an increase in salary, especially in US English.
A "rise in salary", with the word "rise" attached to another word, is British English for an increase.
So: "I got a raise" and "I got a rise in salary" are both perfectly fine. You would never ask for a "rise", even in British English (well, YOU might). You ask for a "raise" or a "rise in salary".
I did something very similar once. My typo was while demonstrating the 'net send' command. Unfortunately I wasn't paying much attention when I typed out the command and typed the name of the domain instead of the username of the person I was showing it to. The boss was less than impressed. Fortunately there was no harm done so I just got told not to do it again.
I was working for a small sized company at the time as one of the IT PFY's. The company had a policy of sending out happy birthday notices (think "reply to all" situations) to their employees on the Monday just prior to said event, thus giving all the other employees a chance to tell the birthday person "Happy Birthday!", leave a small gift at their desk, etc.
I slightly altered the mass email meant to announce mine so it included the line "<HypnoToadEyes>Bring me candy!</HypnoToadEyes>" in the hopes some of the others might bring me at least one of those tiny single serving packets of sweets.
I got the shock of a lifetime when I showed up on Tuesday to find my desk nearly *buried* under mounds of packets! They obviously got the hint.
I wound up filling a candy dish with all the poured-out sweets & sharing the bounty with my coworkers in thanks for the outpouring of happiness.
I hated having to leave when they went under, but the boss wrote me a glowing letter of rec to help me find new work elsewhere. =-J
Some many years ago, a colleague of mine (who shall remain nameless) was developing some tag reader kit. You touch the reader to the tag and it would read an id from it, matching it with a name and would display the name on a small readout on the unit. It was a good gag to put rude names like Betty Swollocks and Mary Hinge in the unit during testing and development.
However, what was not smart was forgetting to change the test data when demoing the kit to a potential customer. There were some red faces that afternoon.
... as I found out at a previous role (witnessed it rather than actually doing it).
We were part of a leveraged team at a global outsourcer, installing new solutions for customers and changing infra for existing ones. We had an offshore PM overseeing our work for a particular client, and he'd demanded two engineers be dedicated to a task that would take all day.
When he realised that it would take longer than he thought for this task to be completed (we'd warned him in advance), he demanded additional engineers be allocated, then threatened to escalate it when we politely informed him there weren't any available to help. We spelt out the escalation route to him and waited for the eventual email copying in our boss (we used to get two or three of these a week so were used to it).
Except the guy cc'd the CEO.
Within 30 minutes, we had a director of services on the phone to my colleague asking what was going on. We explained everything to this guy, who listened intently, was very polite and thanked us for the clarification before hanging up.
About a week later, the PM disappeared completely from the GAL and no one heard anything further from him...
To be honest, this was more common back when somebody left their VT-220 terminal accessing the Vax VMS computer unlocked...
Anyway, we'd send an email to the big boss, cc'ing our victim. The big boss's email address would have a subtle typo, like a zero instead of an o (so it wouldn't get delivered to them). We'd send it, and then delete the email bounce message. Then we'd leave the incoming cc version open on our victim's screen. Give them a heart attack when they get back to their desk.
VMS also offered some sort of Message system, so we could send each other messages supposedly from "SECURITY" stating that, "YOUR CAR IS ON FIRE." Great fun.
Previous place the common thing for unlocked and unattended IT machines was to send an email to the IT Manager professing Undying Love (male or Female - didn't care) and then the IT Manager would reply with the usual "that's nice but no thanks", we would have a laugh and Prat with elevated privileges would maybe learn a valuable lesson - Not.
Of course, then the Manager inevitably left his machine on and someone decided to send the message to the CEO instead who didn't have a sense of humour.
Cue uncomfortable conversation with the CEO about the IT security policy.
It reminds me of a time when my now "ex" partner used to work at my location. Being the onsite adm for dom, I used to send short messages via the send command, acting the goat, to her account.
All fun n japes until I messaged her to say "work sucks, wish we were still at home on the sofa like last night....." (ahem!!)
Wasn't until my workmate said WTF that I realised I'd sent it to all connected users of a DB (every bloody single one of the 135 users, who had to click OK to clear the message..... not just her!)
Boy, I was red and quiet ALL week, even had to confess to my MD.... he found it hilarious! PHEW!!!
Anon because I still work there! :p
We have a rule, if IT find your machine unlocked, be warned!
My fav is always to open the start menu, take a screenshot with it open and make that the default desktop; when the ticket comes in to say "my Windows start menu is screwed", they are ridiculed then informed it's fine, you just crossed the path of local IT.
After 3 strikes it's not so funny anymore and becomes an HR issue ;o) We are hard... but fair.
In the 90s, just as email was starting to hit the national consciousness, I got a detention for playing the same trick on the headmaster, using an online 'Monty Python Spam Email Generator'. Of course *I* used a fake 'From' address. My idiot friends used their own.
Many years ago, working at a large warehouse/office complex, some of us got very irritated with our useless boss call diverting all his calls to our phone.
Several plans of revenge were put into motion, but the one with the biggest impact occurred one night; while dodging the security doing rounds, we managed to access about 70-80% of all the phones in the complex and diverted them to our boss's phone. (The system wouldn't allow a diverted call to be diverted a second time.)
I understand he is still trying to stop Readers Digest, Everest, CO-OP Funeral Services and a few other companies from sending him sales reps though.
(Spent another night filling in packs of Rep request cards from a trade show)
Back in the days when we ran Novell Networks, we discovered you could send instant messages that popped up on screen, very handy for lots of good reasons. However, people would take to annoying each other with them, and so it was that two of the junior staff were annoying each other one morning (even though they sat the other side of the desk from each other), when one got fed up and logged off to put a stop to it.
Or so she thought......we discovered afterwards that Novell assigns a unique login ID for each user, and when you log out that ID can be assigned to the next person who logs on, if it's within a very short time period.
Which is how we got a phone call from a senior manager asking why his computer had just popped up a message telling him to "STOP IT!!!"...thankfully it wasn't anything worse!
A good few years ago, I was working at integrating an SMS gateway into our intranet (forget why this was a good idea)...... To test it, you just had to enter a string of the text you wanted to send "MATT - PLEASE COME TO MY OFFICE IMMEDIATELY - YOU HAVE SOME QUESTIONS TO ANSWER" - the RECEIVING number - whatever that had to be - and most importantly, you could specify the SENDING number - which (inevitably) was my boss's number. The S**T really hit the fan when "MATT" ran into our boss's office with his tail between his legs, wondering what the hell he had done wrong. I admitted to it immediately, rather than anybody else get blamed, and the mitigating circumstances were that I was showing a mutual colleague how insecure the system was. I got a (verbal) slap from my boss, and a pint (thus the icon) from "MATT" for owning up. Be careful out there folks, larking around has consequences. I did feel a bit silly, but the whole project was scrapped as a result, due to the inherent insecurity and risk that I uncovered. To be fair, the "FROM" field would not likely have been exposed by the webform, but not worth the risk.