This article could benefit from some proof reading.
This article could benefit from some proof reading.
Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived. This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard …
When I was younger I did the same with padlocks. The cheaper ones I remember could be opened by just turning one way almost 360 degrees then the other way the same before going back to a final stopping position. Before TSA locks came in I opened the padlock on a friends case when they forgot the code. Betting me £100 I couldn't do it in under a minute was a mistake. You just had to put tension on the lock and turn the dials.
A long time ago the team I was in was moved to a new building (by new I mean old but vacant)
Every desk had a metal drawer cabinet by its side but every single one of those cabinets (built like tanks) was locked and we were provided no keys.
I started fiddling with mine and got around the lock by picking the lever system inside it that connected the lock to the locking mechanism of each drawer (it was just accessible from the bottom of the cabinet).
After seeing I'd opened my own cabinet, my boss instructed me to open the rest of the 60+ cabinets. Fun times.
"What I want to know is how they worked that out as opposed to just picking a basic lock."
Two obvious ways:
1) You can save a good deal of money by purchasing filing cabinets without locks, but with the capability for locking hardware to be installed. As you install it yourself, you note that the locking bar is held in place by gravity, not by the lock itself. The lock only prevents a lever from moving, and thus moving the the locking bar. The bar itself is free to move if you tip the cabinet.
2) You are the poor bastard selected by the Boss to move filing cabinets from one office to another. Naturally, the Boss insists that they be moved fully loaded, and locks the drawers "so they don't shift on you". Inevitably, one of the cabinets is top-heavy & manages to discover it's center of gravity at an inopportune moment. As it hits the ground, one or all of the "locked" drawers pop open.
Whilst on the Isle of Skye, I took my disabled wife to visit a seal watching hide overlooking the estuary. The road from the car park was barred by a gate with a combination padlock, and Blue badge holders were invited to phone an Edinburgh number to get the combination to allow them to open the gate and drive about half a mile nearer to the hide. I looked at my mobile phone - no signal. No land line anywhere in sight, so I looked at the four digit rotary barrel lock. Applied a bit of tension and twiddled the barrels until each went slack, and opened the gate. I don't know how the RSPB expected anyone to contact them from a signal deadspot, unless one was expected to return to civilisation to get the combination, but by then, the moment would probably have passed.
Many years ago I had a friend at college who, for a kind of party trick, would easily pick the padlocks on student trunks. Took just a few seconds and you'd have to be watching quite closely to see he didn't have a key.
He never abused his ability, but he would pick a lock, then put it through a piece of paper on which he'd written "Get a better lock!".
I don't recollect witnessing it, but I think he also did that to bikes, and was dismissive of big heavy expensive D-locks that were really secure against being broken but could be quietly picked in a few seconds.
Many years ago I had a friend at college who, for a kind of party trick, would easily pick the padlocks on student trunks.
Did this. There was a group of us (>45) going overseas. All our luggages were piled in our room while waiting for the hotel to come and pick them up in one go.
I had a metal wire and a heavy door jam. About 10 minutes later I was "cracking" some of the locks and interchanging them around.
We arrived at our destination hotel and within 2 hours of check-in there was a huge commotion (some of the rich kids called home to daddy) while my side-kick was, literally, rolling on the floor laughing.
When the owners of the locks managed to open up their luggages, the next thing they did was march down the hotel reception and asked where the nearest hardware store is so they can buy a sturdy lock, particularly one I can't pick.
What I didn't tell them was I could still open their luggages without touching the locks (via the zippers).
No, they weren't offended of the stunt I putted.
Yes, during the trip I was able to use the same "pick" to open a room door and the door to the bus. Fun times, that was.
"Yes, during the trip I was able to use the same "pick" to open a room door and the door to the bus. Fun times, that was."
I had a friend at college who always carried a screwdriver and would unscrew tables, chairs, anything held together by screws.
I kept very quiet about my lock picking abilities when he was around in case he picked up on that idea. There was nothing worse than having to unpick a bike lock when you were cutting it fine getting to a lecture on time.
"I had a friend at college who always carried a screwdriver and would unscrew tables, chairs, anything held together by screws."
A few of us paid a visit to the NUU in Coleraine not long after it opened. The bit we were in was constructed out of a sort of oversized Meccano. I wondered how much of it could be dismantled overnight by a determined squad of students armed with the right size spanners.
I wondered how much of it could be dismantled overnight by a determined squad of students armed with the right size spanners.
There are stories of students taking a car apart and reassembling it in the owner's room. Usually a kit car like a Lotus 7.
"A Citroen 2CV is piss easy too"
The Mini and Beetle have monocoque bodies that would not go through standard room door widths? The Lotus 7 was a shallow sports car. Not sure if the 2CV body could be easily taken apart?
"Not sure if the 2CV body could be easily taken apart?"
It was originally designed for rural French farmers, hence the narrow tyres, long play suspension and extreme ease of removing and replacing the body panels. ISTR seeing a video many years ago where one was stripped down in a TV studio with little more than a single spanner and screwdriver. Not so sure about the chassis though.
Here's an example, 5 minute video speeded up, but a complete strip down to the chassis in probably 15 minutes. I'd estimate that the chassis with or without wheels would probably fit through a door on it's side.
"We used to pick up a neighbor's VW Beetle and set it in his pool. "
An IT colleague used to compete in international motorcar rallies. One day they arrived in a town and couldn't find anywhere on the street to park. They rolled out their wheeled jack - and "tidied" the cars that were already parked until there was enough room for them.
"There used to be a Dexion shop in N London, long gone, of course. It's right what they say: the variety has gone out of the High Street these days"
Twenty years ago I moved to a small town in which all the non-food shops were devoted to ladies clothes. Seemingly nothing at all for the blokes, at least not at the weekend.
Then I discovered a small corner of a department store devoted to car accessories (not needed once my banger days were over) and more exotic things like Dremel drills. Ah Bliss.
Unfortunately that place was eventually taken over by a large chain and the blokes' options diminished significantly.
Old-style D-locks had a type of circular lock that was very vulnerable to being picked using a circle of plastic like, say, the cap of a Bic ballpoint pen. I'm not giving any trade secrets away here, since this quick pick system has been around for decades.
Masterlock however is something of a concern. They have an unenviable reputation as the absolute easiest-to-pick padlock makers in the world, barring some of the cheap and useless Chinese brands. Masterlock use no security pins, and even go so far as to include a vulnerability in some padlocks that leads to them being easily bypassed.
Their latest outing into the world of security done wrong is a Bluetooth padlock with the key hardcoded into the device MAC address...
I have a photo that reminds me how security works in the minds of many, and which illustrates this story perfectly. The picture is of a boat on a loch, secured by a large and imposing padlock one wouldn't dream of trying to pick. But above and below the padlock are two conventional shackles, easily removed with a pair of pliers, or maybe a bit of wire. Most people, except miscreants, concentrate on the padlock. So it's excellent security for keeping out people who wouldn't steal the boat anyway. Not sure whether links are acceptable on ElReg but the pic is here:- http://www.tinslave.co.uk/vrp/wp-content/uploads/2012/10/TinSlave-175624-05102012.jpg
"I have a photo that reminds me how security works in the minds of many, and which illustrates this story perfectly."
Someone recently came to visit us at home. I had to go outside for some reason and came back in.
"Is that your bike out there?"
"We should put it round the back, it's safer."
"OK, I'll just be there in a second."
She came out of the house and I was holding the bike in front of her. She had locked it to our gate post, so I had just lifted the bike, and lock, over the gate post and wheeled it down the drive.
> I had just lifted the bike, and lock, over the gate post and wheeled it down the drive
One of my neighbours has a chain-link fence around the property, with double gates at the front which they are obsessive about locking.
Come the inevitable "I've lost the key to my gates" knock on my door, I followed them back with a box full of tools to try and force / break / cut a way in. Apart from the obvious (chain-link fence that would be easily cut through) it turned out that their gates simply lifted off the hinges.
"it turned out that their gates simply lifted off the hinges."
The comms team had a big cabling job to do at the warehouse over a weekend. The warehouse was near a football ground. When they got there they found some local wide boys had lifted the locked gates off the hinges and were selling car parking to match goers.
"But above and below the padlock are two conventional shackles, easily removed with a pair of pliers, or maybe a bit of wire."
Hmm. If you were to undo the shackles and reconnect them to each other you could leave the boat still tied up and steal the padlock.
I had my department buy me a fire safe for floppies. During a re-organisation it was decided that such things would be a group resource - rather than "belonging" to an individual. After a few years it came back into my sole possession - unlocked but without the key.
There was a manufacturer's piece of card still inside that had some cryptic numbers. The manufacturer's UK branch insisted there was no way to find a key for the safe. Took the information to our high street independent key maker - a week later he supplied a key that worked.
Took the information to our high street independent key maker - a week later he supplied a key that worked
We recently had our front door replaced and the new one had uprated "security" locks - for which the supplier wanted £35 per duplicate key (it only came with two keys) and assured us that we couldn't get them anywhere else.
One swift trip to our local independant key cutter and we had 6 extra keys - for the princely sum of £10. All of which worked.
Get a settling torch. Cut a hole with it in the top of the safe. Pump a load of water into it until it's full. Put a charge in it to cause a small explosion. Set it off. The pressure inside and shock wave from the water will blow the doors off.*
Obviously only useful if full of gold or silver. Money would kinda get wet.
*Yes I've stolen that from The Score (sorry if that now ruins the movie. Still a great movie and still not fully ruined the plot for you).
Reminds me of when we got about half a dozen desktops back to head office for a RAM upgrade at a place I used to work. Spent about 30 seconds trying to open the padlocks with a pair of pliers which only got as far some minor dents in the lock. Then turned the pliers on the loops on the case the locks went through, it was lick putting a hot knife through butter.
"Then turned the pliers on the loops on the case the locks went through, it was lick putting a hot knife through butter."
Yes, but also very obvious to a casual observer that it's been fiddled with.
If you pop a padlock you can close it again. If you break it, you can remove it. We've had both instances occur.
There are _much_ harder locks to pick than standard pin or barrel jobbies but there's no point going harder than what holds the lock down.
" but there's no point going harder than what holds the lock down."
Before the advent of cannon - stone castles were reasonably impregnable to direct attack. However - at night it was impractical to keep opening and closing the main gates. So they often had a small postern gate tucked away in the outer wall. This was the weak spot that was prone to phishing or bribery - letting a small enemy force in to open the main gate.
"stone castles were reasonably impregnable to direct attack."
A bit more laborious but you could also undermine the walls. It needed some sort of shelter unless to approach. You shored up the excavation with wooden props until a enough length of wall was undermined and then light a fire to burn the props out. I think this how "mine" also came to be used for an explosive device.
" I think this how "mine" also came to be used for an explosive device."
The word "undermine" could possibly be assumed to have the same origin - in its figurative usage of an unexpected collapse of a position.
Not sure when someone replaced the burning of the props with a load of explosives. Guy Fawkes didn't have to do any physical mining. The technique was used to devastating effect when multiple underground mines were detonated at Messines in 1917.
I recently had a locksmith out to my house to fix the mortise lock ony 100 year old front door.
While here he also took a look at my 5 year old dead bolt I had added to the door for extra security.
The dead bolt is a mechanical Weiser SmartKey (https://ca.weiserlock.com/en/deadbolts/)
He said they don't recommend them because they are pick proof so if I lose my key they would need to drill out the cylinder.
Isn't pick proof an advantage?
In the security business it's always a compromise between security and convenience. It's much more convenient of you don't have to lock your door, and make sure you have your key on you when you try to get back in. Your locksmith was telling you the other end of that compromise, if you do manage to lose your key, then it's very inconvenient for the locksmith to get through it. Which may mean more expense for you as you'll now have to replace the lock that was drilled out. It may mean more inconvenience for you if there are multiple copies of the key that may need to be replaced now, coz others have the key. It is however more secure, coz thieves can't pick the lock.
Only you can decide where in the spectrum between security and convenience annoys you the least. You makes your choices and you takes your chances.
I once was given a batch of Zenith Data Systems 286 boxes to try and "recover" (auction lot, no idea of passwords). Luckily I had a very clever local sysadmin who told me to follow these steps:
1) Switch off the computer
2) Open the box
3) Unplug the floppy drive form the main board
4) Start the computer
5) You are now in the BIOS.
6) Reset the password and switch off the computer
7) Plug the floppy drive back in
The laptops we have at work have a similar exploit I discovered.
They are DELLs locked with a boot password, which prevents access to the BIOS - one password for the user, which we are told, and one admin password, which we aren't told.
When installing a RAM upgrade, and booting, you are presented with a helpful, "The installed RAM amount has changed" message, and helpfully allowed straight into the BIOS. I didn't change the passwords, but I could have...
> They are DELLs locked with a boot password
Try a Panasonic Toughbook, it_is_not_the_same...
I had a (actually this one I'm on) Panasonic CF-53 I picked up on CL* for $200 and it was locked down to a fair-thee-well. Took it apart, motherboard is in three separate pieces, no matter what, it held on to it's password like it's life depended on it. After about two months of exclusive kitchen table priority(there is nada on web for Toughbooks btw), finally gave up and sent it off to Panasonic to clear the password. Cost me like $200.
*It was legit. Somebody used it to pay off a landscaper and the landscaper didn't know what he had so... It's a good machine lol.
I was once waiting in reception for an interview at a security company.
Someone came in, went into the internal door, which had a keycode lock. She hesitated, and looked towards the security guard, who called out "3285" so she could get in....
(Just to add to the fun, I didn't get the job - I was a contractor, but for some reason the agent had sent me for an interview for a permie position.)
A program I was using on a UNIX box was setuid root. It had a menu option to start a shell which turned out to be a root shell. I reported the security hole to the sysadmin and my manager and thought nothing more about it. One day, the sysadmin was away and we had four programmers starting. My manager asked me to break in and set up their home directories. I did so and told the sysadmin what I had done when he returned so he could check my work. He was fine about it but my manager was furious that I had told him, saying the sysadmin would fix the problem so we couldn't break in any more. That didn't happen. Every four to six weeks, I'd get a call from the sysadmin saying he had forgotten the root password and asking me to break in to reset it.
As a student, I lived in what would originally have been a rather posh house now converted to multiple occupancy. One person kept his bike 3combination padlocked to bottom of the ornate iron bannisters in a position that was right the way I wanted to go. I would pick the lock and hang the bike from the top of the bannisters. He never figured it out.
A few years ago, a relative was helping a lad with a few problems. To stop his bike being stolen again, he proudly showed a combination padlock of a type I recognised. I told him that this was not gong to help him. As he felt it would be all right, I asked him to time me and picked it in about 20 seconds. I hope he got something better!
Last year I was at a conference on a Californian university campus, staying in shared dorms, the apartments of which had hotel style card door locks. Late at night, I went out to look for Perseids. As I shut the door, I realized I had the cafeteria card in my hand, not the door card. My roommates were all drinking the night away with their buddies in other rooms.
Just before resigning myself to a night on the doorstep, I thought, ok, why just try the old credit card trick. Five seconds with the nice flexible cafeteria card, and I was back in...
Can't imagine how any lock can yield to that these days!
I have done this, legitimately. I had a bike which had a locky-up thing with a combination lock (this was in the late 1970s before decent bike locks). I had cycled to the local town and locked the bike up before meeting some friends and spending the evening in the pub I think, having decided I could walk the bike home (no lights, not stupid enough to ride up the A5 in the dark, drunk, with no lights even as a teenager).
Problem: where I'd locked it up was dark, and it was midnight. So I spent what seemed like a long time (I was drunk, would have been less long if sober) solving the combination by feel: at any point the lock was hanging on one of the wheels, so when that wheel got into the right place the lock would move a bit, at which point you knew that digit was right. Iterate on the other wheels until it comes open. The 'drunk' problem was remembering which wheels you had solved, while not able to see the lock clearly.
Same here. A few years back I locked my bike against the railings on the sea front. Came back thinking "What If I forget the combo one day. That would be annoying". I put it what it was, it wouldn't open. WTF! Proper annoyed as it def was the combo.
Wondered around town looking for options (as in going in hardware stores to look for massive bolt cutters). Couldn't find any was repeatedly told it wouldn't work. Found a bike shop and spoke to the guy there. He asked what lock it was. Told him and he said "Well some you just need to put tension on them and turn the dials. Then you'll feel it pop".
I'd called the police first, the local number to warn them I'm not stealing the bike if you see me with bolt cutters. I went and tried what the guy said thinking it wouldn't work. And my god it did. One of the fucking numbers had changed while I was in the shops. I guess the lock was cheap and must of knocked the setting as I was locking it. Threw the crap away and ended up getting one with a key instead.
I guess the lock was cheap and must of (sic) knocked the setting as I was locking it.
... or, perhaps, some passing wag had picked the lock, changed the combination, and locked it again.
Maybe a friend of the guy in the bike shop -- he seems to have known how to go about such a prank.
I work across lots of different types of sites, with lots of different levels of security. Many of these sites use the combination door locks.
I was shown a trick by a locksmith whilst working on a police station to bypass some of the basic types of these locks. I showed him my trick that works with about one in five of the locks (including the none basic ones): the code would be written somewhere near the door, often on the door frame.
The locksmith claimed I was exaggerating so we walked through the police station and stopped near every code door lock we saw. I managed 2 out of 5 on that site, including the code lock on the door of the evidence room!
Many years ago I was tasked with installing Keypad Security Locks in Social Services offices across the county. I was told not to change the passcode from the default 123456, as having different passcodes at different offices confused the Social workers. Whixch of course entirely defeated the object of having the locks,.
If the security was just a password prompt in the autoexec.bat file, then there were a million different ways to circumvent that. The easiest would have been to press shift or F5 when it said "Starting DOS" to skip autoexec.bat and config.sys. Or boot from floppy.
Further, I'm not sure how a ROM option could have affected the OS once the machine had booted.
"Further, I'm not sure how a ROM option could have affected the OS once the machine had booted."
If you read the article, it says that Ctrl-Alt-Insert was a diagnostics mode which would have been on ROM and that's where the option not to run autoexec.bat was found.
Thus, a ROM change with that option removed would have been the fix. We don't know the machine had a floppy disk.
Pretty sure F5 was only introduced around MS-DOS 6, so if you were running that on a Zenith 286 you've got some other military technology on the go! Could have just lept forward in time to a point where they had the password though....
We don't know what version of DOS it had - before MS-DOS had the F5 skip, it was available on other DOSes.
So what you're saying is this machine booted DOS from ROM (Possible but very expensive in the 286 era) and had all other boot mechanisms, such as floppy drives, floppy pin headers, SCSI headers, expansion boards, blocked so you couldn't plug something in?
I doubt it - autoexec.bat security sounds more like a hindrance rather than security.
"Thus, a ROM change with that option removed would have been the fix. We don't know the machine had a floppy disk."
Yep, we had a couple of PCs that needed to be "secure". I wrote a password routine as a device driver loaded by config.sys, so a bit more difficult to by-pass than autoexec.bat and then we fitted a key switch into the case that controlled the 12v line to the floppy drive. It passed the BIOS POST but wouldn't spin a disc without the key inserted and turned to the on position. Obviously whole HDD encryption wasn't really an option then. We also patched the OS on the user machines to look in a different place for the FAT/Directory sectors. Discs being taken in or out of the office then had to pass through the one of the "secure" PCs dedicated to the task of being the gatekeeper which virus scanned them and relocated the FAT/Directory sectors to the correct place for internal or external use. This allowed disks to move freely but made sure they were as virus free, at least internally.
Once upon a time the physics department terminated my computer and relegated me to a noisy room with a desk and a PC equipped with only one wordprocessor (ChiWriter, an abomination).
I was able to secure the PC with a few commands in the autoexec.bat file
The first two insured that onlookers were not shown what was going on, the last one parked the hard drive and halted the processor (the latter act was non-standard). I would switch on the computer and terminate the batch job with <CTRL-C>, and run a different batch file to start the word processor. The rest of the department thought the box was broken, since <CTRL-ALT-DEL> would not reboot it. (security by obscurity was effective in this case)
It's the very nature of Basic Input Output System to provide access to the underlying hardware and if it's not in BIOS then it has to be coded into the OS.
It's not difficult to request a modified 'secure' BIOS if you buy enough/have the right connectons (think government agency)
Thankfully this was during integration testing, and I was doing my best to break things.
We were developing a secure system for the MOD. The client machines we were working on were going to be running a locked down version of Windows NT with keyboard equipped with a magnetic card reader. To log in you had to insert the card and that supplied your username, effectively. You then entered your password and logged in. Any removal of the card had to lock the machine or abort the login process and leave the machine secure. That seemed to work fine.
Separately, we had additional software installed that, after login, but before showing the desktop, would show you information about your last login session - e.g. when/where. That seemed to work fine.
Unfortunately, whilst that dialog was being shown, it was impossible to lock the machine. Which meant that so long as you choose to remove the card before acknowledging the dialog, you'd end up logged in with no card inserted.
Loved showing that one to the guys who had lovingly crafted these separate systems.
This post has been deleted by its author
At a previous employers a good few years ago they used an industry standard DOS program. It was still a DOS version despite XP now being the latest windows version. Each brand had a mission critical database on the system that you needed to be authorised for before you could read or edit the data. The security was such that giving a user a level of access for each database were possible. The program needed at least one administrator to be set to assign other users their access level. There was read only/read and write only/administrator (with ability to dump data out). They also required you to license each database each month by manually inputting a code they gave you every 30 days.
However I spotted a flaw with this because after entering the code it just left a licensed database on the server. If you had a copy of the program you could simply copy the database file/files to your computer and use that to access the data. You just used your own login on your version of the program and bingo you had access until the code needed to be reentered. So you could have a month of access doing that to a competitors data. Once you did though it was easy as admin on your version to dump the data out. Of course you had to get access first but a disgruntled employee or a hacker could do that. I pointed this out to both my employers and the firm concerned. The employers were quite concerned and took measures to restrict access to where the databases were stored on the system. The software company didn't think it was a major problem and it would doubtless be fixed in the Windows version when it arrived shortly. The problem with that was the windows version had been "arriving shortly" for some time.
At my work we used to have an application that needed to be installed on almost all of our PCs. It used a licensing mechanism that had a license server that needed an encrypted list of the MAC addresses of each PC. We would have to call the vendor with a new MAC address each time we replaced a PC, and they would remote in and add the encrypted MAC to the license server. It was a huge pain in the backside. We had plenty of licenses, more than we actually had PCs.
So, one day after having to deal with replacing a couple of PCs, I decided to look into how their licensing worked under the hood. There was a dll named exlicense.dll, Not very well hidden! It turns out that the dll exported only two functions: InstallLicense() and CheckLicense(). The CheckLicense() function simply returned TRUE or FALSE, depending on if the license server said the license was valid or not. It took me less than 10 minutes to build my own exlicense.dll that always returned TRUE. I also implemented the InstallLicense() function in case it got called from somewhere. I even patched the installer to use my dll.
I used to subcontract to someone who did pci compliance tests. One time a bunch of issues came up and we worked to patch them. As we patched things and modified configs the issues went away one by one until only one remained.
Supposedly the remaining issue should have been covered by a software upgrade we did, but it persisted. My boss had to go do other things and left me to investigate. I downloaded the exploit reference code and ran it against the server...nothing. I mucked around with the code and still nothing.
After hours and hours of trying to get the exploit to work my boss called me. Turned out he hadn't quite scrolled to the end of the pci scan list and was looking at the second last report in the list, the one right before the service in question had been upgraded.
Can't tell you how many times I have encountered a "protected" web page, hit View > Page Source and copy-pasted what I was looking for into a text editor.
It stared to die out once when server-side was all the rage, but now we are back in a world of client-side and serverless, it seems to be coming back into its own again.
Many years ago I used to frequent newsgroups on web development subjects. This was a big FAQ: lots of people asking how to protect a page, and many who had trouble with "you can't". Even when viewing source was explained (as in the FAQ).
@Mycho - alternative solution - read the page in question in a text-only browser such as lynx. I do that from force of habit, having started before the days when graphical browsers had the kind of tools you use.
Second on lynx ... There are other, arguably better, text-only browsers, but my fingers know lynx. That'll happen to a guy when he's been using software for a couple decades or so ... Why a text only browser? Well, think about it. 99% of everything useful that you browse is text, right? So it only stands to reason.
 And would probably be perfectly readable in 7-bit ASCII, at that!
"Not to mention the web pages that have little widgets that cover the text if you're not allowed to read it, that you can just right click > inspect element > delete node > carry on."
You mis-spelled "the porn video I want to watch but am too cheap to pay for full access to view"
Once a university course required from me to hand over my assignment through a web form. It had a checker built into it (server-side), which had a bug in it that didn't let me hand over my assignment on time. Once I managed to track down the bug _in the assesing system_, all I had to do to upload the assignemnt file after the deadline had passed was to remove a disabled="disabled" from the form. Oh the sweet times of Opera 12 with its "Edit source" option (way back then we didn't have the nice development consoles we have now). Came the oral examination, I duly explained myself. The teacher sighed "If only you lot put as much energy into the assignment as half of you seem to invest into hacking my system". The fact I had to hack into it because he had a very rookie bug in his beloved system didn't seem to console him.
A few weeks back, we had a bug on some of our tech where it wasn't detecting that some information had indeed been input correctly and the save button was disabled.
Looking at the page's source code, I noticed a HTML element specifying the button was disabled. Removing that element enabled the button and allowed me to save the data. Quick call with the devs confirmed that everything had saved to the database correctly.
Cue fireworks and a victory parade saving the devs having to hotfix a bug on a Friday.
Whereas I needed a change to a stored procedure which no-one claimed to own, in order to make it read a directory from the database instead of a hard-coded variable value >8o(
I tried the obvious code difference but nothing worked. So I sent out a more general call for help and was told to report to one team leader, who now claimed the code and snottily told me he would take care of it and not to touch his stuff and so on and so forth.
He erased my code, then called me upstairs again to show off the changes he had made. I took a look and told him it wouldn't work. He asked why I thought that. I answered that he had simply re-written the code I had put in - that didn't work. (I at least had the excuse that I am not a PL/SQL programmer; he was hired as an expert PL/SQL developer).
I went away and noodled around for a bit and more by luck than judgement hit upon the way this tech was supposed to be coded. I wrote a test proc and ran it with all sorts of fail scenarios to make sure I had m'facts straight.
I sent back my findings by email. Mr Expert then said I should make the change in the proc. I did so. He then insisted I move it over to the test system (despite my telling him I had already tested the file access code) and "test it". This involved creating a dataset from live data and about two hours hard work. When I was done, he snottily grabbed back his code and took the credit.
Fast-forward a couple of years. There's a problem with the process this proc drives. Devs are speaking pompously to DBAs about "what are they going to do to upload the data". I am out sick that day, but get a phone call. I tell the DBAs to answer "Nothing. We do not upload this data. It is processed by code owned by Mr Expert. We have been expressly forbidden to touch this code or modify its working in any way. We stand ready to assist the developers in any way we can in the solution they devise to their vexing problem."
Apparently the look on Mr Expert's face was classic as his make-it-someone-else's-problem strategem belly-flopped. And I laughed all the way through the four day remediation that resulted in Mr Expert losing much sleep. Fuggim.
About six months after that we did a DataGurad switchover and another proc started bleating about directory access. It was clear another hard-coded variable value was to blame. I was called to task for changing the directory name, but pointed out that in fact that had not happened, and that I had placed a soft link as a temporary fix and professional courtesy on the old primary system to make everyone's buggy procs work the last time we had switched over, and that I had said that this was asking for trouble and that it was eventually bound to cause the exact problem we were seeing.
I then went on to add that I would of course add the same soft link as a professional courtesy in the interest of not impacting the production schedule, but that the proc code needed to be fixed as a priority so it wouldn't happen again at the next switchover in six month's time or when we needed to redefine the file system under the directory object for SA reasons.
I then tossed the ball even further into their court by saying that the code needed was already deployed by another dev group, and that Mr Expert had a proc he could show them that would explain how it all should work and that "his code" would be a robust way forward.
No credit for me, but everyone went away, if not happy, secure in the knowledge that the problem could be fixed with minimal effort and I got to avoid another "you own the code for the next four hours" ploy and no need to keep track of stupid soft links to cover dev arses.
In about 1987 we borrowed a 6150 from IBM for use at a trade show. The 6150 was IBM's first AIX (their Unix) machine. It did not have a lot of disk so I removed about 1/2 the operating system so that we could make a decent demo of our application.
After the event we returned the machine.
A fortnight later I had a call from someone in Warwick. They wanted to know what I had changed the root password to. I told them, but was astounded that IBM were not going to just completely wipe/re-install the whole operating system - I would not trust a machine that had been loaned out to someone like me!
Also: did they not know how to break into their own machine at the hardware level ?
Yeah, that was the RT ... Not even IBM's internal folks really bothered learning much about 'em. Under powered, over priced, and not very compatible with anything else. Died after a very short (5 years?) and not very useful life. Like most such bits of born-orphaned kit, there has been a fairly active fan scene around 'em since the early '90s. Fun to play with, if you are into that kind of thing.
Note that AIX was IBM's second version of un*x, the first was PC/IX which was based on System III and ran on the IBM XT ... Yes, you read that right. Look it up if you need a giggle :-)
Back in the days of Compaq they used to have the facility for a power-on password.
They were also very nice in having little diagrams on the inside of the cover to show where the DIP switches and other bits were.
One day my manager was doing the usual box-ticking on security and asked if I'd got a power-on password.
"Oh, yes" says I, "It's there" -- pointing to a small chip embedded in blue-tac on top of the monitor.
"You asked for it, it's there in that chip. That chip that when removed allows anyone access."
'Fair enough, well done, you have a power-up password', ticks box.
One of those rare managers who understood what I was saying.
If you've got physical access to the machine "cracking it" isnt a worry so much as something you should be embarrassed if you cant do. ie more than likely possible (see many tricks described above)
It'd take a hell of a setup to stop a half decent techie armed with boot disks , drive caddy , dipswitches , screwdriver , downtime , permission to tinker etc etc .
Encryption is probly the only way.
"Physical access beats all"
Orange book security standards allowed you assume physical security
Windows NT claimed to meet C2 level security, except for the network susbsystem.
So the machine was perfectly secure, so long as it wasn't networked and you could control physical access !
Not actually that silly, C2 required you to log certain actions in a secure manner. One other manufacturer we tested did log these events, but provided no way of viewing them. The Orange book just said they had to be logged, it didn't mention retrieval.
It'd take a hell of a setup to stop a half decent techie armed with boot disks , drive caddy , dipswitches , screwdriver , downtime , permission to tinker etc etc .
Encryption is probly the only way.
Which is why I use LUKS to give my data (at rest) a modicum of privacy.
As far as I know, I'm not trying to protect myself against 'state actors', so 'Evil Maid' attacks, or custom hard-drive and/or network device firmware is not something I need to protect myself against, yet. No doubt some enterprising malware author is working on changing that. Systems really ought to have the option of a physical write protect/enable switch on the UEFI firmware.
"For most home machines, you can simply reset the CMOS [...]"
In the old days doing that also cleared the hard disk "geometry" settings that were also stored in the CMOS. You had to know the original virtual cylinder/head/sector values - to be able to access the data on the disk. There were usually several feasible variants.
"You had to know the original virtual cylinder/head/sector values "
Which were usually written on the top of the drive.
For old enough drives, they weren't. I used to carry around a book with thousands of CHS values for various drives in it.
Plus, for added laughs, people would often put the wrong number of heads or sectors in. So the drive would sort-of work, but not all of it would be accessible. And they would then get cross when you tried to upgrade their PC. "How can I have lost all my files?????"
"For most home machines, you can simply reset the CMOS (battery or jumper) or use a master code calculated from a hash displayed when maxing out password attempts."
If it's a desktop Intel MoBo, you just change the CMOS jumper from 1-2 to 2-3 and power on. It boots to the BIOS config screen with an extra menu item, top left, where you can remove/change the power on and BIOS passwords.
It's all about levels of security. Most cases have a loop you can padlock, some have a key-lock, some have neither. It depends on the level of security you require. Using something like bitlocker to encrypt a drive gives a great feeling of confidence, and for most use cases, that confidence is probably justified. Someone really determined might just break in and replace the ROM with something a little more co-operative to nefarious acts or find some other way of getting some malware onto the system, maybe by hacking in via the Management Engine or something. Levels of security (and cost thereof) needs to be commensurate with the value of the data being protected.
1998 - at the start of the Y2K remediation project in one of the big banks of the day.
We were using Windows NT without admin privileges. As you might be aware, doing IT in those days without it was neigh on impossible (we weren't provided any tools for the job bar a basic text editor and compiler)
There were no portable apps then either, so an installation was required for everything else we'd need to do our job (like hex editors and the like).
After logging in, there was an init script that ran the antivirus in it's own DOS window. Somehow (wasn't on purpose Guv', I swear) I found out that you could Ctrl+C into that window to get a DOS prompt retaining the privileges the anti-virus ran with (guess what those were) and, from there, do whatever you wanted to, including - but not limited to - changing user privileges.
(A/C 'cause you never know)
Year ago I work for an IT consulting company. We had a contract with a local county government to install a bunch of new PCs at various locations (300+ PCs). It was a little insulting that we were hired to do such grunt-work, but the money was way too good to pass up.
We get on site at the first location, get a bunch of the PCs set up, but can't join them to the domain (Windows NT 4.0 days). They had tried to create a non-admin account for us that could still join PCs to the domain. So after having four people waiting around for more than half a day, we just created our own admin account on their domain. You really have to love Microsoft's half-assed attempt at security.
It was annoying to be treated as a "dumb contractor" when we were much better admins than the government guys!
Many years ago a friend had ADSL broadband installed. The ISP supplied router wasn't very reliable - but couldn't be replaced because the unique user's broadband login password in the config wasn't known. The help desk had no idea what it might be - "it should just work".
A browser "view source" of the config page for broadband showed the password field as clear text. A decent ADSL router was then installed and ran for years without problems.
Recently the friend upgraded to 35mbps. The ISP supplied a new router - and wanted their old one back in exchange. Luckily*** it was still in its box in a cupboard - in apparently pristine condition.
***The friend is a "tidy" person who throws things away if they appear to be unused.
Sonicwalls? Many out there, but mostly in smaller orgs methinks. You're unlikely to find one in a big org. I have several dozen in play of assorted shapes, sizes and ages. They're generally better than most others I've used and are mostly stress free. The old 'can't handle VoIP' rumours are (mostly, now) just down to idiot VoIP providers and sellers who really don't have a clue. Haven't been able to break into one though, at least not yet. If you lock down the management, enable the stealth and don't leave anything stupid open they're pretty safe from opportunistic eyes and scans. Even a 'safe mode' boot doesn't wipe the admin password, only a factory reset does. The latest UI version is pretty swift.
A/C b/c you're not hacking mine.
Early in my IT support career I learned that a way past O/S security constraints was to treat the media as data to a different O/S.
In my early days our mainframe ran several different O/S types depending on the jobs. The operators would prime the configured O/S from tape to the disk as the need arose during the day.
The new disk O/S had a bug that it would not create new users properly. I found that I could use the system tape as data to a program on another O/S - and add a few blocks containing new users' information.
"Early in my IT support career I learned that a way past O/S security constraints was to treat the media as data to a different O/S."
I recall a certain Word document which had some "interesting" history, but hidden from view for Word users.
I forget what protection was in place, but dropping it onto a non-Windows O/S and dumping the raw contents of the file revealed all, in clear text.
It's also a good technique for discovering files which Windows hides.
I recall a certain Word document which had some "interesting" history, but hidden from view for Word users.
I forget what protection was in place, but dropping it onto a non-Windows O/S and dumping the raw contents of the file revealed all, in clear text.
I company I worked for sold access control systems that had a database on the PC. Open that database up in Wordpad, do a search for Admin, right next to it was the password in plain text!
To be fair, they did change that rather quickly!
cheap "safes". In said safe I kept ALL my lock picking gear (it's a bit of a hobby of mine) including the 8pin cylinder pick to pick the safe.
Ahh yes, the safe that the batteries had expired and I had no idea where the key was. Probably put safe (no pun intended) years ago and long since buried somewhere.
So, knowing it WAS relatively easy to pick off I went to the local lock smith to be told "cant open it mate, you'll need to angle grind it!" "But there's a pick in the safe, surely YOU, a LOCKSMITH, have a pick and the knowhow to use it". "No mate, as I said I can angle grind it open". So I left.
Went home and started to think how to open it. Then I saw, under the keypad a recessed "earphone" socket! Bingo, a connector for an external battery pack!!!!
Safe opened, picks removed. Safe then repaired and new lock with keys fitted.
Not copy-protected as it was ok to copy non-redacted information.
Select (including redacted content), copy, paste.
Redacted content now visible - text had simply been set to black with a black background!
Also seen redacted documents where the "hover" information had been forgotten about.
in 2007, the FIA didn't properly redact the documents
I think it was still being called "censoring" or "blacking out" back then.
"Redacting" is one of those Orwellianisms that the Younger Bush and, to a greater extend, the Obama Establishment Construct (the O.E.C.) "brought to the table".
So to say.
A bunch of machines in an IT suite that I was revamping for a school, all tied together with serious steel cables, attached to the machines with some quite serious adhesive on a plate secured direct to the metal chassis of the machines.
Because they were all interlinked, and the cables padlocked together, you couldn't steal one without the one next to it, and so on. I thought it was going to be a nightmare of having to reimage them all in-situ or going through a bundle of different padlocks key endlessly to separate them, but I thought I'd give things a shot to see if there was an easier way.
I knew that you couldn't just pull the computers apart by brute force - I'd witnessed one fall to the floor hard and just dangle there by the plate/cable, and seen a few cursory demonstrations by big strong men trying to pull on them.
But every system has a weakness. In this case, the hefty metal plate that was epoxied in some manner to the chassis that everyone assumed was inseperable. Like with a maglock, it's not how strong it attaches when you pull laterally against the lock, it's how you can break that lateral surface area connection.
Turns out, a small flatblade screwdriver inserted into a tiny sliver of a gap between the chassis and plate, and then a small "twist" rotation of the head at normal hand strength would easily separate the two surfaces. Despite the fact that you could probably tie the offending articles to two vehicles driving in opposite directions and only ever snap the cables not the attachment, once you got the hang of it, you could literally walk down the row, stab, twist, stab, twist and fire the plates off the machines at high speed with nothing more than a basic hand tool and hand-tight motion. And no damage to the machines.
Headmaster of the school came past about 20 minutes after he'd said he'd go get me the keys, saw the pile of hefty steel cables and plates on the floor and his now "insecure" IT Suite and was flabbergasted. We never bothered to put them back on. (And, yes, I had permission to remove them if I could, before you ask).
If I found it, you can be sure anyone determined to steal those machines knew it too, even if they hadn't brought bolt-cutters.
Similarly, schools all used to just buy expensive projectors and dangle them from their high-ceilings on long-rods. In time, people became aware of the necessity of a "swing test". Literally, if you can't swing from the rod with your full weight then it only takes seconds to get the projector down and walk off with it. Sure, you'll damage the hell out of the ceilings/joists, but burglars tend not to care if they can walk out with £1000 of kit in ten seconds.
Despite then being told by several places that "our projectors have to survive a swing test", never did find anyone who even suggested it was possible to build or fit such an item if you're just attached to joists and your ceilings are 14 foot height, so the pole has to be at least 8 feet long. They learned quickly that leverage and brute-force beats ingenuity every time. After that, they started to buy projectors that were marked educational use only (destroying resale value on the main markets), had passcodes to stop them turning on, that weren't as valuable, or that mounted "short-throw" so at least the thieves only damaged a £50 bracket rather than created a £1000 ceiling repair for their insurers.
Reminds me of something that happened to me many many moons ago now.
We were decommissioning some equipment, and for security, they too had epoxied some large plates onto the top of the cases, which in turn had large chains welded onto them, then some large padlocks to fasten to the wall. This gear had been in there for probably 20 years (this was custom electronic control gear, full of relays etc. not servers). You could access the insides for maintenance (side panels), you just couldn't remove the gear itself, not easily anyway (in theory).
Turns out no one had any idea where the keys were, and so they were thinking of getting a disk cutter/angle grinder (too big for bolt cutters) to cut the chains. I wasn't keen on this idea, as I still needed to get the stuff off site, and really didn't want chains etc stuck to them.
I noticed that the surface looked like it was painted, on closer inspection, it was actually some sort of plastic coating. So out with the Stanley, cut a groove in the surface a short way from the plate, then used a blade on its own to lever up the plastic, it just peeled off. I placed a flat wide chisel in between the metal top and the plastic coating, to see if this could pop the plate off. A few taps with universal adjustment device (i.e. a large hammer), and the plates just came off, still glued to the plastic layer!
> tied together with serious steel cables, attached to the machines with some quite
> serious adhesive on a plate secured direct to the metal chassis of the machines.
I remember those well. You didn't even need a screwdriver. Just grab a computer and drag it across the desk, while letting the cable holding the plate back. A nice steady lateral force would slide the plate off the computer. It seems the makers assumed that thieves would only ever try to pull the plate away from the box. Uni students used to remove the plates this way purely for fun.
Buying a pick set just to learn a new, maybe useful skill? $50 and much fun
Teaching your secretary how to pick locks on filing cabinets and so forth so she can do parts of her job more effectively? Now they are worth their weight in gold.
And as soon as I get my new drill mill... bump keys!
My then boss was on hols in the states for 2 weeks, he had all the back up copies in one of those under desk on wheels drawer units. One of the Cd`s had got scratched (to the naked eye that badly) and wasn`t seen as viable media. I arrived with the brains trust trying to pick the lock to no avail in full flap, " ok we drill the lock out no biggie, however...." I turned it upside down, one of the drawers sort of wilted , a GPO #6 screwdriver moved it a little further in and it unlatched from the locking bar, bingo! drawer out and removed the bar.
We got the disks made, 2 copies one for where backups should have been in the 24/7 workshop, not a managerial drawer.
. It was paperclip and several years of old crap armageddon in the drawer unit though.
Many years ago I had need to ask our graphics/marketing literature deaigner to move the nice Vauxhall Carlton hed bought newish sexondhand off the comaony.
As usual, it took ages for him to appear, by which time Id got bored, found a chunk of parcel strappimg, opened the car and was waiting for him.
His reaction: You camt have done that its an executive range car.
Another time, our admin lassie rang in from town, having locked herself out of her Datsun (it WAS a long time ago). Went to her rescue and managed to spring the catch on the back window then rwach in and unscrew the catch from the glass, open the window enough to reach the hinges, unscrew them, lift out the window and finally get at the door latxh.
Despite the two of us doing thus in the middle of a carpark and making no secret of it, no-one took the blindest notice of us.
"Summarily killing the messenger who brings bad news goes back probably several thousand years."
Some background searching suggests that in fact people were usually exhorted NOT to kill the messenger. Basically they were granted immunity by either convention or law - and breaches were usually regretted.
Back when I was doing QA for Packard Bell/NEC in the era of Pentium 200MHz & Windows 95, I figured out how to crash the system using the registry editor & MS Paint. Open the editor, copy a bunch of text, open paint, paste in the text, edit the text (it didn't matter how only that you made some change), copy the edited text from paint, paste it back into the registry, & tell it to save. The system would promptly shit itself since paint did something wonky to the text that the registry editor didn't like & the whole thing keeled over like the Titanic.
I notified my boss whom contacted the software folks whom contacted MS; we got a visit from a bunch of MS geeks later that week & they had me repeat the issue. The computer wasn't the only thing to shit itself that day. The MS geeks left in disbelief because "That's not possible!" except they now had proof that not only was it but easily done.
It was at that point my fellow QA team handed me & my partner matching t-shirts: white background, black classic bomb-with-burning-fuze logo & black lettering proclaiming "QA Bomb Squad - if you want it to pass don't hand it to me!" I loved that shirt. I think I wore it to death.
AC because if my old boss is reading this he'll come smack me for all the hell I put him through. :-D
a lifetime ago I did QA testing for OKI (very temporary job) - one of the jobs was an automated power test on the printer boards (they were being soldered in the same room). we would hook up the control board, and press a button on the computer, and it would run the tests on the board. I was bored with how long it took, so stated playing around with the computer (DOS 3.1 I believe) - discovered that I could adjust the parameters of the test, and if it ran too quickly it would ALWAYS blow a couple of caps - and require a resolder. I did find a sweet spot where the boards would still pass, but the tests took less than half the usual time.
I once crashed Windows '95 by starting a small visual basic app,then starting up a second instancee, third, etc, until Redmond decided that 56 running programs was the limit. I then tried to log out to stop all the instances without having to click them all separately. This was enough to crash Windows '95. Later I crashed an old NT server by firing ping packets at it without the customary 1 second delay and in other ways.
More interesting was when I upgraded a PC of the local student union from Windows '98 to NT 4.0. This worked until I looked at the registry settings and noticed that mostly any logged in user could change any setting, so I tried to secure it, but I went a little further than intended. Now nobody had access - even Administrator and System. NT could not boot without registry access. The usual trick of trying to upgrade Windows (to the same version as it was running) also failed without registry access. Only reformatting the disc helped.
AC because if my old boss is reading this he'll come smack me
Naw, mate. AC because:
Back when I was doing QA for Packard Bell
Back in the P60 days those things were abominable, with that shitty operating environment slapped on top of Windows. And those god-awful WinModems. I shudder at the thought these days. The number of them we sent back as faulty...
Still, can't blame you. Worse things have been done in the name of paying the mortgage...
In about the year 2007, a colleague had made a nifty spreadsheet that was password protected because he didn't want anyone to know how he'd done certain 'cool' effects. He had hidden columns and all sorts of stuff like that.
I renamed it as a .txt file and opened it in Notepad (which took a while). Near the start of the file was some text that looked very nuch like it was a password, it was his name plus some significant text. Sure enough, that was the password. I do hope the Excel password protection is more secure nowadays.
It is, thankfully
Mind you, after they stopped putting the password in plain text (office 7 or 10, not sure off the top of my head), they replaced it with a hashing system that had collisions. A *lot* of collisions. Very easy to brute-force with short strings, regardless of the password.
The current scheme in office 16+ is pretty decent, I think, but that might just mean no-one's pointed out the flaws yet.
(Anon because t' Computer Misuse Act says I ought not to know these things)
Excel's read-only password protection is still garbage.
For .xls files (which we still use a lot of), it's fast and easy to break - create new workbook, protect with random password, run brute-forcing macro, wait 2 minutes - macro produces a usable password and an unlocked worksheet.
For .xlsx files, it's only slightly harder. Rename to .zip, unzip, open xl/worksheets/sheet_.xml, delete the tag sheetProtection, save, rezip, rename to .xlsx, and open. You can probably put it back after editing the file, to reprotect it with the same (unknown) password.
(Just tried these in Office 365 ProPlus.)
I once attended an "advanced" Excel class at $employer. Instructor was trying to show us something, but couldn't because the sheet was edit-protected. Got the file from her, removed the password, and sent it back. The look on her face was priceless.
(AC, 'cos current $employer)
1. Take hard disk out of PC
2. Hang on another PC
3. Copy cmd.exe over the top of utilman.exe (may need to fart about with permissions)
4. Put hard disk back in original PC and boot
5. Click on accessibility icon when Windows Logon screen appears
6. Marvel at the command prompt that appears running in the context of SYSTEM
7. Use command line tools to create a new user, as member of administrators group
8. Full logged-in admin access to operating system at your fingertips
Yes, Bitlocker generally thwarts this approach; but it's a fairly quick way to earn £50 for unlocking people's home PCs when they've managed to forget their password.
Inherited one from a coworker. Back in the day, it had been a CAD workstation. He'd been using it as a footrest for some time. I wondered if I could get it to boot. After spending *way* too much money on keyboard, mouse, display and network adapters to convert the proprietary interfaces to the more commonly available PC versions, I powered it up...and was confronted with a demand for a username and password. The SGI systems are quite secure (see below), requiring a ROM password to bypass the default boot process, so I wasn't able to just look at the (SCSI-1) HDD without some effort.
No problem, I thought, I'll just ask the IT guys if they remember what they used back then for a root password. They told me...and it didn't work. However, Google told me that demo/demo might work (it did), so I was able to look through the /etc/passwd file (remember, this is *classic* UNIX). Said file was transferred to a PC using the network connection, and "John the Ripper" was applied to it. By the time I had returned from getting coffee, the password had popped out. And it worked.
Fast forward 6 months later and I get a phone call from the IT guys. Hey, they said, guess what we found while we were cleaning out the safe? An envelope, labeled "UNIX Root Password", which contained a piece of paper, on which was written the password I had recovered.
I managed to find a second SCSI HDD on Ebay, some IRIX OS upgrade CD images on a bittorrent site and created a new boot disk to play on. The system's sitting in my basement. The SGI graphics demos are wonderful, the system boards are impressively heavy and logging in is like taking a trip down memory lane!
I’ve spent years hacking away at locks and passwords but my favourite is still the first. I was working in an old church used as a museum, we found the proverbial “old locked desk drawer”.
After much mucking round it finally gave in and contained nothing but forty year old stationery and a pair of old photo negatives. I had a quick look at the negatives “Queenstown 1912 april 11th” and two mid distance shots of a ship.
Yup, you guessed it, I was holding the last two photos of Titanic ever taken. As this was before Ballard found the wreck they were unique.
I’ve opened up lots of locks since then but only ever found crud, that day was a good day.
I recently bought a phone from Ebay (boxed and complete with all original accessories, so not freshly acquired by a teenager on a moped), only to discover that there's a new security feature on some Android phones: after a factory reset, you have to log in with the old account to verify that the phone hasn't been stolen.
Sadly, the seller had done the factory reset, but hadn't followed up with the verification, and completely failed to respond to my queries; I ended up raising a refund/return request, and still only got an automated "you can return it now" response on the very last day before Ebay would have auto-refunded me.
Thankfully, a bit of searching around threw up a solution. I can't remember the exact details, but it was something along the lines of: open the keyboard's accessibility options and click through things until you got to a help page where you could trigger the Youtube app, from which you could get into the phone's settings and trigger a full credential reset.
Then it turned out that the phone was locked to the wrong network. Fortunately, there's people selling unlock codes on Ebay for 99p, so I just bought one of those - far cheaper than the high street or dedicated unlock websites, and I'd pretty much given up on trying to get anything else at all from the seller!
Some of the older variants of these tricks have been plugged by security updates. But when it's an older device and it's had a factory reset, it's back at the original security patch level. Rescued a Lenovo tablet a few weeks ago with one of these. First two I tried didn't work. Third time's the charm.
Ah yes, the good old days before ebay! I bought just over a hundred Toshiba laptops in our local auction from a company that went bust. All were BIOS locked, so as no-one could get in to them I managed to pick them up for peanuts.
This was back in the time though all you had to do is have a spare parallel port connector and solder a couple of wires to the back of the connector. Plug it in to the laptop, turn it on and one wiped bios password.
Hanoi, 5 years ago, I think they hotel was Blue Lotus or something like that: I could connect to the hotel wifi with the phone but there was no Internet access. Bummer, because I needed it to find out what to do in the city (What, talk to someone?! In person? Pfft.) Well, I put the gateway IP in browser...nice, a router login page! Tried the usual default admin passwords and voilà, I'm in. Looked through the configuration, couldn't see anything wrong so I just selected the reboot option, waited for a minute... and Internet! Yay!
Turns out the tourist guides are not worth anything. Just go to the street side stalls with the small plastic chairs, you get the best food there!
It's 1942. Artillery sergeant is teaching gunners how to fire a machine gun. Sgt asks if anybody has fired one before.
S. Milligan Esq continues the narrative: "I had but I said nothing. In the Army never volunteer for ANYTHING." - from "Adolf Hitler, My Part in his Downfall" by Spike Milligan (sorely missed).
John Pertwee's biography recounts a story of being asked if he spoke French when in the army. He was from an old French family in the channel islands and spoke it like a native - but of course kept quite.
He later met the fellow officer who had said yes - and had been posted as military liaison on Tahiti for years
" [...] and had been posted as military liaison on Tahiti for years"
An IT colleague had flown Sunderland flying boats in the war. He then obtained a job as a pilot on one of the legs of the Empire flying boat service to Australia - stationed in Tahiti. He said it was a dream posting - especially if you ignored the main city which looked like a clone from France.
"Sgt asks if anybody has fired one before."
Reminds me of the possibly apocryphal scene in the comedy film "Carry On Sergeant" (1958) - which is set just after WW2.
The sergeant is giving a lecture to the new conscripts about maintenance of a submachine gun. Having stripped it to a collection of components he notices that one guy is obviously not paying attention.
So the offender is told to put it back together - which he does with amazing speed and dexterity. The sergeant apologises for thinking him inattentive. The soldier admits he wasn't listening - but says his previous job was in the factory that made the gun - doing the final test assembly.
It was a very slick demonstration in one continuous take by Bob Monkhouse. He must have had a lot of practice.
...I was chuffed & know I was SUPER lucky.
Just been asked to get a password for Excel that was set to protect a sheet. Not the best of security I know but still. Normally use an article I found ages ago about the AllInternalPasswordMacro. Didn't use it this time, wanted to try something different.
I use Sysinternals software all the time. Didn't think it would help though, really need to look at memory I thought. So turned to Process Hacker. Ran Excel, got the Unprotect Sheet dialogue box up, put in anything, got the "The password you supplied is not correct" box up then looked in Process Hacker. Looked at the properties of Excel, looked at memory, then looked at Strings, did a filter for word "password" and only a few results back all related to the "The password you supplied is not correct" dialogue box. Double clicked it to show what was in memory at that moment in hex. Saw that wording and soon after saw
I wondered if this was some kind of hint prompt so put in the actual site name that the document was about. Sure enough it worked. I was in.
I've tried to recreate it on the same document but can't. Haven't seen the s.i.t.e-n.a.m.e in the hex entries since. And playing with excel it appears when you set the password for the protection of a sheet, there is no option to give a password hint.
Got proper lucky on that one. Maybe I'll buy a lottery ticket tonight.
Where do I start...
My first proper job, not counting work experience during high school, was very late '70s to very early '80s. Working for a company that designed and built a S-100 computer. At one stage we had sold one of those computers to the company that ran the catering and housing for a mine site that was under construction. I got to live on site for a while, programming that computer, and then the second computer they bought.
At one stage they added some fancy security locks, two to keep the case locked, and eight front panel key switches to unlock various functions depending on what key you had. Some sort of unusual geometry of the keys, I think it was sorta 3D triangles or some such. Supposedly unpickable. So one day, I'm twiddling my thumbs while I wait for a compile, I have a medium sized screwdriver, and a gleam in my eye. I love a challenge. Stop me if you've heard this one before. Didn't take long to "pick" one of the case locks open, which was just shove the screwdriver in and jiggle it randomly a bit, barely any force needed. Close it up again, go get one of the bosses, demonstrate it to him.
Since the office computers where being used during business hours, I was often working on them during the night. Remember, this was early '80s, computers where rare. Since I was in the office of all night anyway, the client slung me a bit of extra cash to be the emergency accommodation officer. Late arrivals needing to sign in and get their rooms assigned, drunks coming home from the pub but lost their key so I had to cut them a new key, that sort of thing. The main accommodation was demountables with small rooms and cheap locks. Aluminium keys that would break off leaving half of it inside the lock, locks that would rust in the high tropical humidity and jam, etc. I became adept at pulling the pin out of hinges and opening the doors the other way, using needle nose pliers to grab the half key stuck in the lock and giving them a twist, and for those really hard cases, using a crowbar to break the seal on the windows and open them up, without actually breaking the windows. I've lost count of the number of places I have legally "broken and entered".
My next job was with the Department of Health. Usually I was in the IT offices, but once I had to go out to the head office, where they actually used the systems we developed. I should point out that up to that point, I had nothing to do with the IT security systems. For some reason or another I was in need of a real password to log onto some part of the system to check what ever they had sent me out to fix, something to do with patient records or billing I think. I didn't have a suitable real password, I only knew the test passwords. While someone went off to find a password for me, I pushed the return key for some reason. Once again, stop me if you've heard this one before. "Password" accepted, I was in. Repeat a few more times just to double check, indeed leaving the password field blank got past the password check. I reported this, and they asked me to fix it when I got back to my office.
Slightly off topic, but it did involve bypassing a security mechanism. At around about that time I had a game for my very own computer, on a floppy disk. It used the sort of copy protect mechanism where they use a laser to burn coded spots in the floppy disk. The idea is you write to those spots, of your can't read back what you wrote, the proper holes where in the disk, copy protection was in place, continue to boot the game. Naturally at some point the copy protection code managed to write to the wrong bits of disk, corrupting it so it would no longer boot. I'd paid good money for this game, and as state above, I love a challenge. Didn't take long at all to disassemble the boot code, find the call to the copy protection code, simply patch out the call, and boot my game. It was the copy protection code itself that had been corrupted. Some of the graphics had also been corrupted slightly, but it was still playable.
I'll stop now, the beginning of this comment is about to scroll off the top of my screen.
I worked for a nuclear power plant, and one access to the reactor building was through a 20-ton slab of concrete on the yard outside. It had the tiniest padlock, the kind I wouldn't even use on my bicycle, securing it on the ground.
I laughed, but then I got the explanation: that was a SEAL, to show signs of TAMPERING, or signs that something inside the building had gone possibly VERY wrong. Like, "steam blast pushing 20 tons slabs out of place" wrong.
If you get past security with a 20-ton hydraulic arm truck and manage to lift that slab without proper authorization there would be some chewing around... and in an emergency, security can authorize the slab to be raised like the padlock wasn't even there.
I spent 4 years getting by that padlock snickering and thinking how clever it was afterwards...
While outside the plant, in the nearest neighborhood, distribution had a problem in their hands: the switchgear cabinets kept having their padlocks broken, but no gear or copper stolen from them... those were old-school brass padlocks, most valuable to junkyards. Once replaced with steel ones, nobody stole them anymore.
Not IT related, but I found parallel to these padlocks in computers, like those darned hardlocks used for CAD sofware...
Details differ, but this story is about 90% in sync with one of my own.
In the early 1980s, I was on a mainframe system that had a punchcard interface, and a terminal interface, which was actually just a terminal that simulated the punchcard system. This is important to the story.
The system used 8 different queues, and the terminal queue was only one of them. However, all terminal jobs, for all users, were using the same queue, queue #1. So if 200 users were using terminal jobs in queue #1, if you ran your job in queue #2, it would run much faster.
However, terminals could not use any queue other than queue #2. So, the secret (documented in the manual) was to use the SUBMIT command, to submit the job in another queue. Of course, you'd have to write all of the terminal inputs into the card deck ahead of time so your job didn't get stuck, but once you did, you'd find your job would run in 90 seconds rather than 90 minutes.
Now, at a terminal, you logged in with username/password. When you submitted a job to a queue, you needed to put /USER(username,password) card at the top so the job would log into the queue. A neat trick was that the card deck you submitted was the INPUT file, and you could play with it like a file pointer.
In other words, the following job:
When submitted would result in the output to your job appearing in your queue, and you would see USERNAME(MYUSERNAME,MYPASSWORD) in clear text. Amusing, but not very useful.
However, the mainframe was networked to another, and when you changed your password on one, it would change it on the other... eventually. So you could run this job to see what your current password was, ie. if the change had propagated over the network yet.
But how does it propagate over the network, I wondered. It turned out it was done as another job in the queue, but was done with the site admin's credentials. So, I wrote a batch job that changed my password, that looked like
And lo and behold, the following appeared in my batch queue:
And lo, I had the adminpassword, in clear text, in my input queue.
The admins denied I could do this. So, I logged in using their password. I was called into the head of network security's office who said no, this was not possible, and then I logged in at a terminal in front of him. He still didn't believe me, and he changed the admin password. I told him I could get it in 10 minutes, and I did.
The end result was "tell anyone about this and you will not only be fired, I will have you killed" or words to that effect.
I had been hoping/expecting that I'd uncovered an implementation issue that they hadn't properly configured, which could be fixed now that they knew of it. Instead, I'd found a design flaw in the network security layer than required an operating system patch. This was $BIGNAME$ corporation, which had mainframes around the world, in sensitive areas (far more sensitive than in the industry I was using it in), and the idea that a low-level user could crack the admin password in under 10 minutes stopped several hearts in the boardroom.
Eight months later, I was called back into the head of network security, and told to try it again. The bug had been addressed in a patch, but it was still being rolled out worldwide, and I was still not to speak of it "ever again". Which, technically, I guess I am, except (a) this story is 30+ years old, (b) the mainframe I refer to is almost entirely obsolete, as is the network it ran on, and (c) the issue would only affect said mainframe whose patch levels aren't at 1982 or so level yet.
Shorty after we had been upgraded from Win98 to NT3, the boss had changed his password only to find next morning that he couldn't log in. The IT bods insisted that the only way to get his PC up and running again was to completely re-install, losing all the stuff he had stored locally in the process.
5 minutes on the interweb found a downloadable linux utility which could read NTFS and remove passwords from the appropriate hive. Another 5 minutes to write a 3.5 floppy and return to his desk and he was up and running again. No where near as heroic as the original story but I got a £50 bonus at year end for excellence beyond my job description. I later worked out that he had caps lock on while creating the password but not on subsequent attempts which was why he didn't get the usual capslock waring.
Those were the good old days, sigh. An entire OS with hacking utilities all in 1.44 MB What has the world come to that even Linux needs a quarter Gig to run in, and Windows won't run any programs unless you have at least 2GB.
OK I know some one will come up with a version of linux you can self compile to do the same trick, so I expect a few downvotes.
"OK I know some one will come up with a version of linux you can self compile to do the same trick, so I expect a few downvotes."
No downvote, but an upvote instead, coz in general I agree.
Aboriginal Linux might be a start for that sort of thing. http://landley.net/aboriginal/about.html Development for it finished last year, but it's still usable. I've used it to build an OS for an embedded device.
Not security breaking, just breaking but related to the password issue.
I joined a team rolling out upgrades to a chain of opticians. We were upgrading both the Unix server and Windows client tills. I shadowed a guy the first time then was let loose on my own. I did the server upgrade not problem by following the script, then upgraded the clients, but I could not get them to talk to each other , tried typing the passkey at both end many times.
A visit from another engineer the next day (after they had been down all day for a 1 hour upgrade) showed me what I had done wrong. I normally use the number keys ont he main keyboard, above the letters, but the engineer I had been shadowing used the numberpad soI thought I would try it that way. What I hadn't noticed that was he had pressed numlock. I was typing in the same passkey on server and client, but one with numlock on and one without.
I never use the numberpad now.
...trust if I remember right they used Sophos encryption. I pointed out a flaw but was told "its a feature" because I "wasn't in with they boys" (c**ts more like. Harsh but fair description).
Sophos had a bad habit of locking us out of the laptops at boot. Would lock your account as well. But I had an old laptop I kept back that had my account on it that was unlocked. All I had to do was boot from the laptop with the unlocked account which would unlock the other laptop.
I gave up convincing them it was an issue. I left and later discovered someone else pointed it out. They finally listened and discovered they made the laptops overall the server instead of the other way round.
Elderly neighbour locked herself out, distressed at the cost of a bank holiday locksmith (but not quite distressed enough for the police to break in for her) she mentioned there were keys inside in the lock of the other door.
Out we went with toolbox and a small mirror to make something to hook the keys out through the front door letterbox. Took maybe an hour, Victorian terrace street plenty of people passing and not one single person queried or even jokingly mentioned what we were doing.
I guess it was the toolbox. I'm told a hi-viz and a bucket of water will get you in just about anywhere.
Neighbour let her door close behind her - and she didn't have the key with her. I was asked to help as it appears to be assumed I can almost walk on water with my life's experience of solving problems.
Fortunately the inside of the door lock mechanism was a lever handle not a knob. Shaped a wire coat hanger into an "L" - and pushed it through the letter box to loop over the handle. Then used the handle of the walking stick to apply a downward pressure on the wire - without it slipping off the door handle. No more than a minute in total and the door was open.
First time I had done that trick - but everyone was amazed a thief could gain access so easily if the door wasn't double locked with a key.
Same street, fire engine turns up outside one teatime and their radio came right through the hi-fi (A&R A60). Turns out the young female student occupant (details that seemed important to the fire service) had locked herself out with a fryer going on the hob.
Smart friend, house in her name, partner & father of her three kids decides to re-engineer his personality with cocaine. He's kicked out but returns one day while she's showering and one of the kids lets him it. He drags her into the street, naked except for a small hand-towel, and locks her out of her own house. Phone box 999, mentions she's naked - said she'd never seen so many police cars turn up at once.
When I was in the Air Force, we were to enter a room to do periodic maintenance. Only the day lock (a five push-button job) had been changed. It was about 0230, and the lead was trying to decide if he should wake up the day shift supervisor or just put off the PMI. I informed him that I could go through the lock.
"Is that an order?"
It took less than a minute.
Recently had one go intermittent and then completely fail. But we noticed a pattern... it would only fail when we were wet and cold. So we grabbed a blowtorch, a hammer, threw on some overalls and went to work "gently" heating the lock and providing percussive encouragement. Security patrol walked right by us, totally ignoring two men in somewhat battered clothing working on a lock with blowtorch and dead blow hammer. 2 min and we were in.
One of my friends knocked one day and growled that he had locked himself out of his foot locker. I said maybe we could pick it, so we went around to his place and took a look. It was a beautiful piece of woodworking, glossy oak. He told me his granfather made. The lock was a padlock through a hasp. Picking was a definitely possibility, but any quasi-cubical object has six sides. So I turned it aound and discovered the hinges were face mounted. So we broke out his Swiss Army knife removed the hinges and he retrieved his key.
Microsoft Combat Flight Simulator 3 and Age of Empires 3 had all the game variables in XML files.
Things like "points of contact" of aircraft. 3 points with Z= 0 are the landing gear. Delete all the others and enjoy your nigh-invulnerable plane. Delete these 3 and watch the airplanes cross the airfield floor and explode when they go underground, even before the game begins.
Age of Empires 3 had all the variables spelled out, like TrebuchetAttackForce = 20 or something like that. Replace that 20 with 255 or 65536 and watch all your enemies buildings crumble beneath a single catapult attack. But I think that on AoE 3 only the heroes were identified, so if you changed one of these generic attack units, they would change for BOTH sides, so you could mod your game to your heart's content, knowing that your enemies would get the upgrade too... with hilarious results.
A friend got his hands on street sweeping simulator...
The variables were done in the same way, and he had great fun with the game - changing them so that the wheels were in different positions, making it spawn more, increasing speed etc, making the wheels put quarry dumper trucks to shame, and then putting them all round all over the place, so it acted more like a huge ball.
ah, here it is: https://www.youtube.com/watch?v=dHKpCD1OOvQ this was still quite early on in his experiments.
Someone made a game out of sweeping streets?
Has anybody made a game out of collecting garbage? Watching grass grow? Paint drying?
Actually I found a VR game for Google Daydream that involved doing a stock take in a department store. My favourite though was VR solitaire, with online multi-player mode. Some one doesn't quite understand the concept of solitaire games, and there are two different apps for that.
Well, there's a Computer Repair Shop Simulator on Steam... so... anything goes.
From the cryptic broken english request from users asking to fix or upgrade their PCs, to waiting for delivery of parts, it's pretty broad.
And Solitaire games were developed to get the user familiar with the interface... like a mouse. A VR solitaire should serve the same purpose then, familiarity with the helmet/goggles and handles.
If you had one of those, you just booted off an IBM-pressed Windows 95 disk to format your machine and reinstall all the factory drivers. It formats and then decompress several zip files, not an actual installation, more like an image. (It beats having those in several floppies, back then.)
I lost/damaged the drivers of its unique winmodem, and sure enough they were in a password-protected .zip file inside that disk. But no password available, even in the manual there was no option for a partial restore, I'd have to REFORMAT the whole thing to get it going. It didn't ask for a password if you formatted it off the bat, however.
Cue zip cracker for DOS. First attempt, only lowercase, 8 digits. Pentium 100 MHz gauged 2 million attempts per second.... off to lunch.
The password is "magic".
If you got old IBM hardware and install disks on passworded zip files, try that. Why would they put their own Windows installation and drivers inside locked zip files is beyond me.
Biting the hand that feeds IT © 1998–2021