back to article Parliament IT bods' fail sees server's naked OS exposed to world+dog

Someone in the Parliamentary Digital Service managed to leave a server so completely exposed to the internet that Google indexed the Windows machine’s operating system. Register reader Chris, who stumbled across this while searching for something related to a Google update, discovered that sizeable chunks of bills.parliament. …

  1. Doctor Syntax Silver badge

    It seems to have disappeared from the cache now.

    As a non-GDS site you could actually see a reasonable amount of stuff on-screen at one time without the GDS trademark white space, large fonts and flaccid prose.

    1. Anonymous Coward
      Anonymous Coward

      still in google cache for me.

      1. steviebuk Silver badge

        All appears gone. I get nothing :(

  2. rmason

    it's probably

    It's probably quite difficult to do something like this, this badly.

    Qudos!

    1. Alister

      Re: it's probably

      Kudos, possibly? Or maybe you were thinking of QDOS?

      But you're right, you'd really have to work quite hard at the stupid to be able to allow web browsing of the whole system drive.

      1. rmason

        Re: it's probably

        missed the edit window, curses.

        :)

        1. Anonymous Coward
          Anonymous Coward

          Re: it's probably

          By 'curses" do you mean the unix terminal package?

      2. sal II

        Re: it's probably

        I doubt that the people working there know what QDOS is...

        A fine example of the kind of talent you get on government salary / Inside IR35

        1. steviebuk Silver badge

          Re: it's probably

          We can't all afford to be outside of IR35 and work for ourselves. Some of us hate travelling and want steady work, doesn't mean we're shit. I've seen plenty of "outside of IR35" contractors who are also shit. You get shit on both sides.

        2. Steve B

          Re: it's probably

          I used to love developing for QDOS.

      3. Anonymous Coward
        FAIL

        did that.

        I can't remember why I shared / over samba 16 years ago, but I did.

        I can't remember why I made it guest writeable, but I did.

        I can't remember why I made that machine's IP also the DMZ, but I did. (probably for telnet and I didn't yet bother with port-fw in the router)

        I think I remember that there was nothing important on it and it was just a nearly-useless P-166 or 200 with maybe 32MB and maybe a 1- or 2GB disk.

        When I came in a day or two later, it didn't answer. / was empty and I instantly knew why.

        "At least" I got that out of the way, back before anything was riding on it.

      4. GruntyMcPugh

        Re: it's probably

        @Alister: re: QDOS

        A few years ago, I signed on after taking voluntary redundancy, and because I worked in IT, I got referred to a training outfit and they called themselves QDOS. I mentioned when I saw them, that QDOS used to stand for 'Quick and Dirt Operating System', so older IT veterans like myself would associate 'Quick and Dirty'with their business, not 'kudos'. I asked them why they hadn't Googled and checked the history. They seemed a little embarrassed.

    2. Radio Wales
      Black Helicopters

      Re: it's probably a job for MI5

      Maybe the trusty techhie has a slightly foreign look about him/her and put on fat-finger gloves to avoid leaving incriminating DNA.

      Just a thought...

  3. Lee D

    If that allowed read-only access to, for instance, the NTDS or other password files.... then ouch.

    John The Ripper can take those and crack the passwords offline, and then use them to login elsewhere, most likely.

    And I'd guess that any web server is probably holding at least SSL private keys... again... ouch.

  4. Anonymous Coward
    Anonymous Coward

    Right click - Share C drive as read only...

    ...now open the 139/445 ports to the internet for file sharing.

    Job done.

    Feking eejit.

    1. Alister

      Re: Right click - Share C drive as read only...

      Nope, that's not what they've done.

      They've set the default IIS site to point at the root of C:\ and then turned on file and folder browsing. So the whole drive is available over port 80 from the web server - which is how Google have managed to index it.

      Which actually takes more concerted fail than your way...

      1. John Brown (no body) Silver badge

        Re: Right click - Share C drive as read only...

        ...or just managed to fat finger a space character into the path for web site home,

        eg c:\<space>\path\to\site\files\

        1. Alister

          Re: Right click - Share C drive as read only...

          @JB(nb)

          That on it's own would not be sufficient, you'd still have to change file permissions and allow folder browsing, both of which are deliberate acts of mind-blowing stupidity.

          1. Anonymous Coward
            Anonymous Coward

            "deliberate acts of mind-blowing stupidity."

            "cygwin, the Lynx WWW client, Perl "

            From this software, it looks a Linux admin trying to manage a Windows box... these are the results.

            Sutor, ne ultra crepidam...

        2. NiceCuppaTea

          Re: Right click - Share C drive as read only...

          Its actually quite easy to do.... no need to activly change file permissions, the fat finger path with a space plus using an account to run the IIS application/site that is a member of the default Users group would have the seen results. Easy mistake to make but still not forgivable...

      2. Halfmad

        Re: Right click - Share C drive as read only...

        Been a good few years since I touched IIS but isn't it actually quite fiddly to configure it that poorly? By default it's way more secure?

        1. Alister

          Re: Right click - Share C drive as read only...

          Oh yes, it would require changing a lot of the defaults to make it work, and you'd have to change the file permissions on the drive as well. Whoever did it was world class, without doubt...

        2. waldo kitty
          Mushroom

          Re: Right click - Share C drive as read only...

          Been a good few years since I touched IIS but isn't it actually quite fiddly to configure it that poorly? By default it's way more secure?

          these days, maybe but back in yesteryear, it was not so stable or secure... it is still as fiddly as hell, though...

  5. AndrueC Silver badge
    Joke

    Hey if you search it long enough you might find a credible plan for Brexit.

    1. Will Godfrey Silver badge

      Hmmm, not sure I'll still be here in 30 years time!

      1. hplasm
        Windows

        Hmmm, not sure I'll still be here in 30 years time!

        That's Windows time!

        30 years...5 seconds...30 minutes...3 gigayears...99% complete...99% complete...

  6. Anonymous Coward Silver badge
    Big Brother

    As paranoid as I am...

    Who's to say that it wasn't a honeypot, and by perusing it you've just been added to the 'suspect hacker' list??

    It's also obviously stuff that they can use in any future criminal case against you: hacking government servers.

    1. Jason Bloomberg
      Black Helicopters

      Re: As paranoid as I am...

      It's also obviously stuff that they can use in any future criminal case against you: hacking government servers.

      I'm not really sure looking at Google's cache is tantamount to hacking a government server. I'll add more once I've dealt with that persistent knocking on my front door. Sounds like some ejit is trying to kick the whole bloody door down!

    2. Notas Badoff

      Re: As paranoid as I am...

      If a spray-painted tag on a government building is a password, am I 'hacking' when I see it?

      1. Anonymous Coward Silver badge
        Holmes

        Re: As paranoid as I am...

        If they want to incarcerate you, yes.

    3. phuzz Silver badge
      Holmes

      Re: As paranoid as I am...

      "Who's to say that it wasn't a honeypot"

      Because that would assume some level of competence, and here in the UK we don't expect that sort of thing from our government.

    4. Mark Manderson

      Re: As paranoid as I am...

      lol you give civil servants too much credit chief.

  7. This post has been deleted by its author

  8. Philip Storry
    Coat

    You don't understand their genius...

    You can't steal their data. They're giving it away!

    HAHAHAHAHA! YOUR MOVE, HACKERS!

    (I'll get my coat.)

  9. whitepines
    Big Brother

    Isn't that criminal copyright infringement? Shouldn't some government employee(s) be going to jail for several decades for that?

    Or is this yet another case of some pigs being more equal than others?

  10. ps2os2

    Shhhh... Don't tell the IRA (Russian hackers of the GRU) they might find some gasp emails and then the house of lords may have to do a tell all.

  11. StuntMisanthrope

    Sentience.

    Even the computer systems want out! #trythebabelfish

  12. Psmo
    Windows

    Parliament... bods... naked... exposed...

    I ready shouldn't skim the headlines so quickly.

    Someone pass the mind bleach?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021