Job 1: Get the boss on the network. Job 2: Figure out why Job 1 broke the network for everyone else

Welcome readers one and all to another instalment of Who, Me? in which we recount tales of technical troubles (and occasional triumphs) that our valued readers have been dying to get off their chests. This week meet a reader we'll Regomize as "Walt" who found himself working in technical support at, of all things, a theme park …

  1. chivo243 Silver badge
    Go

    What's the password?

    Walt sent me!

    1. Gotno iShit Wantno iShit

      Re: What's the password?

      Man I'm slow some days. It was only when I read this comment that the penny dropped as to which theme park it was.

      1. BenDwire Silver badge

        Re: What's the password?

        You might have guessed sooner if iDevices had a mouse ...

        1. Anonymous Coward
          Anonymous Coward

          Re: What's the password?

Well, the iDevices still hint at Scrooge McDuck....

      2. steviebuk Silver badge

        Re: What's the password?

        Thorpe Park.

      3. Anonymous Coward
        Anonymous Coward

        Re: What's the password?

        There's no way a park that big has help desk folk given that kind of network access. Especially not without a change request.

        In fact given my own experience working at a theme park based around bricks in Windsor, that became part of a large conglomerate whilst I was there, I'd suggest this theme park was a smaller, independent affair.

        1. Janir

          Re: What's the password?

Nah, it's quite possible. Especially when you've outsourced the IT help. A proliferation of admin access to a level 1 admin pool of staff without any basic controls is a whole lot more common in larger companies than one would like to believe.

    2. Cheshire Cat
      Go

      Re: What's the password?

      Here to meet Jessica, eh?

      1. chivo243 Silver badge
        Happy

        Re: What's the password?

        Here to meet Jessica, eh? Nah, just dabblin in some watercolors... with my pants up!

  2. Richard 12 Silver badge
    Boffin

    I hope it was only the WiFi

    As the park would be very dark, very quiet and very still if the wired network went down too.

    1. Little Mouse

      Re: I hope it was only the WiFi

      ...apart from the screaming as all the rides span faster and faster out of control(!)

      But anyway - Why were the public and staff on the same WiFi network?

      1. jake Silver badge

        Re: I hope it was only the WiFi

        "Why were the public and staff on the same WiFi network?"

        I've noticed you'll often get that with Apple geniuses in charge of iDevices.

      2. Anonymous Coward Silver badge
        Facepalm

        Re: I hope it was only the WiFi

        Almost certainly on different SSIDs and VLANs but the same physical access points and cabling. Because it's expensive to double-up everything over a whole park when VLANs will do the job just as well.

        But the MAC allow/deny list may not be VLAN specific.

        1. Anonymous Coward
          Anonymous Coward

          Re: I hope it was only the WiFi

          "Almost certainly on different SSIDs and VLANs but the same physical access points and cabling. Because it's expensive to double-up everything over a whole park when VLANs will do the job just as well.

          But the MAC allow/deny list may not be VLAN specific."

          I am 'Walt' and you are entirely correct!

          PS: It was not a Disney theme park and I can't remember for the life of me what the issue with the iPad actually ended up being.

          1. The Oncoming Scorn Silver badge
            Coat

            Re: I hope it was only the WiFi

            He was holding it wrong.

      3. Anonymous Coward
        Anonymous Coward

        Re: I hope it was only the WiFi

        Because the safest approach is to consider EVERY WiFi network hostile and thus only allow access via VPN? That way you don't have to worry about staff using airport WiFi (which is *always* intercepted) or falling victim to a proxied network.

        In addition, just because you hide the SSID and use a complex password doesn't mean it cannot be accessed. Even an "internal" WiFi network should not be able to reach anything critical without at least a DMZ or better in the way.

        That's why you use a VPN.

        1. MrReynolds2U

          Re: I hope it was only the WiFi

          Always use MAC restrictions on private WiFi (even though you can spoof your MAC address) and if you can, on any internal network. At home I run a private WiFi network with MAC allow list and a separate guest WiFi via voucher code for when visitors ask "What's your WiFi password?".

          1. David Nash

            Re: I hope it was only the WiFi

            I used to use MAC allow-list at home but I was persuaded that it was not worth the effort, because it didn't add significant protection. I forget where but it might even have been comments here that persuaded me.

            1. Anonymous Coward
              Anonymous Coward

              Re: I hope it was only the WiFi

              Possibly because you can easily spoof a MAC address, but that still requires breaking into the traffic first to actually pick up valid MAC addresses to use (and then you have to wait for them to be offline before you can use them as the ARP request results would otherwise be, err, interesting).

              Frankly, if you have something on your home network that someone wants to put in that much effort to access I'd use a VPN wrapper. Or cables.

            2. Jou (Mxyzptlk) Silver badge

              Re: I hope it was only the WiFi

              Modern routers, and I refer to 10 year+ old AVM-Fritz models, have an option to "open WLAN", and then "restrict to known Clients listed here".

              Much easier to handle.

              1. Anonymous Coward
                Anonymous Coward

                Re: I hope it was only the WiFi

                I just name my network Federated Bread Incorporated. No hits on THAT name yet!

                1. DiViDeD

                  Re: I hope it was only the WiFi

                  I just name my network Federated Bread Incorporated

                  One of my neighbours called his network 'ASIO Monitoring Vehicle #267'

                  He never got an intrusion either, although he did initially get a visit from local plod, who thought it was a wizard wheeze.

For the folks in the old dart, ASIO is the Australian Security Intelligence Organisation. Think spooks in thongs and boardshorts.

For people in the old dart (again), thongs are flip-flops and not at all what you were thinking.

      4. Aladdin Sane

        Re: I hope it was only the WiFi

        No mention that it was work devices, so I'm guessing that their personal devices were being affected. It does mention that it was the Grand Fromage's personal fondleslab.

      5. Jou (Mxyzptlk) Silver badge

        Re: I hope it was only the WiFi

        Very simple: The boss fondle-pad has to be on the public untrusted network, since it is an untrusted device.

        1. Antron Argaiv Silver badge
          Thumb Up

          Re: I hope it was only the WiFi

          Dollars to donuts:

          Boss grabbed his personal, not his work, fondleslab on the way out the door that morning.

          OF COURSE it wouldn't connect to the network...as it should not.

  3. Cheshire Cat

    But ...

    ... what was the underlying reason for the Chairman's problem? Particularly if an Allow rule for a given MAC fixed it, even though there was apparently an implicit allow-all beforehand.

    I always find it irritating when these stories don't give the full explanation.

    1. DS999 Silver badge

      Re: But ...

I'm gonna go out on a limb and guess there were no available IPs in the DHCP pool when he tried to connect. If so, the solution would be to assign a static IP for VIP devices - and make them know if they replace the device they need to contact him to make that change if they want to ensure this doesn't happen again.

      The allow list wasn't a fix for the problem, other than for the fact that it caused everyone else to be kicked off, which voila freed up plenty of IPs :)
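DS999's guess above (the dynamic pool was empty, and the accidental deny-all "fixed" it by evicting everyone) and the proposed reservation for VIP devices, as an added toy model written for this page. It is not code from the thread or from any real DHCP server; the network, the MAC addresses and the four-address pool are constructed for the demonstration. Most servers expect a fixed-address reservation to sit outside the dynamic range, so the model enforces that too.

```python
"""Toy DHCP pool: exhaustion, reservations, and what 'kicking everyone off' does."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


class DhcpPool:
    def __init__(self, network: str, first: str, last: str,
                 reservations: Dict[str, str]):
        self.network = IPv4Network(network)
        lo, hi = IPv4Address(first), IPv4Address(last)
        # Dynamic range handed out first-come, first-served.
        self.dynamic = [IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
        self.leases: Dict[str, IPv4Address] = {}          # mac -> ip
        # Fixed addresses keyed by MAC: replace the device and the key is stale.
        self.reservations = {m.lower(): IPv4Address(ip) for m, ip in reservations.items()}
        for mac, ip in self.reservations.items():
            if ip not in self.network or lo <= ip <= hi:
                raise ValueError(
                    f"reservation {ip} for {mac} must be inside {self.network} "
                    f"but outside the dynamic range {lo}-{hi}")

    def lease(self, mac: str) -> Optional[IPv4Address]:
        """Return the address a DHCPOFFER would carry, or None if the server stays silent."""
        mac = mac.lower()
        if mac in self.reservations:                       # never contended with visitors
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:                             # renewal of an existing lease
            return self.leases[mac]
        in_use = set(self.leases.values())
        for ip in self.dynamic:
            if ip not in in_use:
                self.leases[mac] = ip
                return ip
        return None                                        # pool exhausted

    def release(self, mac: str) -> None:
        self.leases.pop(mac.lower(), None)


def scenario(reserve_chairman: bool) -> Tuple[Optional[IPv4Address], Optional[IPv4Address]]:
    """Fill the pool with visitors, then try the chairman's tablet.

    Returns (what the chairman got while the pool was full,
             what he got after every visitor was released).
    """
    chairman = "a4:83:e7:12:34:56"                         # constructed MAC
    pool = DhcpPool("192.168.10.0/24", "192.168.10.100", "192.168.10.103",
                    {chairman: "192.168.10.10"} if reserve_chairman else {})
    visitors = [f"02:00:00:00:00:{i:02x}" for i in range(4)]
    for v in visitors:
        assert pool.lease(v) is not None                   # four visitors use up the pool
    while_full = pool.lease(chairman)
    for v in visitors:
        pool.release(v)                                    # the side effect of the deny-all
    return while_full, pool.lease(chairman)


if __name__ == "__main__":
    print("no reservation :", scenario(False))
    print("with reservation:", scenario(True))
```

Without a reservation the chairman gets nothing until the visitors are gone; with one he gets 192.168.10.10 regardless of how full the dynamic range is.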

      1. Anonymous Coward
        Anonymous Coward

        Re: But ...

        Well, you have to admit he fixed the initial problem..

        :)

        1. Flightmode

          Re: But ...

          It's the Agile way...

      2. slimshady76

        Re: But ...

        Maybe he added a static IP to the chairman's iPad, which coincidentally was the same as for the DHCP server/gateway? I've seen that happen before!

      3. Yes Me Silver badge
        Facepalm

        Re: But ...

        I'm gonna go out on a limb and guess there were no available IPs in the DHCP pool when he tried to connect. If so, the solution would be...
        ... IPv6. That's what it's for -- when you run out of IP addresses.

        1. DS999 Silver badge

          Re: But ...

          No one is assigning public IP addresses to iPads and iPhones in an amusement park.

          1. Jou (Mxyzptlk) Silver badge

            Re: But ...

            > No one is assigning public IP addresses to iPads and iPhones in an amusement park.

IPv6: Yes, you do. By design! Else they will not be able to use the internet. Even if you use IPv6 in your LAN, with your correctly configured LAN IPv6 range, you always get a second IPv6 just for the internet. The third one, fe80::, is for link-local, the follower of the 169.254.0.0/16 range - which is always active.

            1. Anonymous Coward
              Anonymous Coward

              Re: But ...

              Yes, and the fun problem with that is that it makes your home device potentially directly addressable from the Net. NAT is no firewall, but it does at least offer a bit of delay before some jerk in a basement starts rattling your front door for funzies.

              1. Jou (Mxyzptlk) Silver badge

                Re: But ...

Yup, one of the drawbacks of IPv6: The router and its firewall must be correctly implemented to, by default, not allow every device to be accessible from the internet. And for port forwardings, which is actually the wrong word here, it must handle that clients change their IPv6 address when the internet address changes, but they keep their lower /64 (or /56, depending on ISP) address. Including that the clients keep their former address for a few minutes, sometimes for an hour, in parallel to their new actual internet IPv6 address.

                Not trivial. And one of the reasons why IPv6 is slow on the uptake.
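The three address kinds from the exchange above (link-local, the LAN's own ULA range, and the ISP's global prefix) and the renumbering problem Jou describes, as an added example written for this page rather than code from the thread or from any router firmware. The delegations, host address and firewall entries are constructed. One assumption to be clear about: keeping the low bits across a prefix change only works for hosts whose interface identifier is stable across prefixes (EUI-64, DHCPv6, or a per-interface random IID); RFC 7217 stable-privacy addresses and temporary privacy addresses change with the prefix, and a rule written for them has to be rebuilt some other way.

```python
"""IPv6 scope classification and prefix-change-aware inbound rules (toy model)."""
from ipaddress import IPv6Address, IPv6Network
from typing import Set, Tuple

Rule = Tuple[str, int]   # (destination address, TCP port) the firewall opens inbound


def scope(addr: str) -> str:
    """Which of the three addresses a host carries is this one?"""
    a = IPv6Address(addr)
    if a in IPv6Network("fe80::/10"):
        return "link-local"   # always present, never routed off the link
    if a in IPv6Network("fc00::/7"):
        return "ULA"          # the LAN's own range, never routed to the internet
    if a in IPv6Network("2000::/3"):
        return "GUA"          # the one the ISP delegated; reachable from the internet
    return "other"


def renumber(addr: str, old_delegation: str, new_delegation: str) -> str:
    """Move a host address from the old ISP delegation to the new one.

    Every bit below the delegation length (subnet ID plus the 64-bit interface
    ID) is kept; only the ISP-controlled top bits change. Assumes a stable IID
    (see the lead-in); raises if the delegation length itself changed.
    """
    old, new = IPv6Network(old_delegation), IPv6Network(new_delegation)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegation length changed; host bits cannot be carried over")
    a = IPv6Address(addr)
    if a not in old:
        raise ValueError(f"{addr} is not inside {old}")
    host_bits = (1 << (128 - old.prefixlen)) - 1
    return str(IPv6Address(int(new.network_address) | (int(a) & host_bits)))


def is_allowed(rules: Set[Rule], dst: str, port: int) -> bool:
    """Default deny: only an explicit (address, port) pair gets through."""
    return (str(IPv6Address(dst)), port) in rules


def rules_after_renumber(rules: Set[Rule], old_delegation: str,
                         new_delegation: str, keep_old: bool) -> Set[Rule]:
    """Rewrite every inbound rule that pointed into the old delegation.

    keep_old=True models the grace period in which hosts still answer on the
    deprecated old address; drop the old entries once its valid lifetime ends.
    Rules for ULA or link-local destinations are untouched by a prefix change.
    """
    old = IPv6Network(old_delegation)
    out: Set[Rule] = set()
    for dst, port in rules:
        dst = str(IPv6Address(dst))
        if IPv6Address(dst) in old:
            out.add((renumber(dst, old_delegation, new_delegation), port))
            if keep_old:
                out.add((dst, port))
        else:
            out.add((dst, port))
    return out


if __name__ == "__main__":
    OLD, NEW = "2001:db8:1::/56", "2001:db8:2::/56"        # constructed delegations
    NAS = "2001:db8:1:1:1234:56ff:fe78:9abc"              # constructed host address
    for a in ("fe80::1234:56ff:fe78:9abc", "fd42:1:2:1:1234:56ff:fe78:9abc", NAS):
        print(f"{a:40} {scope(a)}")
    rules = {(NAS, 443)}
    print("grace period:", sorted(rules_after_renumber(rules, OLD, NEW, keep_old=True)))
    print("afterwards  :", sorted(rules_after_renumber(rules, OLD, NEW, keep_old=False)))
```

The point a router implementer has to get right is visible in `rules_after_renumber`: a rule stored as a full /128 silently stops matching the moment the ISP changes the prefix, so the rule store has to be keyed on the host part and regenerated, and for a while has to carry both addresses.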

    2. Anonymous Coward
      Anonymous Coward

      Re: But ...

      If I worked there (which I haven't) I would probably have a rule that blocks any idevice purporting to be from the upper executive team, since almost all will be script kiddies playing around. But when one of those folks brings an ithing they bought off AliExpress and expects it to work, well, there's a change management process and reviews and ... Oh here's this whitelist option...

    3. David Hicklin Bronze badge

      Re: But ...

      >> if an Allow rule for a given MAC fixed it,

      Maybe there was no allow/deny rule set before, and by creating an "allow the chairman" rule he automatically denied everyone else.

      1. Prst. V.Jeltz Silver badge

        Re: But ...

Yeah, sounds that way,

the "deny" rule kinda sprang outa nowhere.

Coulda happened to anyone!

...except those with some experience on that hardware.

      2. David Nash

        Re: But ...

        That's how I read it.
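The mechanism the Anonymous Coward described earlier in the thread (one set of access points and one MAC list shared across the staff and guest SSIDs/VLANs, which "Walt" confirmed) and David Hicklin's reading of the "allow the chairman" rule put side by side in a small model. This is an added example written for this page, not code from the commenters or from any controller vendor. The MAC addresses are constructed, and the semantics "an empty allow list means the filter is off, the first allow entry switches it on and everything unlisted is then implicitly denied" are an assumption about a generic controller, not a claim about any particular product. The `would_cut_off` preflight is the check a practitioner wants before touching such a list on a live network.

```python
"""Toy model of a wireless controller's MAC allow/deny list, global or per VLAN."""
import copy
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept 'A4:83:E7:12:34:56', 'a4-83-e7-12-34-56' or 'a483e7123456'; return one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Allow/deny sets keyed by VLAN, or by '*' when the controller keeps one global list."""

    def __init__(self, per_vlan: bool):
        self.per_vlan = per_vlan
        self.allow: Dict[str, Set[str]] = defaultdict(set)
        self.deny: Dict[str, Set[str]] = defaultdict(set)

    def _key(self, vlan: str) -> str:
        return vlan if self.per_vlan else "*"

    def add_allow(self, mac: str, vlan: str) -> None:
        self.allow[self._key(vlan)].add(normalize_mac(mac))

    def add_deny(self, mac: str, vlan: str) -> None:
        self.deny[self._key(vlan)].add(normalize_mac(mac))

    def permits(self, mac: str, vlan: str) -> bool:
        mac, key = normalize_mac(mac), self._key(vlan)
        if mac in self.deny[key]:
            return False
        if not self.allow[key]:          # no allow entries: filter is off, implicit allow-all
            return True
        return mac in self.allow[key]    # any allow entry: filter is on, implicit deny-all


def would_cut_off(f: MacFilter, mac: str, vlan: str,
                  connected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Preflight: which currently connected (mac, vlan) pairs would this allow entry drop?

    Evaluated on a copy so the live filter is not touched.
    """
    trial = copy.deepcopy(f)
    trial.add_allow(mac, vlan)
    return sorted((m, v) for v, macs in connected.items() for m in macs
                  if not trial.permits(m, v))


CHAIRMAN = "A4:83:E7:12:34:56"                        # constructed
CONNECTED: Dict[str, Set[str]] = {                    # constructed snapshot of who is on the air
    "staff": {"a4:83:e7:12:34:56", "00:1a:2b:3c:4d:5e"},
    "guest": {"3c:22:fb:aa:bb:cc", "f0:18:98:11:22:33"},
}


def simulate(per_vlan: bool) -> Dict[str, bool]:
    """Replay the story: empty list, then one allow entry for the chairman on the staff VLAN."""
    f = MacFilter(per_vlan)
    before = all(f.permits(m, v) for v, macs in CONNECTED.items() for m in macs)
    f.add_allow(CHAIRMAN, "staff")
    return {
        "everyone_ok_before": before,
        "chairman_staff": f.permits(CHAIRMAN, "staff"),
        "colleague_staff": f.permits("00:1a:2b:3c:4d:5e", "staff"),
        "visitor_guest": f.permits("3c:22:fb:aa:bb:cc", "guest"),
    }


if __name__ == "__main__":
    for per_vlan in (False, True):
        print(f"per-VLAN lists={per_vlan}:", simulate(per_vlan))
    print("preflight, global list :", would_cut_off(MacFilter(False), CHAIRMAN, "staff", CONNECTED))
    print("preflight, per-VLAN    :", would_cut_off(MacFilter(True), CHAIRMAN, "staff", CONNECTED))
```

With a single global list the one allow entry drops the chairman's colleagues and every guest; with per-VLAN lists the guests survive but the other staff devices still go, so the preflight reports something to fix in both cases. The safe sequence is to load every known device into the allow list first, or to use the list in deny mode, before the first allow entry turns the filter on.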

  4. Scott 53
    Joke

    The situation after this

    The Chairman's iPad works here, but Walt disnae.

    1. Evil Scot Bronze badge

      Re: The situation after this

      Don't know if I should be appalled or enraged that I did not come up with that.

      1. Calum Morrison

        Re: The situation after this

        Don't worry, neither did Scott - it's one of our older Scottish jokes:

        What's the difference between Bing Crosby and Walt Disney?

        Bing Sings and Walt Disnae.

        Luckily we've invented Billy Connolly and Kevin Bridges since.

  5. Anonymous Coward
    Anonymous Coward

Banyan Vines network

I once was the network guy for an entertainment company. This was in the 90s in all its Win95 glory, with the cursed NetBEUI protocol, by which every connected PC was telling the whole world it was here every single bloody second, via broadcast. That was annoying.

Since we'd just replaced the legacy network hubs with brand new switches, I began to explore the new possibilities and oh, I found our switches could rate limit broadcasts!

    So, I went the following morning to set this up and remove 90% of the broadcasts.

    But what I didn't know was, the bloody Banyan Vines protocol was doing something crazy: use broadcasts and even assemble multiple broadcasts into bigger packets.

    Just after the set up, the global directory went VERY SLOW, indeed, which prompted a queue of users at my office. Didn't take me long to fix it, though.

Bloody Vines!

    1. MJI Silver badge

Re: Banyan Vines network

      I managed to avoid that.

Had one customer wanting to use it; luckily our bought-in database server only came as an NLM.

    2. Trixr

Re: Banyan Vines network

      I'll raise your mid-90s Vines with the fact I recently found a bunch of 2019 servers running the computer! browser! service in our AD. Some numpty had enabled SMB1 in the build, and by default, it enables Computer Browser. The legacy build procedure that disabled it was not applied to the newer boxes.

      I noticed because I was idling through the SMB audit logs and found a load of servers yelling at each other for network browser elections.

  6. The Oncoming Scorn Silver badge
    Joke

    Sounds Like

    A real Mickey Mouse Operation.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sounds Like

      One could say the network admin was a bit Goofy.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sounds Like

        I assume it was an iPad Minnie

        1. Hazmoid

          Re: Sounds Like

          As long as it wasn't the Donald's golf course :)

  7. Alan W. Rateliff, II
    Facepalm

    No access to 56k pr0n for you...

    Yup. As a newly-hired network administrator, I took down an entire dial-up ISP with an implicit deny-all rule while mitigating DoS attacks against some users. Once I realized what I had done and that my back-door into the system was also affected, I had that sinking feeling of letting go of the car door just as you realize your keys are still in the ignition.

    Fortunately, this happened around 2am when usage was low. A 20-minute drive across town to the office (completed in 12 minutes) resolved the issue and no one was any the wiser. Though, I admitted my tomfoolery to my boss in the morning, which elicited a chuckle.

    1. Robert Carnegie Silver badge

      Re: No access to 56k pr0n for you...

      Well done for confessing to your boss, risky but better than being found out. Double well done for getting a laugh for it, you must be a very good story teller. ;-) Driving too fast across town...... don't do it again, I think.

      1. Alan W. Rateliff, II

        Re: No access to 56k pr0n for you...

        Let me tell you a story. I met my boss at that job before I was hired, when the company held a customer appreciation event. How I became a customer is almost as interesting. See, I had an Amiga, and I was told by a couple of places there was no way they could get me on-line. When I called this company, the guy who answered the phone thought it was cool as hell, and while we were talking he had signed me up and let me have a chance to get going. I did.

        At the event, some people wanted to meet me and I got to meet them... but not after I had already gotten completely shit-faced, but was still very excited to talk about the Amiga and technology in general. I kind-of had a job interview right there, and within a month I was working with them.

I was brought on to be an assistant administrator, and the guys taught me the ropes. In a couple of months I was proficient with the dial-up and ISDN system, Windows on the Internet, IP networking, and some colocated server management. In the dark, dark corners of the network sat a Unix machine (Solaris 2.4 on a SparcStation clone) with a dying hard drive and some other issues. I was tasked with its administration since I knew some Unix and the administrator, aside from having a lot on his hands with the NT side of things, would get uncharacteristically furious at Unix.

        By the time the dial-up system lock-out occurred, I had a deep respect for my boss. We worked as both equals and as pupil and master. I had no reason to hide what I had done, especially when expressing that I had learned a valuable lesson about "implicit deny." A lesson he admitted to having had learned the hard way, as well.

We all worked together for almost four years; we became a team, and our work relationships mostly turned into good friendships. Our company was sold to a local competitor and I spent the first six months working in the new company's office as a contractor. We have continued that mutually beneficial working relationship for 20 years, coming back around to me not playing a major part in the company under new management.

        I am proud to say that I am still close friends with a couple of the guys I started with there, and have had the deepest honor to participate in their weddings, as a groomsman and as my former boss's Best Man.
