back to article Thanks for fixing the computer lab. Now tell us why we shouldn’t expel you?

It’s always twelve o’clock somewhere, the saying goes, but Friday comes around but once a week and only this day does The Register offer a fresh instalment of On Call, our reader-contributed tales of tech support torture and turmoil. This week’s contribution comes from a reader we’ll Regomize as “Hank Senior” because it …

  1. Anonymous Coward
    Anonymous Coward

    Free 24x7 user support?

    Our university sysadmin had a deal whereby, if any of us found a security hole, he'd buy us a pint at the bar (as long as we told him exactly what it was, and it was a new one). We managed it several times.

    However we generally kept a backdoor to root on the system so that we could fix things outside hours - usually, when some fool had submitted an oversized print job that needed cancelling, but also when we found a black hat from another university logging in overnight to try and kick our players off of Essex MUD.

    1. Evil Auditor Silver badge

      Re: Free 24x7 user support?

      ...kept a backdoor to root...

      Obviously, we had never done such evil thing nor would or could have thought of. Anyhow, the printing, with the printer standing in the vicinity of my desk, of all and even more so of oversized documents (if they were not ours) was a nuisance we could do without. First step was to connect directly to the printer to circumvent the print server's spooler and bypass its long queue - we still had the busy printer but at least without waiting ages for our printouts. Second step was that we cancelled others' jobs as soon as the printer sprang to life and securely disposed of any already printed pages. The fellow student would arrive in our room to get their printout, wondered what happened, and we would obviously answer: nothing, the printer has just been idling all the time. The discouraging effect was less than expected (reminder: do not underestimate the persistence of a student near a submission date) and clever us figured, or it was rather a disgruntled fellow student, that it looked suspicious that the printer worked just fine when no one was working (i.e. playing id Software's finest) there. The final and very effective step was to kick "our" printer out of the print server rendering it invisible to the casual network user.

      1. saxicola

        Re: Free 24x7 user support?

        For a while at university I used to be able to cancel the print queue for a printer, quickly press print and logout. By the time I'd walked to the printer at the front of the room my printout was ready. Until I couldn't any more. I was rumbled! So it was off to Staples to buy the cheapest printer they had.

        To be fair, the amount of garbage the printer was spewing out, and with the "LOAD LETTER" (the printer was loaded with A4 obviously), errors constantly displayed assuaged my guilt a little as I was probably doing the other students a favour by allowing them to review their page settings before then resubmitting the print.

        1. Evil Auditor Silver badge
          Thumb Up

          Re: Free 24x7 user support?

          Guilt? My fellow students, i.e. the victims of cancelled print jobs, were not supposed to print on our printer, which belonged to a specific department and was dedicated to a specific project. So my sense of guilt in this regard is rather limited, especially after countless verbal "use your own printer!" didn't make a difference.

          1. Benegesserict Cumbersomberbatch Silver badge

            Re: Free 24x7 user support?

            id Software's finest being so notoriously good at generating print jobs...

            1. Shooter
              Devil

              id Software's finest...

              Gotta use the BFG 2000 on those printer demons, er daemons!

            2. Gaamer

              Re: Free 24x7 user support?

              Not to mention countless hours of direct productivity

          2. Anonymous Coward
            Anonymous Coward

            Re: Free 24x7 user support?

            My uni had a printer on the network that a few applications had been assigned to as their default printer. It is important to check [as they discovered] that you change these settings when reassigning a printer or the room it’s in. After they changed one previously faculty room over to being a student print room this became obvious. A few documents were found on the output tray that were not meant for public consumption in the first weeks. They thought they’d got all of them and then a disciplinary report on a faculty member popped out one day and the shit hit the fan.

            Improper use of the internet by a lecturer was one thing [as the report alleged] but letting the students know about it was something else. There were allegations that a student had an admin password for an IT account or had been hacking. Everyone outside IT thought that was bullshit and covering for incompetence or solidarity. Oh and that improper use was visiting a medical website that had male and female genitalia pictures on it. That the person concerned was looking for cancer check advice didn’t seem to matter. Yes, checking for breast cancer is best described with the help of pictures, and the lecturer was female.

            Anon because…….

  2. Anonymous Coward
    Anonymous Coward

    The time the security team locked out the root account on their 'very secure system'.

    Not being the sysadmins they thought they were, all sorts of weird and wonderful discussions were being had. Until I pointed out they had a root owned rc script in with full permissions, so let the hacking commence (me, being an actual sysadmin who happened to be there talking to someone else and overheard what was happening).

    1. Anonymous Coward
      Anonymous Coward

      We used to keep a "dosu" executable buried deep in an always mounted NFS share (it was a copy of the ksh executable with root privileges) for those times when a junior SysAdmin was tasked with updating the sudo templates and managed to screw everyone's legal privilege escalation methods.

      And audit once found it, and we "remediated" by hiding it in a compressed, password protected file.

  3. trevorde Silver badge

    A grade hacking

    Many years ago, whilst I was at uni, one of my fellow students was failing badly due to getting involved in guild politics. So the story goes, he managed to hack into the uni's VAX system and amend his grades to a pass. He was found out but allowed to repeat the year on condition he didn't do it again. Next year, he was failing *again*, so he hacked in *again* and was found out *again*. This time they said they would let him through if he showed them how he did it. Eventually, he managed to scrape through his degree by the skin of his teeth.

    The irony was that he later went on to found several tech companies and did rather well for himself.

    1. Simon Harris
      Mushroom

      Re: A grade hacking

      Did he also almost bring about the end of civilisation by playing Global Thermonuclear War?

      1. Tom Chiverton 1 Silver badge

        Re: A grade hacking

        Wouldn't you prefer a nice game of chess?

  4. ChoHag Silver badge

    Never, ever own up to fixing anything. You either get a bollocking or you have to do it again next time.

    1. Giles C Silver badge

      At one place I worked I was for a while involved in the backup of the servers and hence knew the combination for the large safe the backups were stored in.

      For some reason this safe used to confuse the people whose job inherited the backup process.

      Every time someone couldn’t get in the safe they called me as I had the “skill” to get the door open, worst thing is I can still remember the combination even though I left the company back in 2018. If the safe is still at bgl and it can’t be opened I could be prepared to unlock it for a suitably large fee……

    2. Maximus Decimus Meridius

      Correction - you get a bollocking AND you have to do it again next time

      1. Eclectic Man Silver badge

        ... next time

        Well, in his stories of his life told to Ralf Leighton, Richard Feynman (him of the eponymously named diagrams) was known for hacking the safes at Los Alamos. So when someone left and their safe was found still to be locked who was it but good ol' Feynman who was 'asked' to crack it.

        1. Arthur the cat Silver badge
          Facepalm

          Re: ... next time

          Richard Feynman was known for hacking the safes at Los Alamos

          To be a bit more exact, he knew the default combination the safes arrived with and could dial it in behind his back. Military security having the mentality it did (and probably still does), warned people not to let Feynman near their safe rather than insisting people change the combination away from the default.

          [Icon for obvious reasons.]

          1. Eclectic Man Silver badge

            Re: ... next time

            In the book, Feynman explains that he could fiddle with the combination lock on an open safe and deduce at least part of the combination. Everyone knew the default combination, that was how their safes had arrived. Feynman kept his list of known combinations inside the lock of his own safe, which he disassembled and then re-assembled each time he found a new combination. People were supposed to change from the default combination for reasons of security at Los Alamos. See the chapter 'Safecracker meets Safecracker' in 'Surely you're joking, Mr Feynman' where he describes his safe-cracking and combination discovering techniques in detail.

            1. Anonymous Coward
              Anonymous Coward

              Re: ... next time

              Great book - it’s a cracking read

              1. Eclectic Man Silver badge

                Re: ... next time

                As is the sequel 'What do You care what other people think?'

            2. Doctor Syntax Silver badge

              Re: ... next time

              Also the locks had a bit of tolerance so that a number could just be near enough. That meant that in the worst circumstances it wouldn't take as long to open it blind as would if he'd really had to try every single combination.

    3. Fr. Ted Crilly Silver badge

      No good deed going unpunished again...

    4. BillG
      Megaphone

      Never, ever own up to fixing anything.

      > Never, ever own up to fixing anything. You either get a bollocking or you have to do it again next time.

      Reminds me of a rule that a business mentor once told me: Nobody gets promoted for "stopping screwing-up".

      It's a truism. Again and again I've seen careers come to a screeching halt for not knowing this rule.

  5. Peter Gathercole Silver badge

    How secure *IS* your system

    I ran a Level 3 Acorn Econet of BBC micros (with a 10MB hard disk, no less) at a UK Polytechnic back in the early '80s, something that was never really that secure.

    I had to frequently remind staff that although it was very convenient, the security was lamentable, and they should not store assessment results or upcoming assignment or exam questions on the file server. In reality there was no way of stopping the students from seeing or amending them, especially when two of the students were very good at understanding how things worked (they both were already, or went on to become well known game writers for the BBC Micro and other systems - shout out to Gary and Peter).

    One of them already had experience of hacking a Level 2 fileserver before he even came to the Poly, and in many ways, I was actually following him (often as a result of "I can see what he did, but how did he do it") type situations, even though I had been using BBC micros almost from the first day they were available.

    While I loved what Econet provided, it really wasn't fit for purpose as a general computing environment, at least not for completely open and unprotected systems like the BBC micro.

    1. Victor Ludorum

      Re: How secure *IS* your system

      That reminds me of the BBC network we had at our school. It wasn't Econet, but very similar.

      A friend of mine (yes, really, it wasn't me) reverse engineered the sideways ROM for the network and it turned out that user authentication happened on the client - it looked up a four character (!) password in a special file on the server based on your user number. Cue various students using teacher logins and kicking other users off their machines remotely...

      V.

      1. J.G.Harston Silver badge

        Re: How secure *IS* your system

        Oh god, not the execrable Amcon E-net?

        1. Victor Ludorum

          Re: How secure *IS* your system

          It was 35 years ago - I just remember it was a BBC network but wasn't Econet.

          1. Anonymous Custard Silver badge
            Trollface

            Re: How secure *IS* your system

            Ah the memories of sixth form and BBC/Archimedes networks.

            In the lower sixth, we just had normal (non-priv) accounts, but the network manual was to be found in the (always open) server area (aka the walk-in cupboard at the back of the classroom with the server on one of the shelves around the edge of it). And it had full details of all the OS commands, including how to "write" them in assembler.

            Hence almost all of the priv user commands ending up being available via self-written versions. And a surprising amount of them actually worked perfectly, even without the account actually having any elevated privs.

            And in upper sixth, when we started doing A-level projects that (mysteriously) needed priv users, we got them.

            Queue two of the lower sixth, who hated one another, independently coming to me and asking for the password for the other's account.

            So I did what any self-respecting BOfH would do, and swapped their account passwords over, without revealing to either what their "new" password was.

            Mexican stand-off ensued, with the two trying to find ways to extract their new password from the other without revealing their own password.

            Teacher walking in half-way through, stood there for a while watching before intervening. Then afterwards took me aside, waggled a finger and said mock seriously "don't do it again...", only spoiled by the rather huge grin on his face before wandering away into aforesaid server cupboard from which much pent-up laughter was then heard.

            1. J.G.Harston Silver badge

              Re: How secure *IS* your system

              What was in queue one?

        2. Anonymous Coward
          Anonymous Coward

          Re: How secure *IS* your system

          When I was at school we had a computer lab full of BBC Bs that were originally all connected to an E-Net network. The network was later 'updated' to Econet, but I remember during the E-Net times, a friend and I wrote a little login program that displayed a nice screen branded with the school name and colours. It presented a nice username and password box and took those details and passed them to the command line to log the user in. Once done, it just dropped out to the basic prompt, but it did look nice when displayed on all the machines in the room. The head of IT loved it as it meant he didn't have to help students with how to login all the time and it was set to automatically display whenever a user was not logged in.

          What he didn't realise was that we were saving every single username and password combo that was entered into the login app to a text file. Using this we gained access to the system admin user and several teacher accounts. The admin account allowed us to spy on other people's screens, but you had to be careful if you did it to the IT teacher as it would slow down the lowly BBC B and you'd hear the bellow "who's viewing my screen?!!" from the front of the class.

          Fun times!

          Anon for obvious reasons. It's a long time ago, but I still fear that IT teacher!

      2. senior_muppet

        Re: How secure *IS* your system

        Ah yes - Amcom E-Net where you could gain admin access in 30 seconds by locking the workstation out and then jumping into the ‘failed login’ routine which decremented your 1 byte priority from 0 to 0xff (-1 or 255) which was admin level. Or issue read calls for sectors from the file server hard drive including those 4 char passwords, or read any other workstation’s screen or even reset them remotely.

        After writing a basic disassembler in BASIC and then working through the printout it didn’t take too much to write a ‘sideways ROM’ to load into the temporary sideways RAM which intercepted the NMIs which then allowed total control over the network, blocking real admins access to your machine and reading any file on the entire network. Ahem. Speaking for a friend of course.

        1. Stuart Castle Silver badge

          Re: How secure *IS* your system

          Or the Research Machines network.

          At school, we had a then state of the art computer network. It consisted of a Research Machines 380Z, with Epson Dot Matrix printer. It also had 16 (I think - it was nearly 40 years ago) RM 480Z and, for some reason, one BBC B. The 380z had a Green screen monitor, and the others had Microvitec Cub monitors (which I thought had an awesome picture at the time).

          Because it didn't really have a concept of users (at least not how it was implemented at our school), one of the 480zs (the teacher's one) was a designated Admin station. This just meant it had access to more software, and could update some file shares on the sever.

          My friend, fancying himself as a bit of a hacker, decided to see if he could make another station an admin station, so he looked at the differences in setup. He noticed each machine has a bank of dipswitches on the back, and the bank on each machine was different.

          He theorised that the dip switches made up some sort of binary machine ID. It made sense, and was correct.

          At the time, we were helping the computer teacher expand the network beyond the computer room. The school didn't have enough computers to do this, but the teacher wanted to ensure the school was ready should they decide to add computers to other classrooms, and we wired up every classroom in the building. It was a simple co-ax network, and another friend designed neat little sockets that enabled us to plug in or unplug machines without breaking the chain of co-ax cables. Not for our ease. He was betting (probably correctly) that once the pupils worked out they could take out the entire network by unplugging a cable, they would.

          Anyhow, his brother, who had come up with the theory of the machine ID tested his theory. We had one of the machines with us, for network testing, so we went to the other side of the building. He had copied the dip switch settings from the Admin machine and we opened up a small chat application on each machine.

          I was sitting next to the "hacker" when I saw the following converstation.

          Computer room: "Who is this"

          US: "Mr Peters. Who is this" (Mr Peters was the computer teacher)"

          Computer room: "Mr Peters. Where are you <friends name>?" (Obviously he used my friend's actual surname).

          Mr Peters appeared a few minutes laters (there were maybe 15 classrooms we could have been in, and the school day was over, so we would have been easy to find) and dragged my friend away for a polite talking to.

    2. heyrick Silver badge
      Happy

      Re: How secure *IS* your system

      Econet, for those who don't know, sent the six character password down the wire in clear text.

      This was okay for a room full of BBC Micros, as there wasn't enough power to run the interface in promiscuous mode and do much with the data read other than dumping hex gibberish to the screen. But bring a RISC OS machine into the fray, and there's enough power there to read the network traffic, interpret it, extract interested data (like logins) and remember the username and password combinations, and do all of that quietly in the background.

      Why do you think I taught myself ARM assembler?

      The hardest job I ever had, however, was showing no sign of emotion whatsoever when the log file said "*I AM SYST IAMGOD". No, the guy that used to end lessons by flicking the big breaker on the wall is definitely NOT a God. Two or three lessons later and he'd have to power cycle the FileStore because "Too many users" because nobody ever got to properly log off the way he ended lessons. But, then, I guess "IAMTWAT" is one character too many...

      1. J.G.Harston Silver badge

        Re: How secure *IS* your system

        Six characters isn't Econet, that's Level 1 and Level 2 *Fileserver*. Econet is agnostic of what you send over it, as is the NetFS filing system that talks over the network.

        Level 3 and SJ fileservers uses 10-character passwords, and SJ introduced NetFS_Op 66 GetEncryptionKey which allowed you to use encrypted passwords bound to the requesting client.

      2. Mike 16

        Unscheduled Power fluctuation

        Above brings to mind two memories from the early 1970s.

        A minicomputer (vendor to remain anonymous) had the nifty feature of a "AC Power fail" interrupt, which could "freeze" the current state of the machine in core memory, such that it could resume where it had been when power came up. Sadly, the interrupt would not be invoked if the front panel power switch was used to turn it off. So the least-bad way to shut down the machine was to yank the power cord.

        An example of a non-power-related "unscheduled shutdown (of a task, not the whole machine) was found by a friend (like me sort of a IT wannabe) when he heard some salty language from another user in the terminal room. We were evaluating a new great-leap-forward time-sharing OS in the most logical way: turning it over for "testing" by random undergrads who had managed to justify a login.

        Seems that one such user was "testing" the chess-playing program, and had just gotten it in a fork when the operator killed ("dropped") his process. We were guessing that this was a "we don't play games with expensive research systems" situation, but my friend was suspicious _and_ knew how to read the logs, where the death of that process was immediately preceded by a request from the running process for the operator to kill it. Um... isn't there a way for a process to exit? Why yes, but that would not produce a message about the operator having dropped it. This was apparently a case where the computer player, seeing itself in a fork, "kicked over the table" to avoid taking the loss. 50 some years later I wonder if modern "AI" game players also include "not in the official rules" moves.

        1. imanidiot Silver badge

          Re: Unscheduled Power fluctuation

          If ChatGPT is any indication, it's a case of "I reject your reality and substitute my own" https://youtu.be/kvTs_nbc8Eg

    3. Stuart Castle Silver badge

      Re: How secure *IS* your system

      In fairness to Acorn, security was something that was frankly embarrassingly bad on every micro computer in the 80s from the zx80 to the various PC clones. Outside of specialist systems with requirements for halfway decent security, you could just turn a computer on and use it with no restriction. Even the key switch on most PCs (which was there to prevent unauthorised use of the computer keyboard) could often by bypassed just by opening up the case and unplugging it.

      It took the various network OSes (Netware etc), OS2, Windows NT and Linux coming along to start people even thinking about security. Even then, in consumer Windows, the password prompt could be bypassed.

      The sad thing is, I actually miss the days when you could just turn a computer on and start using it. In the case of some of the early systems, you didn't even need to boot an OS, as they had either basic, or a limited OS built into rom.

      1. Peter Gathercole Silver badge

        Re: How secure *IS* your system

        The really sad thing is that there were more secure network systems around, but they required client machines to have a privileged mode, and for all of the normal users to not have access to it. Examples of the time include SunOS, with NFS as the filesharing model. OK, YellowPages had it's own security holes, but they weren't (quite) as obvious as the PC networks in the early '80s, and you didn't have to use YP if you were prepared to keep /etc/passwd and /etc/group, plus a small number of other files synchronised across the clients and servers.

        It was obvious that something as open as BBC Micros were (you had access to the whole system, including where it held the station ID and User ID), it was impossible to really secure the network. But Windows should really have been better, but it was also designed without any security in mind.

        1. Not Yb Bronze badge

          Re: How secure *IS* your system

          Windows was designed without security in mind, and for years they made every new Windows version backwards compatible with most of the previous security holes.

      2. david 12 Silver badge

        Re: How secure *IS* your system

        It was pretty much the design intention of the system. These were micro computers. aka personal computers.

        unix was an odd exception, and that really was part of it's claim to fame: it became popular as a network operating system. Even Windows, when that came out, had no networking until "Windows for Workgroups".

        1. Peter Gathercole Silver badge

          Re: How secure *IS* your system

          Well, networking was an add-on even to UNIX, as it pre-dated most LAN implementations. Early UNIX networking meant UUCP over serial lines and modems!

          But the foundation of a multi-user, and multi-tasking operating system meant that there was a concept of different users from very early on in UNIX's history (you'd have to go back to Edition 3 or 4 to lose the concept of different users) and certainly by Edition 6 on PDP-11, the first version that I used, the concepts of both users and privileged users was well established, as were virtual address spaces.

          Once you had these established as fundamental features, adding networking could be a bolt-on, especially given UNIX's very open device driver model.

          This was not unique to UNIX, but what actually made UNIX different was that it could be run on quite modest hardware (especially as people started writing C compilers for many architectures). As soon as microcomputers gained memory management hardware and a protected instruction mode, UNIX was able to be fully ported. The biggest restriction for it penetrating the PC world was actually the price of hard disks.

    4. aerogems Silver badge

      Re: How secure *IS* your system

      In my grade school days, they taught basic computer skills using a lab full of Apple ][gs and ][e's networked to some really early model Mac. It didn't take me long to work out that I could traverse the entire filesystem and get into any other student's files. Fortunately for them I wasn't malicious about it, I just amused myself by adding some extra letters or words (nothing offensive) in random places. Of course the kicker of that was, even if they knew what I was doing, they still had to read the entire document to make sure they found every edit I made. Thinking back, I should have included formatting codes to my "sabotage" since on the version of ClarisWorks we were using, there was no visible indicator if you marked something as bold or italic. Oh well.

  6. Anonymous Coward
    Anonymous Coward

    I’m no sysadmin, but I run a Linux box at home. I had a job as a scientist in a small research center owned by a large multinational. Our one and only IT guy was rushed off his feet - so much so that he once left a ‘sudo vi /etc/passwd’ open on my desktop when rushing off to the next emergency. Reader, I created a user with UID 0 before closing it. The following year, he had just gone on a long and well-deserved holiday, somewhere with no phone reception, when the network mounts all disappeared. We were on our own network, and the company did not provide any cover for him - so I did what I had to. When he came back, his first words to me were, “Well done, but just so you know, the system mysteriously healed itself. And do not tell me how it did that until we are safely in the pub.”

    1. Doctor Syntax Silver badge

      Yes, the magic isn't in the word "root", it's in the UID 0.

  7. b0llchit Silver badge

    As they say, no good deed goes unpunished.

    1. wolfetone Silver badge

      The road to hell is paved with Windows administrator passwords.

      1. Jou (Mxyzptlk) Silver badge
        1. AbortRetryFail
          Joke

          @Jou (Mxyzptlk) Silver badge

          12345? That's amazing. I've got the same combination on my luggage!

      2. werdsmith Silver badge

        Or the linux admin password....

        NCC-1701

        1. Anonymous Custard Silver badge

          Passw0rd for beancounters.

          Either that or whatever's written on a post-it taped underneath the keyboard.

          1. Doctor Syntax Silver badge

            Never write the password under the keyboard. It can't be read and typed at the same time so anybody wanting to use it will have to make a copy of it and that's a Very Bad Thing.

            1. The Oncoming Scorn Silver badge
              Pint

              They Have These Things Called Phones

              Nowadays.........they even have camera`s.

          2. Anonymous Coward
            Anonymous Coward

            Count yourself lucky if it's underneath the keyboard.

            I've seen far too many Post-Its with 8 character strings stuck to monitors. (To be fair, seeing even one is too many)

            1. Mike 16

              Apologies if I tolr this before...

              One place I worked solved the password-inconvenience problem by having an application on all the Windows machine that would allow the user to log on as any (Unix) user they wanted to be.

              Another had the "network neighborhood" password be COMPANY_NAME_MONTH_YEAR (got to obey the frequently change passwords" order).

            2. A.P. Veening Silver badge

              I've seen far too many Post-Its with 8 character strings stuck to monitors. (To be fair, seeing even one is too many)

              I have one, but it isn't any password. Those eight digits represent the date I married (lest I forget).

              1. Doctor Syntax Silver badge

                You should really add another - wife's birthday.

                1. A.P. Veening Silver badge

                  You should really add another - wife's birthday.

                  I would ... if it were on another day, but I didn't want to chance getting confused.

            3. John Brown (no body) Silver badge

              ...and I'm sure we've all noticed that no matter the enforced password complexity, if the user is told there is a specified minium length to the password, that is the number of characters used. 8-16 character passwords allowed? 99% of users will have an 8 character password because they are forced into making it "complex" and the natural reaction to that is to not make it any more complex than it needs to be :-)

          3. An_Old_Dog Silver badge

            Passwords Under Keyboards

            I have a Post-It note with a password written on it which I stuck under my keyboard.

            It is a wrong password, 'cause I am a BOFH.

          4. aerogems Silver badge
            Devil

            Mentioned this on some other story, but at a previous job at a defunct retailer that's literally what they did, and it was for the POS system no less. Instead of making sure all the people who needed to log repairs in the system had an account with the proper access, they just limited it to people of supervisor or above rank... and I guess the idea was that they would personally enter in hundreds of repair records or stand around, potentially for hours, as someone else did it and they observed to make sure there was no funny business.

            After my immediate supervisors set me up to be the scapegoat for one of their many failures, like deliberately violating the contract with one of their most important suppliers, I sent a message to top management suggesting someone make an unannounced visit to that location and look at that specific keyboard's underside. No idea if anyone ever did, but since this was a special repair only "store" located within one of the company warehouses, and one of my former coworkers told me they shut it down very shortly after I left... it seems plausible that played a part. I also left at what was the beginning of the end for the company. They managed to hold on for several more years, but it was increasingly obvious they were having issues, so it's entirely possible some bright spark thought it would save them money somehow. I like to think it was the former though. I'm a big boy and can handle it if my work isn't up to snuff, but when someone else screws up and pins the blame on me, I think some vindictiveness is acceptable... called for even.

        2. Sceptic Tank Silver badge

          A hard disk failure?

      3. Roger Kynaston

        old password

        used to be g0d though I am sure that would fall foul of modern complexity and length rules. I wonder if anyone uses

        J3h0v@h

        1. Benegesserict Cumbersomberbatch Silver badge

          Re: old password

          That would be Matthias, son of Deuteronomy of Gath.

          1. Kevin Fairhurst

            Re: old password

            Do I say yes?

        2. Mike 16

          Re: old password

          We did have one machine (file-server for about 200 people) named GOD, until a devout user complained. We had to change the name to GAWD.

          Later a new file-server was named for the head of "the other side"

          1. Cheshire Cat

            Re: old password

            I was one year too late to have used the university's PHysics Undergraduate Computer Resource, named by its acronym. Someone caused it to be renamed for some reason.

          2. DoctorPaul

            Re: old password

            Back in the 90s I was the webmaster for god for a while, that is the Global Online Directory at www.god.co.uk

            1. Giles C Silver badge

              Re: old password

              I’ve mentioned this is a comment before but a friend of mine created a server

              Blackberry Enterprise Server for EXCHANGE number 01

              Or besexchange01

              When pointed out we just laughed and it stayed in place for at least 5 years

              We also had a back door password for most of the network kit a various of “its all gone wrong” better not put the full version in as it is probably still in use 5years after I left the company

              1. Anonymous Coward
                Anonymous Coward

                Re: old password

                I still laugh at "ExpertSexChange dot com" (changed to avoid domain squatter) which did eventually change its name to "experts-exchange.com"

        3. Antron Argaiv Silver badge

          Re: old password

          You're only making it worse for yourself...

      4. Eclectic Man Silver badge
        Unhappy

        administrator passwords

        I once, for a highly prestigious client (City of London chaps, really really nice chaps, good chaps all round)* installed, as part of a team a PKI communications system using the then 'Xxxxxx** Technology's' finest, umm PKI server. Thing was, you could not change the Administrator password, ever. So, if, perchance, an Administrator left the employ of said really nice chaps, with a teensy chip on their shoulder, there was nothing except the client confidentiality NDA protecting the password and the person's absolute honesty and integrity.

        Honestly there were so many problems with that software that it is no wonder they no longer sell it.

        *Well, really really RICH chaps, who can afford much better lawyers than I can, so I'll call them nice and leave it at that.

        **As before, lawyers, etc.

        1. Evil Auditor Silver badge

          Re: administrator passwords

          Well, there is an ERP system which used to have a manufacturer's hidden admin account with hardcoded password. No one could ever change that password or block this account. The ERP system still exists, fortunately the admin account with hardcoded password was removed about eight years ago.

        2. J. Cook Silver badge

          Re: administrator passwords

          Oh gods, that gives me flashbacks to the old RSA servers we had on prem for a while; It was fun times getting access back to those when the administrator fobs all expired after I inherited the admin hat for them...

          (It was convoluted, but involved physical access, the serial number of the box itself, and the vendor's support access account which had local admin on the machine, IIRC.)

          Thankfully, we've long since migrated away from those, especially when I went to get support on one of them and they went "heck no, those have been out of support and EOL for three years now, but we'll get you set up on the virtual machine iterations of those and move your token databases over as a courtesy." A nice gesture considering a 20 pack of tokens was something like two grand at the time...

  8. Anonymous Coward
    Anonymous Coward

    Oh....

    We went a step beyond that in college (they ran RM networks over NT4 systems) and found the docs for said software.. Which listed all the default accounts and some small print warning about changing the defaults.

    So "we" (myself and a few other friends) thought we'd do the responsible thing and double check...

    We might have been told off several times as to how a network privilege ban never seemed to last longer than getting to the next break time but it was only on our last day that things were figured out. Probably because we locked the admin out their own account so they finally went looking for other defaults, along with some basic maths of putting 2+2 together....

  9. jake Silver badge

    Sometimes you do what you have to do.

    A couple decades ago my daughter got into trouble after getting root on a college Apple "server", so she could change a few settings to make it run more smoothly. After the so-called sysadmin found out and told management, she was going to be banned from the college network for a year ... but the sysadmin stepped up and admitted that her work fixed a couple-three major bottle-necks. She married him 5 years later ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Sometimes you do what you have to do.

      ... but the sysadmin stepped up and ...

      ... married him 5 years later ... ...

      The best among the best I have read in this column.

      Being Friday, have a couple of anonymous ones on me ---> |**|D |**|D |**|D

      .

    2. lglethal Silver badge
      Trollface

      Re: Sometimes you do what you have to do.

      She married him 5 years later...

      So no good deed goes unpunished? :P

      1. Anonymous Custard Silver badge
        Headmaster

        Re: Sometimes you do what you have to do.

        So which of them was the Bronte fan?

        1. jake Silver badge

          Re: Sometimes you do what you have to do.

          Somewhat strangely, the Brontes never wrote about love in the data center, even though they were contemporary with Ada Lovelace,

          1. The commentard formerly known as Mister_C Silver badge
            Coat

            Re: Sometimes you do what you have to do.

            "love in the data center" sounds more like Aerosmith to me.

    3. Doctor Syntax Silver badge

      Re: Sometimes you do what you have to do.

      A Jake Austen ending!

      1. jake Silver badge

        Re: Sometimes you do what you have to do.

        It;s not my story, I'm just sharing it.

  10. tseeling

    story does not sound plausible

    The story sounds strange. Why would a DC be accessible in the CS lab?

    And if it really was it can't be an important system except for lab purposes.

    If the lab is open for students on the weekend there would be a hotline to call in case of problems.

    In the end if the student really "fixed" the DC I would have just left it at that and not tell anyone about it.

    The situation before was "working", then it didn't, then it did again. No need to tell anybody why.

    1. nintendoeats Silver badge

      Re: story does not sound plausible

      You find it implausible that people have different motivations and behaviour than you?

    2. doublelayer Silver badge

      Re: story does not sound plausible

      If I find out that something is quite insecure such that a student can get privileges they shouldn't have, I'm going to be tempted to tell someone about it. That situation may make it easier to fix things as in this situation, but it can also be abused. The only reason I wouldn't tell someone is if I thought I'd be unfairly punished for finding it out, which unfortunately is somewhat common.

    3. Anonymous Coward
      Anonymous Coward

      Re: story does not sound plausible

      Having the CS lab on the live production domain does NOT surprise me at all.

  11. Killfalcon Silver badge

    I've never guessed a password, but I have socially engineered my way into the office (a secure site, by my employer's definition) by accident.

    I used to have to come into the office at odd hours (testing things would be working before the main body of the department came in, usually). Never got questioned by security. Wandering in Sunday mornings? They'd just smile and wave me through.

    At first I assumed it was because, per process, my manager had been notifying them I'd be on site, but turned out he usually forgot. I wasn't registered to be in.

    I was fond of 10am starts (and thus, 6pm finishes), and as the last one out of the office I'd often find myself having to deal with whatever was left over if someone had brought in cakes for their birthday, or celebrating a delivery. I'd take what was left over, and give it to the security/reception desk on the way out - 24 hour security guards, it turns out, really appreciate being given free snacks. And once you're a Friendly Face to security, questions stop getting asked...

    1. Anonymous Custard Silver badge
      Headmaster

      Security, secretaries, storespeople and techinicians - the holy quartet.

      If you can get in the good books of those, you can get absolutely anything done in the place...

      1. The Oncoming Scorn Silver badge
        Pint

        You forgot Facilities.

      2. Old Used Programmer

        There are others....

        Don't forget the data entry supervisor and the IBM System Engineer for your installation.

      3. Emir Al Weeq

        Don't forget post/deliveries.

        I would always pop round to the post room in early December with a tub or two of chocolates and wish them "Merry Christmas" just before the annual "do not use the company address for personal deliveries" email came round.

        They never delivered obvious Christmas purchases to my desk where the boss could see, instead a quiet phone call would advise me to bring my car to the delivery entrance at the end of the day and they'd help me load up.

    2. NXM Silver badge

      backdoors

      Years ago I did a stint at an aviation site which shall remain nameless. It was very secure....

      Except if you walked in through the front doors of the admin building and out of the back, which allowed you to sidestep the security barrier and potentially steal a plane. If you had the ignition keys, of course.

  12. Richard Pennington 1
    FAIL

    Giving out the password to a privileged account

    About 30 years ago, I was working on the sort of collaborative project where there was a librarian who signed out parcels of work to the techie types (myself included), and signed in the work packages when complete. The librarian's account was privileged to the extent that it could be used to change access rights to parcels of work in various states of completion.

    The operating system was VMS.

    On one occasion, I was working a weekend shift with not many people around, and the librarian came across to my desk, wearing a puzzled expression. She had tried to login to the system, and instead of the expected system response, the printer had jumped into life and had produced ... a single line of text. Or, to be more precise, more than one line of text, overprinted to appear as a single line. She showed me this page, thinking that - as the sole techie present at the time - I might be able to figure out what was going on.

    Disentangling the overprinted text, I realised that there were in fact two lines (as I mentioned, overprinted). And they could indeed be disentangled character by character, and I could make intelligent guesses as to which characters belonged to which line. At which point ...

    [Myself:] "You do realise what you have just done?"

    [Librarian:] <confused>

    [Myself:] "You have just given me your password."

    [Librarian:] "You know my password?"

    [Myself:] "I do now".

    I then showed her how the two lines of overprinted text could be separated into a plausible userid for a librarian, overprinted with other characters which could reasonably be a password. So now there were two pieces of paper with the password: the original print and the piece of scrap I had used for the demonstration.

    [Myself:] "I suggest you do two things: change the password, and destroy those two pieces of paper".

    I still don't know how she accidentally subverted the system so as to get it to print out her userid and password. It never happened again.

    1. GlenP Silver badge

      Re: Giving out the password to a privileged account

      VMS had some peculiarities such as equating file and device names, so I can see that it could be possible, although it may have been someone else setting it up deliberately.

      When I worked at the local college (now a university) we had an independent management centre on site which used our VAX. We had a printer in there called, naturally, XXMC (name changed to protect the guilty!) One day we had a puzzled student arrive at the computing reception, she was doing a project relating to the Management Centre, had spent all morning typing it up and now couldn't find it. We asked her the file name and the penny dropped, she'd naturally named her file XXMC. A quick dash over there to retrieve the many pages of print out, then we had to deal with a student now in floods of tears thinking she'd lost her work. Fortunately in those days staffing levels were such that one of the department secretaries offered to type it back in for her, crisis averted.

    2. Peter Gathercole Silver badge

      Re: Giving out the password to a privileged account

      The printer was probably attached to the printer port on the back of her VT100 or VT220 (or whatever compatible terminal it was) and somehow she had turned on the printer port either as an alternative to the serial line to the VAX, or in addition to it.

      This could be done in the setup, or by a character sequence sent to the terminal, or sometimes on some terminals by a sequence of keypresses. The reason why they were overprinted is that "Enter" on the keyboard generated a carriage return without a linefeed, so the print head moved back to the left column and overprinted the text.

      I used to do some very obscure things on a Falco 5220e VT220 compatible terminal, which allowed you to use the second RS232 port as either a printer port, or as a connection to another host, controlled by escape sequences. I would log on to the second server on the second port, run a command to capture input to a file, switch back to the first, and then turn the second port to a printer port and turn it on, and cat a file to the screen (I think I even went to far as to put the capture command in the stream sent to the second system). By using uuencode and uudecode, I had a reliable, error-checked binary file transfer mechanism between two systems that were not network connected (we had a terminal concentrator switch that allowed you to select which host you could log on to).

      Colleagues used to wonder how I could move files around between systems so easily!

      1. Mike 16

        VT100 printer-port flashback.

        Ah, the days, when WFH included a VT100, a Flexowriter, and the astonishingly fast 1200 bps modem.

        I did manage to get stuff done, somehow.

      2. An_Old_Dog Silver badge

        Falco Terminal Keyboards, Copy to Alternate Port

        I found Falco terminal keyboards pleasant to use. The multiple-serial-ports/"echo-to-printer" feature you described also was present in other terminals I've used. Terminals from ADDS and Esprit had three serial ports: Host A, Host B, and Printer.

    3. An_Old_Dog Silver badge

      Getting the Password -- the Human Factor

      In uni I we had Control Data Cyber 73 mainframe running CDC's "KRONOS" operating system. Properly-prepared card decks looked something like:

      Job Card (preprinted/prepunched; grab one from the stack in the I/O room; orange for prime shift, blue for evening shift, green for night shift. Tear off the ticket portion and show it to get your cards and printout back from the I/O room clerk)

      User Card (you punched this with your account name and password)

      additional batch commands

      7-8-9 multipunched card ("End of Record")

      program source

      7-8-9 multipunched card ("End of Record")

      program data

      7-8-9 multipunched card ("End of Record")

      6-7-8-9 multipunched card ("End of Information" - an end-of-job card)

      As an experiment, I once created and submitted a deck like the following:

      Job Card

      User Card

      COPYSBF INPUT,OUTPUT

      7-8-9

      (no 6-7-8-9 multipunch EOI card!)

      This worked as I'd expected: it copied the input cards to the line printer (default output device). My "input" file was the cards of the job following mine, which included that user's User Card, which included their account name and password, which was on my printed output. Some random user probably was puzzled when they got their cards back, but with no printout (because their job had never run, as their cards were read as data for my own job).

      The I/O room clerks were supposed to check all input card decks for proper beginning and ending card sequences, but sometimes they got sloppy or lazy -- a human factor in system (in)security.

  13. Boris the Cockroach Silver badge
    Pint

    Remember

    that the chances of the root account/password being Admin/1234 are 1 in a million

    Therefore it will crop up 9 times out of 10

    Beer in memory of Sir Terry

    1. Eclectic Man Silver badge
      Happy

      Re: Remember

      I am just reading 'Terry Pratchett, A Life With Footnotes*' by his former personal assistant and friend, Rob Wilkins. It is really rather good. A bit Pratchett-esque, but not annoyingly so.

      *The Official Biography

      ISBN 978-0-8575-2663-2, £25 from Waterstones.

      1. Stephen Wilkinson

        Re: Remember

        Be prepared for lots of visits from the Onion Fairy - at least I got visits when I read it!

        1. Eclectic Man Silver badge
          Alert

          Re: Remember

          ?

          How on Earth does one prepare for a visit from the Onion Fairy?

          1. Anomalous Cowturd
            Facepalm

            Re: Remember

            "How on Earth does one prepare for a visit from the Onion Fairy?"

            Tissues.

        2. Eclectic Man Silver badge
          Unhappy

          Re: Remember

          I can confirm that I have finished the book and been visited by the aforementioned fairy.

          Thanks for the warning.

  14. Stuart Castle Silver badge

    I think the system admins deserve a slap for picking such an easy to guess password..

    Students have a habit of finding weaknesses in systems. Especially Computer science students. Bear in mind some of them are studying hacking techniques, so are perfectly capable of doing a lot of damage, and are willing to in some cases.

  15. ByteMan

    Re: A Grade hacking...

    Many years ago, while working as a Wintel tech lead for a Newcastle base utility company, I had to travel to Alderley Edge to attend a Compag Proliant Accredited Platform Special course. At the end of the three days, I ended up fixing the config for the exam software which was broken, otherwise all attendees would have had to travel back at a later date, to take the exam. O those were the days, and I also got 95% on the exam :-) .......

  16. Eclectic Man Silver badge
    Pint

    Command.com

    Ahh, the good old days of the 'boot from floppy'* hack are long gone, so, so sad.

    *'Boot from floppy' was a way to get around the PC's boot sequence and use a pre-prepared floppy disk** to boot a PC and gain access to the then unencrypted hard drive*** and basically control the computer. I only did it once, and that was on a PC I had authorisation to access, honest. You just had to load the disc and at the prompt run the file "command.com" too obtain access to all system utilities.

    **Floppy disc: These were data storage devices made of a flexible rust-coated plastic disc which fitted into a 'floppy disc drive' on the relevant PC. For PC's they were originally 5 3/4 inches in diameter, but then as data density increased were incased in a had plastic case with a sliding door to cover the read/write location.

    *** Hard drives were basically a hard version of a floppy disc, where the platters were generally based on glass, rather than plastic, and span much faster.

    (Gordon Bennett! the amount of explaining one has to do now that everyone uses SSDs. I mean this technology was in use only 15 years ago. I must be getting old. It's Friday, I need a pint.)

    1. A.P. Veening Silver badge

      Re: Command.com

      Make that 5¼"

      1. Eclectic Man Silver badge
        Joke

        Re: Command.com

        D'Oh, yes, of course, you are entirely correct.

        What an idiot! I'll just talk amongst my self until I feel better.

        NURSE! Is it time for my medication yet?

    2. Sgt_Oddball
      Holmes

      Re: Command.com

      5¾"? I thought they were 5¼"? and besides, they weren't the first. The first floppies came on 8".

      There was also lots of other bizarre formats and sizes, even on the same size disk on occasion (SD/DD/HD 3½" diskettes anyone?)

      1. Emir Al Weeq

        Re: Command.com

        I was going to say the same thing about 8", but the comment did relate to PCs and I never saw 8" as standard on a PC.

        (Although I suspect someone here will have seen it done.)

        1. jake Silver badge

          Re: Command.com

          My first PC (personal computer) was a Heath H11, in late 1977. It has[0] 8" floppies.

          [0] Yes, has. I still own her, and she still runs. Loudly.

        2. Eclectic Man Silver badge

          Re: Command.com

          The ICL mini computer on which I attempted (and failed) to learn to program in COBOL in the late 1980's used 9" floppy discs.

          1. jake Silver badge

            Re: Command.com

            "9" floppy discs."

            Typo? ICL did some ... odd... things, but I don't remember a 9" floppy being among them.

        3. Doctor Syntax Silver badge

          Re: Command.com

          "I never saw 8" as standard on a PC."

          People were calling microprocessor-based computers PCs before IBM contrived to hi-jack the term. They included Z80-powered S-100 bus machines and I had one of those in the lab. It used 8" floppies.

      2. Andy A
        Facepalm

        Re: Command.com

        The French were forced to invent new official computer jargon so as to stop the spread of Franglais.

        So they ended up with "disque souple de trois pouce et demi", because there was already an official French word for "inch".

        Of course 3.5 inch is actually the rough Imperial equivalent of exactly 9 centimetres.

      3. Robert Carnegie Silver badge

        Re: Command.com

        In the Harry Potter books they use a 5¾" platform. :-)

        Boringly but necessarily, magic in these books stops electronic equipment from working, which raises an eyebrow when one character is seen apparently talking on a cellphone or walkie talkie.

        1. Peter Gathercole Silver badge

          Re: Command.com

          It was Platform 9¾.

          Whoever heard of something as silly as Platform 5¾!

          1. Robert Carnegie Silver badge

            Re: Command.com

            It was a joke, mate. :-)

            So was Platform 9¾, of course.

            Just like the supposedly reasonable magic money system where each denomination is a different random multiple of the next lower coin. Imagine real money working like that!

            That's a joke as well. :-)

    3. jake Silver badge

      Re: Command.com

      "where the platters were generally based on glass"

      Originally alumin(i)um. Various ceramics have also been used for platters/

      "rather than plastic"

      Floppies (and mag tape) are almost universaly mylar, although I've seen a few cheap generic disks that were made of something less stable.

      "was in use only 15 years ago."

      It;s still in use today, in various places. A couple of weekends from now I will be doing the annual cleaning & adjusting (if needed) of a couple of 8" floppy drives that have been in near daily use since the late 1970s. They are attached to a couple pieces of equipment at a machine shop located in SillyConValley. I've replaced the read/write heads & the motors a couple times each with NOS[0] parts that I squirreled away in the '90s .... sometimes being a packrat pays the bills.

      [0] New Old Stock ... brand new product that's been on the shelf for a while.

  17. Anonymous Coward
    Anonymous Coward

    Hacking an airport

    Many years ago I was on a business trip and came early to Quebec International Airport to catch a flight. It was not all that many years ago (read: a few years after 9/11), so the first thing as you come to the airport is security. I went straight through thinking that in the secure zone I'll find pubs, coffee shops, duty free, and other conveniences. Instead, I found a totally empty cavernous hall with no one but a few attractive ladies in Air Canada's red uniforms chatting among themselves behind a counter. Details elude me, but mine was probably an early morning flight, so I was literally the only civilian there.

    So I decided I could catch up on some work, opened my laptop, and quickly confirmed that even though I got a 192.168.0.something address I could not reach anywhere beyond that network. After restarting the network a couple of time, to no avail, on a hunch I typed https://192.168.0.1 into the browser and got exactly the same login screen as my WiFi router at home. Given that the network is unroutable I decided the router could not be the official airport WiFi. Guess what I did next? Correct! I typed the default admin/admin user/password combo, just for the hell of it. Lo and behold - I am admin on whatever it is that gives out IP addresses, routes traffic, has a firewall, etc., at an international airport!

    At this point I came to the conclusion that I had broken enough laws, logged out from the router, shut the laptop down, approached the ladies in red uniforms behind the counter, introduced myself (it helped that I had an impressive-sounding - to "civilians" only! - title at a household name computer company, with a business card to prove it), and explained the situation. I will forever hold Air Canada personnel in very high regard: the ladies immediately got the point, took the gravity of the situation as seriously as I myself would, thanked me, and asked me to wait right there while they make some calls. One of them actually went somewhere at a brisk pace.

    In a few minutes a policeman arrived. Uh-oh... I reintroduced myself - with Air Canada girls in rapt attention behind the counter - and retold the story. At no point did the policeman treat me as a cyber-criminal or a suspect - just thanked me, asked for my business card, and requested that I remained right there (I had a flight to catch, I wouldn't go anywhere) while he would find out what was going on. He came back a short while later to thank me again for my help and quick action to alert the personnel and security. he made it clear that I was not under any suspicion of doing anything but being very helpful.

    Out of curiosity, I asked if he could tell me what damage could be done if I was not the law-abiding me. He could. It turned out that some maintenance work was being done nearby, and in order not to interfere with the main airport WiFi they brought in a router and created a temporary network. Either they hadn't thought it all the way through, or maybe they didn't think anyone would arrive that early in the morning, but they didn't realize that their temp router would start giving out addresses to anyone who asks, would thus be noticeable, and would be very insecure due to default settings. The policeman even said that I could not reach any really critical system, such as flight control, from where I was, but I could potentially do something nasty with systems controlling the departure/arrival information displays throughout the airport, and messing that up could cause serious trouble among the members of the flying public.

    Well, that was a bit of a mess, but all ended well and I was very impressed by the way the situation was handled: calmly and professionally. It was clear that neither the Air Canada ladies not the policeman were engineers, but they understood things immediately on the basis of common sense, knew whom to report it to and even how to get reasonably detailed non-technical information about what exactly had happened and what was affected. And how to treat the innocent helpful sod who reported it - respectfully and politely. Well done!

    The flight out of Quebec was uneventful.

    1. Doctor Syntax Silver badge

      Re: Hacking an airport

      "with a business card to prove it"

      None of the Air Canada ladies nor the policemen must have watched the Rockford Files.

      1. The Oncoming Scorn Silver badge
        Pint

        Re: Hacking an airport

        I remember one episode of that where Jim & his client\victim of the week were challenged by a suit with a ID badge quick fight or they make their escape as fast as possible.....

        (Paraphrased)

        Why are we running from that *******, hes an official.

        He's not, his card is a fake!

        How do you know?

        The background is pink not green.......... same as the one I have.

        1. Eclectic Man Silver badge

          Re: Hacking an airport

          In the Joseph Gordon-Levitt movie 'Premium Rush' (well worth watching for the cycling acrobatics alone) the cop attempts to claim a false provenance of authority, but a young lady is able to read the card he proffers.

    2. David Nash

      Re: Hacking an airport

      You were lucky....some authorities might regard connecting to 192.168.0.1 as hacking, especially after entering the default login, irrespective of your motives.

  18. Phones Sheridan Silver badge

    I think the modern day equivalent would be the Bootable WinPE USB disk, loaded with, ahem, configuration utilities :p

    1. J. Cook Silver badge

      .. or any number of bootable linux thumb drives advertised as for data recovery.

      Although frankly, nothing will work if the drive's been encrypted with something like Bitlocker and the password (or bypass code) has been lost.

    2. Jou (Mxyzptlk) Silver badge

      You mean, like a install-DVD ranging from Vista to Windows 11 (or Server 2008 to Server 2022)? Even with original CDs, boot into CMD, and have your tools on USB.

  19. aerogems Silver badge

    I have often found that the more upset someone is in situations like this one, it's because they're embarrassed about someone uncovering their incompetence. Odds are the reason Jr got away with just a warning was because some (non-system) administrator asked how it was so easy for someone to guess the admin password and the sysadmin didn't really have a good answer so backed down on their demand to have Jr expelled.

  20. Stork

    There was a period I used my monitor model as password

    1. Robert Carnegie Silver badge

      it saves the cost of a Post It note.

      What if they replace your monitor, though?

  21. Anonymous Coward
    Anonymous Coward

    Top Experts

    Years back I left a project supporting redacted in their computer forensic and analysis group because of extreme Dilbert. A week later they were in a screaming tizzy because I hadn't left them the password for my desktop Linux machine.

    "Let me make sure I understand. Your remaining team of computer forensic experts can't get into an unencrypted desktop Linux machine you have physical possession of, is that right?"

    I had to go back on site and unlock the machine for them.

    1. Martin
      Happy

      Re: Top Experts

      I hope they paid you for the travel time and inconvenience for returning to site.

      1. jake Silver badge

        Re: Top Experts

        I'd have let them know up-front that it'd be travel time, mileage on my vehicle, and my standard four hour minimum.

        On my schedule, not theirs. Extra for "right now" or weekends.

        Incompetence on their part doesn't mean charity work, nor an emergency, on my part.

  22. An_Old_Dog Silver badge

    Wheels within Wheels

    At uni we had a PDP-11/45 running v6 Unix. I was then a Unix newbie, and began exploring the filesystem. Most people had all the files in their home directory world-readable with permissions 644. I found a document in a CS prof's home directory in which he had written that the CS department had too many students, and proposed the department create "flunk-out" courses designed to intentionally reduce the number of CS students. As a second-year, this worried me until I recalled that this prof was a very smart guy, Unix knowledgable, and wondered why he'd be so careless as to let world+dog potentially see such a file.

    I concluded he wanted that file to be found, to scare off some CS students, and I never did encounter a "flunk-out" CS course.

    1. John Brown (no body) Silver badge

      Re: Wheels within Wheels

      "I concluded he wanted that file to be found, to scare off some CS students, and I never did encounter a "flunk-out" CS course."

      There may well have been an ulterior motive for a scheme which never actually materialised, but I don't think explanation adds up. After all, those who "discovered" said file would probably be those least likely to flunk out.

      1. jake Silver badge

        Re: Wheels within Wheels

        "those who "discovered" said file would probably be those least likely to flunk out."

        That type is, however, most likely to brag about their exploits among their peers, thus getting the message out.

        As a lecturer, your humble scribe may or may not have engaged in such misdirection ...

      2. A.P. Veening Silver badge

        Re: Wheels within Wheels

        After all, those who "discovered" said file would probably be those least likely to flunk out.

        True, but how well did they keep it a secret?

  23. LateAgain

    If they seriously wanted to punish him

    He'd be doing the weekend cover m

  24. tweell

    Network security - we've heard of it

    I was asked to check a network at a 'secure facility' for issues and violations. This place had fiber to the desktop and used token + biometric to log in. Unfortunately, one of the VIPs decided he wanted wireless access (not allowed, by the way), brought in a Netgear wifi router and connected it to his PC. He compounded the error by setting the wifi login to admin and password. He'd bullied the IT admin into allowing his login to never time out, so I quickly had control and access.

    When I told folks about the breach, there was much scurrying about, and I was removed posthaste. Later I was scolded for poor communication skills, as I'd embarrassed a great man and should have done better. The wifi router was confiscated, the VIP's account was set back to logging out after ten minutes inactivity, and I was scolded again, this time by the IT administrator. Our gentleman could never remember his password, and would call the IT admin (bypassing the helldesk) multiple times a day for a reset. Oh well.

    1. Jou (Mxyzptlk) Silver badge

      Re: Network security - we've heard of it

      "Shoot the messenger, not the culprit!"

  25. Antron Argaiv Silver badge
    Pirate

    SGI Indigo

    I was given it, previously used by my boss, as a footrest, and (way) before that, as a mechanical CAD workstation.

    I was bored, and thought I'd see if I could get it running. $250 worth of adapters later, I've got a PC keyboard, mouse, AUI to 10BASE-T converter and VGA monitor hooked up to it and a login prompt. Problem is, our IT guy can't remember what he used as a root password.

    However, the system came with some demo accounts (demo/demo), which had not been deleted, and which could read /etc/passwd (this is an OLD system). The encrypted root password field was copied from that file and plugged into a commonly available password "ripper". It produced a password which worked. The Indigo is a fairly well protected machine...one does not simply access the hardware from the boot screen (and I had no handy SCSI-1 machines), so I'm glad I thought of that way in.

    I bought a used SCSI HDD off ebay (so as to preserve the original), set up my Linux system as a TFTP server, and created a new system drive, with the last available version of Irix, an ISO of which was sourced off the web. Lots of retro fun was had.

    Best part? Several moths later, our now former IT guy calls me, tells me he was cleaning out a filing cabinet at home and hands me a sealed envelope with the root password in it. :-)

    1. nintendoeats Silver badge

      Re: SGI Indigo

      Heh, I had a similar experience with an Indigo2 I bought off eBay a while back. I sent the password file to a friend who is into encryption, he was able to sort them all out. Unfortunately it was primarily a networked machine, so there was nothing interesting on the drive :(

      Also, it's so big/heavy/loud that I basically never use it p_p

  26. pstones578

    Surprised he wasnt expelled for hacking the places systems. Unfortunately even with a crap password this still comes under computer misuse and hacking type stuff. BUT, I think they landed on the right side of this decision.

  27. steviebuk Silver badge

    Embarrassed & Netbookgate

    “Finally, a week or two later, he was hauled in front of some bigwig and told that he would only receive an official reprimand, and that this was his one and only pass.”

    You've embarrassed us so we're gonna bollock you due to our screw up.

    I had experience of this way back in 2009 in the NHS, the fuckers. I was at a Trust's site with an ex-engineer in another department. He knew all the passwords as nothing had been changed, they were even still using the remote connection software he created for connecting to PCs. Anyway, that Trust didn't like the IT department that had been created to support all local Trusts and were trying to break away and do their own thing. The ex engineer was helping them due to now being employed by the Trust. He asked for help putting some new netbooks on the network that they were trialing as they didn't want to use the HPs that had been forced on them (due to the HP being a bit of a shady deal between HP and the director of IT they didn't like, neither did I, he was a pure cunt). I helped him to make sure all was done securely, as I told him "Well you know the passwords so I'll help to make sure they are done properly". Once done, I informed the stakeholder for the site about the netbooks and being a temp, I was ignored. Not even a "Thanks for letting me know".

    Roll on 3 months later we all get an e-mail "Does anyone know why these netbooks are on the network?". Yes, I told you about them 3 months ago. Why they were on the network and why I helped.

    All hell broke loose. I was reported to the CEO of the IT Department who said "Get rid of him" (she was also an arse and had been milking her high wage for years). But our head of IT and Networking heard and tried to calm the situation down. She said I'd done what I'd done with all the best intensions AND I'd informed them at the time but had been ignored. It changed from "Get rid of him" to "Can you come and have a chat with me about what happened" from the Head of Service (who was also a nasty fuck). When I told my manager he was pissed and called the Head of Service, informing him "You know you can't just have a random 'meeting' with him, you have to allow someone in the 'meeting' with him, he's allowed representation". So we go into the meeting and I explain again what happened, all that was already in my original e-mail. I said "I told you all ages ago that when an engineer leaves all admin passwords should be changed but they never are. So there was a risk he'd just put them on the network himself". The head of service admitted he was partly at fault as it was supposed to be his project that passwords were changed. They then took away the network share we used for all software and utils. I refused to apologies as I did nothing wrong, my manager said it for me and after the meeting said "I knew you weren't going to speak because you were so annoyed so I did it for you otherwise they'd have just let you go" I didn't last much longer, my contract expired again and they didn't renew it. The arse ex engineer from the Trust never bothered to try and help with the situation either.

    It was a clear example of them fucking up (the stakeholder ignoring my e-mail 3 months earlier) and choosing to throw me under the bus instead of admitting their mistakes.

    I've long moved on but sadly, the bitterness has bugged me for years. The IT department eventually got disbanded as the new government came in and they all moved on. I, sadly, hold grudges and when heard 5 years ago that the ex Director of IT had cancer but had survived it, I couldn't hold it my distain for him and spurted out "Shame he never died of it". I hate him with a passion. Something is very wrong in a company if staff end up hating a manager that much. You're clearly a poor manager if your staff hate you that much.

  28. cdegroot

    Actual black hat baddie

    We had a PDP11/44 in uni and Oracle was on it. A course used a lab database crafted by a teaching assistant. One weekend I was bored and started reading some manuals, where I learned that Pracle installed with default passwords.

    To cut it short, one “sys/change_on_install” later I was wondering how to best test whether it actually worked, and “drop database <lab db>” was the only thing that came to mind.

    They figured out it was me, called me in, and I never forget the expression on the TA’s face when I apologized and added “but you have a backup, of course?”

    Learned me some lessons, there.

    1. G.Y.

      Re: Actual black hat baddie

      Is your name Johnny Tables?

  29. Starace
    Devil

    Brings back memories

    Back in the day my account on the main network somehow had no quotas, no audit, and didn't even appear in the active users lists when I was logged in.

    No idea how that happened, the only real useful bit was the unlimited storage space.

  30. Griffo

    Sometimes interpreted correctly

    Back when I worked for CSC (now DXC) we had a junior engineer start with us fresh out of uni. Two weeks in, he hacked the payroll system, but took that information and how he did it to the new head of infosec. A week later he was no longer a shit-kicker but was a junior infosec analyst. Correct reaction from management there.

  31. hammarbtyp

    Access all areas

    As was doing some work looking how we could better use email information as part of a issue tracking database. Our email had recently been transferred from Lotus Notes to corporate gmail, but we still had access to our own Lotus notes email archive. My manager showed us how to gain access, then for a laugh I tried to see if I could access anyone elses. I was amazed to find that not only could I access my own, but i could also access anyone else instead of senior management. Obviously when they did the transfer they had disabled access security but had not enabled it

    The temptation was to trawl through all our managers email looking for some juicy gossip, but being a good boy I reported it to IT

    3 months later, I tried again. I still had full access. Clearly IT had ignored my warning. In fact it took my boss and his boss independently to try and raise it with IT.

    A work colleague of mine was furious though. They had wanted access and were annoyed i had never told them

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like