Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Welcome back to On Call, a special corner of The Register where readers can share tales of their cries for help and the deaf ears on which they fall. Today's yarn, which includes a non-Linux-based solution to Active Directory woes, comes from a reader we shall call "Clive", who was struck with a run of bad luck at the hands of …

  1. TonyJ

    Ahhh passwords...

    My brother-in-law worked at the same company as I had.

    Literally 10 years after I'd left, the Domain Administrator password was the same. And weirdly, as I type this, I remember it.

    1. Anonymous Coward

      Re: Ahhh passwords...

      > And weirdly as I type this, I remember it.

      Password1 is really easy to remember, that is why I use it for everything. ;)

      1. Anonymous Coward Silver badge
        Holmes

        Re: Ahhh passwords...

        Unfortunately Password1 doesn't meet many complexity requirements. That's why I use P@ssword1 instead.

        1. Tigra 07
          Coffee/keyboard

          Re: Ahhh passwords...

          Unfortunately P@ssword1 doesn't meet my password length requirements. That's why I use P@ssword123 instead.

          1. Anonymous Coward

            Re: Ahhh passwords...

            I've used a lot of <my favorite password>1234 type passwords at places where they need to be changed often. They usually require it to be different by several characters, so then 1234 becomes 2345 and so on, and I've never had a contract long enough to be on 6789 and find out if it will let me use 1234 again.

            1. PerlyKing
              WTF?

              Re: Ahhh passwords...

              One place I worked had password management which detected whether or not a password was too similar to a previous one. Not identical, similar. The only way I can think of making that work is to store the passwords in plain text somewhere....

              1. big_D Silver badge

                Re: Ahhh passwords...

                Plaintext or encrypted. Hashing, as you rightly surmise, wouldn't work.

                1. Anonymous Coward

                  Re: Ahhh passwords...

                  It depends on the hashing algorithm. There are non-cryptographic hashes, too.

              2. xeroks

                Re: Ahhh passwords...

                They *could* have taken your password and applied maybe some kind of a standardisation algorithm to it. Maybe lowercasing it, and/or removing numbers and nonalpha chars, then saving the hash of that? (obviously they'd store the hash of your actual password too.)

                But they probably didn't.

              3. This post has been deleted by its author

                1. Daedalus

                  Re: Ahhh passwords...

                  But they would have to know the original password to do that. If the password is encrypted at source, they cannot know that. The only way they could know it is to store the password in plain text somewhere.

                  1. Remy Redert

                    Re: Ahhh passwords...

                    No, you take the new password, which hasn't been hashed and the original forgotten yet, and compute a whole bunch of likely variations and run those against the hashed old password. If any of them match, the new password is too similar to the old one.

                    If you don't get any matches, create the hashed password and get rid of the plaintext.

                  2. tiggity Silver badge

                    Re: Ahhh passwords...

                    If you want to be scared, try lots of online banking where they ask for specific numbered characters from your PIN and password

                    e.g. digits 1 and 3 of PIN, characters 3, 6 and 7 of password

                    Which would either mean plain text password storage

                    Or (not much better) the password is encrypted but in a format that can be easily decrypted to some degree (and so IMHO just security theatre)

                    Which is why other half does online banking and I avoid it.

                    1. Kiwi

                      Re: Ahhh passwords...

                      > If you want to be scared, try lots of online banking where they ask for specific numbered characters from your PIN and password

                      Kiwibank does it a little better.

                      First, you have your user number and long password/pass phrase (the number is NOT your account number). Then you get a system where a couple of characters have to be entered from your security questions. The nice thing is you can set your own questions OR choose the normal suggested ones (the latter being the sort of thing many people spaff all over social media - mum's maiden name, first school etc etc - keep trying to get through to dimwits that those are NOT security, same as a gubbermint department that I often deal with that, for 'security reasons', I have to speak my ID code into their system rather than typing numbers.. In a public place, anyone with a recorder (not like anyone has voice recorders in their pocket today...) has my details. Of course, in all likelihood their voice match system does a poor job anyway.. And I later have to give DOB etc also over voice.

                      But anyway.. Yes I see your point that the 'security questions' or 'select which number of your pin/pass' could have them stored in clear text, and I suspect the way you describe it the password field would give any shoulder-surfer the length of your password. They could keep an encrypted system that stores individual characters and total length (the latter having to be clear but the former shouldn't)..

                      I wonder... [buggers off, checks things, contacts bank's site team and leaves a few suggestions] Ok, you can use numbers with Kiwibank but they only show the relevant part of the keyboard, i.e. if you only use letters you only see letters. Dunno how they handle allowed spaces (will try sometime maybe). Have suggested a few changes including always having the full character set displayed, otherwise a shoulder surfer could get insights you might not want them having. Damn, forgot to mention the default security questions are commonly on people's farcebork profiles, or known by family (eg mom's maiden name). Ok, so I deliberately used ones my family would know, but not outsiders, but that's beside the point...

                    2. Michael Wojcik Silver badge

                      Re: Ahhh passwords...

                      There are other problems with these "partial password" schemes. They're really not a good idea.

                    3. Anonymous Coward

                      Re: Ahhh passwords...

                      Yup, I emailed Santander to point out the idiocy of asking for the xth, yth and zth character as I now had to write down the password rather than simply typing the whole thing from memory.

                      (it's now stored in KeePass in its 'expanded' form, so I just need to remember the passphrase for that)

                      What? use your app... the one that remembers everything and just needs a gummy bear to unlock!

                2. baud

                  Re: Ahhh passwords...

                  That's what Facebook do:

                  https://security.stackexchange.com/a/53483/

                  See this answer, with comment from a FB engineer.

              4. Anonymous Coward

                Re: Ahhh passwords...

                That is why there is sticky adhesive on the backs of sticky notes... and of course, why there is flat space on the under side of keyboards!!!

                1. Dave314159ggggdffsdds Silver badge

                  Re: Ahhh passwords...

                  Sticky notes aren't an urban myth, but anywhere that doesn't have hotdesking, 8/10 passwords are guessable within three tries based on the desk furniture, so it doesn't make much difference. Once you have physical access, you have access. Engineer the users, fiddle with the hardware, or just ask nicely. Hacking is for people too far from their target to do things properly.

              5. JimboSmith Silver badge

                Re: Ahhh passwords...

                A prog in the pre-email days used by a few people at an ex-employer's was password protected. It was an in-house prog giving you access to a company directory which included home phone numbers. The person that had written it obviously thought of security. Users were not allowed to keep the same password and were forced to change it every so often. Sadly he'd set it up to require changing after x* number of logins. One user exceeded this after two days. People wouldn't keep it open though and exceeded the login limit very quickly. A revised version was released quite quickly which used a date rather than number of logins.

                *I think it was 60.

              6. the spectacularly refined chap

                Re: Ahhh passwords...

                > One place I worked had password management which detected whether or not a password was too similar to a previous one. Not identical, similar. The only way I can think of making that work is to store the passwords in plain text somewhere....

                It can be done without plain text storage, you can learn a lot by playing with what they will accept. When I've seen that in the past the underlying logic hashed the first and second halves of the password separately, rejecting the new password if either half matches. That catches e.g. Password1 -> Password2 but fails on Password1 -> 1Password.
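Both checks described in this sub-thread, as an added example that is not code from any poster: hashing likely predecessors of the new password against the stored hash of the old one (Remy Redert's post), and hashing each half separately (the post above), including the Password1 -> 1Password case the half scheme misses. PBKDF2 with a deliberately low iteration count and the specific variation rules are assumptions chosen for the demo.

```python
"""Password-history similarity checks that never store the old password in
plaintext. Added example for this thread, not code from any poster or product."""
import hashlib
import hmac
import os
import re

# Constructed low work factor so the demo runs quickly; real deployments use a
# far higher count or a memory-hard KDF. The candidate set below is kept small
# precisely because every candidate costs one full KDF run.
ITERATIONS = 5_000
LEET = str.maketrans("@03$!", "aoesi")  # undo common character substitutions


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(password: str) -> dict:
    """Record kept in the history table: salt plus hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def matches(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def _shift_number(digits: str, delta: int):
    """Neighbouring values of a digit run, keeping its width: '09' -> '06'..'12'."""
    n, width = int(digits), len(digits)
    for k in range(-delta, delta + 1):
        if n + k >= 0:
            yield f"{n + k:0{width}d}"


def variations(new_password: str, delta: int = 3) -> set:
    """Plausible old passwords a user might have mutated into new_password.
    Covers the patterns posters describe: incremented suffixes (1234 -> 2345),
    a digit moved between front and back, -a/-b/-c suffixes, and @/0/3/$
    substitutions. Deliberately small and bounded."""
    cands = {new_password}
    m = re.fullmatch(r"(.*?)(\d+)", new_password)          # trailing digits
    if m:
        stem, digits = m.groups()
        cands.update(stem + d for d in _shift_number(digits, delta))
        cands.update({stem, digits + stem})                # dropped or moved to front
    m = re.fullmatch(r"(\d+)(.*)", new_password)           # leading digits
    if m:
        digits, stem = m.groups()
        cands.update(d + stem for d in _shift_number(digits, delta))
        cands.update({stem, stem + digits})                # dropped or moved to end
    m = re.fullmatch(r"(.*?)([A-Za-z])", new_password)     # single trailing letter
    if m:
        stem, ch = m.groups()
        cands.add(stem)
        cands.update(stem + chr(ord(ch) + k) for k in range(-delta, delta + 1)
                     if chr(ord(ch) + k).isalpha())
    for c in list(cands):                                  # case and leet variants
        cands.update({c.lower(), c.upper(), c.capitalize(), c.translate(LEET)})
    cands.discard("")
    return cands


def too_similar(old_record: dict, new_password: str) -> bool:
    """Reject new_password if any plausible predecessor hashes to the old record."""
    return any(matches(old_record, c) for c in variations(new_password))


def store_halves(password: str) -> dict:
    """The two-half scheme: each half hashed separately. Caveat: each half is a
    much shorter secret, so this is far weaker against offline cracking."""
    salt, mid = os.urandom(16), len(password) // 2
    return {"salt": salt,
            "left": hash_password(password[:mid], salt),
            "right": hash_password(password[mid:], salt)}


def halves_too_similar(record: dict, new_password: str) -> bool:
    mid = len(new_password) // 2
    left = hash_password(new_password[:mid], record["salt"])
    right = hash_password(new_password[mid:], record["salt"])
    return (hmac.compare_digest(record["left"], left)
            or hmac.compare_digest(record["right"], right))


if __name__ == "__main__":
    old = store("Password1")
    for pw in ("Password2", "P@ssword1", "1Password", "Password1a", "Password5"):
        print(f"{pw:12} too similar: {too_similar(old, pw)}")
    old_halves = store_halves("Password1")
    print("halves catch Password2:", halves_too_similar(old_halves, "Password2"))
    print("halves catch 1Password:", halves_too_similar(old_halves, "1Password"))
```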

          2. rcp27

            Re: Ahhh passwords...

            The place I work cottoned on to -1, -2, -3 suffix incrementation, and added a rule that the final character could not be a number. I had to break out of routine and switch to -a, -b, -c suffixes instead.

            1. Robert Moore
              Pint

              Re: Ahhh passwords...

              Just put the number at the beginning.

              1P@ssword

              2P@ssword

              3P@ssword

              These will never be guessed. :)

          3. AZump
            IT Angle

            Re: Ahhh passwords...

            Sadly, this is the password used to secure IT and Staff systems at my College.

        2. Anonymous Coward

          Re: Ahhh passwords...

          It works in most places, but yes there are some places where I need to use a higher security password containing a symbol... I wasn't going to tell you which symbol I add to the end... for security reasons?

          1. Anonymous Coward

            Re: Ahhh passwords...

            >It works in most places, but yes there are some places where I need to use a higher security password containing a symbol... I wasn't going to tell you which symbol I add to the end... for security reasons?

            My password contains the "@" symbol, which was great until the latest Windows 10 FR release reset my keyboard mapping from ENG-UK to ENG-US and I didn't notice. Took me a good couple of hours with the helpdesk to sort that one out!

            1. Captain Scarlet
              Mushroom

              Re: Ahhh passwords...

              Alt and Shift is a bloody stupid shortcut, always catches me out at the logon screen and last month whilst logged in.

              Every time I realise too late, ENG appearing in the taskbar, and then have to make the phone call to Helldesk to get unlocked.

            2. Manolo
              Flame

              Re: Ahhh passwords...

              Hah! I don't need no steenkin Windows 10 update for that! The Windows boxen at work do that spontaneously by themselves without an update.

              1. doublelayer Silver badge

                Re: Ahhh passwords...

                This can happen on Mac OS and Linux as well. I remember the occasion rather painfully when I had been working on an important recording (an audio project requiring a lot of editing and long-running operations) when I waited a bit too long and my machine locked. Only then did I realize that A) I had been writing notes on this project in Spanish, B) I was still set to the Spanish keyboard layout, C) my login window did not have a method to change the keyboard layout, and D) my password contained characters that were on the English keyboard but not the Spanish keyboard. Fun times, having to think about forcing a shutdown knowing that a lot of my work which I hadn't yet saved was going to be lost. It's fun when we first learn that saving should be done as often as possible and somewhat less fun when we forget to even though we've learned we should.

                1. JulieM Silver badge

                  Re: Ahhh passwords...

                  But at least with a Mac or Linux machine, you can usually ssh in from somewhere else and then find a way to fix things.

                2. ShadowDragon8685

                  Re: Ahhh passwords...

                  And this is why paranoid autosaves should be a thing. "Oh, the user has typed something? Let me save that, along with the last 2,000 other things they did, so they can undo/redo to their heart's content."

                  1. Kiwi
                    Paris Hilton

                    Re: Ahhh passwords...

                    > And this is why paranoid autosaves should be a thing. "Oh, the user has typed something? Let me save that, along with the last 2,000 other things they did, so they can undo/redo to their heart's content."

                    That can sometimes be a very bad thing in its own right.

                    Client's kid thought they'd make the computer faster by a 'factory reset'. Mom and Dad's tax documents and other stuff were there and not backed up. They brought it to me to do a recovery, and I ran a basic tool (possibly "GetDataBack" - nice tool to have!).

                    The problem is, there were a lot of documents recovered, and no obvious way to tell which was the latest. Autosaves every 5 minutes or less, meaning a new copy, where they might have the document open pretty much all day every day..... They were a bit upset that I didn't just recover the latest ones.

                    I tried to explain how much was there and how much time would be involved, and suggested they could pay me to NOT work on anyone else's machine for a few days to trawl through it all, OR they could give me some information that'd narrow it down (like a very recent cheque or other transaction).. But being clients - very much like another word that is just missing the E - (CLINTS - if you connect the dots...), well... I should've handled that better but I was all out of quicklime :(

                    HP's easy 'factory reset' and people's inability to read and comprehend stuff like "THIS WILL DELETE ALL OF YOUR DATA" gave me a lot of work at times.

          2. WonkoTheSane
            Trollface

            Re: Ahhh passwords...

            The "middle finger" emoji?

            1. Glen 1

              Re: Ahhh passwords...

              I do wonder how many places accept unicode in the password field. Certainly would make brute forcing less probable.

              1. Kiwi
                Black Helicopters

                Re: Ahhh passwords...

                > I do wonder how many places accept unicode in the password field. Certainly would make brute forcing less probable.

                I'd love to see a couple of things...

                The ability to use numeric keypad and surrounding keys as separate to the other number keys. Left or right shift use being different codes could also be nice - of course I don't think USB keyboards do the same scan codes like the older ones did do they? Never looked.

                And a separate login with the same username but different passwords. I've been in a couple of places where that could be useful for various things, including being able to have higher/lower level accounts but use the same everything else (same desktop, same browser/email profiles etc).

                Years back the alarm company that fitted out a friend's home gave them a main code as well as a "duress code" in case someone forced them to disarm. It wasn't appreciated by the sales person (aka "installer") when I asked if the duress code can be changed, and when I was told 'no' I pointed out that all of us in the room, if we were so inclined, could force someone to disarm and point out if we saw that code entered (think it was "1 3 9 7") we'd know what it was and do whatever threatened harm... But I did always like the idea of a 'duress password' and as most home computer OSs list the user accounts on screen and it'd often be obvious which belonged to who - having a 'duress' password that opened a different or similar-but-crippled profile (faked an internet fault or...) would be useful... Even if it does eventually risk coming under the same knowledge of its existence I mentioned above.

      2. Olivier2553

        Re: Ahhh passwords...

        Woah! You are very unsecure. You know you should use correcthorsebatterystaple. I use it everywhere now that I know about it and I am very secure.

        1. Fruit and Nutcase Silver badge
          Coat

          Re: Ahhh passwords...

          Shirley... horsebarnstabledoorclose

          1. GnuTzu

            Re: Ahhh passwords...

            If that's an Airplane reference, then surely somebody should respond "don't call me Shirley."

            1. Glen 1

              Re: Ahhh passwords...

              Yes they should, and don't call me Shirley

            2. Anonymous Coward

              Re: Ahhh passwords...

              Not Airplane (Looks like I picked the wrong day to give up correcting references) but XKCD ...

              https://www.xkcd.com/936/

              1. A.P. Veening Silver badge

                Re: Ahhh passwords...

                Whooosh!

        2. Dave314159ggggdffsdds Silver badge

          Re: Ahhh passwords...

          I use ******** most places.

      3. red floyd

        Re: Ahhh passwords...

        Are you sure it wasn't 12345?

        1. Jayce and the Wheeled Chairs
          Coat

          Re: Ahhh passwords...

          That's amazing I have the same combination on my luggage

          1. J. Cook Silver badge

            Re: Ahhh passwords...

            Was waiting for the Spaceballs reference, was not disappointed. A+++ would upvote again..

      4. Efer Brick

        Re: Ahhh passwords...

        what's the password recovery hint? "Rhymes with assword"?

        1. TSM
          Trollface

          Re: Ahhh passwords...

          At home, on the kids' computers, I use the same password on each for my account (which is the only admin account on their machines).

          The password hint for my account on computer A is "Same as on computer B" and the password hint for my account on computer B is "Same as on computer A".

    2. big_D Silver badge

      Re: Ahhh passwords...

      I started work at one company, as their first IT Manager. Until that point, they had had external contractors running their IT. This was a company with a couple of hundred employees, working on 3 sites.

      When I started, the first thing to do was to change the administrator password - but the accountant didn't want that, because all the wanna-be admins wouldn't then be able to log on! Then there was the user passwords. The consultant had set everybody's passwords to "12345" and they couldn't change them "for ease of support."

      I then checked around the server configurations and the first thing I spotted was that all of these user accounts with password 12345 also had Exchange mail, with OWA exposed and mobile device access open... So anybody, anywhere in the world, with the email address of an employee of the firm could log onto the web portal and give the password 12345 and they were in...

      A hectic morning of going through all accounts and disabling OWA and mobile access and setting the "change password at logon" flag... Followed by wailing and gnashing of teeth and a stern word from the CEO for "disrupting" his business...

      Curiously, the company went into receivership shortly thereafter...

      1. Anonymous Coward

        Re: Ahhh passwords...

        I've mentioned it here before: an estate agency where the MD and accounts director refused to allow me to set password complexity and re-use rules; they had two passwords each and rotated them.

        Idiots, they also went the same way, after they took over the business they managed to take a thriving city letting agency and drive it into the ground, after 2 years of their 'management' it was sold off for around a hundredth of the amount they got it for.

      2. JimboSmith Silver badge

        Re: Ahhh passwords...

        One company who we used for a software prog had very lax password rules. It could be just one character if you wanted but not blank. Another security hole was that your password was used to access the program. Then once in you could access any of the databases in the correct folder. So you could purloin a database from a rival company and access it from your copy of the program. I pointed this out and was told it would be hard to replicate in the real world.

        Conversely the code to authenticate and license the damn thing was about twenty characters. It required reading your code down the phone to the lady at head office. She'd input that into her machine and give you a code to input (this was at the dawn of the internet). All this had to be done quite quickly as your machine would generate a new code every minute or two. If that happened you had to start again. Painful wasn't the word for it.

        1. J.G.Harston Silver badge

          Re: Ahhh passwords...

          That rings a (foreboding) bell. Wise Old Accounting Software? Or Flying Reptile Scribing Software?

        2. Rol

          Re: Ahhh passwords...

          ".....so you see Mr Smith, anyone could have accessed our systems and changed or deleted anything"

          "Oh, I never had any idea things were so bad. Excellent work. Excellent work Steve"

          ....

          "Hi Monty."

          "Yes"

          "That new IT manager. He's gotta go"

          "Why what's the problem?"

          "He's only gone and smashed up our escape helicopter"

          "Eh?"

          "The plausible deniability thingy, that it wasn't us that wiped the servers just before the cops turned up"

          "How?"

          "He's implemented a proper password and login system. No way could we hide behind a lax security system. We need him gone. Your dimwitted nephew back, and password1234 reinstated across the entire company"

          "I'm on it!"

      3. Mark 85

        Re: Ahhh passwords...

        > Followed by wailing and gnashing of teeth and a stern word from the CEO for "disrupting" his business...

        > Curiously, the company went into receivership shortly thereafter...

        I'm surprised that they didn't blame you for going out of business. The old saying "a scapegoat must be found" applies.

        1. shedied

          Re: Ahhh passwords...

          They just didn't stick around long enough to have that blamestorming meeting

      4. herman

        Re: Ahhh passwords...

        'receivership' - Obviously it was all your fault, since people could not get their work done.

    3. Anonymous Coward

      Re: Ahhh passwords...

      I had set up a network (WinNT) some years ago, did all the documentation etc then left.

      Came back several years later, but at a lower level - wasn't allowed access to the network. Until it went wrong, "AC can you have a look at it?" and gave me the folder with the details.

      Errr.... that's my handwriting!!!!

      1. big_D Silver badge
        Angel

        Re: Ahhh passwords...

        When I left one of my jobs, my replacement Skyped me a couple of months later, thanking me for the thorough documentation I had produced...

    4. ColinPa

      Re: Ahhh passwords...

      I went on site to a major Asian bank who had a performance problem with a >huge< application on z/OS that was going live in 4 weeks.

      The standard password was "qw", everyone had admin access to everything, and the code taking up 80% of the CPU was the "printf" function.

      Being an Asian country you have to be aware of loss of face.

      I raised my concerns that they were not ready to go live, and was told to keep my head down; the battle was between the bank and the implementor - both sides knew there were problems, and both sides blamed each other. If I had raised a concern, they would have blamed me for everything!

      1. Alan Brown Silver badge

        Re: Ahhh passwords...

        "If I had raised a concern, they would have blamed me for every thing!"

        At that point I'd have not touched anything and found a good reason to not be there - reason being that the blamestorming was about to kick off.

    5. Anonymous Coward

      Re: Ahhh passwords...

      Last place I worked at never changed any of the passwords for the whole duration I was there... but I'm told they changed all of them the day I left

    6. swm

      Re: Ahhh passwords...

      At Xerox we had Alto computers. There was one person who zealously guarded his password. We took great delight in annoying him by writing his password on his screen every time he changed it. There were several ways to get the password.

    7. pirxhh

      Re: Ahhh passwords...

      I once had a project for a major hosting provider, which involved forest admin access. This was way more than I really needed for the actual project, but it got the job done with late-night support calls.

      When the project was finished, I handed over the documentation and asked for my account to be terminated or disabled.

      It turned out that so large a client had strict processes to follow, which meant that half a year later, my account was still live. I actually had to threaten them I'd write to corporate compliance to get the access revoked.

    8. david 12 Silver badge

      Re: Ahhh passwords...

      One of my friends married an admin/helpdesk type whose secret superpower was remembering passwords: <type type type> -- 'Hey, how did you know the password?' <type type type> 'You told me the password. When I was here 3 years ago.'

      1. Kiwi
        Pint

        Re: Ahhh passwords...

        > One of my friends married an admin/helpdesk type whose secret superpower was remembering passwords: <type type type> -- 'Hey, how did you know the password?' <type type type> 'You told me the password. When I was here 3 years ago.'

        I have that same ability.

        I won't call it a gift. I'll call it a burden.

        Do you know how much of a pain it is to remember people's passwords from 5 years ago? To find out they still work? And, when you still know their password, to get those 'special looks' reserved only for certain classes of person - looks that do not convey feelings of trust or security in your abilities?

        There is so much in this industry I wish I could forget. Passwords are up there with photo screen savers... (When you get clients who use those.. Who are nudists.. And when you realise (very quickly) that most nudists are older and much much heavier people... Then you'll know why I dread other people's screen savers... There are things you cannot unsee...)

        --> I shall be ordering mindbleach by the truckload tonight. This is the closest icon we have!

  2. Dave K

    With glorious security such as that, no wonder the company was in trouble!

    Note: Not saying they'd folded due to crap security, but it does give you great insight into at least one complete muppet that they'd hired. If the dev was that crap at security arrangements, you wonder what else he's probably crap at as well...

    1. Pascal Monett Silver badge

      Seems that he was too busy to do security.

      And by putting his passwords into his source code, he also demonstrates how disorganized he was, which probably made him all the more busy.

      1. Anonymous Coward

        The problem wasn't the developer only - you may ask why he had domain admin credentials (local admin may be needed, for debugging and other stuff), and why the PC didn't automatically lock after some time.

        1. }{amis}{
          Holmes

          you may ask why he had domain admin credentials

          If you are a dev in an SMB, a lot of the time you are both development and support at the same time; there are no excuses for hardcoding passwords though.

          Personally, with stuff like that, a new account is created with minimal permissions for the code in question and the details dumped into the password database; this takes me about 5 minutes to do.

          1. Anonymous Coward

            Re: you may ask why he had domain admin credentials

            There are plenty of excuses for passwords in code as I keep finding out at my current job (hence AC) whenever I question it.

          2. SImon Hobson Bronze badge

            Re: you may ask why he had domain admin credentials

            At a previous job, the web devs needed to change the way they built sites that needed to send mail - which was most of them. Until a few years ago it was simple to set up a basic SMTP service configured to forward everything to the main mail server (using authentication). Apparently at some point the SMTP service was removed, so the site code had to send mail directly.

            So for the first site that needed this new approach, I generated them a suitable account which they promptly coded into the site code. Before long I realised that they'd then gone on and re-used the same credentials for every site - rather than, as I'd told them to do, getting me to give them different credentials for each site (allowing per-site sent mail quotas/rate limits). I was really tempted to find an excuse to need to change the password on that multiply used account :D

            1. Kiwi
              Angel

              Re: you may ask why he had domain admin credentials

              > So for the first site that needed this new approach, I generated them a suitable account which they promptly coded into the site code.

              > I was really tempted to find an excuse to need to change the password on that multiply used account

              One or two apparent 'spam' messages from any of them would've worked well I'm sure but one question - did you clearly document the need for different credentials/clearly note your offer? I know some people can sometimes put these things too deep inside a huge pile of notes/waffle that no one is ever going to sit through, and they get lost in the noise (not that I'd have ever done something like that, honest! ---> )

              If I had done, I'd have had some fun :)

              1. SImon Hobson Bronze badge

                Re: you may ask why he had domain admin credentials

                Well the need for different credentials per site was certainly stated - but not in writing, as nothing else was either. To say their processes were "informal" would be a bit of an understatement. Change control, design process, source control? Yeah, I think some of them had heard of them - the ones that now work where their skills are appreciated.

      2. Alex Walsh

        Reminds me of Chris, our IT manager 10 or 15 years ago. He spent most of his time in the office playing WoW, and any time someone had the temerity to ask why he wasn't doing IT stuff instead, he waspishly told them that he was managing the systems so well, it didn't need constant firefighting or troubleshooting, freeing him up to play games.

        1. Anonymous Coward
          Anonymous Coward

          I've automated myself out of a job before. My last job, I'd reduced the daily workload so much, they didn't bother replacing me, and just kept on one person.

          I've done similar in my current job, replacing 50-something individually managed machines with puppet, so now I have time to read elReg proactively research upcoming technologies.

    2. Jonathon Green

      Yes, it is a bit half assed. If an IT manager (or anyone else for that matter) referred to me as a code monkey (to my face or otherwise) I’d have come up with a much more imaginative, effective, and reliable way of putting him/her in his/her place than just leaving my login credentials around. At the very least I’d be arranging for them to be broadcast on a skiddie IRC channel rather than just leaving them visible in the office...

      1. jake Silver badge

        So instead of "getting back at them" by leaving your own credentials around, you'd arrange to broadcast your own credentials on a skiddy IRC channel? Now THAT is some incredibly logical thinking. You sound an awful lot like a typical code monkey to me ...

        1. Jonathon Green

          It is absolutely logical thinking. If you treat people in an unprofessional manner then you shouldn’t be surprised if/when they start to behave in an unprofessional manner too.

          Since there’s no fucking way I’d ever work for a company where anybody behaved disrespectfully towards me (and when it turned out I had been suckered into a company where such attitudes were common I was back out the door faster than you could say “probationary periods work both ways”) the situation has never arisen...

  3. phy445

    Low quality coding

    I had to write some quick and dirty, single use (after debugging), code that needed login credentials recently – I couldn't bring myself to hardwire in said credentials. You have to wonder what other corners were cut and whether poor quality code contributed to the downfall of the company...

    1. Olivier2553

      Re: Low quality coding

      People, management, often have the wrong idea that it is important to get something working, that security is not important and can easily be added after.

      It is ignoring the fact that one has no more free time after than one had at the beginning of the project, so security concerns are always delayed. And also that adding security after is way more complicated than envisioning security from the get-go. If some corner-cutting choices had been made, the very architecture of the project has to be changed, with all the risks associated, and because of the risk, security is not implemented.

      1. SImon Hobson Bronze badge

        Re: Low quality coding

        At a previous job, we had a few incidents where customer sites (some of them online shopping, some of them business processes) were compromised. The devs, or at least, the ones calling the shots*, really didn't understand security.

        Eventually they managed to hire someone who did understand security - he lasted longer than I expected before he got fed up and left. He is now doing "quite well". Why was he fed up? Obvious really, they were still writing insecure sites and then expecting him to bolt on security as an afterthought - and ignoring his "suggestions" that security is something you have to build in from the start. AFAIK they are still building "dodgy" sites.

        * I have to say, there were a couple of the devs (it was a small team) who did actually understand these things - they've also left for places where their skills are appreciated.

    2. Anonymous Coward
      Anonymous Coward

      Re: Low quality coding

      In my somewhat recent experience it is a two-way street.

      My team was frustrated because we felt we never were allotted the necessary time to close some rather glaring security holes.

      After GDPR was in the news we re-raised the issue, and finally explained, in detail, potential consequences and told them how much time we needed.

      At that point it was easy to get a go-ahead for what became a very fat patch. (more or less: "This hole causes X to happen, and when it does, then Y will have to pay a big fine")

      For us it is painful to speak to management. When we struggled with the DBMS our predecessors had chosen, we got nowhere until we finally spelled it out for management: "You want big customers? You give us big DBMS. Ugh."

      I find it difficult to explain such obvious things to manglement. Since I had kids, I imagine I have to explain things to my three year old, and then everything flows more easily between manglement and me.

      1. Olivier2553

        Re: Low quality coding

        You mean your manglement is about as stupid as a 3yo (not that three year olds are stupid, but they have a limited understanding of the world).

        I am glad I work in education and research, people usually listen when they are told something they don't know, because they know they cannot know everything.

        1. Doctor Syntax Silver badge

          Re: Low quality coding

          "people usually listen when they are told something they don't know, because they know they cannot know everything."

          You obviously never had to deal with people who know they know everything.

        2. not.known@this.address

          Re: Low quality coding

          I am glad I work in education and research, people usually listen when they are told something they don't know, because they know they cannot know everything.

          This explains why my nephew and his wife, both recent college graduates, seem to believe they know everything - they have finished their education, therefore they MUST know everything!! It's a shame that some establishments seem to foster the idea that, once you graduate, they will have taught you everything you need to know. After all, it's not like the 200+ *years* of real-world experience possessed by their various uncles, aunts and grandparents could compare to the 6 years of college between them, is it?

          (Actually it's far worse than that - they may have started college three years ago, but I think they averaged about 3 days a week between them of actual class time, "personal study" and whatever they call the college equivalent of homework... so about 8 months actual 'learning' between them... 4 months each. And that's probably being generous!)

          1. Rol

            Re: Low quality coding

            I think the crux of a good education that you can bank on, lies not in the depth of understanding, but the confidence with which you hold yourself.

            Many bright students came out of polytechnics lacking the confidence to lord it over the distinctly average minds that tumbled out of universities into senior posts.

            Although polys are no more, the UK still has an annoying educational hierarchy that elevates some quite unworthy individuals into prominent positions, because they truly believe it is their birthright.

            Meritocracy my arse.

            1. Terry 6 Silver badge

              Re: Low quality coding

              Yeah, confidence sells. An over-confident applicant will always get a job over a sensibly cautious one.

              And an Old Etonian..........

          2. swm

            Re: Low quality coding

            We had a job applicant who was asked (on a form), "What are your plans for more education?" He answered, "I don't think this question is appropriate for a Ph.D." We trashed the application immediately.

            1. JJKing

              Re: Low quality coding

              I don't think this question is appropriate for a Ph.D.

              If he was a newly frocked PhD then his answer was totally appropriate. Have you any idea of what is required to gain a PhD?

              1. Tom 7

                Re: Low quality coding

                JJ - quite a lot of work goes into getting a Ph.D. I used to have to read about a dozen dissertations a year when I was in chip design. And implement them!

              2. MadDrFrank

                Re: Low quality coding

                A PhD is intended to be an apprenticeship in research. In other words, it is a simple piece of supervised research just to demonstrate you might eventually have the capacity to work independently.

                Most serious bodies granting professional qualifications insist on CPD (Continuous Professional Development) as a condition for retaining registered professional status.

                I have a PhD and, before retirement, held a professional qualification. I have always been acutely aware that attainment of either is the start of one's serious education.

                1. Terry 6 Silver badge

                  Re: Low quality coding

                  I was thinking this. I don't have many postgrad qualifications ( a few certificates and diplomas as required) because that wasn't the learning that I needed in any part of my work. I didn't even bother to do the dissertation in some of the courses I took- I'd got what I needed in the studying.

                  But for 40 years I never, not from day 1, stopped looking for more training and study. There's always something to get better at or some new aspect to discover.

                  Over the decades there's been education management (twice; the first one was useful but came with no certificate, the second was a pile of shit but came with a required bit of paper), various educational computing courses (though I was providing these before I'd taken any myself - when I started they didn't exist), and continuously in my teaching roles.

                2. tiggity Silver badge

                  Re: Low quality coding

                  A lot of people are doing "later in life" PhD these days, I know a few who, having taken early retirement, are pursuing research that their employment never allowed them the time to do (plenty of quite "practical" subjects where teaching does not always demand a PhD (but does require various business / commercial experience) so plenty of staff teaching at uni level without a PhD).

                  1. ICPurvis47
                    Headmaster

                    Re: PhD

                    When I was nearing the end of my MSc. I was invited by my University Tutor to take a PhD. as he knew of a perfect project for me. I went with him to visit a well known Nuclear Engineering company to investigate their problem and take back with us a representative sample of their data. I spent the last three months of the term polishing my MSc. thesis and at the same time, developing a FORTRAN three dimensional finite element analysis program to run on our Elliot 1603 computer (mid seventies). In early July we went back to show them what progress I had made, and they said that they were satisfied that I had identified the problem, and that their own engineers would take it from there. I had given them the entire solution, including the 3D FE program, and that was that. I never got to do the research, nor did I get either payment or the actual Doctorate. I spent that summer fitting tyres at a well known tyre company, before getting a 'real' job on the drawing board at a local engineering company.

            2. rskurat

              Re: Low quality coding

              He appears not to understand the distinction between education and credential.

        3. Stevie

          in education and research, people usually listen when they are told something they don't know

          Two words: "Climate Change"

        4. swm

          Re: Low quality coding

          My 3-year old granddaughter never forgets anything. She is very smart (I'm not prejudiced or anything). I'll bet I could teach her to be a code monkey if I could hold her interest.

          1. Alan Brown Silver badge

            Re: Low quality coding

            3 years olds are like a sponge - they willingly soak up every piece of information you throw in their direction and want more.

            Treating management like 3 year olds is an unkind comparison to 3 year olds (Seagull management in any case)

            Seagull managers don't WANT new information and they certainly don't want more after you've given them the bare essentials they didn't want, but did need.

  4. Admiral Grace Hopper

    It's the same the whole world over

    After a 10 year foray into Windows development I took a short engagement supporting systems I'd worked on some five years before I left. Jokingly I asked, "Is the root password still 'XXXXXX123'?". Of course it was.

    1. disgruntled yank

      Re: It's the same the whole world over

      Back in the 1990s, I worked for a government contractor, and was talking to a government techie about a new shiny system from another agency. He spoke of a conversation with someone he'd worked with years before, who had been explaining the wonders of that agency's new system that would allow an authorized user to log in from anywhere with an internet connection. The guy I knew said, "Is your password still [whatever it had been]?" There was silence on the line for a minute or two.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's the same the whole world over

        I'm reminded of a story I heard years ago. A family bought a house in a gated community. They enjoyed the extra feeling of security knowing that only residents could come in. Some time later, they ordered a pizza and asked for it to be delivered. The pizza guy asked "Is your gate code still xxxx?"

        1. Anonymous Coward
          Anonymous Coward

          Re: It's the same the whole world over

          I will always make exceptions for the pizza guy - they are always trustworthy!

          1. Kiwi
            Happy

            Re: It's the same the whole world over

            I will always make exceptions for the pizza guy - they are always trustworthy!

            Doesn't matter a damn if they're trustworthy or not. They have Pizza! I'll give you my boss's credentials for a slice!

            --> Round like a pizza, yellow like the cheese on a pizza, and makes me smile like a pizza!

    2. Anonymous Coward
      Anonymous Coward

      Re: It's the same the whole world over

      When I was managing the Xerox DTP system for a large electrical manufacturer, I needed access to some of the higher functions that weren't usually available in order to fix a problem on one workstation. I applied for and was granted a Temporary password, that would only be valid for that day, and used it to solve the problem I was encountering. Some months later I was in on a Saturday morning, when the old problem reared its head again, but on a different workstation. No telephone helldesk at weekends, so I fiddled about a bit until I came up with a solution. I disconnected the Thick Ethernet cable, thus isolating the workstation from the server, set the date back to the date on which I had been granted temporary access, fixed the problem, reset the correct date, and reconnected to the server. Over the next three years, while I was in that position, I must have used that trick several times on every one of the workstations.

    3. Kiwi
      Coat

      Re: It's the same the whole world over

      "Is the root password still 'XXXXXX123'?". Of course it was.

      Well, a couple of my machines still have the same root password I set on them some 15 years ago... It's even written on a note on the case.

      (I'm sure the fact they haven't been powered on for at least 13 years doesn't matter :) )

      1. Mark Solaris

        Re: It's the same the whole world over

        I think you'll find your CR2032 BIOS battery is cactus, and your machine boot loops. Ask me how I know.

        1. Kiwi

          Re: It's the same the whole world over

          I think you'll find your CR2032 BIOS battery is cactus, and your machine boot loops. Ask me how I know.

          The BIOS settings that matter would be written on the note on the case, but they don't actually matter. With luck I wrote down the date it was last started, although that probably doesn't matter (but I have the option of setting it to that date or the day after before it boots - assuming the RTC has stopped).

          IIRC the mobo is one that'd moan about the date/time being out before trying to boot (or throw a CMOS checksum error), and I'd hopefully have the presence of mind to look at things closely first.

          Someone else I know recently lost a bit of legacy kit because an old FDD drive gave up the smoke, somehow taking the mobo with it (and maybe the PSU - I don't have a tester/sacrificial mobo to hand) - I'd get rid of as much hardware as I can, perhaps image the drive (if it spins), and give the machine a decent clean or at least a good inspection before firing it up. I hope. Otherwise, maybe a spider got in and maybe its carcass is somewhere sensitive and maybe when I turn it on there's a pop and a smell and no more whirring sounds... (I sometimes love "I told ya so!" - I had suggested he remove any hardware he doesn't need! At least now there's some more old crap destined for the recyclers, where it damned well should be!)

  5. Terry 6 Silver badge

    what other corners were cut

    If corners were cut in those sections you can assume with reason that there was snipping at vertices elsewhere too.

  6. Anonymous Coward Silver badge
    Paris Hilton

    Something smells here

    Why look for the dev's credentials and then log in as them elsewhere rather than firing up the AD panel from the dev's computer? That way you don't even need to know their credentials.

    1. Anonymous Coward
      Anonymous Coward

      Re: Something smells here

      Maybe the Windows Administrator tools weren't installed on the Dev machine, maybe there was IP address restriction on access to the AD, maybe he enjoyed working at his old desk better, maybe his seat was more comfortable than the Dev's seat, maybe the administrator was still sat up by his PC waiting for him, maybe there was a better view from the window of his seat....

      Does it matter, the Dev's credentials were in the code, he didn't need to use the Dev's machine?

  7. Anonymous Coward
    Anonymous Coward

    Unfortunately all too often where I work I come across the attitude that security “isn’t my job”. I get that from developers, testers, project leads and even management. The attitude is that the business risk of not getting feature X out the door is higher than the risk of not paying attention to either security within the software or security within the organisation's own environment. So it ends up that the security and IT teams are trying their hardest to keep things secure with toddlers actively trying to destroy any progress made! So when the breach comes, I’m going to smile, a lot.

    1. RobinCM

      This is why security needs to be made a legal requirement. Or at least something which is routinely required to be tested for.

      If that software product was instead a car, and it drove fine, and they'd just implemented some kind of fancy AI feature, but the car got zero in the Euro NCAP, or couldn't pass an MOT, few people would buy it.

      Things like cyber essentials being required are a step in the right direction.

      1. Alan Brown Silver badge

        "This is why security needs to be made a legal requirement"

        GDPR laws and insurance companies refusing to pay out in cases where security was lax have that effect.

        The memo is finally starting to trickle up to management. Personal liabilities would help.

    2. Chairman of the Bored

      "security isn't my job" attitude

      ...I understand what you mean, and it's a good point. The rub is that in many large orgs - particularly government in my experience - your sensible position morphs into a management mantra that "Security is Everyone's Job".

      What does that mean in practice? When the inevitable problems occur, the set {everyone} is searched until some poor bastard without any political clout or protection is identified, "investigated", and eliminated.

      In environments like that I will use weasel words such as, 'While I employed best known practices, I'm a hardware guy. For the security angle you need to consult with Joe Blow...' It's a long sentence, but it must cover my entire arse.

    3. Terry 6 Silver badge

      My experience, working between users and devs, has been that security and ease of use are both way down the priority train behind getting in the features that the top brass want to see (often for no sensible reason) and then getting the product out. Result, complex insecure systems that users will simplify if they can, and avoid if they can't. Which can be anything from the post-it note p/w to a complete non-use of the poxy software.

    4. Anonymous Coward
      Anonymous Coward

      IT security and management mandated that all Windows machines were to have BitLocker encryption implemented on the hard drives...

      I found a bunch of laptops helpfully Dymo-labelled with 'BitLocker nnnnnnnn'!

      (I pointed out they all had a list of 'handy numbers', phone nos and acct nos, on the wall... pick a number, any number... just don't write it down on the machine!!!)

  8. sitta_europea Silver badge

    I have some interesting tidbits for Oncall. One of them is even about The Register.

    But I can't relate them, because Google rejects all the mail I send to The Register with

    "The account [sender email address] is disabled."

    Of course I've never had an account [sender email address] with Google, so that might, er, account for it.

    1. David Given
      Trollface

      Are square brackets even _valid_ in email addresses?

      1. Vincent Ballard

        Yes, but the local-part has to be quoted.

  9. chuBb.

    Ahhh the longevity developer

    Yet to work anywhere where the title of senior dev meant anything more than longevity. Generally they have been the worst culprits of poor sec practices and, due to longevity, are trusted by higher-ups, so generally I just leave them to hang themselves unless it's something totally arse backwards. Worst one I have encountered was a walking disaster of apathy with a Teflon-like attitude to responsibility, doing stuff like dir browsing enabled on a webserver with a share mounted to it of sensitive docs, like, you know, customer lists and account details. The look on the CEO's face when all the company's "secrets" were browseable was a nasty shock for him, and the longevity dev at that place had some explaining to do after that one. His excuse was basically that it "wouldn't be found" (server logs said otherwise) and that it made his job easier when he was working from home because he didn't like the VPN software (because it forced all traffic via the company's gateway/net filter and blocked his torrent access). He got to keep his title but the trust the higher-ups put in his technical chops was forever gone. He left 6 months later when the jnr dev brought up equally stupid coding practices to do with passwords, turning open relay on the SMTP service because he thought the code to do SMTP auth was inelegant, and unfiltered file uploads to a folder where he had set execute permissions because chmod 777 was the only way to make his arse backwards code work (it wasn't; he just couldn't grasp that the folder was owned by root and his code executed under a different user account that wasn't root).

    After the senior left they scrapped that title and replaced it with lead. Small name change, but one where people actually took some responsibility on with the title...

    1. Vincent Ballard

      Re: Ahhh the longevity developer

      In my very first job, "senior dev" meant projected longevity. I stepped straight out of university into the senior dev post with a 2.5 year contract: the junior devs started on the same day, with something like 3 month contracts, as they were doing a summer job between the second and third year of uni. Since I was the one who would have to maintain their code after they left, I had the deciding vote in disagreements over design.

  10. Will Godfrey Silver badge
    Happy

    Karma is a beautiful thing

    I always like to hear of times when the 'victim' becomes the winner.

  11. a pressbutton

    Passwords with long lives

    ... in my experience, some database passwords have not been changed since the mid 90s

    1. Adrian Midgley 1

      Re: Passwords with long lives

      In my experience some database passwords have not been changed.

  12. K

    When my previous long-term employer went TITSUP....

    I got kept on by the liquidation administrators... I made more out of them in 3 weeks, than I did normally in 6 months... In addition, they willingly sold me some of the company assets - half a dozen nearly-new Dell Precision laptops (top spec) for £100 each.

    Whilst I was grateful for the ludicrously low price, it also disgusted me - I'd been with the company since the start, as the IT Manager, I knew the value of all the assets, and the liquidators were selling them at 10-15% of their actual resale value. Even second hand, those Dell Precision laptops were worth > £1000 each.. and this was money that was meant to settle what was due to employees and creditors!

    1. Neal L

      Re: When my previous long-term employer went TITSUP....

      So you sold the laptops and got some remuneration for those wronged?

  13. Mk4

    Everyone is the administrator now!

    I did a short stint at a car maker about 20 years ago (the one shortly to leave Swindon...) where the IT director had directed that no-one was to have administrator rights given to their normal user account as this was insecure, which to be fair is quite correct. However, there were about 100 developers working there. It was really not practical (time, people and knowledge all being in short supply) to think that these devs would be able to provide the list of granular rights and permissions they needed for every project, and anyway the necessary rights and permissions changed fairly frequently.

    The IT director said that the devs should submit their request for whatever they wanted to do to the IT support team and they would do what needed to be done. Asking a bunch of basic IT support bods to do developery things just made messes, and the overall problem was then even worse as these messes had to be cleaned up. The devs were under massive pressure all the time to release working things, and the upshot of this situation was that in the end about 100% of the developers knew the domain admin UID and password. This ensured that all changes on all systems were totally untraceable to whomever had actually made them. I pointed this out and advised that it would be better to give the devs local admin rights on all servers; then at least we could track those changes against individuals and the devs couldn't bugger up the AD. Did they pay any attention? No, of course not. They changed the domain admin password, which fixed the problem for possibly a whole hour.

    What a nightmare that place was. They also used a Windows PC to do a nightly FTP transfer from a mainframe in the Netherlands, and the downloaded files would periodically and unpredictably be unusable. This mystery had been around for ages before I was asked to take a look and quickly found that they did not know that an EBCDIC to ASCII conversion was taking place during the transfer and even more quickly found that the default conversion in the FTP client was not quite right.

  14. Drew Scriver

    Good ol' gov security. Of the people, by the people, and for the people.

    Back in the 90s I had a summer job as a mail carrier in a European country. We had to do a final sort of the mail at the distribution center (centre) before we loaded everything on our bicycles for delivery. As one might expect, the distribution center had some security, complete with coded door locks. Very fancy for those days. Of course, everyone used the same code, but at least the code lock looked impressive.

    About six months after this summer job I suffered the agony of a flat tire (tyre) on my bicycle. Of course this was the one time I didn't have my repair kit on me and it was after 6 so all the stores were closed.

    Nearing desperation (I had a 1.5 hour bike ride home ahead of me - much longer if I had to walk) I realized (realised) that I was very close to said postal facility. Which, of course, had ample repair kits since all their carriers rode bikes to deliver the mail. I rang the door bell, but this being after hours and all, nobody answered.

    The fancy code lock beckoned...

    Nah - probably not a good idea.

    I rang the bell again, with the same result.

    The fancy code lock winked at me...

    Nah - not a good idea. Besides, they would surely have changed the code after giving it to a bunch of snot-nosed students that summer.

    The fancy code lock begged me, pleaded with me, assured me all would be well.

    Considering my plight, I agreed with the fancy code lock and punched in the code I still remembered from my hated summer job.

    I was awarded with a satisfying click and the door swung open...

    PS

    Yes, there was still someone in the building who found me and demanded to know how I got in. And no, he had no idea where the repair kits were kept. And yes, he was happy to walk with me to the manager's office where I showed him in which cabinet the kits were kept. Did I need help fixing my flat? Nah - I'll manage. Thanks, though.

    1. A.P. Veening Silver badge

      Re: Good ol' gov security. Of the people, by the people, and for the people.

      How long did that discussion with the code lock take? Two or three tenths of a second?

      1. Drew Scriver

        Re: Good ol' gov security. Of the people, by the people, and for the people.

        Less. There was an immediate understanding ;-)

  15. Chozo
    Pirate

    Bad habits == hours of fun

    Throughout the eighties and well past Y2K there was an industry-wide bad habit of setting the engineer's override PIN code on all commercial intruder & fire alarms the same as the last 4-6 digits of the installation company's phone number. This doesn't sound too bad till you realise that often the company name and contact number is stuck to the box... Go on, push the buttons, you know you want to

  16. Stevie

    Bah!

    I worked a contract in a place that printed high security documents. I had to pass through half a dozen security locks, each a booth made of strong wire chainlink-ish stuff with a closed circuit camera to give me a good going over as I progressed nearer and nearer the programming suite (a coincidence; the computer was not the reason for the security, the piles of printed paper were).

    Once there I could step into the machine room, which was housed in a wooden shed attached to the rest of the building.

    Said shed had a six-inch hole in the outer wall through which the carpark could be clearly seen. Hole gnawed by computer-curious vermin was the best guess.

    A mainframe computer in an open-air conditioned environment was unique in my experience to date.

    But a high security area which could be entered by snapping bits off a wall e.g. by grabbing the edges of said hole and pulling really hard was a pisser.

    Ah, the good old days.

    1. Lilolefrostback

      Re: Bah!

      It's always amusing to see security for tech firms set up by non-technical types.

      Years ago, I landed a job with a tech company in Texas (no names). Not knowing anyone in Texas, I figured I'd spend some evenings roaming around doing some photography. I didn't want to leave my (film) camera in a HOT car, so I asked the head of security (retired police chief) if I could bring it into the building. No. Could I leave it at the security desk? No. Ah well.

      Now, the interesting bit is that I could bring in a briefcase or backpack and it would never be searched. Never. So I could sneak in a camera. Or I could just print documents out and lug them home. Or I could fax the documents (no PIN needed) anywhere in the world.

      Yes a camera could be used to steal valuable IP. But it would be the least efficient method at my disposal. SMH.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        On the other hand...

        Worked at a site with guns, gates, and guards. Unfortunately the guards' jurisdiction ends at the gate, but at least their eyesight doesn't. Upon observing an individual carefully photographing the gate area, they called local law enforcement. LE couldn't arrest the individual (what's the actual crime?) but did their level best to discourage security tourism.

        Good to go? Not yet.

        Both the police department and employer were sued for "racial profiling". Sometimes you cannot win.

  17. Anonymous Coward
    Anonymous Coward

    Passwords changed - almost

    Many moons ago, I was asked to take on the IT management role of a small business. Their system, a file and mail server for ~20 NT4 desktops, had been set up by an IT professional from one of the parent organisations, but then the ongoing responsibilities were passed to the office manager. This IT malarkey was relatively new to her so she was sent on a week-long introductory course. Six months later she left and I was asked to take over (being one of the staff engineers providing the actual, non-IT, services to clients). She’d passed over the admin login details before leaving and I set about diving in to see how the system was set up. I had a fair idea as I’d been pally with the guy who set it up and he’d given me the admin login details when he left (as a backup, just in case management lost their copy).

    I saw that the office manager had reset the password when she took over (as her training course drummed this in as one of the first duties when taking over a system). However, the training hadn’t pointed out that server backup software also needed the password updated. A quick look at the backup log showed error messages regarding no access authorisation. For six months, the daily and weekly backup tapes that had been religiously run and securely stored were almost blank. Luckily, there’d not been a need to restore anything in that time, but my first task was to ensure we had three good backup sets. A few months later, the Exchange server fell over (another story) and I was glad I had backups.
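
The failure in the post above was only visible in the backup log, and nobody read it for six months. Below is an added example (not the poster's code, and not any particular backup product's format) of the kind of check that would have caught it on day one: parse the job log, count runs that hit an authorisation error or wrote nothing, and list jobs with no successful run. The log format, job names and the `BACKUP\svc_backup` account are all constructed for this example.

```python
"""Audit a backup job log for stale-credential symptoms.

Added example: the line format, job names and sample log are constructed and
do not correspond to any real backup product.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log in a made-up "date time LEVEL job: message" format.
SAMPLE_LOG = """\
2001-03-05 02:00:01 INFO  daily-full: job started
2001-03-05 02:00:02 ERROR daily-full: logon failure for BACKUP\\svc_backup: access denied
2001-03-05 02:00:02 WARN  daily-full: 0 files backed up, 0 bytes written
2001-03-05 02:00:03 INFO  daily-full: job finished with warnings
2001-03-06 02:00:01 INFO  daily-full: job started
2001-03-06 02:00:02 ERROR daily-full: logon failure for BACKUP\\svc_backup: access denied
2001-03-06 02:00:02 WARN  daily-full: 0 files backed up, 0 bytes written
2001-03-06 02:00:03 INFO  daily-full: job finished with warnings
2001-03-10 03:00:01 INFO  weekly-exchange: job started
2001-03-10 03:41:17 INFO  weekly-exchange: 3124 files backed up, 2147483648 bytes written
2001-03-10 03:41:18 INFO  weekly-exchange: job finished OK
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<level>\w+)\s+(?P<job>[\w-]+): (?P<msg>.*)$"
)
# Phrases that indicate the backup agent could not authenticate to its source.
AUTH_FAIL_RE = re.compile(
    r"access denied|logon failure|not authori[sz]ed|authentication failed", re.I
)
TOTALS_RE = re.compile(r"(?P<files>\d+) files backed up, (?P<bytes>\d+) bytes written")


@dataclass
class JobStatus:
    auth_failures: int = 0          # runs that reported a credential problem
    empty_runs: int = 0             # runs that wrote no files or no bytes
    last_good: Optional[str] = None  # date of the last run that actually wrote data


def audit_backup_log(text: str) -> Dict[str, JobStatus]:
    """Aggregate per-job status from the raw log text."""
    report: Dict[str, JobStatus] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines that do not fit the format are ignored, not fatal
        status = report.setdefault(m["job"], JobStatus())
        msg = m["msg"]
        if AUTH_FAIL_RE.search(msg):
            status.auth_failures += 1
            continue
        totals = TOTALS_RE.search(msg)
        if totals:
            if int(totals["files"]) == 0 or int(totals["bytes"]) == 0:
                status.empty_runs += 1
            else:
                status.last_good = m["date"]
    return report


def jobs_needing_attention(report: Dict[str, JobStatus]) -> List[str]:
    """Jobs with any auth failure, any empty run, or no successful run at all."""
    return sorted(
        name for name, s in report.items()
        if s.auth_failures or s.empty_runs or s.last_good is None
    )


if __name__ == "__main__":
    rep = audit_backup_log(SAMPLE_LOG)
    for name in jobs_needing_attention(rep):
        s = rep[name]
        print(f"{name}: {s.auth_failures} auth failures, {s.empty_runs} empty runs, "
              f"last good run: {s.last_good or 'never'}")
```

Run daily against the real log and alert on a non-empty result; the "last good run" date is the figure that matters, since a job can finish "with warnings" forever without anyone noticing.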

  18. Shady

    Password hygiene

    I worked for a small biz where network admin was everybody's responsibility. After a couple of backup woes, they made one of the developers assume full responsibility of the network.

    A month later, sick of fielding password resets, he enforced everyone having the same password - the name of the company.

    I went back there as a contractor, some ten years after I'd left - and my username and password, with full rights, logged me in at the first attempt.

    How they're still in business I'll never know.

  19. Anonymous Coward
    Anonymous Coward

    Password-related horror

    At a prior employer, I was responsible for applications running on quite a few servers (not responsible for the servers themselves, just the applications on them), so I had password access to them. Being paranoid, my AD password is long (> 30 characters; yes, I'm nuts). One day, I was logging into a particular server and mistyped my password. Muscle memory being what it is, I couldn't stop my fingers from finishing the password and hitting enter. To my surprise, I was logged in. Confused, as I was sure I had mistyped the password, I logged out and then logged in again, deliberately mistyping the password. And was logged in. With a bit of experimenting, I found that as long as the first N characters were correct, the rest of the characters did not matter.

    I called the admin who was responsible for the servers themselves. Turns out, one of our servers ran a very old version of its OS and for some reason could not be upgraded, but it could not handle passwords of more than N characters. So rather than single it out, AD passwords had been universally compromised so that only the first N characters (and N was frighteningly small) were relevant.

    Posting anonymously to protect the guilty.
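
The post above describes a password store that silently uses only the first N characters. The block below is an added example (not the poster's code, and not any real directory product) that reproduces the behaviour with a constructed `PasswordStore` class and shows the audit check the poster did by hand: change one character of a known password at a time and see where the store stops caring. The legacy cut-off of 8 characters is a constructed value, chosen because traditional Unix crypt(3) also used only the first eight characters; N on the poster's system is not given.

```python
"""Detect password truncation in a credential store.

Added example: PasswordStore is a constructed stand-in, not any real system.
max_len=None hashes the whole password; a small max_len reproduces the
truncating legacy behaviour described in the post.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 10_000  # kept low so the demo runs quickly; use far more in production


def _kdf(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self, max_len: Optional[int] = None):
        self.max_len = max_len
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, digest)

    def _effective(self, password: str) -> str:
        # The whole defect lives here: everything past max_len is thrown away.
        return password if self.max_len is None else password[: self.max_len]

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _kdf(salt, self._effective(password)))

    def verify(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _kdf(salt, self._effective(password)))


def effective_password_length(verify: Callable[[str], bool], password: str) -> Optional[int]:
    """Audit check against your own account with a password you know.

    Alters one character at a time from the left; the first position whose
    alteration is still accepted is the number of characters the store really
    checks. Returns None when every character is significant.
    """
    for i in range(len(password)):
        replacement = "x" if password[i] != "x" else "y"
        altered = password[:i] + replacement + password[i + 1:]
        if verify(altered):
            return i
    return None


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Run the audit against a truncating store and a correct one."""
    pw = "correct horse battery staple 2001!"  # constructed 34-character password
    legacy = PasswordStore(max_len=8)
    legacy.set_password("alice", pw)
    full = PasswordStore()
    full.set_password("alice", pw)
    return (
        effective_password_length(lambda p: legacy.verify("alice", p), pw),
        effective_password_length(lambda p: full.verify("alice", p), pw),
    )


if __name__ == "__main__":
    legacy_n, full_n = demo()
    print(f"legacy store checks only the first {legacy_n} characters")
    print(f"correct store: every character matters -> {full_n}")
```

The check needs nothing but an account you own, so it belongs in the post-change validation for any directory or SSO migration: if it reports a number rather than None, the password policy's minimum length is fiction beyond that point.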

    1. Robert Carnegie Silver badge

      Re: Password-related horror

      This sentence has about one bit of randomness per key stroke. Memorable, ish, but you may as well be typing a binary number.

      For me: alphanumeric with 1 initial capital - but all symbol values are random. Abcdefgh12 - or for a rare system that insists on a symbol, Abcdefgh12! (These aren't the random ones.) To avoid other stupid password filters (parse that carefully), I may exclude repeated letters and all vowels. Because they do.

      Long, long, long ago, I tried and failed to set a UNIX password to "moscow". That's because SCO UNIX banned passwords containing the string "SCO".

      1. A.P. Veening Silver badge

        Re: Password-related horror

        Long, long, long ago, I tried and failed to set a UNIX password to "moscow". That's because SCO UNIX banned passwords containing the string "SCO".

        You should have used "Moskova"; that would have passed, with the additional benefit of being a correct transliteration of Cyrillic.

        1. Rich 11

          Re: Password-related horror

          a correct transliteration of Cyrillic.

          It isn't. You'd need to drop the second O to correctly transliterate Mockba.

          1. A.P. Veening Silver badge

            Re: Password-related horror

            Thanks, I did it from memory and Russian isn't in my personal top ten of most fluent languages.

  20. Do Not Fold Spindle Mutilate
    Devil

    Password must be politically correct

    When I was hired, a god ID had the password 'god', without quotes of course. So after a couple of months the password had to be changed and, since there was no minimum length, another new hire changed the password to 'allah'. A bunch of Evangelist Christians complained verbally. I replied that I would change things, and what I actually changed was the title of the standards 'Bible' to 'Policy and Procedures.'

    1. Rich 11

      Re: Password must be politically correct

      A bunch of Evangelist Christians complained

      Complaining is in their job title.

      1. GloomyTrousers

        Re: Password must be politically correct

        > Complaining is in their job title.

        And, counting the downvotes, I see there are three of them (currently) who have been here.

  21. Anonymous Coward
    Anonymous Coward

    angry but trying to be honest and nice

    anonymous for the obvious reasons.

    Years ago the place I worked for was stuck with a vendor's crappy software, one of those long term contracts. I had already reverse-engineered several features of the thing as it was a mess, when I found their main developer's credentials en clair, just like that, in the middle of a goulash of code.

    I immediately ran to my supervisor, as, in the previous months, I had developed quite an adversarial relationship with that bloke and his box, who refused to see any sense, something my supervisor knew about and was starting to get concerned about.

    What I wanted was to make sure that he knew that I knew that he knew, etc., that if something happened to the guy on the other end, as he rightfully deserved and it was when rather than if, I had nothing to do with it. Supe wasn't overly impressed, but could see some of the twisted logic involved.

    I moved out of such temptation a few months later, and have been happier since.

    Wouldn't be surprised if that developer's outfit is gone - I mean, they probably got infected and wiped out at least twice before folding, but I really don't care, and won't.

    Oh what a saint, right?

  22. ShortLegs

    15 years and still active

    Not so much a network password, but my DDI deskphone number, and voicemail, is /still/ active at a telco I left 15 years ago (and it has been bought out twice over).... I wonder if the seedbox attached to the network in a POP is still there!

    1. swm

      Re: 15 years and still active

      My email still works from a company I haven't paid for at least 15 years.

  23. J27

    I can confirm that the top-level code monkeys at my employer have domain admin privileges. I know because I'm one of them. It's primarily done because the IT people have no idea how to fix problems with production application servers and databases. Actually, come to think of it, our IT people don't actually have access to our production servers. That's weird, right? I'm pretty sure that's not normal.

  24. John Tserkezis

    When hacking passwords is the only way.

    Way back about a thousand years ago, our network admin pissed off for a week of something or other, and left an entire department unable to log onto their accounts, due to his Netware 3 admin screwup.

    Since he was the only one with the server passwords, my boss brought it to me to fix. I informed him that without the passwords I couldn't do it. The resulting look on his face prompted me to say "if you kinda look the 'other way', and give me the keys to the server room, I can 'fix' it in several minutes", and said this was the only way, as long as he was happy to look that other way of course.

    Turns out he wasn't keen on that, and instead told the entire department to go home for a week instead.

  25. dnicholas

    Core concept

    My old boss (I was a sysadmin and general IT slave) forgot his new and fancy password and was trying for half a day before fessing up to me. He told me several permutations of what he thought it was while I nonchalantly typed away and I just said "yeah it's the first one with an exclamation mark on the end" as I changed it in AD.

    He was sure I knew all the passwords and was very concerned that I might have been logging in as him and looking at his "photo albums". I did not explain how the file server worked.

  26. Thomassmart

    College passwords

    My college used to give all new students a default password at the start of the year with a requirement to change it on first login. The default password was always "Welcome" followed by the year. Login was an incrementing 5 digit student number. Fairly trivial task to then check through this year's series of student numbers to see which ones hadn't logged in yet and use this account to upload a bunch of cracked software, movies, etc to the school network drive, allegedly.

    1. Anonymous Coward
      Anonymous Coward

      Re: College passwords

      Our uni computer dept admin had a text file of every student's account with birthdays and default passwords in his home directory, and that was world-browseable. We happily used that list to get extra time on systems, or increase our online storage quota. You'd be amazed how many business studies students never signed into the central systems, so we essentially had unlimited resources all year long.

      The most ironic part was the admin was on printer desk duty the day we printed out the 300 pages of that list. It took a lot not to flinch when he happily took the reams of paper out of the stack and handed it to us at the pickup desk. One glance at the contents would have made for a somewhat strained conversation.

      1. A.P. Veening Silver badge

        Re: College passwords

        It is a pretty safe bet he knew exactly what you were doing and kept a good eye on it to prevent real problems, but otherwise just let you play.

      2. Roopee Bronze badge
        Headmaster

        Re: College passwords

        A ream is 500 pages so your printout was just 60% of a single ream, not "reams"!

        1. Anonymous Coward
          Anonymous Coward

          Re: College passwords

          Surely that depends on how big you print it?

  27. VikiAi
    Facepalm

    I know the BIOS password on the work machines because I worked in the IT section 10 years ago.

    Doesn't do me much good, however, as on the last two machines delivered to my desk (3-year refresh cycle) the install-monkey (I can call them that because that was me 10 years ago) had forgotten to set it anyway. I only know because I had to pop in on both machines to disable USB/CD boot, as coming back to the machine after hitting the power button and going to get my morning snack while it boots, to find an any-key prompt because of a (non-bootable) USB stick left in the machine, is a minor annoyance!!
