... to be continued ...
right ?
Or are we being held ransom, and have to pay to read the conclusion ?
"Where've you been?" the Boss asks. "Holiday. I … booked it several months ago." "And where's Stephen?" "No idea – is he not here?" "He called in sick yesterday." "Oh, then I'm guessing he's sick." "Well, I don't have time to sort that out, we have a situation!" "What situation …
One pounds the Marmite....
After a period of deep personal introspection as well as a thorough review of the previous comment to which I have endeavored to reply, I have come to understand that the action clearly specified therein was that the prospective password was "best *read* with a North American interpretation.. ".
Just as clearly, at absolutely no point whatsoever was there the inclusion of even a hint of the suggestion that *anything* should be subsequently *written* after said reading had been completed.
Apologies, etc.
Gotta say that someone has access to the network when 'BOTH' the BOFH and PFY are mysteriously off-site? Jim has the chops or direction to get through the BOFH and PFY's defenses. Ransomware... I think I've said too much... OK, how much is Jim's cut? It's obvious that Jim works for/with the BOFH. Jim is infecting the network at behest of the BOFH and PFY.
Jim did plug his USB into all the right computers!
I doubt it. He wouldn't have to infect the BOFH's personal computer in that case because that doesn't affect anyone. From the description, the PFY appears to have really been sick. And we know that sometimes someone without the skills gets loose on a computer because they volunteered to help. I'm sure there are backups which this guy couldn't infect--there is no way they would let him get to the server room, but still a lot of work for them ahead which isn't going to end well for the clueless idiot.
Nearly 30 years ago a telecom technician brought in his (infected) CD-ROM to update the phone switch. The update apparently acted funkily in the switch and to test the CD-ROM he shoved it into one of our PCs, which was connected to the network...
It was my job to clean up. And my boss, the BOFH, dealt with the technician, of whom I've never heard again. So better not mention any names.
In the days of DOS, we had a few Xtree licenses and I kept all the 3.5" disks in drawers which were not to be accessed by anyone but me. But hey, Mr "I am director and I don't have to follow the rules" came and borrowed the disk because "he knew about computers" and so decided he didn't have to wait until I got back from lunch.
A day later I needed to install it on someone's machine, and I noticed the disk was write enabled which I *never* allowed - software that wrote back to masters was first copied (which sometimes took some effort) and then allowed to write to the copy - so I flipped it back to read only and installed.
At which point it complained about the disk being read-only.
From experience I knew that Xtree did not need that, and sure enough, on inspection this thing emerged as infected. Cue me starting to look for a recent install, with run-ins with the aforementioned moron already giving me a hint where I should start my search.
Turns out said idiot had not only installed it on his already infected computer and had just happily write-enabled the disk on request, but he had also "helped" two more board members to a virus.
That was the last time he was allowed near any computer but his own.
And I finally got the firesafe I wanted.
When I was working for a publishing company, we had a sandbox (airgapped from the network) that checked every incoming and outgoing 3.5" disk. One afternoon I was checking the day's production before sending it out, when I came across an infected disk. I immediately crashed the network by disconnecting the thin Ethernet, and instructed everyone to continue working on their hard drive, but not use any floppies or the network. I found out who had produced the infected disk and went to check his machine - it was infected with a mild virus, nothing serious, luckily. I also checked all of his floppies, and found the virus on one he had brought in from another branch. I asked him why he had not submitted the disk for checking before inserting it into his desktop machine, and his reply was that, as it had originated from within our organisation, he didn't think it necessary. I soon disabused him of that opinion, and co-opted him to help me use the Silver Bullet disks to check every other machine in our building (63 IIRC). Luckily, the infection had not spread beyond his own workstation, so I was able to reinstate the network later that afternoon. The office from which he had brought the disk (Coventry) was then informed, and they had to go through the whole virus checking rigmarole the next morning. They had considerably more computers that we had, so it took them all day. My Boss, the IT Director, was distinctly peeved that it had been allowed to happen, and the culprit was summarily dismissed (what we referred to as Instant Dismal). I received a commendation for my prompt action, but I was only doing my job, really.
One of our clients had a similar gateway/sandbox floppy checking system too. Theirs went a step further than yours though. It moved the directory track somewhere else on the disk so it couldn't be read normally. Every PC had a device driver installed in CONFIG.SYS which made the PC aware of the new location. Normal disks couldn't be read on a corporate PC and "adjusted" disks couldn't be read on "normal" PCs. Each disk going in got scanned and then moved directory track. Outgoing disks got scanned and the directory track put back to normal.
IIRC, only part of the HDD was readable as normal too, so booting from a floppy could not do much damage other than to the boot sectors and the PCs own AV booted first and checked for that. Simpler times when viruses were far less likely to be able to get past a scan that early in the boot process, even if it has started running.
I think Jim is not the only one who should discover the wonders of marmite. Looks to me as the head of accounting should also get a taste for allowing personal visits during work hours, and for allowing a perfect stranger to use unsecured media on company property.
Then, of course, there's the boss who actively made the situation worse by granting a security risk access to the Holy Sanctum. And, obviously, the sheer blasphemy of his grubby hands on the PHY's and BOFH's computers.
Oh yes, they're going to need a lot of marmite.
The security model of USB is irretrievably broken, because the device is responsible for telling the host what it is and what it does (i.e. "I'm a keyboard"), without any sort of verification, so if you allow any USB devices at all, then you're open to all of them. Want to use a USB mouse? There's no way of knowing it also hasn't been secretly engineered to be a boot device on the second Thursday of every seventh month.
What if it's a keyboard which does that? Whatever the device looks like, it will tell the computer it's a keyboard. So you have three options:
1. Trust any USB keyboards, including the prospect of a malicious one.
2. Do not trust any USB keyboards, using something else to connect the trusted keyboard.
3. Go through a registration process to trust only a certain kind of keyboard. Some methods include only allowing a certain set of known keyboard IDs and therefore a randomly-chosen ID probably won't work or requiring the keyboard to enter a certain set of keystrokes to be added to the trusted list.
In any case, this has nothing to do with USB. A fake PS/2 keyboard could do all of the same things and you would have exactly the same trust problem. USB having the ability to connect multiple devices doesn't cause the keyboard attack. The closest it can get is that you can make a USB device that looks like something else, but the only way to solve that comparatively minor problem is to have separate connector types for everything which still doesn't fix the larger problem and also makes hardware a lot less convenient.
"Want to use a USB mouse? There's no way of knowing it also hasn't been secretly engineered to be a boot device on the second Thursday of every seventh month."
Yeah, that wouldn't work. There are only a few profiles that can be used, so in this particular example, it would have to be a device that shows as a mouse and also adds a storage device on a schedule. Here are your problems:
First, you can block storage. Really easily. It's done all the time in secure environments--they just don't let you access USB storage. This includes during boot and while the OS is running. It doesn't take much sophistication to do that.
Second, even if that wasn't in place, there is very little chance just popping up a storage device will act as boot media. If it does so while the computer is on, then the computer has already booted and will ignore it. If it does so while the computer is off, the computer is likely to ignore it anyway because basically no computers are configured to try booting to USB media before the hard drive. This isn't the 1980s and floppies--I have booted USB devices on lots of machines and all of them after 2005 have required me to select that manually or change the settings if I want it to be the new default.
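As an added illustration of the three options laid out above and of the "just block storage" point in the reply, here is a small Python model of a USB authorisation policy. It is not code from the thread or from any product; the device records, vendor/product IDs and allow-list are constructed for the example. On Linux the equivalent fields come from the kernel's USB descriptors (idVendor, idProduct, bInterfaceClass, bInterfaceProtocol) and a decision like this would set the device's authorized flag, but that plumbing is assumed, not shown.

```python
"""Toy USB device-authorisation policy (added example, not from the thread).

Rules modelled:
  * any interface advertising the mass-storage class is refused outright
    (the 'block storage, really easily' rule);
  * an interface advertising a HID keyboard is allowed only if the device's
    vendor:product pair is on a registration list (option 3 in the comment);
  * everything else (plain mice, etc.) is allowed.
"""
from dataclasses import dataclass, field

HID_CLASS = 0x03            # USB interface class: Human Interface Device
MASS_STORAGE_CLASS = 0x08   # USB interface class: mass storage
HID_PROTO_KEYBOARD = 0x01   # HID boot-interface protocol: keyboard
HID_PROTO_MOUSE = 0x02      # HID boot-interface protocol: mouse

# Constructed registration list; these VID:PID pairs are placeholders.
TRUSTED_KEYBOARDS = {(0x1234, 0x0001), (0x1234, 0x0002)}


@dataclass
class UsbInterface:
    cls: int
    protocol: int = 0


@dataclass
class UsbDevice:
    name: str
    vid: int
    pid: int
    interfaces: list = field(default_factory=list)


def authorise(dev: UsbDevice) -> tuple[bool, str]:
    """Decide whether a freshly enumerated device may be bound to drivers."""
    for iface in dev.interfaces:
        if iface.cls == MASS_STORAGE_CLASS:
            return False, "mass storage interface present"
    for iface in dev.interfaces:
        if iface.cls == HID_CLASS and iface.protocol == HID_PROTO_KEYBOARD:
            if (dev.vid, dev.pid) not in TRUSTED_KEYBOARDS:
                return False, f"unregistered keyboard {dev.vid:04x}:{dev.pid:04x}"
    return True, "ok"


# Constructed sample enumeration, as a plug-in audit might see it.
SAMPLE_DEVICES = [
    UsbDevice("office keyboard", 0x1234, 0x0001,
              [UsbInterface(HID_CLASS, HID_PROTO_KEYBOARD)]),
    UsbDevice("plain mouse", 0x5678, 0x0010,
              [UsbInterface(HID_CLASS, HID_PROTO_MOUSE)]),
    UsbDevice("thumb drive", 0x5678, 0x0020,
              [UsbInterface(MASS_STORAGE_CLASS)]),
    # A 'mouse' that also presents a keyboard interface under a random ID:
    # the keyboard rule catches it even though the mouse half is harmless.
    UsbDevice("mouse with extra keyboard interface", 0x9999, 0x0001,
              [UsbInterface(HID_CLASS, HID_PROTO_MOUSE),
               UsbInterface(HID_CLASS, HID_PROTO_KEYBOARD)]),
    # A 'mouse' that also presents storage on a schedule: refused regardless.
    UsbDevice("mouse with storage", 0x5678, 0x0011,
              [UsbInterface(HID_CLASS, HID_PROTO_MOUSE),
               UsbInterface(MASS_STORAGE_CLASS)]),
]


def audit(devices=SAMPLE_DEVICES) -> dict[str, tuple[bool, str]]:
    """Run the policy over an enumeration and return name -> (allowed, reason)."""
    return {d.name: authorise(d) for d in devices}


if __name__ == "__main__":
    for name, (allowed, reason) in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The design follows the comment's own caveat: the policy decides purely on what the device claims in its descriptors, so a registration list of vendor:product pairs stops a randomly chosen ID but not a device that presents an already registered one. That is why the second step in option 3, proving possession of the physical keyboard by typing a challenge, exists, and why the storage rule is applied unconditionally rather than by ID.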
A few years ago, when we learnt the name of our soon-to-be director of IT, we googled him.
We found out that in his place of work "someone" had taken out the whole network with an infected USB. That was the impetus required for us to enforce access only by encrypted ones we issued and a virus scan before they even became readable.
By the time this chap started, it was all locked down and the process did not reoccur with us.
There is so much in this that has the ring of truth. Many users are incredibly trusting of any jargon wielding computer boffin and will let them do almost anything with their computer… and wonder afterwards why nothing works any more. But what surely can't be true is that one of the unwashed gets physical access to the BOFH's and PFY's machines without sustaining physical injury, becoming contaminated with narcotics with the police being informed by the intrusion detection system. And that's just on the show machines that they use to pretend to work from…
Next episode: Does anyone know anyone called Jim?
You mean the BOFH is prepared to let someone touch his computer and live? You could at least expect the door lock to kick in and the Halon, because it obviously wasn't disposed of after last week, to flood the room?
On what kind of IT planet do you live on? Or are you some kind of grubby little manager?
In my first week in a new company as tech support manager I took on a mainframe based team with real reliability and stability issues. What summed things up to me in the first week was when I stopped a sysadmin walking into the DC with a stranger holding a tape.
It was explained to me that they were about to load a preview version of some new 3rd party VM tools. When I asked where it was being installed I was looked at with some incredulity as there was only one VM machine, the production IBM Mainframe.
When pushed the 'systems engineer' who wanted to perform the install agreed that it might be best if we installed it on a new virtual machine and admitted the bloody tools had an API hook into the O/S Kernel.
I kicked him off site and then had to have a conversation with the sysadmin about what I had meant when I had imposed a change freeze on the IBM mainframe while we sorted out stability issues affecting end user services.
I mentored that team for the next 18 months introducing test environments for all regimes, enforcing strict change control processes, adopting quarterly patching cycles for the O/S and the middleware and generally implementing best practice. At the end of the 18 months we were meeting every SLA and my team were not being called out every night.
We even had the capacity to look at new stuff rather than just firefighting and could actually start having some fun.
Improvements like AC mentioned (and AC sounds like they had a good management team if they were able to make those improvements) will often lead to noticeable improvements to base salary, reducing the reliance on overtime, meaning happier bank managers and an easier domestic life. Happened to me.
Icon - good, long-sighted senior management should be recognised.
The first time i went to our disaster site test with the core system Sysadmin I thought it was odd that he brought 2 tapes as I knew the backup data would fit on one.
He says "learn from experience". He placed the first tape in the DR vendor's tape unit and it promptly ate it.
An hour later the unit was cleared of the sacrifice and the data one was installed and read without issue.
He said it happens every time and every time the vendor promised it would not happen again.
I don't think we'd have seen that particular throbbing vein on the PFY's forehead if he'd been in on it. And I suspect the Marmite might well serve to get the git who got the infection started to confess it was his doing all along and give them the decryption key.
Because it all sounds a little TOO convenient in terms of timing and EVERYTHING getting locked. We might well be dealing with a BSFT (Bastard Shitstain From Hell). The type that knows exactly how to start shit and profit from it, not caring where the filth and stink rub off on.
"I hope the PFY wiped down the usb key before he took a day off ~to the pub~ sick."
It crossed my mind that this may have been the PFY's final exam before becoming a BOFH in his own right and moving on to his own infernal domain, taking a nice wodge of cash with him for "moving expenses".
This reminds me of 1996, when I was working as a contractor for a large telco. The "Security Manager" (read: an utterly useless bloke they couldn't get rid of and who was therefore parked in a made-up function) decided to email the entire company, all 3,500 or so employees, about the dangers of MS Word macro viruses. Remember, this was when Windows 95 and Office were just taking over the desktop, and Outlook was still fairly new to most people, including our Security Damager. So what did he do? He typed it up in Word and then used Word's "send document as email" function to distribute it to the masses, not realizing, of course, that this would send everyone an email with his Word file attached.
You can probably guess what happened next.
Fortunately at the networking department we ran Solaris on our workstations rather than M$ rubbish, so our little enclave remained unaffected (and uninfected), whereas the rest of the 3,500+ staff were less lucky. I remember that episode as a very, very long weekend.
I was doing holiday cover as an outsourced Notes admin at a telecomms company when Melissa hit. Most of the rest of the company was on MS Mail, or possibly Exchange 4, and came to a juddering halt. All systems teams were ordered to isolate their servers, install this new-fangled AV software (not so enlightened management had deemed it an unnecessary cost), and run full scans, before being allowed back on the network.
This being a Notes mail environment, our users weren't spreading Melissa, but we did almost run out of disk quarantining all the macro-virus infected attachments in their mail. We were still the first team back on the network at that site (it helped that my boss and mentor lived nearby and was on hand to help).
My experience was somewhat the converse of that. Also in a telecoms company in Leeds. There was another building with some consultants working on something or other that, AFAIK, never happened but they were using Notes. According to those in our building who had dealings with them the emails coming from the Notes users were regularly infected.
Single Copy Object Store was an absolute nightmare, not least because, before version 6, all it took was a misplaced "tell router update config" and you'd enabled it, rather than updating your router configuration as you'd intended and had done on your v6 servers.
All SCOS content was stored in a single .nsf with the storage limits and risks of db corruption that entailed - just attachments but any rich text - and if you weren't careful with your overnight collect tasks, that was easily provoked.
DAOS (Domino Attachment & Object Service) is a far more refined beast, dropping attachments to a different drive as encrypted .nlo objects which can be backed up by a non-Domino aware backup regime, and also with a far greater capacity: our largest DAOS drive is currently about 1.8 TB (our users never damn delete anything, even, or rather, especially case-related emails that should have been uploaded to the case management system).
@Outski
Aaaah, Melissa!
I remember her well. A user called me to come and have a look at her machine, as it was doing funny things. The first thing I did was to ask her to unplug the network cable, in case it was a virus.
Unfortunately we were using Outlook, as we had moved to MS Office two years previously (to the utter dismay of the typists, I must admit, as they were extremely happy with WordPerfect), and not on Pegasus Mail anymore, so the first thing I did was to call the people that the mail had gone out to to ask them to delete the message immediately and not open the attachment (luckily not many people in her contact list at the time - it would have been a major issue a year or so later when Head Office created mailing lists and put those at the top of the contact list ("to make it easy to use")).
I was less lucky with ILOVEYOU; a user forwarded the message to me to ask to check if it could be a virus (although my standing instruction was to first unplug the network cable and then call me to come and have a look).
Since my policy had always been to set all machines to display file extensions (I cannot believe that it is still MS practice to hide extensions by default, despite all the mayhem it has caused. It is still in Windows 11 - I do not buy the excuse that it prevents people from accidentally removing the extension when renaming files - it is an easy enough mistake to fix. Mageia highlights only the file name before the extension when renaming - does Windows still highlight the whole name, including the extension? I am not interested enough to fire up my dual-booting laptop just to check), I saw the .vbs extension (which was what triggered my user to not open it and pass it on to me).
I did some searching (as an aside, my search engines of choice before Google were Alta Vista, Excite! and Lycos, with Webcrawler as fallback in case I did not find what I was looking for - in 2000 I still used all of them, but Google had become my go-to) but could not really find anything.
So I unplugged my network cable and decided to see what happens if I run it. I did lose some jpg's, but nothing of note - mostly stuff that others had sent me that I kept for some reason. And I had to wipe the hard drive and reinstall Windows 2000. Since I had contemplated using server 2000 as my desktop, this was as good an opportunity as any.
Since we're on the topic of ancient viruses, just this tale: the very first machine we had in the company (recounted earlier in my posts), an IBM XT, had a virus checker that ran on boot. The typist who used it at the time had the following routine: she would come in earlier in the morning, start the machine and set the date and time (well before CMOS batteries came into fashion!) and then go and make coffee, attend to her make-up, gossip a little, check what was in her in-tray and then go to each of us to ask for new typing that we had not yet delivered to her. By the time all of that was done, the machine might have finished booting - it took about 30 minutes or so for it to finish scanning the hard drive (40 MB by that time, if I remember correctly).
Icon, because I had to nuke my machine.
> Mageia highlights only the file name before the extension when renaming - does Windows still highlight the whole name, including the extension? I am not interested enough to fire up my dual-booting laptop just to check
Nope; from about 7 onwards, I think, it initially only highlights the part before the extension. You can of course subsequently alter the selection as you choose, but if you just go click-pause-type, the extension will be untouched.
And if you do change the extension* it pops up a dialog to warn you that you might be making the file unusable and asking you if you really want to go ahead. Though of course the average user won't read the warning and will just press "OK" anyway.
* except in the case where it didn't have an extension originally
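The two behaviours discussed above, extensions hidden by default and the rename selection stopping short of the extension, are easy to model. The following Python is an added example, not code from any commenter or from Windows; the file names are constructed except for the ILOVEYOU attachment name, and the rename helper reproduces the Explorer behaviour described in the reply (stem-only selection, whole name when there is no extension) as an assumption about that behaviour rather than as a reimplementation of it.

```python
"""Model of hidden-extension display and stem-only renaming (added example).

Shows why a double extension such as 'photo.jpg.vbs' is invisible to a user
whose file manager hides known extensions, and how a stem-only rename
selection keeps the extension intact.
"""
import os

# Extensions Windows will execute or interpret as a script (constructed list,
# not exhaustive).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
                     ".scr", ".bat", ".cmd", ".com", ".pif", ".hta", ".lnk"}
# Extensions a user would expect on a harmless attachment (constructed list).
BENIGN_LOOKING = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
                  ".doc", ".docx", ".xls", ".xlsx", ".mp3"}


def displayed_name(filename: str) -> str:
    """What a file manager shows with 'hide extensions for known types' on:
    the final extension is dropped, so 'photo.jpg.vbs' reads as 'photo.jpg'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised(filename: str) -> bool:
    """True when the real (last) extension is executable/script-like and the
    name shown with extensions hidden ends in a benign-looking extension."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in SCRIPT_EXTENSIONS:
        return False
    _, inner = os.path.splitext(stem)
    return inner.lower() in BENIGN_LOOKING


def rename_keep_extension(filename: str, typed: str) -> str:
    """Stem-only rename as described for Windows 7 onward: the selection
    covers only the part before the extension, so click-pause-type replaces
    the stem and leaves the extension untouched.  A file with no extension
    has the whole name selected and takes the typed text wholesale
    (assumed behaviour, per the comment above)."""
    stem, ext = os.path.splitext(filename)
    return typed + ext if ext else typed


# Constructed attachment names plus the well-known ILOVEYOU attachment name.
SAMPLE_ATTACHMENTS = [
    "holiday-photo.jpg.vbs",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "quarterly-report.docx",
    "setup.exe",
    "README",
]


def triage(names=SAMPLE_ATTACHMENTS) -> list[str]:
    """Return the names whose displayed form hides a script extension."""
    return [n for n in names if is_disguised(n)]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        flag = "DISGUISED" if is_disguised(n) else "         "
        print(f"{flag} shown as {displayed_name(n)!r:32} actual {n!r}")
    print("rename:", rename_keep_extension("budget.xlsx", "budget-final"))
```

Note that 'setup.exe' is not flagged: the check targets the specific trick of a benign-looking inner extension, which is exactly what hiding extensions conceals. A plain executable attachment is a policy question for the mail gateway, not a display problem.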
@Kobus Botes - "So I unplugged my network cable and decided to see what happens if I run it. I did lose some jpg's, but nothing of note - mostly stuff that others had sent me that I kept for some reason."
You didn't open the vbs in a text editor? It was quite easy to see the part where it deleted image files.
Was working for a small company that had two offices. Head office was infected, we were fine - partly because I had blocked access from head office. Got my ear bent on that one by some dear that wanted to send email to our office.
Also reminded me of a "salesman" that we had - he didn't believe in AV software, if he had a virus then his customers will let him know.....
My guess is that the recovery laptop has the clients for the backup servers and the encryption keys which are not stored on the tapes. Destroy those and you won't be able to decrypt and you'll need a new machine even to start reading. Of course, I'm sure the BOFH has plenty of other places where those keys are stored for insurance purposes.
I come from a hardware /electronics background and sort of drifted into IT.... I started off as a YTS trainee and saw my first IBM AT PC. It was two years before I found out it comes with a cover as it was always open for testing ISA cards.
So now I'm in IT, trying to recover data off a HDD in a PC too small for two drives, I tend to leave the case off, monitor balanced on PSU, cables everywhere - I think that the other people are too scared to touch it in case they get electrocuted.
Bunch of pansies - using RDP to connect to a virtual server. Bet they never burnt their fingers with a soldering iron, the smell of magic smoke, or felt the jolt of 120V from a discharged capacitor!!*
* From a LCD PSU PCB - had laying unplugged on the desk for 24 hours before I picked it up
Is SimonT actually talking about human rather than computer viruses? And how they get distributed via a plausible sounding expert and an idiot on the inside? If so the reason justice hasn't yet been served on Jim is because it hasn't yet been served on the culprits IRL.
That said, if the BOFH is on form Jim won't suffer anything as mundane as a fall from a window or a cattleprod-carpet-quicklime operation. It'll be something special - probably involving him "offering" to help clean up the mess and then being found, along with his mate the idiot on the inside, in flagrante and smeared in Marmite having unfortunately passed away in the middle of a particularly depraved act together.
It is a plot between Jim and the Head Accountant to milk the company for all the money they can with selling equipment and paying for their "services". It was a deliberate sabotage as an end-user would not even know what a BIOS is, how to clear the BIOS, how to disassemble a computer, etc.
Maybe we find out that this was pre-arranged with BOFH and PFY?
To be continued.....
We were still using the X400 email system that was common in the NHS (at least our bit of it). This meant that, although lots of us received infected mails they were just a long listing of the .VBS. As I had never seen a virus in the wild before, I had an interesting read.
This however did not stop the onward growth of the Microsith stranglehold and we succumbed within the year. We have used Outlook ever since and are now using 365 so that people can now read their email from the public library, their grannies or whatever virus sanctuary they like.