Seriously, boss? You want that stupid password? OK, you get that stupid password Can it be Monday already, dear reader? Well, doesn't time fly! Welcome once again to Who, Me? The Register's weekly dip into the mailbag for tales of readers' on-the-job shenanigans. This week's shenanigator is a fellow we've met before – we Regomized him as "Ben" then and we'll do the same this time. Back in the misty days …
What? No story how it all crashed and burned?
You are leaving the dear reader when the reader expects a spectacular ending of doom and glory! Please, tell us how 11o554 managed to kill his company or how 'Ben' was called in to save the day for a fortune and a penny. I feel a bit cheated out of my dear reading time, being left hanging with more questions than answers.
If the user was intelligent, they would have tried their account immediately. That's a good idea, not only to make sure that you dictated your password correctly*, but that your account has the stuff you need in it. Did the admin remember to add you to all the groups you need but didn't ask for? Does the server require SSH keys and the admin used one that used to be yours but isn't the one you want? Do you need to log into a VPN to access the server? You might want to know those things before the admin leaves. You do that on Friday, which means testing your password on Friday.
* Dictating things with a specific format isn't deterministic. If someone reads you some letters which are probably an acronym, do you capitalize them all? All lowercase? And of course the fact that there is a possible character pronounced "o", so you should always pronounce the other one as "zero". Whenever I'm reading passwords, I end up saying the case of letters a lot to avoid this problem. While I'd probably ask for clarification, there is one way of pronouncing the string "11o554", so anyone who understands passwords should know to be specific if they don't mean that.
This was the mid 1990s - I don't recall either SSH or VPNs being much in evidence.
None of proprietary Unixes (SunOS 4/5, SGI Irix, HPUX, DEC OSF/1, IBM AIX...) shipped with SSH.
Tatu Ylönen released SSH in 1995 and the last license free version was 1.2.12 if I recall correctly.
Most of Unixes had "Freeware" Software repositories from which you could download packages but the SSH version would have been locked at 1.2.12. Universities etc could still use later versions so I remember building updated SSH software for various Unixes up until the advent of OpenSSH. Some vendors later shipped Datafellow's SSH but by that time the prevalence of Linux (and *BSD) made it simpler to standardize on OpenSSH.
Scary but up to the early noughties much of the world was telnet,ftp,rlogin,rsh,rcp and sod all of that was kerberized.
I know it wasn't the actual password but 11o554 backwards 455o11 might read ASSoLL.
Anyway Ben should have let the 455o11 boss type his own password but I also presume the root password was recorded somewhere.
It was more of a generic example than what happened in this case, since I don't have almost any details. While there weren't many VPNs of the type we use nowadays, there could still have been more steps to access the login prompt than "telnet hostname". In addition, the stuff I suggested to check when you've logged in was still important in the 1990s, so it was still worth making sure the account worked as expected.
Got to agree on that one. Hardly a "hero" story.
Also, taking on things you don't yet know how to do is how upstarts usually do it, learn along the way, and make it big in the end.
You'll never get anywhere in an emerging market otherwise. Guess he wasn't cut out for that sort of thing.
Probably nothing happened. The account was created because somebody realized that they would certainly need one to administer the software, but they rapidly determined that they didn't really know what they would do after logging in anyway. They probably either never attempted to use their account or hired someone else who created their own account with a password they typed in rather than dictating.
This reminds me of a company I wrote some software for. The company concerned didn't employ other programmers. For context, version control was a local git repo which I copied into SharePoint so they'd have the source code. A few months after working on that, I got a message asking me where the source was. If they had read any of the documentation or mails I'd sent, they'd know that, but I pointed them to the directory. I'm sure it didn't help them, because they had nobody else who could modify that and I wasn't going to; they had the code and the working binary and it wasn't my job to do whatever they wanted added. This was probably not a problem as the code would continue to do the same thing it always had, which is all they really needed anyway.
That would be a bit difficult, given how setting the password was Ben's last task and presumably upon leaving his next coding job was define array(FucksGiven,FormerEmployer)=NULL.
Also he probably wasn't called in. If he had been he'd be gloating about it.
Accidental similar revenge.
A RaspberryPi was monitoring some equipment, the sort of "leave it alone for a year until something fails"
The user swore blind they had used the 'standard' shared password for all that sort of kit.
The Pi starts with the proper Queen's King's English keyboard and asks you to enter a password
To make WiFi work you have to set your locale - to here in the colonies
The password included an '@' ....
I was in Korea and (for some obscure reason I don't recall) I had to use the hotel's "internet café" to check in for my return flight.
It only had Korean on the keyboard, but I managed to use the international settings to set the GUI and keyboard into English and then touch-type what I needed (remembering to set it back to Korean when done).
I believe we were bitten that way frequently and we were resetting users' password to something trivial like ea$ypea$y but they had to log in in a browser - I now use only lower case letters and spaces in passwords, except as enforced not to. Some demand mixed case, a stray numeral, and a special character and you have to guess what "special" means. Some don't allow spaces but don't tell you until you use them. I set: Thisw ithno space sinit 0.
The (mostly) safe way I use, being bitten by that quite frequently:
Letters - all the letters without Umlauts, but exclude A, Q, W, Y and Z - these are in different positions on AZERTY/QWERTY/QWERTZ keyboards. If you may encounter a Turkish keyboard, also exclude I as Turkish has a un-dotted I in the space
Numbers - use the number ad for those
Special characters - use + - * / (always in the same position on the number pad)
This should still give you enough reasonably safe characters to choose from, especially when assigning initial passwords (when you can't be 100% sure what keyboard layout your victim, er, client uses.
Have been bitten by a bug where the password criteria on the account creation page was different to the login page. I created the account OK but couldn't log in because my password did not comply with their password policy!
I also had to explain to someone that they couldn't use '£' in a server password because the Cisco router trying to access it only uses basic 7-bit USASCII and that doesn't include the pound character (or code pages or UTF)
"removes that /VMUnix"
rm /vmunix is a bit subtle. The kernel is unpaged so once booted rm /vmunix really only has the effect of removing the kernel namelist which stuffs a lot of user space tools which used nlist(3) on vmunix to find where in /dev/kmem to read a symbol (ancient history - its all /proc or proper interfaces now.)
Crunch time is the next reboot - missing vmunix but even then there is usually a generic kernel typically genvmunix hanging about unless the boss worked his rm magic there too.
From the article:
perhaps the MD knows enough about Unix to know that the password couldn't be all numbers, and that's why he cleverly said "oh" instead of "zero". That ought to stymie any would-be miscreants.
I'm not actually familiar with any such limitation, and it doesn't appear to affect my Linux machine now. However, if that was the case, the person setting the password should know the limitation and it wouldn't take long to figure out what the obvious answer is. Also, if I had been there, I would have assumed that such a simple password was the temporary password used to gain initial access, to be changed later by the user. I figure that, if they told me the wrong thing, they'll come back in ten minutes and say it doesn't work. If they don't, they probably got in and changed their password successfully. It's not as good as asking for clarification at the time, but I don't see following the dictation to the letter (pun originally not intended) as "screw[ing] them over". A reasonable worst case is that the director came back in a few minutes. The absolute worst case is that the new admin reset it a few days later.
These days password quality (length, complexity, dictionary words, character classes) on Linux is usually managed by through the pam_pwquality module. The /etc/pwquality.conf file controls the settings. Normally root will get the same warning message as a user does but root is allowed to violate the policies, if they choose. Adding the "enforce_for_root" flag means not even root can violate the quality settings, but of course there are other ways to set bad passwords when you can edit /etc/shadow directly...
Wow, I would never admit to assuming something like that. Especially as "Ben" should have been able to form an opinion of the MD's technical nous during his time there. The fact that the boss of this tiny company didn't already have an account on the system, and couldn't create one himself is enough of a clue as to the level of his Unix skills.
Plus, if you have to do something like this, at least stay and watch the boss login once you've created the account, so they can't later accuse you of giving them a password that "doesn't work".
if you're walking out the door, it generally comes under the department of "not my fucking problem anymore" - and given the company blagged a contract they weren't qualified to deliver I don't think it really matters
Of course, once you've left any demand to fix it are best met with "these are my consulting rates - plus expenses, minimum contract period is one day/week"
Not sure what the legal position would be if you contrived not to hand over the correct passwords (or gave them legitimate reason to believe you'd done so) when you left the company then started charging "consulting rates" that could be made out to be extortion.
Even if you wanted to behave maliciously towards them- whether or not you had legitimate reason to do so- there are probably more subtle and effective ways of doing so that wouldn't run the same personal risk.
Not sure what the legal position would be if you contrived not to hand over the correct passwords
IANAL but I think that the employer could argue that as you'd created the passwords while on the clock and employed by that company, then ownership of the passwords rests with the company and not you, so it'd be hard for you to get away with withholding the info
A simple statement of "over the years I've disciplined myself to forget details of a job after completion and termination of relationship. It would not be appropriate to retain such information and so I have not. So I have no possession of anything under your ownership. Which makes this none of my business. Bye now."
Human memory being scientifically established to be imperfect, a real time reimagining rather than a record, and often inaccurate to personal history, You can't prove that someone has information that they do not demonstrate to have.
Such discipline is not difficult to obtain
The best way to forget or invalidate a memory is to tell yourself many other versions with confidence until you cannot distinguish any of them
Works like a charm.
I used to do that quite often when I was servicing other people's computers and inadvertently come across sensitive information.
An engineer in America was set to prison. Can't remember the details, its online somewhere. Reading it, he sounded like a tit.
Found it
https://www.networkworld.com/article/2208076/admin-who-kept-sf-network-passwords-found-guilty.html
Not the same thing. In the San Francisco case, the engineer deliberately set out to make sure only he had access. In the case of the story, the director asked him to change the password for him as he was leaving, and he changed it to what he heard was said. The company would have a much harder time proving any maliciousness here
..... or perhaps the MD knows enough about Unix to know that passwords CAN be all numbers?
They can be anything that can be picked up on the TTY. Passwords are hashed - they have been since the year dot (even when the hashing was weak, and the hashed passwords were publicly visible.
Now, some **linux** installations have restricted their setting of the password to avoid certain character combinations, but that's not "a unix thing" and even on these systems, can be overridden if required, because it's simply not an OS requirement.
I once heard tell of an office device where to log in, you had to type something like passwrod^H^H^H^C^Csodit
Apparently that went with their licence or something. Expensive per seat.
I've been avoiding putting in writing that a certain internet service could monetize by charging for passwords.
You need to be root to add users to the sudoers group in the first place, although with some versions of Linux that may be done during the install phase when the person doing the install is de facto root user. I'd be surprised if there was no root password though. There's certainly a root user since root owns most of the OS files.
> I'd be surprised if there was no root password though
That's been the default operation for many years now when installing Ubuntu, Mint etc. Can't speak for Debian.
The installer requires you to provide a username. That initial user is added to sudoers automatically and can sudo anything, including 'sudo su' or 'sudo bash'. As you note, the root user does exist - but has no password and can't log in on a terminal directly.
It depends. Root is always there. On annoying systems such as Ubuntu access to root is guarded only by a repetition of the user's regular password combined with the user's name being in the sudoers list. It is perfectly possible to use sudo to add a root password. That doesn't help shut the door although it does give the illusion of having returned sanity to the command line. It was a major reason why i migrated from Ubuntu to Debian and one of two major reasons why I now now use Devuan.
I'm not the OP, but I once worked in a similar situation. The management structure was MD -> Everybody else. The most technical item in his office was a telephone.
Tiny company, we sold accounts systems to equally small companies, so of course, he needed an account on our internal systems, and on every client system we installed. Username, his initials. Password, well, suppose his name was "Fred", every system had a password of "DERF". And yep, it was only four characters.
Thankfully this was in the days before you could expect a network to be connected to the Internet, but some did have a direct dial in..
It was only a few years ago that I had to state, repeatedly, that in no way was it acceptable for a supplier (software house) to implement a fixed login password for themselves just in case. Their excuse was that it might be needed just in case we lost access to all the admin accounts. Nope, still not happening.
I remember being asked on Thursday, that someone needed this product installed as it was needed for a demo on Monday afternoon. This was a mainframe system, and the products came on tape.
We paid for a motor cycle courier to deliver the tape - and it arrived Friday 4pm. I spent Saturday installing it, and getting it to work.
I put an overtime claim in to the requester's manager.
I emailed the requester saying it was installed. I didn't hear from him, or how the demo went, so I wandered over to his desk on Tuesday morning, and he was very very grateful for the work I had done - the customer's were very happy etc.
I then asked him which userid and password did he use? "um er, er um Admin!" and what password did you use?
He then came clean that they had not actually used the product. They found this out on Friday but had forgotten to tell me.
His boss queried the overtime, I explained what happened, and he rolled his eyes.
Came back from vacation to find out I had been replaced and demoted. I found out when I tried to log on to the main systems to resolve a problem I was told had not been resolved for over a week. I was locked out. I knew there was something suspect right at the moment.
Confronted the boss, who told me I was demoted and the new admin now ran the show. I asked him when the current system problem was going to be fixed and where was the new guy. I also knew at that moment that new admin had caused the problem.
Boss had no answer except the new guy was off that day and the problem was not getting fixed. I could have fixed it that day, but now it was not getting fixed until the new admin returned.
I spent the day thinking it over and decided to put in my two weeks notice, but I waited the next day to tell the boss.
Next day arrives and put in my notice, but to cover my ass, I promised I would show the new admin around the system. Whenever he decided to show, that is. Which he did not, until the second week of my return. The last week of my notice.
And show him around I did, complete with a checklist that I made him sign for each step. He never once asked me how to solve the ongoing problem. And I was not going to volunteer it. He created it, he can fix it. I was, by definition of the company, no longer in charge nor had access, nor even part of that team anymore.
The final day, the problem was still not fixed, the new admin never asked me how to fix it, production had come to a halt and the VIP client was knocking hard on our door. I left at quitting time knowing they were screwed and that I had thoroughly covered my ass.
Both they and their client were gone the next year.
Sometimes you wonder how manglement gets to that position with those mental limitations. I know I sometimes say that when you find someone on top of a hierarchy the only talent you can be sure they have is climbing hierarchies* but you'd expect that somewhere in the process reality would have intruded itself enough for them to be aware it exists.
* Unless they inherited the family firm.
Nowhere near the same but similar issues. Had been doing a roll for 9 years but didn't get made perm for bullshit "political" reasons. Had my admins rights removed yet constantly got asked "Can you fix this, can you fix that". Yes I can I said, its an easy fix but no one has asked me how and they refuse to give my admin rights back so you'll have to wait for them to work it out themselves. I eventually left as they were never seeing the light. Now, as I keep in-touch with folks, something I used to do every year all myself with the odd help from certain people when needed (due to lack of access) that used to go flawlessly, they are now constantly fucking up and end up with a team of people. Despite me leaving good documentation behind, which I've heard they'd always ignored as they want to make their own mark, oddly seemingly feeling threaten from documentation from an engineer who's long left, odd.
Yikes! I've worked at several companies like that but I didn't last a year. I already knew where it was heading.
Good on ya! I have this bad attitude about being set up for failure and ending up the scapegoat. I use the Bugs Bunny method. (if you know, you know)
@ecofeco
I expect any employees who lost their job when the place closed down would be ever so grateful for your childish "work to rule and bung in demarcation lines whilst I am at it" stampy footy session.
You are not clever person you think you are. You are just nasty.
Do you have any level where it becomes the company's responsibility? If I bang on every door with a problem, a suggested solution, and volunteering to do it singlehandedly, how many people have to say no before it stops being my responsibility and you stop blaming me for the consequences of that problem. As the original poster indicated, they didn't even create the problem. I also assume that, had they attempted to fix the problem and introduced a new problem, you'd be blaming them for doing that when management hadn't approved.
Why do you jump to assuming that this person's failure to solve a problem that nobody cared about and they didn't create caused the demise of the company? It seems more logical to me to assume that the company's inability to work on the problem was a symptom of inept management which caused the collapse, something an individual tech, even if they took the initiative to fix everything above the complaints of management, couldn't solve.
Right?
Person who thinks that someone who didn't create the problem, was not allowed to solve the problem and was penalized for someone else's problem, has some responsibility to solve the problem, is the nasty person, is projecting on an IMAX level.
We should thank them for telling us who they are.
《And show him around I did, complete with a checklist that I made him sign for each step. He never once asked me how to solve the ongoing problem. And I was not going to volunteer it. He created it, he can fix it. I was, by definition of the company, no longer in charge nor had access, nor even part of that team anymore.
The final day, the problem was still not fixed, the new admin never asked me how to fix it, production had come to a halt and the VIP client was knocking hard on our door. I left at quitting time knowing they were screwed and that I had thoroughly covered my ass.
Both they and their client were gone the next year.》
Can't say fairer than that.
Quite clearly a corporate death wish graciously granted.
"Ever taken sweet revenge through their magic of malicious compliance?"
As all my account was going to be deleted anyway and no one bothered to ask me to move my documents over to someone else, I may or may not have deleted all my YouTube video guides (we stupidly used Google) so the whole FAQ page was full of "This video is no longer available".
At a past job, I had one particular problem user who kept forgetting his password, and rather than email the dang email address from his personal email address for our helpdesk that creates a ticket, he would make a major fiasco of it every time going straight to executive level HR and copying his Manager on the email he did send.
After about 4 days straight of this hot mess, I got frustrated and set him a new password that surely he wouldn't forget. The password in question you say? It was IKEEPFORGETTINGMYPASSWORD.
Yeah, suffice it to say I got raked over the coals for that one by both my manager and by HR (seems the guy was autistic to a certain degree, which I didn't know). He never forgot his password again though after that.
Working as a lead engineer / architect in fairly big aussie uni and they decided in their infinite wisdom to get an outside consultant in to design and build a new financial reporting warehouse thing. So PM buys non-standard hardware, with an even more non-standard configuration. Consultant starts install, we are whatever. Consultant, after a few weeks of really annoying our 12 person engineering team has had enough of the consultant but never the less he comes to me with a list of accounts that he wants created in active directory and the passwords he wants.
I gave him the accounts, but the passwords, as they were service accounts, had to conform to our policy of being ridiculously difficult. So 18 characters, upper case, lower case, numbers, special characters, no sequential repetition, etc. For the 12+ accounts requested. Consultant then complains that they are to complex, and it is unfair that we expect him to type them in and it is taking too long for him to type in. My manager, nor his manager are going to argue with me or the team, as they know better than to get the engineering team offside (we had near total ICT control).
Once consultant gets over this hurdle, we start receiving tickets every day from finance team that the reporting system is not working. When we deep dive into the system, turns out the consultant had configured it to delete all data before it attempted to pull fresh data from the, known to be flakey when connecting from other apps, operational systems. Thus every morning the finance reporting system had no data.
Result of this and a few other facepalm moments:
Consultant gone within a few weeks, the PM (and his lackey) where gone with two months.
After which we found some interesting transfers of funds between the two projects the PM and his lackey were running (the other project also massively failed and was binned as we wouldn't accept it for testing due to non-compliance to our build standards). Financial reporting system was eventually virtualised, the non-standard hardware was demoted out of the data centre with the intent to put into our Test & Eval room (which also got decomm'd when we moved buildings and pretty much everything got scrubbed and into ewaste).
Fun times
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
