The moment that elevated mum from $user to $admin
Posted: 29 Apr 2018 07:29 AM PDT

Hey TFTS. LTL;FTP. Like most of you here, I too have parents who are largely tech-illiterate, but over the last two years I've been making a conscious effort to get my parents (especially mum) to understand computers better. I'm a big believer in the ol' "give a man a fish, and you'll feed him for a day; teach him how to fish, and he can have food for life" mentality. So rather than showing mum how to resolve her every problem, we go through a process of:
Now admittedly, things do get incredibly frustrating in this process, and it can often take ~1/2 hour up to 1 hour to resolve issues. BUT, it has slowly been working. So today, mum came to me with a problem, and as usual, seemed to blow it way out of proportion.
This is the same person who two years ago didn't even know how to use the volume buttons on her phone - now troubleshooting all on her own... Mum, I am so proud of you. You've now been granted admin privileges.
a Big Bank nearly cut by Hanlon's Razor
Posted: 28 Apr 2018 11:46 PM PDT

I alluded to the following at the bottom of this tale. Please note, the dialogue is not verbatim, but close enough to the story as (a) I remember it and (b) as I am telling it.

It was very early in the 21st Century, and I was working for a(nother) multinational - this one based out of Europe, and specialising in First Generation Internet Banking (IB) software. In fact, it is where I found my passion for Web Application Security and Hacking - which led me a few years later to teaching that topic (among others) at a Technical College, and contributing a little here and there to some other research in the area. But I digress.

This incident was reported to me by the BigBankingCustomer people that I had 'won over' (won back?) in my previous tale (above). We now had a mutually high level of trust, and things were pretty well "back on track" as far as the relationship went.

Oh, btw - I did spend some more time on site with them when we had a "major upgrade" to the software (Java client, Windows Web Server front end and my UNIX(TM) server middle). I was blown away by their entirely separate 'copy of the Internet' in their test centre - it was limited in where you could go, but it was an amazing little data centre for testing their entire suite of software - including our IB software - in a "real world" environment.

Well, when I say the "incident was reported to me by the BBC" - that's not quite true. They had another issue; one I couldn't reproduce on our test system (too small, nowhere near enough transactions per minute) so I asked them to send me their log files. They did. Burned to a CD-ROM. Sent by snail mail. With no protection (well, a piece of cardboard). Not even "sign on receipt".

So, I pop the CD in, and start trawling through the log file. I thought "hmmm... I wonder if my banking id number is in here?" It was. Then I noticed something that sent a chill down my spine.
Several lines later, my password was there - in plain text - for all (where "all" is defined as "me" in this particular instance) to see. "Oh $#!+!" I thought. I don't think I said it with my 'outside voice' - but I may have. I called my lead tech contact at BBC and asked them if they had an account with their employer, and if they used the IB system? "yes" and "yes" - followed by "why?"
silence...
I did.

Now kiddies, let's talk about "responsible disclosure". I could have trawled through the log files and picked up hundreds of userid / password pairs and tried them on the live system to "check that they worked". And this is the sort of thing that some have wound up in gaol for (or are facing some serious time). If by checking something you are pretty sure your suspicions are confirmed, then it makes no sense to do it another hundred or so times to "make sure". You already know. Especially after two items are confirmed as "real", there is no need to iterate through another hundred, or two. It worked for n, and it worked for n+1; there is no need to test for n+2..1000 (or more).

Fortunately, the Europeans had done a good job of architecting the logging of this system, and so there was only one place I needed to make a change, so that whenever the password was about to be issued to the log file, a string of "********" was sent to the logfile. Yes, the password was still in memory - but it was required as it was being sent to the BBC's Big Iron via a message queueing system, where the actual account details resided.

I passed the same patch to my team mates looking after other banking institutions, and passed the fix back to Europe so they could roll it out to all the other customers across the globe. In less than a month my mandatory patch had been applied many, many times across many financial institutions. Of course, having worked for |a|n|a|l|o|g| the previous century (before they were gobbled up) it was not my first 'global rodeo' ;)

tl;dr - massive security leak averted by eagle-eyed (newbie) C-programmer - shares his

edit: formatting {sigh}

p.s. yes, I did fix the originally reported problem - from memory it was a memory leak, and I just needed to release an object when it was no longer required (no garbage collection in C).
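The single-choke-point fix the post describes (mask the password with "********" before the line reaches the log file), as an added C example that is not the post's or the bank's own code; the field names in SECRET_KEYS and the field delimiters are assumptions, since the post does not name the original log format:

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Field names whose values must never reach a log file. Assumed names for
 * this example (the post does not name the bank's fields); matched case-insensitively. */
static const char *SECRET_KEYS[] = { "password", "passwd", "pwd", NULL };

/* Characters that end a key=value field (end of string counts). */
static int is_delim(char c)
{
    return c == '\0' || isspace((unsigned char)c) || c == ',' || c == ';' || c == '&';
}

/* If `p` starts with "<secret key>=", return the length of "key=", else 0. */
static size_t secret_key_at(const char *p)
{
    for (int i = 0; SECRET_KEYS[i]; i++) {
        size_t n = strlen(SECRET_KEYS[i]);
        if (strncasecmp(p, SECRET_KEYS[i], n) == 0 && p[n] == '=')
            return n + 1;
    }
    return 0;
}

/* Copy `in` to `out`, replacing the value of every secret key=value field with
 * "********" (the mask the post describes). A key is recognised only at the start
 * of the line or after a delimiter, so "mypwd=x" is left alone. Returns the number
 * of fields redacted, or -1 if `out` (size `outlen`) is too small: fail closed. */
int redact_log_line(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int redacted = 0;
    for (const char *p = in; *p; ) {
        size_t klen = (p == in || is_delim(p[-1])) ? secret_key_at(p) : 0;
        if (klen) {
            if (o + klen + 8 >= outlen) return -1;
            memcpy(out + o, p, klen);       o += klen;   /* keep "password=" */
            memcpy(out + o, "********", 8); o += 8;      /* mask the value  */
            p += klen;
            while (!is_delim(*p)) p++;                   /* skip the secret */
            redacted++;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return redacted;
}
```

Calling this in the one place that writes to the log is the same shape as the fix in the post: the secret stays in memory for the message-queue hop, but never lands on disk.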