Intern with superuser access 'promoted' himself to CEO Aaah … Monday! That wonderful week-opening day that brings with it so many possibilities. Including, as Register readers know all too well, the chance to make errors that must then be discreetly buried – the subject of our Who, Me?, our weekly reader-contributed tale of career-threatening bullets you’ve managed to dodge. This …
The really prickly, self styled IT manager at the European head office of one company I worked for, sent out an email to the whole company to say that she had just enjoyed a wonderful 2 weeks in the US sun on a security course and now everything IT was setup tighter than a Gnats chuff.
Needless to say that it wasn't her that sent it!
And he could count his blessings that day, because today there would have been a response, quickly, and then things would have escalated from there.
A massive semiconductor company, eh ? Not based in Taiwan, eh ? Sounds like Intel. Looks like Intel participated in the learning IT security paradigm.
You don't give interns superuser access to anything.
Now they know why.
About 22/23 years ago, I worked for a large manufacturer. They were a Lotus Domino/Notes shop as well as big users of Citrix (the latter being the reason I was there).
One of the young lads on the helpdesk was a bit of a prankster and often got himself into a spot of bother for acting before thinking.
This one particular day, he was called out to one of the HR managers' for some problem on her desktop.
Whilst he was fiddling around with her computer, she went to get a coffee, leaving our intrepid plank alone for a few minutes.
Did I mention his dad also worked for the company at the same site. Not in am IT role, as I recall, but he had email.
He also had a sense of humour, so when he received an email from the HR manager that read "You're fired you bald bastard!" he knew it was a joke. He also had a good idea (he'd been on the receiving end of his son's pranks before) who had sent it, so he did nothing with it.
Again, though, the genius that the kid was, he didn't delete it from sent items.]
Yeah...you guessed it. The HR manager found the email and lodged a formal complaint. Due to his other pranks it ended up being a final written warning.
It was quite funny, though.
Back in the day of the hard copy office memo and internal post, with a bit of imagination and care, a PC, a photocopier, and an internal mail envelope (last addressed to another team) it was easily possible to pull off these sorts of capers without any provable link to the originator.
One particularly successful effort of mine resulted in a senior manager writing to a board director and a tranche of other senior managers to deny that his team was going into hibernation over the winter. Nobody was ever caught, or even accused, but I know that management mentally assigned the blame to the wrong person. Collateral damage, from my perspective.
I worked at an aerospace firm in the 1970's, and those brown envelopes also existed in classified form. And where I worked, as an Engineer, you were not allowed to walk from lab to lab with tools or hardware, no matter how small. You were supposed to get an "expediter" to come and transport it. Expeditors were (all union, of course) High School dropouts who generally had a gallon of beer for breakfast, and another for lunch. (A couple of them dropped a mockup for a multi-billion dollar project the night before a bunch of Generals were showing up as they imbibed too much at dinner.) And after showing up late, union rules required they would charge your project a minimum of 4 hours labor even for 5 minutes of walking an object down the hall. If you, as an Engineer, were seen carrying anything, you could be stopped by a union rep, and if found to be carrying something an expediter should have been called to carry, all hell would break loose, you'd get written up, and they'd charge you project 4 hours labor anyway. The best use of the classified version of those intraoffice brown envelopes was to put the object in one of those, as if a union rep stopped you, you just hold it out and say "You open it." If he did, while you'd get written up for carrying the object, he'd get a more serious writing up for violating the unsealing of a classified envelope where he didn't have project "need to know", even if he held the proper clearance level. (If you could, you used an envelope above your own clearance level to really feign ignorance.) So then you'd have a cat & mouse game of walking around with the rep following you until he got tired or you found a classified lab to enter that he didn't have access to. (I was young, the reps were old. Did I forget to mention, they were all overweight?) Oh, the joys of overly bureaucratic defense conglomerates. I left that place in 1980. Probably hasn't changed.
It might surprise you but Socialist countries tend to have very subservient to the management unions.
Correct and that is because management usually has the higher positions in the unions as well.
The fall of communism in Poland started with the first independent union (Solidarność).
That's the problem: like any organisation, technology, or tool, a union can either be a good thing, or a bad thing.
Trade unions sticking up for workers, making sure they don't get screwed over by the bosses, get fair pay and conditions, and ensuring that they get a fair share of the profits (and that the workers get support and proper retraining if a particular role gradually becomes obsolete)? Good thing.
Trade unions enforcing really quite ridiculous rules (or roles) like this one, basically so that they too can dine on the gravy train? Come on, that's clearly unreasonable, and is the sort of stupid behaviour that will either make the company very uncompetitive, and/or eventually bring it down, and then where will any of the workers be?
When I worked for the UK subsidiary of a medium-sized international concern, HR (UK) wanted to introduce a system which would collate all personnel detail into a single program. This would include details such as bank-details, passport, as well as the usual personal information. She had set up some details to show how it all worked and organised a demonstration. Best of all this program was 'Free' and internet-based. "What could possibly go wrong?"
Being a 'Superuser' she had access to all and everything and demonstrated the frightening detail at her fingertips, including her personal bank details. It gets worse. Telling us her password was <<daughter's name>> she confided that used her daughter's name for all her passwords. Anyone could now log in using her name and password and view everyone's details. On a 'free' online sysyem....
I refused point-blank to have any of my details applied to this system. I was threatened with disciplinary action if I did not comply. The projected system was quietly abandoned as was the HR lady.
Did the story end there? Maybe she has a youtube channel, because that design seems not far off from many implementations today.
"I was threatened with disciplinary action if I did not comply." Typically HR uses the big stick over any and every issue. I think they get a charge out of it. Your only hope is that someone at a higher level than the top of HR has the same objection as you. Been there, done that.
Back in the early naughties we had a sales veep looking to cut some people during a bad quarter. So he looks over the March prelim sales report and writes an email to the two lowest ranked people. "Due to your insufficient blah-blah-blah, performance improvement plan, blah-blah-blah."
Five minutes later he's in the IT office, freaking out and asking us how he can delete mail he's sent. Seems he sent the email not just to his two under performers, but to every one in the sales group. Oh, joy. While we could technically do it, Legal would eat us alive. They even complained when we deleted spam, insisting we silo it away instead.
My boss waves him to an empty cube, tells him to log into webmail, then types up a second email on his behalf:
>Subject: April Fools!
>Body: Our March numbers aren't even out yet! And don't worry, from what I've seen of things, you're all doing a fantastic job.
He clicked send and then told the Veep to go back down to Sales, remind them to look at their inbox again, and announce that the first round was on him after work.
Back in the days of offices and phones on desks, a new colleague joined and had, as luck would have it, the same name as the COO.
I started by pranking other colleagues, who were usually quite nervous receiving those calls.
Then I got the lightbulb idea! Whenever I really needed people to pick up my call, if they ignored it they would then get a call for the COO - rarely missed the mark!
In the good old days, when phones were rather heavy desktop devices, didn't need nor have a display beyond a couple of LEDs, and before e-mail was a thing... With two phones next to each other, you phoned two different people and then put the two handsets opposite each other to enjoy the development of a random discussion ("...you phoned me." - "No, you phoned me!" etc.)
before ever getting to true BOFH (or even PFY) level of abusive IT shenanigans. Sending an e-mail in the boss's name is one thing, but a proper BOFH would never have it traceable to himself.
Likewise, giving an intern admin rights over anything at all suggests there were no BOFH-level admins on site either.
While not quite the same as spoofing email, a former 3rd line manager had a habit of sending emails from people's actual accounts if he found they'd stepped away from their desk and not locked their computer. He even encouraged the rest of the 3rd line staff to do the same, with the instruction that the email must say the following: "I've been an idiot and left my PC unlocked, so the next round of coffee's are on me' and that it must remain within IT - preferably to their own team, but to feel free to include 3rd line if so inclined.
When it came to more senior members of IT, the offering got more severe with the CTO being caught twice: Both times with Pizzas.
Obviously, he got caught, too, and to be fair: He paid up. Everyone in IT got a coffee on him (Costa as it happens).
He would boast that he'd got everyone in IT, but he hadn't. There were some who were already careful, and some of us looked out for each other, so locked each other's PC's if we noticed they weren't locked. Especially if we saw someone from 3rd line on the prowl.
It's also why we had a sign up in the office: Win+L saves you from Hell.
I worked at a place where the head of IT Security would do this.
He even took 5 laptops from a meeting room, when the people meeting in the room went on a walk around the office.
While he had a point, to a degree, he was ultimately a twat.
When he left his laptop unlocked, and I send around the usual 'I'll be buying doughnuts tomorrow' email, he threatened me with all sorts of disciplinary action.
His duality did not go unnoticed, and his contract was not renewed.
When I started at Google, there was a strong culture of embarrassment-enforced screen locking. Apparently, it had been this way for some time. A couple of months later, some self-important VP or the other got stung, and this "unprofessional" behavior was squashed. Screen unlocking became a much more common problem almost immediately.
Back in the early days when mobile phones replaced pagers, anyone leaving their mobile on their desk unlocked was fair game. The favourite trick was to change the language to Finnish. For a while those of us in the know could legitimately blame it on the fact all the phones were, as you've probably guessed, Nokias.
I worked in a place that had this sort of thing as a semi-official policy.
When a new senior manager arrived, and got caught out, there was a lot of recriminations, and a "this behviour must cease immediately, or else" message sent out.
Well, someone, who shall remain nameless, managed to get in touch with the director who had implemented the policy, and a follow on message went out "this behaviour continues to be acceptable, but in light of complaints, from now on, any one who is caught out may choose to supply the treats promised on their behalf, or they can choose to go down a formal disciplinary process for their breach of our information security policies that allowed them to be caught out."
The senior manager bought the office Pizza, and didn't leave his computer unlocked again.
《And like many young people, he didn’t always think things through very well.》
I can think of a couple of US presidents, not all geriatrics, of whom this could also be said.
Lets invade Iraq and Afganistan! ......... .......... .......... ........... ...........
Well that didn't work out as well as we might have wished, but as we could quite conceivably have foreseen.
At a previous job in the early 2000's, management proposed to allow a lone email message as sufficient authorization for very large expenditures of money. I suggested that this was not an ideal way to handle such things since email (as demonstrated by this very article) is not particularly secure. Management did not believe me, so I demonstrated my point using telnet to connect to the SMTP server and manually faking an email from the big boss authorizing a very expensive company car for myself.
They did not make the proposed change (and I didn't get the car.)
Came here to say the same thing. You don’t need superuser access to send a message from a spoofed address.
It wasn’t just SMTP, either. The first time we had we had two VAXes connected via DEC’s mail system, we discovered this sort of spoofing worked there, too. Actually, we hadn’t even heard of SMTP (yet) at that point.
In a small office with just 4 of us with feck all security really I changed the boss' sound profile on his desktop (as you did on 98) so that it would blurt out various Father Ted related quote.
All very funny until he was on the phone to a posh mature lady and his PC ping out a minor alert to Father Jack screaming, "Hairy Japanese Bastards".
We lost that bit of business.
Many years ago I set up my research supervisor's Atari Mega ST (we used them in the lab) so that its error sound became "It can only be attributable to human error.This sort of thing has cropped up before and it has always been due to human error." and any attempt to use ctrl-y (we used them as VAX terminals too) got "I'm afraid I can't let you do that Dave." His name was David, which was handy.
A colleague discovered that the audio device on early Sun workstations had world write permissions, so you could rcp audio files to someone else's system. On one occasion he sent the noisy bit of Handel's Hallelujah Chorus to a machine being used by a fairly new team member on the floor below.
With impeccably unintentional timing she had just completed a successful demo to a visiting VIP when the system boomed "Haaallelujah! Haaallelujah!"
Apparently she just looked stunned, and stuttered "it's never done that before!"
1988. I proudly was one of the first three students on campus to get Internet access. Sure, it was only a 2400 baud modem or a walk over to the computer lab and use one of the dumb terminals. Gopher, Pine, Telnet & FTP were how things were done. User: "anonymous", Password: Your email address - which meant someone could see it as clear text. In hindsight, there was a glorious lack of security and immense freedom.
I discovered a fakemail script. It allowed me to send email from a false email address. Of course I promptly sent one to my favorite professor who I had just noticed was on-line with the mainframe. The email happened to arrive precisely when that professor was getting 1:1 instruction from the senior administrator. Ooops.
Shortly thereafter I learned that the contents stored in my home directory, including this spiffy fakemail script, were available for administrators to see. And that is how I not-so-proudly was one of the first two students to have Internet access revoked.
Back then "electronic mail" was a novelty and not the mainstream communications medium it is today, so it was written off as a harmless prank. They let me back in a month later with a promise to be good. The fakemail script had been helpfully deleted from my home directory. The Internet was not commercialized then, so the idea of using this script to be a spammer/scammer never occurred to me or anyone else.
Cheers for lessons learned early in life!
Shortly thereafter I learned that the contents stored in my home directory, including this spiffy fakemail script, were available for administrators to see. And that is how I not-so-proudly was one of the first two students to have Internet access revoked.
Ooops! Damn!!
At college I got called in to the head of ITs office due to "unauthorised executables in my home directory". I pointed out that the rule allowed for executables we had compiled ourselves, and that it was a modified VNC client built from source...
Before leaving I commented that I was glad he hadn't noticed that the "modification" was that it tunnelled over HTTP and would make ~200 requests/second through the proxy servers... Knowing he couldn't complain about me impacting server performance or anything because they hadn't even noticed...
> Gopher, Pine, Telnet & FTP were how things were done. .... a fakemail script. ....to send email from a false email address.
I believe you remember it this way; how else would you know "pine"?
I pined, and I remember it asked you who to be "from", but I can't/won't find pine docs today (and sure can't ask anybody to trust my memory). There was some forking-around with 'Alpine' and an 'Elm', and 'Mutt' seems to be about the last tree standing. Mutt Docs clearly say the user has a keystroke to edit the FROM: Esc f {edit-from} edit the From field
On an unrelated note: we often pined over dial-up. For the first year the dial-in server would serve anybody, then they added username/password and told us YOU MUST LOGIN! Indeed if you gave a username and a wrong password, no-go, leading to a lock-out, you had to bring an ID to the Lab to get re-set. But my brightest professor discovered that two ENTERs at the prompt bypassed that annoyance. (While teaching him a new trick, I noticed that he got in a LOT faster than I could, and not just finger-speed.)
"The Internet was not commercialized then, so the idea of using this script to be a spammer/scammer never occurred to me or anyone else."
Spam email started (in my life, anyway) when a student at Stanford sent every email account on campus a "wanna buy my bike?" email back when I was stanford!sail!vax!jake (name changed to protect the guilty; I'm archived at DejaGoo under the real name (if the alphagoo kids haven't irresponsibly destroyed that irreplaceable archive entirely)) ... Probably 1982 or thereabouts. He got yelled at, loudly, and had computer privileges revoked for the rest of the year. I'd have hung him by the thumbs in the quad if I had my druthers.
Footnote to history ... According to some sources (and repeated in this very august publication some years ago), HMQE2 personally sent an email addressed to "everybody on the ARPANET" on March 26, 1976. If true, this unsolicited mass emailing touting the Coral 66 compiler would be the first example of spam that we can place a name, face, product and date on. However, I doubt it's true for a number of reasons. First of all, there was no mechanism to "email all" on the ARPANET back then. Still isn't. Thankfully. Second of all, I have searched my archives, and despite having many emails from around and on that date (including roll accounts at around a dozen hosts), I see none that would correspond to the mythical "HME2" email. Gut feeling is that it was merely sent to the list of accounts on that particular machine.
So I'm happy to report that HMtheQ (RIP) was probably not an unwitting international spammer.
A few of us techies were admins of mail etc. Back in the good old days of DOS our company used something called Notework which sort of worked but would crash at certain times. The storage was basically a users folder name populated with individual files for each email stored on a box in the server room (thats another story or two there alone)
One of my colleagues quit his job rather spectacularly over the weekend by emailing the PHB a long missive. By Monday he rather regretted sending it and luckily PHB had not come in to the office, remember this is the days before you could get email 24/7. He asked me for help in removing the email. First task was to disable the PHBs email which could be done by corrupting one of his files after making a backup of it, this stopped him opening his inbox etc...rather handy as he'd just come into the building. By this time PHB called me saying couldn't open email said I was working on it, Notework was a right dog at times would just corrupt itself so he would not expect anything untoward. This then gave me time to text search the files and remove the offending message, and then replace the corrupted file with the backup. Bingo colleague still worked with us and beers consumed.
Reminds me a bit of a former coworker. If you left your workstation unlocked to go use the restroom or something, he'd use your computer to send messages to people or set up meetings for like 2am on Saturday to discuss the weather. He claimed it was to make sure people would lock their workstations, which it did, but really he was just taking the piss.
Eeek. I had a brief job in 1991 where we similarly all had admin level accounts. In fact, it was worse than that. Everybody was told to log on as user root! I thought that sort of nonsense had been killed with fire.
Using that access, I created my own log-in to keep a few files. Having been given zero indication of what I was supposed to do in the job, I spent my month or so there browsing the source tree and documenting magic number offsets into data structures as #defines.
Eeek. I had a brief job in 1991 where we similarly all had admin level accounts. In fact, it was worse than that. Everybody was told to log on as user root! I thought that sort of nonsense had been killed with fire.
One of my most recent jobs, the company was migrating ERPs. As I was told it, the previous ERP, everyone had admin access. This was only a few months ago. It's unfortunately far more alive and well than it should be.
You can still do it with any email client that gives you access to the mail header before it gets sent.
For example you can still do it with Thunderbird.
At one point it was even possible iwht Outlook, but they seem to have removed that option.
Now I won't give you how to do it... If you're a real Vulture you either already know or it won't take long find the way.
If I remember correctly, the devil had arranged it so that the Outlook versions that were around in the early 2000's used Ctrl+S hotkeys for sending emails. One friday afternoon a mid-level manager was messing about on one of his subordinate's PC and typed up a harshly worded email to the global distribution list, telling everybody in rather rude language how stupid they are. Then Ctrl+S to save ... followed by a futile attempt to recall the message. The disciplinary hearing was held two weeks later and the farewell drinks organised for the following friday. Turns out that the head of IT was on the hunt for a reason to get rid of the guy already, and then this fell out of the sky. Subordinate survived with a warning on his employment record.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
