Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

Welcome again to Who, Me?, where we invite Reg readers to begin the week crossing their fingers it will be better than those of our featured techies. This week, meet "Damian", whose tale is a warning not to get too cocky when demonstrating a security glitch. Damian's tale is of a time when he was working as an admin …


  1. Pascal Monett Silver badge

    Quite an understandable mistake - except for the CEO

    I get the mindset of the moment, but if you're testing something, common sense says to keep the CEO's email the hell out of it.

    1. apveening Silver badge

      Common sense

      The problem with common sense is that sense never ain't common (Lazarus Long)

      1. Stevie

        Re: Common sense

        "I'm off to roger me mum"

        Lazarus Long

        1. James O'Shea

          Re: Common sense

          ""I'm off to roger me mum"

          Lazarus Long"

          And his opposite-sex clone 'sisters'. And his computer. And his adopted daughter. And... do you really want a complete list?

          1. Stevie

            Re: do you really want a complete list?

            Don't need one. I have a first edition NEL paperback c/w their patent "virtual glue spine" of Time Enough For Love. It fell apart as I read it, and I treat paperbacks with great care. The pages are crammed back inside the (wonderful) Bruce Pennington cover in order. I could probably repair it with the book-fixum-upgood non-acidic PVA glues available today. I have a library full of unreadable NEL paperbacks because of VGS technology - a full set of the John Carter Barsoom for a start, more Heinlein, Dune et al, all only of sparse shelf-space value because of the Pennington covers.

            To be honest, I read TEFL in '75, around the same time I read Dhalgren. I've re-read the second about four times (no, I don't understand it). I've never attempted the first again partly because of the spinal disintegration thing, partly because I came away from it the first time feeling that the best part of the book was the Pennington cover.

            No doubt I will get an earful for this attitude, but I think RH did a better job of the time-loop thing in the rather shorter All You Zombies.

            1. Deltics
              Pint

              Re: do you really want a complete list?

              I'd also offer into evidence "By His Bootstraps".

              But to be fair, my take is that the time-loop is very much at the centre of Bootstraps and Zombies where-as in TEFL (and To Sail Beyond the Sunset) the loop was only really a device to facilitate a much wider exploration of societal and cultural norms (very much the recurring theme in Heinlein's work) through the character of LL.

              1. JimboSmith Silver badge

                Re: do you really want a complete list?

                I had fun with putting the address of your intended victim (from my company) into the from field in outlook. I knew that the email wouldn't send and I'd get a message saying that in my inbox. However the email now sitting in the sent box looked like it was from the victim. Move that into the inbox and it really looked like it had come from them. So I wrote an email that purported to show my desk mate, a not unattractive woman asking me out for a drink. I then sent it to myself supposedly from her and replied saying that I was flattered that she was interested in me. She looked up and said she had no idea who had sent that but it wasn't her. "Must have left my computer unlocked, sorry" I then sent a reply from "her" which said 'scrub the drink how about going straight to dinner instead?' By this point she was smelling a rat and had worked out it was me sending them. She said "That's fecking evil - but bloody brilliant. You have to show me how you did that, I want to have some fun!"

                It wouldn't stand up to any scrutiny (serious or otherwise) but made for a good practical joke.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: do you really want a complete list?

                  This amusing anecdote sounds alarmingly like harassment.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: do you really want a complete list?

                    It's only harassment if the "victim" says so. She evidently didn't. What right do you have to insert yourself into the lives of complete strangers and proclaim your moral superiority over them?

                  2. JimboSmith Silver badge

                    Re: do you really want a complete list?

                    This amusing anecdote sounds alarmingly like harassment.

                    Well in that case so does having free samples of Tenna for Men sent to me at work. We got on very well together and the practical jokes were part and parcel of our working relationship. By the way she did that first

          2. John Brown (no body) Silver badge

            Re: Common sense

            "And his opposite-sex clone 'sisters'. And his computer. And his adopted daughter. And... do you really want a complete list?"

            No thanks. I know the Internet is big, but I don't think it's big enough to take that list without breaking.

            "Remember, if you break it, you bought it!"

            Jubal Harshaw (probably)

        2. Anonymous Coward
          Anonymous Coward

          Re: Common sense

          That's a silly name for a mum.

          Is that like calling a man Sue?

      2. This post has been deleted by its author

    2. M Mouse

      Re: Quite an understandable mistake - except for the CEO

      I was once responsible for some of the networking in the (academic) organisation where I worked.

      We had BT's X.25 PSS service connected to one of our DEC VAX systems. Someone tried to 'hack in' and seeing it reported I made a quick 'in retaliation' connection to their server... There were a few well-known system accounts on VAX, with default passwords. I logged in on the first attempt because they had not altered theirs (just lucky for me it was a VAX).

      After noting they had a dozen or more systems, with names suggesting they were spread widely across Europe, I managed to find a mail list for the board members. I left a task in the queue to run a few weeks later, middle of the working day, middle of the week, telling them their security was poor if they still had default passwords on privileged accounts.

      I have no way to know if it ran, and I probably wouldn't do it nowadays, but it seemed sensible to at least warn a few of the decision makers, hopefully in different countries, there was a security issue, possibly on more than 1 of their systems.

  2. Doctor Syntax Silver badge

    It probably wasn't a consideration but it's never a good idea to fire someone who's just demonstrated they know where your IT system has a security hole.

    1. Nick Kew

      The security hole isn't really what's claimed: ability to forge a From: address is baked in to SMTP, and it relied on Damian having sysop privileges.

      It's the mail system that first accepted the message then bounced it. Anyone who's suffered a Joe Job knows the hard way how inexcusably broken that is - and has been for the last 20 years or so (since mail abuse went from prank to spam). Either reject it or accept it; don't bounce!

      1. Danny 14

        I'm trying to think of something that WON'T let me put what I want in the from field. Dell MDSM does, Synology NAS, QNAP NAS all do for me. Then there are the Dell iDRAC cards, they do.

      2. Alan Brown Silver badge

        "ability to forge a From: address is baked in to SMTP, and it relied on Damian having sysop privileges."

        You don't need sysop privileges to forge SMTP. You don't even need to be the janitor.

    2. Adam 1

      "Security holes" really have gone to both extremes now. On one hand, we have exploits that rely upon timing attacks against the CPU cache to act as an oracle. But also apparently, we accidentally configured our mail server to act as a relay then spoofed an email from the PHB. HELO theregister.co.uk. Must do better.

  3. wyatt
    Unhappy

    I've learnt the hard way not to muck about when setting stuff up/testing. It will go wrong.

    1. Anonymous Coward
      Anonymous Coward

      I was temping at a company and set up their new anti-virus server. The problem was, I had just come off a 5 year stint at another company and I put in the recipient email address on the new AV server as it@old-company.com.

      6 months after I left the company, I got a call from the manager. He'd just had a call from old-company's IT department. They weren't very happy about having received AV notifications for the previous several months and could he please change the recipient email address!

      1. Stuart Castle Silver badge

        At work, we have a special mailing list for receiving notifications like this. All the technicians are on it.

        We use that address for any notifications from systems, unless for some reason, they need to go to a subset of technicians and techs outside that subset should not see it.

        We also use it for testing, but to send a warning of the test to the mailing list.

  4. Anonymous Coward
    Anonymous Coward

    You wanted it to look like the CEO was emailing the Sysadmin asking for a raise?

    How does that make sense?

    1. Anonymous Coward
      Anonymous Coward

      Well, that seems to have been just a silly test message to a friend. Stupid? Yes.

      Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.

      1. Chronos

        Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.

        Or perhaps because his name was taken in vain instead of being treated like that of a deity despite being a fat, balding, Lexus-driving golfist with all the charm, wit and character of putrefying road-kill.

        Pure conjecture, of course.

        1. Danny 14

          CEOs tend to get pissed when grunts misuse their email addresses. That's why pissing in the water cooler works better.

          1. Alan Brown Silver badge

            "That's why pissing in the water cooler works better."

            If you're going to go down that route, a drop of phenolthalein is more effective and I'm surprised Simon hasn't worked it into a BOFH story yet.

            1. Alligator

              Phenolphthalein. A rare word with 5 consecutive consonants, none of which is y.

              Also a very effective laxative.

              1. Dave559 Silver badge

                Re: Phenolphthalein

                How the phthuck do you pronounce that properly!?

  5. big_D Silver badge
    Facepalm

    DROP Financials

    We had an OLAP cube running in Essbase, one of the first OLAP tools in the mid 90s.

    The problem was, if you recalculated a filled cube, it would take forever! Well, 4 - 5 times as long as normal.

    The "quick" database was recalculated every 4 hours and took about an hour to calculate. The procedure was:

    1. Export bottom level data

    2. Drop the database

    3. Import the bottom level data

    4. Recalculate.

    Can you guess what happened next? Yep, I did 2, 3, 4, ooops!

    I was new on the project and asked my colleague what the procedure was. He said, just re-calc and blame the missing data on user error! :-O

    I went to the head of the financial department and told him that we had had a problem with the export - well, we did, didn't we, I forgot to do it! I then told him we would import the previous export, then run the transaction file against that and then recalculate.

    I reconstructed the data, recalculated and informed the users that we had had a problem and they should check their inputs from the last 3 hours. In total, we lost 2 transactions.

    I got commended for being up-front with the customer.

    1. Anonymous Coward
      Anonymous Coward

      Re: DROP Financials

      I know exactly what you went through - I'm going through very similar issues with the Essbase cubes at my company. Glad you got it resolved with a commendation, it rarely gets that good over here.

  6. DJO Silver badge

    Business as usual

    Spoofing the from address in an email is not exactly tricky, in fact it's so easy I doubt it's really a "security hole", any SMTP client can (and by design, must be able to) do it although the ability might not be exposed.

    1. phuzz Silver badge

      Re: Business as usual

      Yep, but most people seem to think it's impossible, hence the full dress panic when the owner of our company got spam purporting to be from someone else in the company. "OMG we must be hacked" etc.

      Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard.

      1. Doctor Syntax Silver badge

        Re: Business as usual

        "Cue my boss patiently trying to explain how SMTP works for an hour, before giving up and pointing out it's about as secure as a postcard."

        And the irony is that in all probability the business's marketing department were paying some marketing company to spoof emails to customers in exactly this way.

        It's high time email clients, as a default, would raise a conspicuous flag on messages that don't originate in the domain they purport to come from. Yes, it would make life difficult for marketing departments and the spammers they employ (I can scarcely contain my indifference) but it would also make life a little more difficult for malware flingers if their spoofing were to become exposed.

        1. Ryan 7

          @Doctor Syntax

          "It's high time email clients, as a default, would raise a conspicuous flag on messages that don't originate in the domain they purport to come from."

          SPF is way ahead of you, matey.

        2. Mage Silver badge
          Facepalm

          Re: high time email clients, as a default

          No, it would be REALLY stupid for many residential users of email, who can only send via their ISP's SMTP and also people using loads of email addresses on their personal domains that are automatically forwarded to some other mailbox.

          The problem with email goes much deeper, a lack of any whitelisting and blacklisting in the design at the start. Retrofitted adaptions break email. Only some completely different system will solve it. Then there is the change over problem (see IP4 and IP6). The designers of email learnt NOTHING from the exploits of optical telegraph/semaphore (the Clacks was real once and spanned Europe at time of Napoleon), wired telegraph, analogue phone (POTS), POTS & Fax with caller ID (it HAS to allow spoofed return numbers due to PABX/Network design limitations on sending from one line and receptionist handling reply on another number as well as other issues.). ISDN was designed to interwork with POTS inc Analogue Fax as well as do digital voice, fax, data etc. So was still "broken" regarding lack of whitelist & blacklist mechanisms inherent to design.

          There is no sensible reliable way to separate malicious from innocent email. You can sanitise by having no scripts, no remote content and display the real link for all link text (why do you need to hover and see status bar?). Plenty of stupid valid emails have also links that don't match text because the EVIL legitimate companies are using tracking and cloud services etc not on their own domain, IDIOTS. Paypal, my bank, my ISP all have such idiocy.

          1. matjaggard

            Re: high time email clients, as a default

            When I spoofed emails to colleagues I used to have to change the from address to .C0M so that Exchange didn't reject it - surely preventing incoming emails that say they're from the domain that you own would be rejected by default on most mail servers? I guess a lot of companies don't have the domain owned by a specific system?
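The check Doctor Syntax asks for above (flag mail whose visible From: domain does not match where the message actually came from), Ryan 7's SPF reply and matjaggard's question about rejecting inbound mail that claims to be from the domain you own can all be expressed as one small piece of detection logic. The following is an added example, not code from this thread, from any of the posters or from The Register. It assumes the receiving mail server has already stamped an Authentication-Results header with its SPF verdict, and it treats example.com as the domain we own; the sample messages are constructed for the example.

```python
"""Added example, not code from this thread or from The Register: apply the
"flag mail that doesn't originate where it claims to" idea from the posts
above to a parsed message. It assumes the inbound MTA has already stamped an
Authentication-Results header with its SPF verdict (an assumption here), and
treats "example.com" as the domain we own."""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # constructed: the domain this mail system owns


def header_domain(value):
    """Lower-cased domain of the first address in a header value, or None."""
    _, addr = parseaddr(str(value) if value is not None else "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def spf_result(msg):
    """SPF verdict recorded by the receiving MTA in Authentication-Results
    (e.g. 'pass', 'fail', 'softfail'), or None if nothing was recorded."""
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";"):
            part = part.strip()
            if part.lower().startswith("spf="):
                return part[4:].split()[0].lower()
    return None


def assess(raw_message):
    """Return the domains involved and a list of reasons to flag the message.

    SPF only vouches for the envelope sender (MAIL FROM / Return-Path), so a
    message can pass SPF and still carry a forged visible From: address; the
    first check below is the alignment test that SPF alone does not do."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = header_domain(msg.get("From"))
    envelope_dom = header_domain(msg.get("Return-Path"))
    spf = spf_result(msg)

    flags = []
    if from_dom and envelope_dom and from_dom != envelope_dom:
        flags.append("from-envelope-mismatch")
    if from_dom == OUR_DOMAIN and spf != "pass":
        # Mail claiming to be from our own domain that our MTA could not
        # verify: the case matjaggard asks about above.
        flags.append("claims-our-domain-without-spf-pass")
    if spf in ("fail", "softfail"):
        flags.append("spf-" + spf)
    return {"from": from_dom, "envelope": envelope_dom, "spf": spf, "flags": flags}


# Constructed sample messages; only the headers matter for this check.
def _build(return_path, auth_results, from_header):
    return "\n".join([
        "Return-Path: " + return_path,
        "Authentication-Results: " + auth_results,
        "From: " + from_header,
        "To: sysadmin@example.com",
        "Subject: Quick question",
        "",
        "Body text.",
    ])


# Genuine internal mail: From and envelope agree, SPF passed.
MSG_LEGIT = _build("<ceo@example.com>",
                   "mx.example.com; spf=pass smtp.mailfrom=example.com",
                   "CEO <ceo@example.com>")

# Forged From: delivered via an outside relay that our SPF record does not list.
MSG_SPOOF = _build("<bounce@relay.test>",
                   "mx.example.com; spf=fail smtp.mailfrom=relay.test",
                   '"The CEO" <ceo@example.com>')

# The "marketing company" case: the bulk sender's own domain passes SPF,
# but the visible From: is still our domain, so alignment fails.
MSG_MARKETING = _build("<b-42@bulk.mailer.test>",
                       "mx.example.com; spf=pass smtp.mailfrom=bulk.mailer.test",
                       "News <news@example.com>")

if __name__ == "__main__":
    for name, raw in [("legit", MSG_LEGIT), ("spoof", MSG_SPOOF),
                      ("marketing", MSG_MARKETING)]:
        print(name, assess(raw))
```

The third sample is the point Doctor Syntax's irony turns on: SPF is evaluated against the envelope sender's domain, so the outsourced mailer passes SPF on its own domain while the From: header still shows ours. Checking that the two domains agree is the extra step a client or gateway needs before it can raise the conspicuous flag he asks for.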

          2. Alan Brown Silver badge

            Re: high time email clients, as a default

            "residential users of email, who can only send via their ISP's SMTP "

            Residential users of email should _never_ be using the SMTP port. That's a big red "Danger Will Robinson" flag. They should be up on the authenticated ports and ISPs have zero business blocking those.

        3. Anonymous Coward
          Anonymous Coward

          Re: Business as usual

          Know of a school who lost £1000 to "charity" as the spoofed charity email address looked legit. Pity the laundered bank account numbers were not.

  7. wolfetone Silver badge

    I can't wait for the "Who? Me" article in a few weeks to explain why On Call wasn't published last Friday...

    1. fozzy73

      Did i miss the memo telling me to forget it?

      https://www.theregister.co.uk/2018/08/10/on-call/

      1. wolfetone Silver badge

        I kept looking for it on Friday and didn't see it. I now realise that usually "ON-CALL" is included as part of the headline, which is what I was looking for.

        1. Robert Carnegie Silver badge

          https://www.theregister.co.uk/Tag/on-call

          And it turns out:

          https://www.theregister.co.uk/Tag/who-me

          But no longer

          https://www.theregister.co.uk/Tag/line-break

          which I guess was kind of tech-ie for readers.

          1. Patched Out
            Coat

            ON CALL was formerly written by Simon Sharwood, who has left The Register.

            BOFH is written by Simon Travaglia. Hopefully, he is just on break.

            1. The Oncoming Scorn Silver badge
              Devil

              Quite Possibly On A Break .....

              ing spree involving Manglement, HR, Marketing or Financial Directors bones in the usual methods:

              falling down stairwells.

              entering lifts that aren't there.

              Gravity & the effects on heavy items, when they collide onto the above groups.

              Percussive user adjustment with lump or sledgehammers.

            2. Fruit and Nutcase Silver badge
              Joke

              ON CALL was formerly written by Simon Sharwood, who has left The Register.

              BOFH is written by Simon Travaglia. Hopefully, he is just on break.

              ON CALL is now written by Rebecca ("Simone") Hill

    2. RGE_Master

      I'm guessing Simon is either on holiday or is the star in his own, "Who? Me?" Column.

      1. big_D Silver badge

        Simon has left El Reg. There was a farewell article a couple of weeks back.

        1. Khaptain Silver badge
    3. Anguilla

      "Monday 13th August 2018 10:34 GMT

      wolfetone

      Silver badge

      I can't wait for the "Who? Me" article in a few weeks to explain why On Call wasn't published last Friday..."

      You are SO LUCKY - I, in Hong Kong, never get this edition until TUESDAY and then mostly just before "High Noon" here [GMT + 8 Hours]

