Why do we need logins?
-
A friend who owns a small business asked me to write a small utility for him. He also asked that I put in an admin-mode so that only he could run certain functions of the application. Ok, no big deal, check logins and use that.
I install it and he fires it up. All is well. Then someone else fires it up and they also have admin mode. Hmmm, did I miss something?
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
Why? It's too much trouble to create different logins. Besides, we don't surf to porn sites so we won't get viruses.
After a failed attempt at educating him, he decides that he knows best and that I should just make it work.
I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.
-
Why are you creating two different versions of the software? You should just add an URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.
-
@PSWorx said:
Why are you creating two different versions of the software? You should just add an URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.
Nah, he should have the first page or screen that loads with the program show up a disclaimer and two buttons. Something along the lines of:
Warning: this system contains some functions that can only be used by Carl. Click 'yes' if you are Carl, or otherwise click 'no' if you are not Carl. Snoofle Inc. cannot be held responsible for Carl impersonation.
-
@snoofle said:
After a failed attempt at educating him, he decides that he knows best and that I should just make it work.
I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.
Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.
If your friend wants to hang himself, you don't make the noose for him!
If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.
-
@Paddles said:
@snoofle said:
After a failed attempt at educating him, he decides that he knows best and that I should just make it work.
I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.
Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.
If your friend wants to hang himself, you don't make the noose for him!
If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.
I think you're comparing apples to oranges there, with the medical analogy.
And Snoofle did solve the guy's problem, even if it wasn't the most elegant thing to do. IMO the right thing to do next is, after the phone call, selling some consultancy to the guy about good security practices.
-
@PSWorx said:
Why are you creating two different versions of the software? You should just add an URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.
Who said it was a web application?
You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.
-
You said the app is login-aware but you're basing it on the current Windows user? In an environment where they apparently are not using networked Windows login? (I can only imagine Administrator is a local account on each machine). Doesn't sound like all that great of a design in the first place.
Why not have a login system in the app itself?
-
@Zolcos said:
You said the app is login-aware but you're basing it on the current Windows user? In an environment where they apparently are not using networked Windows login?
Not necessarily true, they could all be using the same network account. Not that that helps anything...
Wouldn't you assume a sane network when building this app, though? I mean... wouldn't anybody? The Real WTF comes down to not asking right away, "hey are you guys total fucking morons when it comes up to setting up an office? See, I have to ask because it lets me know if I can use single sign-on in a sane way or not..."
-
@blakeyrat said:
Hide it by putting it in the lower right, nobody looks there.
Heh. That's where I always put the "exit" button. I must be subconsciously trying to give my apps more run time or something.
-
@blakeyrat said:
@PSWorx said:
Why are you creating two different versions of the software? You should just add an URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.
Who said it was a web application?
You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.
Though, you could put the Switch To Admin button pop up a login box. Hard-code an "admin" username and password, and give it to Carl.
As a bonus, you can charge a consulting fee anytime they need to change the Admin password.
-
@blakeyrat said:
You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.
Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.
-
@cvi said:
Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.
I wrote a quickie in Java to control my cable box over Firewire. After having some issues getting it to work through a firewire concatenator, I had to go back and add a debug mode. Simply press up, up, down, down, left, right, left, right, info, enter.
-
@NoOneImportant said:
@cvi said:
Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.
I wrote a quickie in Java to control my cable box over Firewire. After having some issues getting it to work through a firewire concatenator, I had to go back and add a debug mode. Simply press up, up, down, down, left, right, left, right, info, enter.I once ate a deadly slice of Fugu fish. At the hospital, the doctor laid me on my back and on my sternum he tapped up, up, down, down, left, right, left, right, then twice on my forehead and I projectile-vomited the contents of my stomach right into his face. True story.
-
@NoOneImportant said:
up, up, down, down, left, right, left, right, info, enter.
Cool.
When I did that, she came.
-
@Paddles said:
...in this case you are TRWTF.
Only if I blindly went along with it without first trying to get him to do the right thing.
I explained all the badness of having everyone run as Administrator locally; of not running AV; of not even having a firewall; of installing the same thing on each PC (vs a network share), etc.
He's got 5 PCs sharing an internet connection - wide open, and refuses to do anything about it.
It's stupid and I warned him that he would have problems, but he didn't care.
I was helping out a friend so I just made two ant targets: one with a -Dflag=xxx and one without, and coded it such that it would make two programs: one with the admin function visible and one without it (same code). Then I just dropped different programs on each local pc (no network share).
To follow your analogy, if the doctor tells you the aloe vera won't work and you need to deal with the cancer, but you only use the aloe vera, is it really the doctor's fault?
You can lead a horse to water but you can't make him drink.
-
@dhromed said:
@NoOneImportant said:
up, up, down, down, left, right, left, right, info, enter.
Cool.When I did that, she came.
What was the "info"? "I make 6 digits a year and drive a BMW?"
-
@blakeyrat said:
@dhromed said:
@NoOneImportant said:
up, up, down, down, left, right, left, right, info, enter.
Cool.When I did that, she came.
What was the "info"? "I make 6 digits a year and drive a BMW?"
JESUS CHRIST MAN! THERE ARE JUST SOME THINGS THAT YOU DON'T TALK ABOUT IN PUBLIC!
-
@snoofle said:
A friend who owns a small business asked me to write a small utility for him. He also asked that I put in an admin-mode so that only he could run certain functions of the application.
That sounds reasonable...
@snoofle said:
Ok, no big deal, check logins and use that.
You made up this part yourself. You assumed that your client had purchased and implemented one particular security product (Windows networking IDs), instead of following the spec ("give the program an admin mode so only I can run certain functions).
@snoofle said:
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
That sound eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.
@snoofle said:
Why? It's too much trouble to create different logins. Besides, we don't surf to porn sites so we won't get viruses.
As anyone who has been a user / victim of Active Directory can tell you, Microsoft security is a self-perpetuating virus whose goal is full employment for graduates of ITT Technical Institute.
And I do go to porn sites, and I don't get viruses. I did have the "McAfee" virus when I got my computer, but I was able to (mostly) remove it.
-
@Paddles said:
I think the standard in the medical community is Against Medical Advice forms. If the patient requests to do something really stupid, the hospital or doctor asks them to sign such a form and are done. If this were a stranger I would have asked for a similar form, but this was a friend, and I might trust him to not sue me when it all goes wrong. Depends on the friend.@snoofle said:
After a failed attempt at educating him, he decides that he knows best and that I should just make it work.
I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.
Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.
If your friend wants to hang himself, you don't make the noose for him!
If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.
-
@bridget99 said:
@snoofle said:
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
That sound eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.
This was a pretty good troll, except for this part. Hmmm....remove a single account, or make everyone learn a new password?
-
@boomzilla said:
@bridget99 said:
@snoofle said:
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
That sound eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.
This was a pretty good troll, except for this part. Hmmm....remove a single account, or make everyone learn a new password?
The scary thing is, based on past posts, I'm pretty sure Bridget isn't trolling.
-
@Rick said:
I think the standard in the medical community is Against Medical Advice forms. If the patient requests to do something really stupid, the hospital or doctor asks them to sign such a form and are done. If this were a stranger I would have asked for a similar form, but this was a friend, and I might trust him to not sue me when it all goes wrong. Depends on the friend.
Steve Jobs' cancer had a good prognosis of recovery if caught early (it was) and treated early (it wasn't). Instead, he tried to self-medicate with a "special diet" from Doctor Dean Ornish, and by the time he turned back to traditional medicine, the cancer had grown too much to be easily treated.
-
@blakeyrat said:
@boomzilla said:
@bridget99 said:
@snoofle said:
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
That sound eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.
This was a pretty good troll, except for this part. Hmmm....remove a single account, or make everyone learn a new password?
The scary thing is, based on past posts, I'm pretty sure Bridget isn't trolling.
I sort of agree with you, except that we're all trolling here. Also, that gives him a way to save face and admit his mistake, which he won't.
-
@blakeyrat said:
@Rick said:
Sometimes smart people do stupid things. And sometimes famous people have private lives that the public will never know about.I think the standard in the medical community is Against Medical Advice forms. If the patient requests to do something really stupid, the hospital or doctor asks them to sign such a form and are done. If this were a stranger I would have asked for a similar form, but this was a friend, and I might trust him to not sue me when it all goes wrong. Depends on the friend.
Steve Jobs' cancer had a good prognosis of recovery if caught early (it was) and treated early (it wasn't). Instead, he tried to self-medicate with a "special diet" from Doctor Dean Ornish, and by the time he turned back to traditional medicine, the cancer had grown too much to be easily treated.
But if what you say is the whole truth, there is still nothing his doctor could have done, except for protecting himself with some kind of waiver.
-
@Rick said:
But if what you say is the whole truth, there is still nothing his doctor could have done, except for protecting himself with some kind of waiver.
No of course not. Steve Jobs lives in what we like to call a "free country", and I am damned proud of how free we are. For example, the government can't compel you to under go any medical treatment.
But that just means we have to be more diligent in getting the news out that alternative medicine costs lives.
-
@blakeyrat said:
For example, the government can't compel you to under go any medical treatment.
You're leaving out medicating mental illnesses, they can compel that.
-
Not to mention lethal injection for convicted murderers... though that kinda stretches the definition of "medical treatment"... :/
-
@locallunatic said:
@blakeyrat said:
For example, the government can't compel you to under go any medical treatment.
You're leaving out medicating mental illnesses, they can compel that.I guess if you count the court system as "the government", it can compel all sorts of things.
But... shut up! That is my well-reasoned response.
-
@snoofle said:
He's got 5 PCs sharing an internet connection - wide open, and refuses to do anything about it.
It's stupid and I warned him that he would have problems, but he didn't care.
Try one of these arguments. They have worked for me in the past, might work for you.
"If one of your staff, or a neighbour using your unsecured wifi, surfs child porn, you go to jail because you didn't take reasonable steps to secure the network. Now do you care?"
"If some of your customers' data is damaged or lost and they sue you then you lose your house, car and retirement fund because you didn't take reasonable steps to secure the network. Now do you care?"
"If one of your computers gets infected with a bot (and you know, it might be infected right now for all you know¹) and that bot attacks someone else's computer system, that person can sue and prosecute you then you lose your house, car and retirement fund and perhaps go to jail because you didn't take reasonable steps to secure the network. Now do you care?"
_____
¹ I have had a few aquaintances say "I don't run any virus scanner and I don't have a virus.". The correct answer to this is "Really? How would you know?".
-
@havokk said:
If one of your staff, or a neighbour using your unsecured wifi, surfs child porn, you go to jail because you didn't take reasonable steps to secure the network
Doesn't the porn have to be found on a computer in order to get a jail sentence?@havokk said:
If some of your customers' data is damaged or lost and they sue you then you lose your house, car and retirement fund because you didn't take reasonable steps to secure the network
Has that actually happened to anyone?@havokk said:
If one of your computers gets infected with a bot (and you know, it might be infected right now for all you know¹) and that bot attacks someone else's computer system, that person can sue and prosecute you then you lose your house, car and retirement fund and perhaps go to jail because you didn't
I find this highly unlikely.
take reasonable steps to secure the network.@havokk said:
"I don't run any virus scanner and I don't have a virus.". The correct answer to this is "Really? How would you know?".
Because I know what's running on my computers TYVM.
-
@boomzilla said:
@blakeyrat said:
@boomzilla said:
@bridget99 said:
@snoofle said:
Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.
That sound eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.
This was a pretty good troll, except for this part. Hmmm....remove a single account, or make everyone learn a new password?
The scary thing is, based on past posts, I'm pretty sure Bridget isn't trolling.
I sort of agree with you, except that we're all trolling here. Also, that gives him a way to save face and admit his mistake, which he won't.
It's not trolling, at least not if one defines trolling as "stating opinions one knows to be wrong in an effort to cause rancor."
I really won't do security. I think it's an infantile drain on society's scarce resources. I have zero respect for the people who work with it. They are prostitutes at best, and Barney Fifes at worst.
I don't usually mention this personal rule of mine in job interviews, because it sounds really bad. But it usually comes up within a few weeks of starting somewhere, and I've never been fired for it. Employers respond in one of two ways, in my experience. The conventional approach is to respond with something like "oh, it's good you know your limitations; we'll get another developer to do it." Another common approach is to simply decide to agree with me that the application does not need security. Security is just a feature, and it's often one that we don't need.
In either case, I don't do passwords, firewalls, anti-virus, or any other spy crap. I do real programming, as defined by making the computer perform some task. And just about everyone I've ever coded for has told me I am the fastest developer they've ever worked with, and that I write the most reliable code.
Is it possible that security might be a legitimate key feature for some piece of software? I guess... but 99% of security systems were created as an exercise in ego-building for a frustrated neckbeard-type who wants to play spy. And for all I know there might be some legitimate need for a software application to make waffles... just don't expect me to help with that.
-
@bridget99 said:
I really won't do security. I think it's an infantile drain on society's scarce resources. I have zero respect for the people who work with it. They are prostitutes at best, and Barney Fifes at worst.
If you don't "do" security, you're not qualified to have an opinion of it. Spouting uninformed opinions + being deliberately inflammatory = trolling.
@bridget99 said:
Is it possible that security might be a legitimate key feature for some piece of software? I guess... but 99% of security systems were created as an exercise in ego-building for a frustrated neckbeard-type who wants to play spy. And for all I know there might be some legitimate need for a software application to make waffles... just don't expect me to help with that.
Security is a legitimate key feature for [i]every[/i] piece of software, from authentication filters to image filters.
-
@PJH said:
Doesn't the porn have to be found on a computer in order to get a jail sentence?
As far as I am aware (usual disclaimer - don't take legal advice from some stranger over the internet) under New Zealand law the provider of service (you, running a wifi router) are liable for all traffic over the router.
Additionally, under New Zealand law (again, IANAL) if your server is infected with a bot and used to take down another computer, the owner of the second computer can go after you for damages. I believe this is also the case in the UK and USA.
In any case, the arguments are not supposed to be actual legal threats, more of something to make the person stop and rethink their position.
An additiional hint - when you are making such an argument, using the phrase "child porn" is good because you now have the total and undivided attention of every parent in earshot.
-
@havokk said:
@PJH said:
Doesn't the porn have to be found on a computer in order to get a jail sentence?
As far as I am aware (usual disclaimer - don't take legal advice from some stranger over the internet) under New Zealand law the provider of service (you, running a wifi router) are liable for all traffic over the router.
Additionally, under New Zealand law (again, IANAL) if your server is infected with a bot and used to take down another computer, the owner of the second computer can go after you for damages. I believe this is also the case in the UK and USA.
In any case, the arguments are not supposed to be actual legal threats, more of something to make the person stop and rethink their position.
An additiional hint - when you are making such an argument, using the phrase "child porn" is good because you now have the total and undivided attention of every parent and sex offender in earshot.
FTFY
Everybody pays attention anyways
-
@heterodox said:
@bridget99 said:
I really won't do security. I think it's an infantile drain on society's scarce resources. I have zero respect for the people who work with it. They are prostitutes at best, and Barney Fifes at worst.
If you don't "do" security, you're not qualified to have an opinion of it. Spouting uninformed opinions + being deliberately inflammatory = trolling.
I disagree. bridget is allowed to have an opinion on security all day long. The kicker is that the opinion amounts to little more than rubbish/trolling, and should be ignored. I would LOVE to know what bridget thinks about security with respect to banks and financial-related stuffs. Should we just not have any security, and just expect all of society (present and future) to just Do the Right Thing ™?
-
In defense of Bridget, I don't believe she said that she doesn't BELIEVE in security; she just said that she doesn't want to IMPLEMENT security. Which would be a quite sane viewpoint, actually - why should she trust herself to do it right? There are people out there whose only job is security; let them handle it - they're the experts, they'll do it infinitely better than any half-assed job any layman would do!
-
@dohpaz42 said:
I disagree. bridget is allowed to have an opinion on security all day long. The kicker is that the opinion amounts to little more than rubbish/trolling, and should be ignored. I would LOVE to know what bridget thinks about security with respect to banks and financial-related stuffs. Should we just not have any security, and just expect all of society (present and future) to just Do the Right Thing ™?
You disagree because you misread my post. Certainly bridget is allowed to have an opinion; my assertion was that that opinion is uninformed, with which you seem to agree. I have seen this attitude quite a lot; I expect that she would believe the banks' applications, having been programmed by "real" programmers, should not implement security; systems administrators and network administrators should implement the security. Unfortunately, this is too narrow a view; security includes not only authentication but authorization, accountability, integrity, etc. None of this can be done at the systems and network level. All of it must be done at the application level.
@ekolis said:
In defense of Bridget, I don't believe she said that she doesn't BELIEVE in security; she just said that she doesn't want to IMPLEMENT security. Which would be a quite sane viewpoint, actually - why should she trust herself to do it right? There are people out there whose only job is security; let them handle it - they're the experts, they'll do it infinitely better than any half-assed job any layman would do!
That would be a sane viewpoint. Except her viewpoint is not one of deference to the experts, it's that the "experts" are con men and security is bullshit (only slightly rephrased). This is a dangerous view for any "real" programmer to have. Real programmers need to implement security in every line of code they write, from security-centric code to anything that reads and writes anything from/to the user.
-
@heterodox said:
I expect that she would believe the banks' applications, having been programmed by "real" programmers, should not implement security; systems administrators and network administrators should implement the security. Unfortunately, this is too narrow a view; security includes not only authentication but authorization, accountability, integrity, etc. None of this can be done at the systems and network level. All of it must be done at the application level.
200% correct. Security can not be "bolted on" after the fact, it must be designed from the very beginning. A few times a year, I get contacted to "improve security of our product" by a potential client (sometimes by a client I have done other work for). I do a carful review, and then tell them what will be required. The look of shock when I tell them "the most cost effective way to meet the target security bar is to scrap and re-write the system" is priceless. A few understand (after detailed explanations and examples) and it becomes a good contract. Most do not. It is not uncommon for there to be a news story about these systems within weeks/months of them having the security issues pointed out to them.
-
