How DEFINITELY not to CV



  • Continuing the discussion from How not to CV

    OK, this is too fucking incredible to end up as just no. 5 in that other thread.

    ##VERY VERY IMPORTANT CV TIP, TOO IMPORTANT FOR A NUMBER

    List a bunch of past projects in your CV?

    Great! Nice to see someone with a lot of experience for a change.

    Provide logins for your past projects, so we can actually see these otherwise internal applications?

    Even better! If the former employer is cool with it, set up a little demo instance and show it off, why not?

    Provide ACTUAL ADMIN logins to the PRODUCTION INSTANCES of ALL your past projects?

    #NO!

    #NO!!

    #HELL NO!

    #DEFINITELY FUCKING IN A MILLION YEARS NO!

    I couldn't believe when I saw it. I spent an hour VERY carefully clicking through, hoping beyond hope these are just very convincing demos.

    Nope.

    It seems I can actually access full financial records of a major movie distributor, see customer data of a bank's loyalty program and control the power grid of an entire country.

    Yes, you read that last one right.

    Almost posted it in the lounge, but hopefully I anonymized these well enough for the public. If not, please let me know immediately.

    Fucking unbelievable.



  • @cartman82 said:

    It seems I can actually access full financial records of a major movie distributor, see customer data of a bank's loyalty program and control the power grid of an entire country.

    Almost posted it in the lounge, but hopefully I anonymized these well enough for the public. If not, please let me know immediately.

    I don't think you anonymized these well enough. Send me the original, unedited CV and I'll anonymize them for you.



  • @Bort said:

    I don't think you anonymized these well enough. Send me the original, unedited CV and I'll anonymize them for you

    Sure, anonymous forum creature. I'll get right on it.


  • Fake News

    @cartman82 said:

    It seems I can actually [snip] control the power grid of an entire country.

    So you didn't check if it came with a confirmation dialog?


  • sockdevs

    How fucking retarded is this prospective candidate?



  • @cartman82 said:

    Sure, anonymous forum creature. I'll get right on it.

    Aw, come on. You know me...

    You know I'm a good guy...

    OK, I'll give $3000 and a Cambodian sex slave.



  • @Arantor said:

    How fucking retarded is this prospective candidate?

    His LinkedIn picture is like this, only with clothes.

    Judge for yourself.



  • Change all these passwords to "hunter2", and let the current owners figure wtf is going on.

    (not really, you could get into trouble, because logs and etc)



  • @fbmac said:

    Change all these passwords to "hunter2", and let the current owners figure wtf is going on.

    (not really, you could get into trouble, because logs and etc)

    I'm not messing with those logins, that could be interpreted as "hacking" under some circumstances.



  • Why did you even try them? You already did too much.



  • @blakeyrat said:

    Why did you even try them? You already did too much.

    Wasn't sure it's production.

    Still have my doubts. It's just too unbelievable.



  • Copy the CV, send it to the affected companies from an as anonymous-as-possible account.


  • Winner of the 2016 Presidential Election

    Wait, these are the actual logins and passwords?! Gotta love me some securitah.



  • I'm curious - does the CV list valid contact information?
    Maybe I'm just being too optimistic about the brain capacity of people, but maybe it's a deliberate attempt at "seeing what happens" instead of an honest application?

    I mean he can probably be tracked down just by cross-referencing the places of work, but still

    <script> Not that I'm sure you're not having us on


  • Yeah, those passwords are so bad I don't think that emailing them to random employers was making things any worse than they already were.


  • Winner of the 2016 Presidential Election

    Oh surely it's not tha...... OHGODWTFWHYYYYYY

    That's amazing.

    What are you planning to do with this? I imagine these companies would like to know there's been a breach, especially the power guys...

    You might lead to this guy getting sued into oblivion (or worse) but honestly...... that's beyond stupid.



  • A power grid? Controllable from outside? That sounds really bad. Also highly unlikely it was the candidate's own work. I figure he found the access somehow and now tries to impress. Alert the companies, possibly using a security research company as intermediary.



  • Agreed.

    I think it's safe to assume cartman82 is not the only one who receive these CVs, and that means other people will have access to these systems too.

    Better alert them without getting yourself in trouble.



  • @CreatedToDislikeThis said:

    I'm curious - does the CV list valid contact information?Maybe I'm just being too optimistic about the brain capacity of people, but maybe it's a deliberate attempt at "seeing what happens" instead of an honest application?

    I mean he can probably be tracked down just by cross-referencing the places of work, but still

    It has full information.

    When you hear hoofs, don't think zebras. Think idiot.

    @rc4 said:

    Yeah, those passwords are so bad I don't think that emailing them to random employers was making things any worse than they already were.

    That's why I decided to post them. They are probably already in every cracking dictionary in existence.

    @sloosecannon said:

    What are you planning to do with this? I imagine these companies would like to know there's been a breach, especially the power guys...

    You might lead to this guy getting sued into oblivion (or worse) but honestly...... that's beyond stupid.

    @Hanzo said:

    ...

    @cheong said:

    ...

    I'll probably just tell the boss and let him decide. Since I was doing this on company time, it's an easy way out for me.

    The worst thing is, other than the tiny issue of (MAYBE) LEGALLY ACTIONABLE IRRESPONSIBILITY, this guy's CV is actually pretty good. The best we've got so far, Which means, there's a chance the boss might decide to call him in, and give him a chance to explain himself.

    That might be interesting. If he actually hires him, even more so.


  • area_deu

    Invite him in for an interview, get him to confirm it was actually him, then call the fucking cops right in front of him.
    "Don't call us, we'll call... 911"



  • @cartman82 said:

    Provide ACTUAL ADMIN logins to the PRODUCTION INSTANCES of ALL your past projects?

    All I could think of was: global thermonuclear war. Are you really accountable if you think you are playing tic-tac-toe but really causing all kinds of real issues?



  • @cartman82 said:

    The worst thing is, other than the tiny issue of (MAYBE) LEGALLY ACTIONABLE IRRESPONSIBILITY, this guy's CV is actually pretty good. The best we've got so far, Which means, there's a chance the boss might decide to call him in, and give him a chance to explain himself.

    "Sure, this guy brutally murderered his entire family once, but aside from that he's the nicest person I know, and he bakes some delicious chocolate cookies. I see no reason not to be his roommate!"



  • @anonymous234 said:

    "Sure, this guy brutally murderered his entire family once, but aside from that he's the nicest person I know, and he bakes some delicious chocolate cookies. I see no reason not to be his roommate!"

    That. And Cartman might also want to remember that he is possibly in violation of some law by not reporting it.Take it up with the boss, and probably boss^2 too, @cartman82. Send these people an "official" letter or email: "While ... it has come to our attention that ... "



  • @cartman82 said:

    The worst thing is, other than the tiny issue of (MAYBE) LEGALLY ACTIONABLE IRRESPONSIBILITY, this guy's CV is actually pretty good. The best we've got so far, Which means, there's a chance the boss might decide to call him in, and give him a chance to explain himself.

    If you delegate this to your boss, and your boss does that, I think you're at least morally obligated to take action anyway. I'd take it to the cops.



  • You guys are imagining way higher level of governmental organization than we are dealing with here.


  • Winner of the 2016 Presidential Election

    @Hanzo said:

    And Cartman might also want to remember that he is possibly in violation of some law by not reporting it.

    +∞


  • Winner of the 2016 Presidential Election

    @cartman82 said:

    You guys are imagining way higher level of governmental organization than we are dealing with here.

    The fact that your government/police will be too stupid to notice you've broken a law by not reporting this does not imply that it's okay to break that law. Just sayin'.



  • @ChrisH said:

    nvite him in for an interview, get him to confirm it was actually him, then call the fucking cops right in front of him."Don't call us, we'll call... 911"

    That power grid one was too close to home for Mr. Burns.

    I bet you're his previous power plant employer, considering you hired Homer for taking care of safety.


  • sockdevs

    @cartman82 said:

    Provide ACTUAL ADMIN logins to the PRODUCTION INSTANCES of ALL your past projects?

    yeah... that's what I would call "contact the exposed companies and inform them of the potential data breech"

    how anonymoose you want to be in that contact is up to you but those companies need to know about that breech....

    @blakeyrat said:

    Copy the CV, send it to the affected companies from an as anonymous-as-possible account.

    yeah. the rat is right here.

    at least on the contact point. the anonymoose part... well that's up to you.


  • Discourse touched me in a no-no place

    @accalia said:

    potential data breech

    Nitpicking…



  • @dkf said:

    Nitpicking…

    Considering who you're replying to, I'd say it's remarkably close to correct spelling.



  • TRWTF here could be the guy for giving you the admin passwords, but what are the odds that the places he happened to work for are the only ones whose production admin logins are admin/admin123? How many other movie distributors, banks or national power grids are secured with passwords that your router would make you change when you first set it up?


  • sockdevs

    @dkf said:

    @accalia said:
    potential data breech

    Nitpicking…


    .... Suntanatrix of Spellar, remembre?



  • @accalia said:

    .... Suntanatrix of SpellarSwypo, remembre?

    FTFY.



    1. Create the anonmyoose accounts
    2. Submit CV to effected companies except
    3. Submit them THROUGH HR as a job application.

    Then he'll have to explain not only why passwords are on resumes, but also why he's submitting resumes at all.

    :hear_no_evil:



  • If those are the real usernames and passwords, maybe he's just using this as a cleverfucking stupid way of reporting a major security hole in the systems?



  • @Dragnslcr said:

    celver

    I don't know, I didn't think it was very celver at all.


  • Discourse touched me in a no-no place

    @accalia said:

    .... Suntanatrix of Spellar, remembre?

    True, but it's one to watch out for. Along with the homonym “britches”. In fact, anyone who breechs your britches, breaches decorum too.

    I do like wrodpaly!



  • @dkf said:

    homonym “britches”

    Depends on your dialect; quite different vowel sound, /ɪ/ vs. /iː/, here.



  • I had a similar experience - big project with a consortium of companies. Guy from one of the software companies involved was visiting my office and wanted to show me the "dashboard" thing they'd built for a client, got me to fire up a browser and go to "someclientname.wtftech.com" - and up came an overview of all that client's internal data. (Management stuff, project progress, financials, that kind of thing. Not anything you'd want public!)

    "Er ... (Name)... isn't there supposed to be a login or something before we get all their data?"

    "uhhhhhh ... yeah ... did you bypass that somehow?"

    Yes. Yes, my laptop has magical superpowers that automatically logs itself into your website without needing any credentials, you drooling spare organ repository. "Security, pal ... might want to try some."



  • @jas88 said:

    "you drooling spare organ repository"

    I wrote that one down.



  • @cartman82 said:

    It seems I can actually access full financial records of a major movie distributor, see customer data of a bank's loyalty program and control the power grid of an entire country.

    So, you just couldn't resist, could you?



  • I was just checking out the CSS, I didn't mean to press that button!



  • Wow that guy must have some trust issues. I mean the difference between the trust he places in people he doesn't know compared to the trust he gets from the people who know him :laughing:



  • WOW!

    Do the right thing: Anonymize, send by snail mail (be sure not to leave prints / DNA) to affected parties.

    My guess on reactions:
    Power station :OHHH SHIIIT we fix this
    Bank: We will somehow make our customers pay for it
    Movies: We'll sue you and everyone you know for whatever reasons



  • Don't use a printer that can be linked to you if you don't wanna be identified. There is a reason movie criminals cut and paste letters from magazines when they want to send an anonymous message.



  • So that's why my printer will refuse to print black and white when the Yellow cartridge is empty.



  • This reminds me of a CRM I was tweaking. When setting it up in a restricted domain (our office) I'd given the username and password as 'admin'.

    At some point the domain was made public, and I'd forgotten about it. At some point I realised and changed the password, sending an email to people using the login/password so they knew.

    I got an email back from my boss saying "WHY WASN'T THIS DONE SOONER!" or words to that effect. I simply ignored the email, and never heard anything more about it, but it occurred to me that no email would have been better than that, or a simple "Ok". Or even better "Ok, good catch".

    I was tempted to reply with "Thanks for catching that, Shoreline. I'm not surprised somebody caught it given that everybody you sent your email to was aware of the domain going public and was using the username/password combination. I'm glad you did though, because it illustrates initiative. I certainly wouldn't attempt to even question why this wasn't caught sooner, since I'm one of the people who knew about this, and there would be absolutely no point to externalising the question."

    The older I get, the more of a smartass I become. Worse, I'm feeling young in experience and old in spirit. I'm pretty sure that's bad.



  • After thinking about this-- we've all been talking about how you could warn the companies and close the security holes.

    How about a different approach? Have you thought about, perhaps, exploiting the security breach, taking over the electric grid and become a super villain? If you get lots of monies, give me some.


  • Winner of the 2016 Presidential Election

    @Lorne_Kates said:

    If you get lots of monies, give me some.

    You forgot to say "fuck you".


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.