The Actually Helpful Helpdesk



  • Hello all,

    I'm working for a government agency dealing with... well, doesn't matter what, but it's the kind of stuff that has a certain political sensibility, and it's "political" enough to have my boss (or actually my boss's boss's boss) appear on TV about every other day.

    Not me of course. I have nothing to do with this. I just take care of the web site. I wouldn't like to appear on TV because that would involve wearing a suit and tie - and more generally not stuttering when in front of a camera. Well, but back to the topic.

    Today I was asked to make a change to a page that was actually part of an online application and thus not handled by us but by a different department (they don't seem to trust us to be too tech-savvy over here, so we only get the simple stuff, and they are generally perceived as a bit elitist and sometimes arrogant... well, I wouldn't mind working for THAT department though. As long as it doesn't involve giving interviews, that is..)

    All these applications are using a complex rights management system (after all, security is really high priority here!) and any kind of changes in access rights involve a complicated bureaucratic procedure, which includes filling out forms, having them signed by your superior, your superior's superior, and sometimes even bringing in a letter of good conduct from your local police station first (no kidding!). Of course there was a "single-sign-on" implemented, so you don't have to enter your password hundreds of times each day (or remember hundreds of passwords), but generally, security was not only written with a capital "S" but also a capital "E", "C", "U", "R", "I", "T" and even "Y"!

    So I reckoned the easiest way to make the change would be to find out who is in charge of that particular page, and then try to make an appointment, and bring the prepared HTML-Code to be pasted in with me. Bad luck, of course, if the person has already left, or is on sick leave, or on holiday, or whatever..

    The guy from the help desk took an easier route:

    > Use the following logins and pass to access it:

    > Login: xxxx [my superior's login name]

    > Password: xxxx [apparently his password]

    Uh, cool... so much power in the hand of a simple Web Developer...



  •  As the old saying goes, security is only as good as those charged with enforcing it.

     I've run into so much of this already in the IT departments I've seen, in my short while actually looking for it.  This in particular happens a lot in schools. I remember the "Computer Science" class I took in high school (should be renamed Microsoft Word 101, but that's another story) had us take turns logging in as the Principal himself to install Word onto our profiles or some such thing.  Whatever, I figure, they hide all the juicy bits and change the password temporarily, right?  Nope.  Two weeks later I try that username/password again, and I get full access just as before, but without anyone watching.  And yes, I can see the grading system, scheduling system, etc. with administrator-level access to all.

     Thankfully I'm the honest type.



  • @Master Chief said:

    > Thankfully I'm the honest type.

    Thankfully for the school, perhaps, but not for us.  We'd have more stories to enjoy if you weren't.



  • @Master Chief said:

    > Thankfully I'm the honest type.

    Liar!



  • @Master Chief said:

    > Thankfully I'm the honest type.

    Hopefully that means you a) didn't share this information with the dishonest types and b) alerted someone about the insecurity.

    But I digress.



  • @belgariontheking said:

    > @Master Chief said:
    >
    > > Thankfully I'm the honest type.
    >
    > Hopefully that means you a) didn't share this information with the dishonest types and b) alerted someone about the insecurity.
    >
    > But I digress.

    I left a text file on his desktop about it.  Next day his password was changed.



  • @Master Chief said:

    > Next day his password was changed.

    But by whom?

    (dun-dun-dunnn...)



  • @Zecc said:

    > But by whom?
    >
    > (dun-dun-dunnn...)

    My legal counsel says I'm not allowed to discuss it.

