Why do we need logins?



  • A friend who owns a small business asked me to write a small utility for him. He also asked that I put in an admin-mode so that only he could run certain functions of the application. Ok, no big deal, check logins and use that.

    I install it and he fires it up. All is well. Then someone else fires it up and they also have admin mode. Hmmm, did I miss something?

    Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.

    Why? It's too much trouble to create different logins. Besides, we don't surf to porn sites so we won't get viruses.

    After a failed attempt at educating him, he decides that he knows best and that I should just make it work.

    I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.



  • Why are you creating two different versions of the software? You should just add a URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.



  • @PSWorx said:

    Why are you creating two different versions of the software? You should just add a URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.

    Nah, he should have the first page or screen that loads with the program show up a disclaimer and two buttons. Something along the lines of:

    Warning: this system contains some functions that can only be used by Carl. Click 'yes' if you are Carl, or otherwise click 'no' if you are not Carl. Snoofle Inc. cannot be held responsible for Carl impersonation.



  • @snoofle said:

    After a failed attempt at educating him, he decides that he knows best and that I should just make it work.

    I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.


    Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.

    If your friend wants to hang himself, you don't make the noose for him!

    If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.




  • @Paddles said:

    @snoofle said:

    After a failed attempt at educating him, he decides that he knows best and that I should just make it work.

    I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.


    Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.

    If your friend wants to hang himself, you don't make the noose for him!

    If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.


    I think you're comparing apples to oranges there, with the medical analogy.

    And Snoofle did solve the guy's problem, even if it wasn't the most elegant thing to do. IMO the right thing to do next is, after the phone call, selling some consultancy to the guy about good security practices.



  • @PSWorx said:

    Why are you creating two different versions of the software? You should just add a URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.

    Who said it was a web application?

    You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.



  • You said the app is login-aware but you're basing it on the current Windows user? In an environment where they apparently are not using networked Windows login? (I can only imagine Administrator is a local account on each machine). Doesn't sound like all that great of a design in the first place.

    Why not have a login system in the app itself?



  • @Zolcos said:

    You said the app is login-aware but you're basing it on the current Windows user? In an environment where they apparently are not using networked Windows login?

    Not necessarily true, they could all be using the same network account. Not that that helps anything...

    Wouldn't you assume a sane network when building this app, though? I mean... wouldn't anybody? The Real WTF comes down to not asking right away, "hey are you guys total fucking morons when it comes up to setting up an office? See, I have to ask because it lets me know if I can use single sign-on in a sane way or not..."



  • @blakeyrat said:

    Hide it by putting it in the lower right, nobody looks there.

    Heh. That's where I always put the "exit" button. I must be subconsciously trying to give my apps more run time or something.



  • @blakeyrat said:

    @PSWorx said:
    Why are you creating two different versions of the software? You should just add a URL switch that enables the admin functions. Like... oh, I dunno... &admin=true.

    Who said it was a web application?

    You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.


    Though, you could put the Switch To Admin button pop up a login box. Hard-code an "admin" username and password, and give it to Carl.

    As a bonus, you can charge a consulting fee anytime they need to change the Admin password.



  • @blakeyrat said:

    You should just use a button "Switch To Admin". Hide it by putting it in the lower right, nobody looks there.

    Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.



  • @cvi said:

    Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.

    I wrote a quickie in Java to control my cable box over Firewire. After having some issues getting it to work through a firewire concatenator, I had to go back and add a debug mode. Simply press up, up, down, down, left, right, left, right, info, enter.



  • @NoOneImportant said:

    @cvi said:
    Nah, watch for arbitrary keystrokes and unlock admin mode when they type Up, Up, Down, Down, Left, Right, Left, Right, B, A.
    I wrote a quickie in Java to control my cable box over Firewire. After having some issues getting it to work through a firewire concatenator, I had to go back and add a debug mode. Simply press up, up, down, down, left, right, left, right, info, enter.

    I once ate a deadly slice of Fugu fish. At the hospital, the doctor laid me on my back and on my sternum he tapped up, up, down, down, left, right, left, right, then twice on my forehead and I projectile-vomited the contents of my stomach right into his face. True story.



  • @NoOneImportant said:

    up, up, down, down, left, right, left, right, info, enter.

    Cool.


    When I did that, she came.



  • @Paddles said:

    ...in this case you are TRWTF.

    Only if I blindly went along with it without first trying to get him to do the right thing.

    I explained all the badness of having everyone run as Administrator locally; of not running AV; of not even having a firewall; of installing the same thing on each PC (vs a network share), etc.

    He's got 5 PCs sharing an internet connection - wide open, and refuses to do anything about it.

    It's stupid and I warned him that he would have problems, but he didn't care.

    I was helping out a friend so I just made two ant targets: one with a -Dflag=xxx and one without, and coded it such that it would make two programs: one with the admin function visible and one without it (same code). Then I just dropped different programs on each local PC (no network share).

    To follow your analogy, if the doctor tells you the aloe vera won't work and you need to deal with the cancer, but you only use the aloe vera, is it really the doctor's fault?

    You can lead a horse to water but you can't make him drink.

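The in-app login that Zolcos asks for above, written out as an added example (not code from any poster in this thread): admin mode is unlocked by a passphrase checked against a stored salted PBKDF2 hash, so it depends neither on the shared Windows login name nor on a build-time flag, and the credential record lives outside the binary so changing it needs no rebuild. `delete_all_invoices` is a hypothetical admin-only function and the passphrase in the block is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the stored admin credential (assumed value, not from the thread).
PBKDF2_ROUNDS = 200_000


def make_admin_record(passphrase: str, salt: Optional[bytes] = None) -> dict:
    """Build the record the installer writes once when the owner picks a passphrase.
    Only the salt and the PBKDF2 digest are stored, never the passphrase itself,
    so nothing in the shipped program reveals the admin secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


class AdminGate:
    """Admin mode gated by a passphrase, independent of the OS login name."""

    def __init__(self, record: dict):
        self._salt = bytes.fromhex(record["salt"])
        self._hash = bytes.fromhex(record["hash"])
        self._rounds = record["rounds"]
        self.unlocked = False

    def unlock(self, passphrase: str) -> bool:
        # Re-derive with the stored salt and compare in constant time.
        candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, self._rounds)
        self.unlocked = hmac.compare_digest(candidate, self._hash)
        return self.unlocked

    def lock(self) -> None:
        self.unlocked = False


def delete_all_invoices(gate: AdminGate) -> str:
    """Hypothetical admin-only function; the guard is the gate, not a build flag."""
    if not gate.unlocked:
        raise PermissionError("admin mode required")
    return "invoices deleted"


if __name__ == "__main__":
    record = make_admin_record("correct horse battery staple")  # constructed sample
    gate = AdminGate(record)
    print(gate.unlock("guess"), gate.unlock("correct horse battery staple"))
```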


  • @dhromed said:

    @NoOneImportant said:
    up, up, down, down, left, right, left, right, info, enter.
    Cool.

    When I did that, she came.

    What was the "info"? "I make 6 digits a year and drive a BMW?"



  • @blakeyrat said:

    @dhromed said:
    @NoOneImportant said:
    up, up, down, down, left, right, left, right, info, enter.
    Cool.

    When I did that, she came.

    What was the "info"? "I make 6 digits a year and drive a BMW?"

    JESUS CHRIST MAN! THERE ARE JUST SOME THINGS THAT YOU DON'T TALK ABOUT IN PUBLIC!



  • @snoofle said:

    A friend who owns a small business asked me to write a small utility for him. He also asked that I put in an admin-mode so that only he could run certain functions of the application.

    That sounds reasonable...

    @snoofle said:

    Ok, no big deal, check logins and use that.

    You made up this part yourself. You assumed that your client had purchased and implemented one particular security product (Windows networking IDs), instead of following the spec ("give the program an admin mode so only I can run certain functions").

    @snoofle said:

    Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.

    That sounds eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.

    @snoofle said:

    Why? It's too much trouble to create different logins. Besides, we don't surf to porn sites so we won't get viruses.

    As anyone who has been a user / victim of Active Directory can tell you, Microsoft security is a self-perpetuating virus whose goal is full employment for graduates of ITT Technical Institute.

    And I do go to porn sites, and I don't get viruses. I did have the "McAfee" virus when I got my computer, but I was able to (mostly) remove it.



  • @Paddles said:

    @snoofle said:

    After a failed attempt at educating him, he decides that he knows best and that I should just make it work.

    I just created two versions of the program (one with the admin stuff exposed and the other without it), but I'm waiting for the phone call.


    Much as I like most of your work and am entertained by most of your stories, in this case you are TRWTF. After your friend said that he knows better than you, you agreed with him by going along with it. If you said "no, I'm not going to do that for you because it will all go wrong and you will ask me why I didn't stop you" then he might actually think twice about it.

    If your friend wants to hang himself, you don't make the noose for him!

    If a doctor friend told me I needed to get a skin cancer checked and I said "no, just give me some herbal remedy" and he said "ok take aloe vera pills" and then waited for the phone call, what would we say about him? If we in the IT industry wanted to be treated as more than "some guy that plays with computers" we need to have the courage to stand by the advice we give.


    I think the standard in the medical community is Against Medical Advice forms. If the patient requests to do something really stupid, the hospital or doctor asks them to sign such a form and are done. If this were a stranger I would have asked for a similar form, but this was a friend, and I might trust him to not sue me when it all goes wrong. Depends on the friend.




  • @bridget99 said:

    @snoofle said:
    Apparently. It turns out that everyone in the office runs as the same login: Administrator. With the same password. And full admin privileges.

    That sounds eminently reasonable to me... there is a single "password" and if someone gets fired, there's only one password to change.

    This was a pretty good troll, except for this part. Hmmm....remove a single account, or make everyone learn a new password?

