Archive for September, 2008

Password, Password, Who’s Got The Password?

From The Lines | Posted by attriel September 30th, 2008

So, the other day I was asked to run a security scan of an app as part of my supplemental duties as a non-attached member of a third party group.  Sure, no problem.  Well, actually, I haven’t used the tool since I got the new system at the office, lemme make sure I can still access it.

Yep, there’s the prompt for a login.  <look up my password information> … wait, no?  Crap.  I thought that was what I changed the password to.  Oh, right, they changed the username to make it more obvious what the account was for … talk to the group lead, he doesn’t remember either.  He hasn’t been on in longer than me.

He takes me over to the guys who admin the server.  The guy we need to talk to is out, as is the second best bet.  So I ask person C, who I know is covering some of A’s projects while he’s out.  But they don’t know.  They suggest D.  We (three of us now, me, boss, and C) traipse over to D’s office.  Some discussion, C admits that E would be a better choice, but E is talking to their boss … So D brings out his security notebook, and starts paging through it.  “You’d be amazed at how much is in this book.  I’ve got every password on every system.”  “Except the one we want?” “Well, you might be right.  I don’t see anything for that server.  Maybe see if E is done talking to Boss2?” … No.  But I talk to C for a bit on something else, Boss1 keeps talking to D on some subject, then is heading back to his office when Boss2 finishes, so I call Boss1 back to talk to E at least long enough to provide validation for my request for the password to an account whose name I don’t know …  Yeah, THAT’s not fishy at ALL.

Finally get the account name (it was pretty self evident), and got the password reset since E didn’t have it noted anywhere either (They may not have it written down, since they can always just reset it).  FINALLY!

Elapsed time: 1hr.

Went back, started configuring the scan tool (Piece of …) (that took about 2 hours, but I pushed it off some to do some other tasks vaguely related to my normal job).  At some point in the afternoon, Boss3, who owns the app I’m scanning, sends me an email with “test account information”, the URL and the username I need to login.  Great.  It’s a dummy test login for the QA server, I don’t think anything of there not being a password in the email (it’s QA, so I wouldn’t have winced too bad at getting “Password: abcd1234” in the email with the username “Username: qatestacct1” …)

Wrong.  Needs a password.  Well hell, go over to Boss3’s office, but he’s left for the day.  Call Boss1, he says “oh yeah, I have the password” and gives it to me once I grab a pen.  Turns out my pen doesn’t work, but it scratches enough to let me read it 5 seconds later to type it in.  And it doesn’t work.  Well, he said it wasn’t case sensitive, but we’ll try the cases.  He said “oh” and I took that as the letter, but maybe he meant the number?  Number and cases?  Hrrm.

Go find Boss4, who replaced Boss1 in his other duties when he moved to a new position, and is theoretically (I believe) above Boss3.  Maybe they’ll know who to ask, anyway.  They send me to G or H, and take me to G’s desk.  G doesn’t know, he takes me to H.  H isn’t there, but his stuff is, so he’s not gone yet, just out for a drink or maybe he’s looking for a password somewhere … Anyway, go back to my desk, try a few other things and some regular work, get up a few minutes later and go check and H is there, but he’s putting on his walking shoes (vs work shoes), so he’s obviously getting ready to leave.  Damn good timing on my part.  Some back and forth with me, G and H, H gets what I’m looking for and writes me down the password (case insensitive still).  Looks only vaguely like what Boss1 gave me earlier.  As in it shares some characters, but not most of them.  But it works!  I can now log in to the app, so I can now run the scan.

Elapsed time, Password 2: 45 minutes.

*sigh*

And the best part?  I’m fairly sure the scan is basically going to give me meaningless gibberish, because the “approved scanning tool” sucks.

Oh, and by the time I launched the scan?  Boss1 was gone.  It was his last day, he’s off to a new project at some other site.  Which means I’m the only person left on the team, and I’m kind of curious why he’s calling me for the results this week …

Soundex Example 2

Codes, Demonstration | Posted by attriel September 25th, 2008

Encoding my name (ATTRIEL)

Keeping the A, we encode the remaining characters:

T: 3

R: 6

L: 4

After step 2 our string is A336ie4

Step 3 removes adjacent duplicate digits, leaving us with A36ie4

Step 4 removes non-encoded letters, giving us A364

Step 5 truncates to 3 digits, which is all we have.

The SNDX value for ATTRIEL is A-364

Soundex Example 1

Codes, Demonstration | Posted by attriel September 23rd, 2008

Encoding the name of the blog (Deadbeef):

We retain the D

Then we encode D B and F.

D: 3

B: 1

F: 1

So our partial value (after step 2) is : Dea31ee1

Step 3 makes no change (Note that the two 1’s are not currently next to each other)

Step 4 removes the “non encoded letters” (vowels), giving us: D311

Step 5 limits us to three digits, which is all we had anyway.

So the SNDX for DEADBEEF is D311

Soundex

Codes, Descriptions | Posted by attriel September 18th, 2008

Soundex is not technically a Cipher or Code. It was invented for census data.

The idea behind Soundex (or SNDX, although not usually referenced in that manner) is to provide a representation of a name that will match for any minor variations that do not greatly alter the pronounciation. Pronunciation. Whichever.

The idea being that Robert and Rupert will be represented the same (R163) but Rubin will differ (R150). Because it was intended for names, its usefulness is limited outside that scope. The original Soundex structure calls for the first letter followed by 3 digits, making the algorithm questionable for long words.

  1. Keep the first letter of the word or name; this is the first character of the Soundex value
  2. For the remaining letters, convert all consonants to digits using the table after the jump.
  3. All adjacent duplicate digits are collapsed into a single instance of each
  4. All remaining characters (vowels) are dropped
  5. The first three digits are the remainder of the Soundex value
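The five steps above, written out as a Python function. This is an added example, not the blog’s own code. Two things are assumed: the digit table is the standard American Soundex table (the page’s table sits after the jump), and the zero-padding in step 5 is inferred from the R150 result given for Rubin. The function returns the string after each step so the ATTRIEL and DEADBEEF walk-throughs elsewhere on this page can be checked one step at a time.

```python
# Soundex, following the five steps described on the page literally.
# Added example, not the blog's code. Digit table: standard American Soundex
# (assumed; the page's own table is not shown here).
SOUNDEX_TABLE = {
    **dict.fromkeys("BFPV", "1"),
    **dict.fromkeys("CGJKQSXZ", "2"),
    **dict.fromkeys("DT", "3"),
    "L": "4",
    **dict.fromkeys("MN", "5"),
    "R": "6",
}


def soundex_steps(name):
    """Return the intermediate string after steps 2, 3 and 4, plus the
    final code, so each step of a worked example can be checked."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        raise ValueError("name must contain at least one letter")
    first, rest = letters[0], letters[1:]

    # Step 1 keeps the first letter as-is.
    # Step 2: consonants in the table become digits; every other letter is
    # kept (lowercased, matching the page's "A336ie4" notation) for now.
    step2 = first + "".join(SOUNDEX_TABLE.get(c, c.lower()) for c in rest)

    # Step 3: collapse runs of the same digit. Unencoded letters between two
    # equal digits keep them apart, which is why "Dea31ee1" stays unchanged.
    collapsed = [step2[0]]
    for ch in step2[1:]:
        if ch.isdigit() and collapsed[-1] == ch:
            continue
        collapsed.append(ch)
    step3 = "".join(collapsed)

    # Step 4: drop the letters that were never encoded.
    step4 = step3[0] + "".join(ch for ch in step3[1:] if ch.isdigit())

    # Step 5: first three digits; pad with zeros when there are fewer
    # (assumed from the page's R150 for Rubin).
    code = step4[0] + step4[1:4].ljust(3, "0")
    return {"step2": step2, "step3": step3, "step4": step4, "code": code}


def soundex(name):
    """Final Soundex value only."""
    return soundex_steps(name)["code"]


if __name__ == "__main__":
    for n in ("ATTRIEL", "Deadbeef", "Robert", "Rupert", "Rubin"):
        print(n, soundex_steps(n))
```

Two caveats worth knowing. The page’s five steps omit two rules of standard Soundex: a consonant right after the first letter that shares the first letter’s digit is dropped, and H and W do not separate duplicate digits, so this function will disagree with standard Soundex on names such as Pfister. And, as the Robert/Rupert collision shows, a Soundex value is a lossy matching key, not an identifier; treat a Soundex match as a candidate for review, never as proof that two records refer to the same person.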


Oops. Missed Post

Site Maintenance | Posted by attriel September 18th, 2008

Oops. I thought I had a post queued up for Tuesday, and then with everything else in the way I didn’t get a chance to look until now.

I’m going to try to get up a post later today for today’s post. This is just to acknowledge that I botched Tuesday’s :/

Generating DES Example

Crypts, Demonstration | Posted by attriel September 11th, 2008

I wanted to let folks know that I’m working on the DES example (nee demonstration).

I’m currently doing it while I’m on the train every day, usually in the evening now that the fall season is starting up and iTunes is having my shows again :o  But it’s slow, and some days I just feel like reading my book.

Anyway, each iteration takes ~3 half-sheets (I’m folding papers over and using half a sheet to write on, just because it gives me a contained space that’s easy to hold on to for writing). It looks like I can do 1.5-2 iterations a day at this point, but I’m only done with the 3rd iteration, so that may be over or under.  The first iteration took a day, then I finished the next two in one day give or take, but the XORs are starting to get more complex … Hopefully I’ll be done by the end of the month, then I’ll have to work on typing it all in.  I want to get them posted in a row, though, so it’ll be a while before they start posting.

I did change the example some, however, so the old start is no longer relevant.

The Blame Game

From The Lines | Posted by attriel September 9th, 2008

Apparently people don’t like to take credit for their mistakes.  Gee, who knew?  And they like it even LESS when you point them out.  In front of their bosses.  Shocking.

Today was a wrapup meeting for a deployment that went horribly wrong in July.  Actually, it went badly, then wrong.  Then badly again in August before finally working.  Today’s meeting was to go over what all went wrong, why it went wrong, and how to avoid it in the future.  “Lessons Learned” kind of meeting.

Some of the issues were “unpredictable.”  Like the network switch ignoring the system.  Or the network configuration being wonky and requiring a new magic piece that didn’t need to be there before (and had no particularly good explanation for why it is suddenly needed now on multiple various configurations).  And there was some confusion with the security group and whether the system was supposed to be checked or not.  That part sounded like a failure on the security group’s planning and distribution end.  To wit: they have a mailbox for these kinds of requests, that no one on the server group knew about.  And even if they had, the policies are kind of vague.  Like “You ask for A, and we do it (when we can) and don’t tell you the results”.  That was actually the basic policy.  They’re looking into it and thinking about maybe, yaknow, telling you the results.  Instead of making you guess.

The code on the system, that was all configured and functional.  That had been tossed up on various occasions on an internal network for testing and qa.  But the networking had to be physically changed over to a whole new set of hardware to make it public rather than private.  The errors at that point were numerous.  And still not code related.

First error — The server group misconfigured a piece of hardware so it wasn’t coming up properly.  They actually took the bullet on that one, saying they made a typo.  Except that instead of 1234 it said abcd.  ABCD was the configuration from another system.  So, yes, technically she might have miskeyed it; it’s more likely she started with that file and just didn’t fix that line.  Nitpick, since she took the bullet, but it’s still different.  And during the meeting she took the hit after I mentioned that piece.  They kind of glossed over that error, blaming it all on other things.  Including error 2.

Second error — Some of the networking and scripting was messed up, didn’t work properly, wasn’t allowing traffic correctly to the services.  Turns out that there were a bunch of lines that they hadn’t understood what they did or how they worked on the old system, so they had just copied some of them over wholesale without changing any of it so that it reflected the new system.  Others they declared to have no effect whatsoever and deleted.  Turns out that the prior admin had set them up for specific reasons, and even had a script to automatically generate those lines for any new server.  But failed to document why or how they worked.  So oops :o  The official explanation is “magic script” that fixed “undocumented problems.”  I’m still not sure if they documented the lines, their function, or the script.  I’m not convinced they know what any of them mean (I don’t, but that’s because I don’t know what they are; I’m still not convinced they weren’t a red herring tossed up to hide the first error, and after they got called on #1 they couldn’t retract #2)

Error the Third — Because of the way they have things set up (badly and undocumented), it turns out they needed to move a SECOND configuration to the new server.  Because it turns out that the services had two interfaces.  And both were actually necessary!  Go figure, who’d’ve thunk?  After the second “badly” they found this, more by accident than design.  Actually, they were wondering what A meant in the config, looked it up, and it came back with C.  Which didn’t match with the part where a different check (from a different server) came back with B.  When they should have matched.  When I asked about it, I was told offhand “Oh yeah, A has two answers, B and C, depending on where you ask from”  Really?  Did we need to tell the new machine about C, then?   We told it about B, does it need C? “Yeah.  Hey, do you think that could be the problem?  It’s supposed to be listening for B or C”

And someone actually suggested that that COULDN’T be the problem.  Because it worked on the old machine.  DUH. … the old machine which knew both B and C?  That one?  That still knows C?  Yeah … Turns out that it WAS important.  But at today’s meeting?  They kept saying the only problem was a networking issue from outside their control that makes no sense.  Until I asked about the config B/C thing.  And then gave more details.  Then a few more.  And finally just told them exactly what had happened, how it had happened, and how it had gotten fixed.  “YOU forgot to move the config for C.”  The manager of the server group finally said that they vaguely recalled something from what I was saying, I might be right.  I think that was basically a signal to the other guy to drop it because I wasn’t letting them deny it.

Part IV — THEN there was another problem, with services going out from the new server.  Turns out we forgot to tell group X that we were changing the server host.  So they didn’t update their configs to reflect our new source.  They also had some unrelated problems that affected myriad hosts.  So that was glossed over at the meeting and denied.  Until I pointed out that part of the problem had required them to update their configs to reflect our new server.  At which point, yes, that’s true, but … but what?  That means that there was A problem related to our server move!  Thus it should be part of Lessons Learned!

Oi.  I didn’t make any new friends, I’m sure.  Probably negatively impacted some of the folks I AM friends with in that group.  But jesus, take your own hits.


Speaking of.  Last week I got a project finalized and it went live on a new server.  And I neglected to note that the old server was accessed via secure tunnels.  So I didn’t check the new server that way.  Code all worked, so I approved it.  And then the next morning had to scramble to find out what everyone’s problem was.

During this scramble, I was getting IMs from the server group asking if I’d checked it.  “Yes”  Did you check it via secure? “Uh, no, I didn’t realize it needed it”  So you didn’t do your testing via the mechanism used to properly access the service?

This set off alarm bells.  We’re setting me up for the fall here.  It’s not THEIR fault, it’s all MY fault.  Which, yeah, I effed up and didn’t check it properly.  But I went and checked my dev environment, because I didn’t remember secure being set up there either.  But it turned out it was.  Great, lemme look … and … yeah, everything works FINE still.  So, yaknow what?  Not really my code being broken here folks.

So I sent a message to all involved, apologized for dropping the ball on the testing, announced that it all worked with the proper mechanisms on dev, so as soon as the server group identified the problem with why secure tunnel wasn’t set up or configured, we’d be good.  

Server group never responded AFAICT.  In a different conversation I was brushed off with “well, you didn’t tell us you needed it so we didn’t bother configuring it properly”.  And I’ll grant that it’s possible that I told them that I didn’t need it and it wasn’t on dev anyway.  But since I also told them to make production look like dev, one would have thought that it being on dev would have given them pause.  But yeah, that one was me :o

Counterintuitive Much?

Programming, Site Maintenance | Posted by attriel September 4th, 2008

I was working on my other blog a little while ago.

First off, Kiir noticed the avatars on someone else’s blog and realized that ours supports them by default.  So she wanted an avatar.  She went and set up her account, getting it all set up nicely with a nice pic, rebuilding it a few times as she figured out the (apparently undocumented) size she could use.  Apparently it can take an 80×80 (gravatar this is) and it auto-resizes whenever someone requests a different size.  More to the point, it takes the smaller image, resizes it UP to 80×80, and then can resize down.  So her 50×50 didn’t turn out so well.  Actually, I think 80×80 is what I told her from something I read after she did 50×50.  I think she said it was noticeably larger still.  So yeah.

Then she went to look at the blog.  And her avatar wasn’t showing.  So she was fiddling with her gravatar account and her commenter’s account.  And there I am trying to get it working for her.  I’m looking at the IMG SRC (which, it turns out, auto-rebuilds to the ACTUAL src, which was the fallback default, rather than the full URL, so that confused me for a bit).  Then I’m digging through the code for the template, maybe the guy broke it somewhere (yeah, because, you know, I’m the first person to ever try using gravatars on that theme).  Digging, looking, debugging, wtfing.  Find the full URL.  Falls back to the default.  Try it piecemeal, and it worked all the way to the end.  Seriously, it took me 10 minutes and I eventually fell back to using vi and diff to find the difference between the working URL that I put together and the broken one that it was using.

Near as I can tell?  One of them had ;r=G and the other had &r=G. There was also a difference in image sizes, technically.  I don’t know which of them was the broken part.  I’m guessing the & vs ;.  But it works for the other person’s avatar, so that’s obviously not it either.

So then I’m looking at the admin options, because maybe this is some kind of cached response thing … or something.  I finally turned off the default avatar, figuring maybe that’d flush whatever it was.  And suddenly it worked!  So I turned it back on, and it didn’t work anymore.

So, now, my other blog doesn’t have a default avatar.  Not sure about this one yet.  It doesn’t have any comments, so I’m not real concerned.

Design by Defect

Code Follies | Posted by attriel September 2nd, 2008

Imagine if you will.  A room with 4 people for a meeting.  Two of them are coders.  Developers.  It’s a design meeting.  Let’s call them A and N.  The other two people we’ll call D and C.  Because that way the letters are nice and random ;)

The meeting is talking about the design and design decisions behind a new content framework for a series of sites.  Rather than investing in a CMS that might do most of what they want badly, the customer has asked for a custom built deal to perform the functions they need well.  (OK, that’s a bit of a stretch.  Group S convinced the customer that this was the best way to do it, but the customer isn’t necessarily convinced they need anything more than their current “bob edits the HTML files for us” system).  A has just been invited to the meeting, apparently related meetings have been going on for months.

N, the other developer, has a system he worked on previously that he feels can be easily retooled to provide CMS functionality without having to start from scratch.  Reusability of code, cool.  Reusability of code from another client while working for a different company, questionable.  Reusability of an inventory tracker as a CMS framework … uh … When you have to start wedging site design ideas around the existing code so you don’t have to rewrite it … 

D is a manager.  His major contribution to the meeting was fairly benign.  Basically, anytime N asked a question about how this or that should work, D deferred to C or sent the question back to N.  He also nailed the manager ability to agree with everyone in the room, even when they disagree with each other.

C is an idea man.  He generates ideas, mockups, etc.  He doesn’t work on the code, directly.  During the meeting he shoots down multiple design choices due to the customers being, effectively, retarded imbeciles.  

So, during this multi-hour meeting, you have A making repeated comments and suggestions based on a total lack of background.  N making choices and declarations based on how the sites can best be modeled as inventory.  And C firing down ideas due to customer incompetence.  N and C both keep making suggestions based on, effectively, retaining the current system and model.  Which is: Bob edits HTML files by hand on the server.  D’s major contribution is repeated use of statements like “outside the system”, and then wanting these tasks that exist outside the system to be triggered or to effect a change in the system.  Without them being connected.  Every user role that comes up is “Well, that would be Bob”; the only example in every mockup is a section that, within the first 20 minutes, is written off as not exemplary of the rest of the system.

In the end, it’s a poorly implemented system based on a defective design, intended to minimally meet abysmal requirements for a product that the customer isn’t even sure they want.  What could POSSIBLY go wrong?