So, the other day I was asked to run a security scan of an app as part of my supplemental duties as a non-attached member of a third party group. Sure no problem. Well, actually, I haven’t used the tool since I got the new system at the office, lemme make sure I can still access it.
Yep, there’s the prompt for a login. <look up my password information> … wait, no? Crap. I thought that was what I changed the password to. Oh, right, they changed the username to make it more obvious what the account was for … talk to the group lead, he doesn’t remember either. He hasn’t been on in longer than me.
He takes me over to the guys who admin the server. The guy we need to talk to is out, as is the second best bet. So I ask person C, who I know is covering some of A’s projects while he’s out. But they don’t know. They suggest D. We (three of us now, me, boss, and C) traipse over to D’s office. Some discussion, C admits that E would be a better choice, but E is talking to their boss … So D brings out his security notebook, and starts paging through it. ”You’d be amazed at how much is in this book. I’ve got every password on every system.” ”Except the one we want?” “Well, you might be right. I don’t see anything for that server. Maybe see if E is done talking to Boss2?” … No. But I talk to C for a bit on something else, Boss1 keeps talking to D on some subject, then is heading back to his office when Boss2 finishes, so I call Boss1 back to talk to E at least long enough to provide validation for my request for the password to an account who’s name I don’t know … Yeah, THAT’s not fishy at ALL.
Finally get the account name (it was pretty self evident), and got the password reset since E didn’t have it noted anywhere either (They may not have it written down, since they can always just reset it). FINALLY!
Elapsed time: 1hr.
Went back, started configuring the scan tool (Piece of …) (that took about 2 hours, but I pushed it off some to do some other tasks vaguely related to my normal job). At some point in the afternoon, Boss3, who owns the app I’m scanning, sends me an email with “test account information”, the URL and the username I need to login. Great. It’s a dummy test login for the QA server, I don’t think anything of there not being a password in the email (it’s qa, so I wouldn’t have winced too bad at getting “Password: abcd1234″ in the email with the username “Username: qatestacct1″ …)
Wrong. Needs a password. Well hell, go over to Boss3′s office, but he’s left for the day. Call Boss1, he says “oh yeah, I have the password” and gives it to me once I grab a pen. Turns out my pen doesn’t work, but it scratches enough to let me read it 5 seconds later to type it in. And it doesn’t work. Well, he said it wasn’t case sensitive, but we’ll try it the cases. He said “oh” and i took that as the letter, but maybe he meant the number? number and cases? hrrm.
Go find Boss4, who replaced Boss1 in his other duties when he moved to a new position, and is theoretically (I believe) above Boss3. Maybe they’ll know who to ask, anyway. They send me to G or H, and takes me to G’s desk. G doesn’t know, he takes me to H. H isn’t there, but his stuff is so he’s not gone yet just out for a drink or maybe he’s looking for a password somewhere … Anyway, go back to my desk, try a few other things and some regular work, get up a few minutes later and go check and H is there, but he’s putting on his walking shoes (vs work shoes), so he’s obviously getting ready to leave. Damn good timing on my part. Some back and forth with me, G and H, H gets what I’m looking for and writes me down the password (case insensitive still). Looks only vaguely like what Boss1 gave me earlier. As in it shares some characters, but not most of them. But it works! I can now log in to the app, so I can now run the scan.
Elapsed time, Password 2: 45 minutes.
*sigh*
And the best part? I’m fairly sure the scan is basically going to give me meaningless gibberish, because the “approved scanning tool” sucks.
Oh, and by the time I launched the scan? Boss 1 was gone. It was his last day, he’s off to a new project at some other site. Which means I’m the only person left on the team, and I’m kindof curious why he’s calling me for the results this week …
