Forget You Ever Knew How To Do That!
(Photo credit: peakcare.blogspot.com)
Derek, I wanted to talk to about a potential security flaw one of our support engineers worked out.
Yeah?
Well, they realized that we are storing the user passwords in an unencrypted format. We’ve just XOR’d the data. But, that’s simply security through obscurity. If our engineers could figure it out so can someone else.
Did they document this?
Sure, in fact they build a simple program. Just point it at a postoffice and it will list the user name, alias, system password and then a personal password if they set one up.
Go back and tell the support operator that this is a VERY bad thing he’s done. He should delete all copies of the program and the original program files for it. If HR finds out who he was, he could be fired. YOU didn’t help write it did you?
Not the response I was expecting. Forget you ever knew how to do this? Pretend it didn’t happen? Stick your head back in the sand?
I was working for WordPerfect in Orem, UT. I was supporting WordPerfect’s email program, called WordPerfect Office. The password hack program was written by Trevor.
Rodney, got a minute?
Sure, Trevor.
You’re on Post Office 14, right?
Yeah.
You’re email alias is RODNEYB, your system assigned password is X14J7B and you set a personal password of fluffythedog?
He was a childhood pet. But, that’s really cool. How did you do it?
Pretty simple really. Just an XOR filter.
You should tell development about it.
No. I don’t think they would appreciate it.
I don’t know. I’ll talk to them.
Don’t tell them it was me.
Obviously Trevor had a better feel for office politics than I did. But, this was an example of a core deficiency that WordPerfect Corporation had. Not just the password issue. It was 1990. NO ONE had strong security. But, the idea that rather than discuss and address weaknesses, they should be hidden and that the company would go to lengths to keep them hidden.
I guess their thought was, this was SUCH a big security hole that telling anyone about it would drive people away from Office toward our competitors. But, the idea that they wanted support people to also be in the dark was troubling and fairly typical. WordPerfect had an arrogance that was mostly undeserved.
I once had a Vice President tell me, “We don’t want to hire people who have an MBA. We will teach you everything you need to know about the software industry.” And while the industry was still really young, about 10 years after the release of the IBM PC, software development wasn’t new.
But, WordPerfect would rather reinvent the wheel than adopt industry standards. After a decade at Microsoft I remember thinking how few Program Managers WordPerfect had. They had programmers, and they had testers, and they had support. They didn’t really have the “mostly” techy guys who were there to translate “tech-talk” into real world experience. I think this was due to the fact the company was founded by a Computer Science professor and a Computer Science major. And then they caught the market wave perfectly and were suddenly the biggest word processor company in the world.
The problem was that the WordPerfect guys thought they were successful mostly because they were so smart and partly because of luck. In actuality, it was the other way around.
So, I went back to Support and assured Trevor that I hadn’t told anyone his name, but that development wanted him to delete all copies of the program. In fact, I think I got an email from the head of Office development asking if I had verified that all copies, including printouts were destroyed.
Yeah. We stuck our heads back in the sand. But I’m not sure that’s a workable long term strategy. Less than 5 years later, WordPerfect no longer existed as a company.
Rodney M Bliss is an author, columnist and IT Consultant. He lives in Pleasant Grove, UT with his lovely wife and thirteen children.
Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or contact him at (rbliss at msn dot com)
Very true. It’s always a bad idea to ignore issues and pretend no one else would ever find it.
Especially if it’s a problem that isn’t going away. If our firewall died. And it left us vulnerable for a couple hours, THAT you can keep quiet until you fixed it. But if your architecture is flawed, you should at least share that, or acknowledge it in your own company.
One of my heroes was Richard Feynman. He worked on the atom bomb at Los Alamos, and he had a habit of pointing out the Emperor’s lack of clothing.
Everyone in the facility had government-issue filing cabinets with built-in combination locks. These could be programmed by the user to any 3-digit combination, with each digit ranging from 0 to 59. In theory, that’s 216,000 possible combinations. Feynman got to thinking, however, that every single secret of the atomic bomb research was kept in these cabinets around the base, and he began to wonder just how secure they were.
Fiddling with his own lock, he discovered that they were really sloppy–as long as you were within + or – 2 of each digit of the combination, the lock would open. That effectively reduced each digit from 60 possibilities to 12, which meant only a grand total of 1,728 possible combinations. Moreover, people tended to unlock their cabinets in the morning and leave the dial sitting on the last number, which meant that there were only 144 possible combinations–something he could work out by trial and error in just a few minutes.
Feynman being Feynman, he got the habit of idly fiddling with coworker’s locks while chatting with them. They thought he was just fidgeting, but in reality he was steadily cracking the combinations to their cabinets. Within a month, he had a list of over 100 names and combinations–and he quickly developed a reputation as “the guy who can get your cabinet open if you forget your combination”. Feynman would go back to his office to “get his screwdriver”, but then would peek at his list and get your combination. He’d futz with your lock for 5 minutes to make it look like he was really trying to crack the safe, and when he felt like he’d done enough theater, he’d dial in your combination and open your cabinet. (On one occasion he did actually have to fiddle with the lock for a hour because he didn’t know the guy’s combination. He started at 0-0-0 and worked through the 1,728 possible combinations until he hit on the right one.)
After a while, as the amount of research mounted and the danger of storing it so insecurely increased, his conscience got the better of him, and he reported the problem with the locks to the base commander, adding as additional proof that he had assisted over 20 people in “cracking” their own cabinets.
The next morning a top-priority memo was distributed to all base personnel. It read simply: “Effective immediately, do not allow Richard P. Feynman near your combination lock.”
Sadly, the U.S. government does not appear to have gone out of business. Oh, wait…
(For people reading this in the future: it’s currently day 3 of the government shutdown of 2013: http://en.wikipedia.org/wiki/United_States_federal_government_shutdown_of_2013 )
Feynman was brilliant and funny. Love the story.