The Day Batman Almost Got Me Fired
The email was pretty innocuous.
TO: Vera Critchfield (verac)
FROM: Bruce Wayne (DarkNight)
SUBJECT: Phone Schedule for next week
Rodney asked me if I ask you what next week's phone schedule is. I need his help on Friday. So, he's hoping he can be done by 5:00 pm.
Batman
It was a valid email message dutifully delivered by our corporate WordPerfect Office 3.0 Connection Server. Of course, it wasn’t from Bruce Wayne and he never signs his emails “Batman” anyway. I was exploiting a “feature” of the Office 3.0 system.
Vera, my manager, was not amused.
Did you know that abusing the corporate email system was grounds for termination?
Ah. . .
And impersonating another person on the email system is also grounds for dismissal.
Okay. . .
Don’t do it again!
Sorry, it was just a joke. I wasn’t trying to pretend to be anyone else.
Wow. You’d think some people would have more of a sense of humor. Vera was the team manager for the WordPerfect Office support team. I was a support engineer supporting our new email system. The flaw I’d exploited was very simple. WP Office was what was called a store-and-forward email system. And it was file-based. That meant that when you sent an email, it got created as a file and then placed in a special directory or folder on the server. There was a program, called the Connection Server, whose job it was to poll that directory every couple of seconds, and if it found a message, it would look at the TO: address and route it accordingly. Nothing checked who had actually written the file into that directory, or whether the FROM: address belonged to a real account on a real post office.
In order to have Bruce Wayne email my manager, I did two things. First, I installed Office on my local computer. Then, I went in and created two post offices. One was WAYNEMANOR, the other was the post office my manager was on. I created an account for Bruce at WAYNEMANOR and one for Vera on her post office. Then, I logged in as Bruce and composed the message and hit send.
The email got created and dropped into the outgoing mail folder. Kind of like putting the flag on the mailbox up. However, rather than run the Connection Server, I copied the file to our corporate folder and the next time the corporate Connection Server came by, it picked up the email and delivered it.
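The weakness described above is that the poller trusts whatever lands in the spool directory. The following is an added example, not WordPerfect Office code, that models a toy store-and-forward poller with the two checks a defender would want: the FROM: address must resolve to an account on a post office the server actually knows, and the spool file must have been written by that account. The `account@POSTOFFICE` form inside the parentheses, the post office and account names in `KNOWN_POST_OFFICES`, and the two spool files are all constructed for the example; `owner_of()` reads the real file owner on a POSIX system, and `demo()` substitutes a fixed owner so the run is reproducible.

```python
import os
import pwd
import tempfile

# Constructed corporate directory: the post offices this Connection Server
# serves and the accounts on each. Assumed names, not WP Office configuration.
KNOWN_POST_OFFICES = {
    "SUPPORT": {"verac", "rbliss"},
    "ENGINEERING": {"rodney"},
}


def parse_message(text):
    """Split a spool file into (headers, body); headers end at the first blank line."""
    headers, body, in_body = {}, [], False
    for line in text.splitlines():
        if in_body:
            body.append(line)
        elif line.strip() == "":
            in_body = True
        else:
            key, _, value = line.partition(":")
            headers[key.strip().upper()] = value.strip()
    return headers, "\n".join(body)


def split_address(field):
    """'Bruce Wayne (DarkNight@WAYNEMANOR)' -> ('DarkNight', 'WAYNEMANOR').
    The account@POSTOFFICE-in-parentheses form is an assumed convention."""
    if "(" not in field or not field.endswith(")"):
        raise ValueError(f"malformed address: {field!r}")
    account, _, office = field[field.rindex("(") + 1:-1].partition("@")
    return account, office.upper()


def naive_route(text):
    """What the story's poller did: anything in the spool is routed by TO: alone."""
    _, dest = split_address(parse_message(text)[0]["TO"])
    return True, f"routed to {dest}"


def checked_route(text, spool_owner):
    """Hardened poller: FROM: must name a real local account, and the spool
    file must have been written by that account, or the message is dropped."""
    headers, _ = parse_message(text)
    for h in ("TO", "FROM"):
        if h not in headers:
            return False, f"missing {h}: header"
    sender, office = split_address(headers["FROM"])
    if office not in KNOWN_POST_OFFICES:
        return False, f"unknown sender post office {office}"
    if sender not in KNOWN_POST_OFFICES[office]:
        return False, f"no account {sender} on {office}"
    if spool_owner != sender:
        return False, f"spool file written by {spool_owner}, not {sender}"
    _, dest = split_address(headers["TO"])
    return True, f"routed to {dest}"


def owner_of(path):
    """Map the spool file's owning UID to an account name (POSIX only)."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def poll_spool(spool_dir, owner_lookup=owner_of):
    """One poller pass: {filename: (delivered, reason)} for every spool file."""
    results = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        with open(path, encoding="utf-8") as fh:
            results[name] = checked_route(fh.read(), owner_lookup(path))
    return results


# Constructed spool contents: one genuine message and the spoof from the story.
GENUINE = (
    "TO: Vera Critchfield (verac@SUPPORT)\n"
    "FROM: Rodney Bliss (rbliss@SUPPORT)\n"
    "SUBJECT: Phone schedule\n\nCan I leave at 5 on Friday?\n"
)
SPOOFED = (
    "TO: Vera Critchfield (verac@SUPPORT)\n"
    "FROM: Bruce Wayne (DarkNight@WAYNEMANOR)\n"
    "SUBJECT: Phone Schedule for next week\n\nBatman\n"
)


def demo():
    """Drop both files in a temporary spool and run one poller pass."""
    with tempfile.TemporaryDirectory() as spool:
        for name, text in (("0001.msg", GENUINE), ("0002.msg", SPOOFED)):
            with open(os.path.join(spool, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        # Ownership is simulated here; a real deployment would use owner_of().
        return poll_spool(spool, owner_lookup=lambda path: "rbliss")


if __name__ == "__main__":
    for name, (delivered, reason) in demo().items():
        print(name, "DELIVERED" if delivered else "REJECTED", reason)
```

Run as a script, the genuine message is delivered and the Bruce Wayne message is rejected because WAYNEMANOR is not a post office the server knows. The owner check matters for the other case the story hints at: a message claiming a real local account, dropped into the spool by someone else, is rejected because the file's owner does not match the sender.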
Those of us in support didn’t consider it a big deal. In fact, we had been sending emails to one another from Mickey Mouse, Thor, and the 1980s equivalent of Miley Cyrus.
Management wasn’t in on the joke, nor were they interested in finding out just how vulnerable the system was to spoofing. Their reaction tended to be “Don’t do that again. . .and forget how you did it this time.” I’ll write more on that philosophy tomorrow.
This experience with Vera was a real wakeup call for me. It was the first time I started to see the difference between “us” and “them.” I thought we were all an “us.” We weren’t. And most likely neither are you.
When I became a manager, I resolved to not overreact when my staff pulled a prank. In fact, while taking over one team, in my first team meeting, I announced,
Messing with someone else’s unlocked computer. . .
Ah man, here it comes!
. . .is now an official team policy.
Really?
Don’t leave your computer unlocked or someone might send out an email from you describing your love for sheep!
Interesting thing, that team started locking their computers more. Trust your staff and they will trust you.
Rodney M Bliss is an author, columnist and IT Consultant. He lives in Pleasant Grove, UT with his lovely wife and thirteen children.
Follow him on Twitter (@rodneymbliss), Facebook (www.facebook.com/rbliss), LinkedIn (www.LinkedIn.com/in/rbliss), or contact him at (rbliss at msn dot com).
Did the exploit get fixed?
It was an architecture design flaw. When they switched from a file-based email system (each message is stored as a separate file) to a client/server model where everything was stored in a database, it was no longer an issue.
Tomorrow I’m going to talk about an even more serious design flaw and an even more stupid corporate response to it.