Rodney M Bliss

Forget You Ever Knew How To Do That!

(Photo credit: peakcare.blogspot.com)

Derek, I wanted to talk to you about a potential security flaw one of our support engineers worked out.

Yeah?

Well, they realized that we are storing the user passwords in an unencrypted format. We’ve just XOR’d the data. But, that’s simply security through obscurity. If our engineers could figure it out, so can someone else.

Did they document this?

Sure, in fact they built a simple program. Just point it at a postoffice and it will list the user name, alias, system password and then a personal password if they set one up.

Go back and tell the support operator that this is a VERY bad thing he’s done. He should delete all copies of the program and the original program files for it. If HR finds out who he was, he could be fired. YOU didn’t help write it did you?

Not the response I was expecting. Forget you ever knew how to do this? Pretend it didn’t happen? Stick your head back in the sand?

I was working for WordPerfect in Orem, UT. I was supporting WordPerfect’s email program, called WordPerfect Office. The password hack program was written by Trevor.

Rodney, got a minute?

Sure, Trevor.

You’re on Post Office 14, right?

Yeah.

Your email alias is RODNEYB, your system assigned password is X14J7B and you set a personal password of fluffythedog?

He was a childhood pet. But, that’s really cool. How did you do it?

Pretty simple really. Just an XOR filter.

You should tell development about it.

No. I don’t think they would appreciate it.

I don’t know. I’ll talk to them.

Don’t tell them it was me.

Obviously Trevor had a better feel for office politics than I did. But, this was an example of a core deficiency that WordPerfect Corporation had. Not just the password issue. It was 1990. NO ONE had strong security. The deficiency was the idea that weaknesses should be hidden rather than discussed and addressed, and that the company would go to lengths to keep them hidden.

I guess their thought was, this was SUCH a big security hole that telling anyone about it would drive people away from Office toward our competitors. But, the idea that they wanted support people to also be in the dark was troubling and fairly typical. WordPerfect had an arrogance that was mostly undeserved.
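To make concrete why an XOR’d password file is obscurity rather than encryption, here is an added example. It is my illustration, not WordPerfect’s code and not Trevor’s program, and everything about the file is assumed: a fixed 8-byte key shipped inside the product, a 48-byte NUL-separated record layout, and two made-up users alongside the RODNEYB / X14J7B / fluffythedog values from the story. It goes a step beyond the “XOR filter” of the conversation in two ways: the attacker does not start out knowing the key, only his own alias and system password, and recovers the key from that known plaintext; and the end shows the salted, slow password hash that should have been stored instead.

```python
"""
Added example (not WordPerfect's code): a password store "encrypted" with a
fixed XOR key is only obscurity.  Record layout, key length, key value and the
two extra users are invented; the first user's values come from the story.
"""
import hashlib
import hmac
import os
from itertools import cycle
from typing import Optional

# Assumed: an 8-byte key baked into every copy of the product.  A constant that
# ships with the software is a constant an attacker can recover.
SECRET_KEY = b"\x5a\x17\xc3\x08\x91\x2e\x64\xb0"
RECORD_LEN = 48  # assumed fixed-width record: alias NUL system-pw NUL personal-pw

# Constructed sample data: the first user is from the story, the rest are made up.
SAMPLE_USERS = [
    ("RODNEYB", "X14J7B", "fluffythedog"),
    ("TREVORJ", "Q9M2ZT", "chess4ever"),
    ("MARYK", "L5C8PW", ""),          # no personal password set
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def pack_record(alias: str, system_pw: str, personal_pw: str) -> bytes:
    """NUL-separated fields, NUL-padded to RECORD_LEN (constructed layout)."""
    raw = b"\0".join(f.encode("ascii") for f in (alias, system_pw, personal_pw))
    if len(raw) >= RECORD_LEN:
        raise ValueError("record too long")
    return raw.ljust(RECORD_LEN, b"\0")


def unpack_record(rec: bytes) -> tuple:
    fields = rec.rstrip(b"\0").split(b"\0")[:3]
    fields += [b""] * (3 - len(fields))       # personal password may be empty
    return tuple(f.decode("ascii") for f in fields)


def write_postoffice(users) -> bytes:
    """What the product does: every record XORed with the same fixed key."""
    return b"".join(xor_bytes(pack_record(*u), SECRET_KEY) for u in users)


def looks_decoded(data: bytes) -> bool:
    """A candidate key is right when every byte comes out NUL or printable ASCII."""
    return all(b == 0 or 32 <= b < 127 for b in data)


def recover_key(postoffice: bytes, my_alias: str, my_system_pw: str) -> Optional[bytes]:
    """Attacker side.  He knows only his own alias and system password, which
    sit as known plaintext at the start of some record.  For every key length
    and every record offset, cipher XOR plaintext yields a candidate key; the
    right one decodes the whole file to clean text."""
    known = f"{my_alias}\0{my_system_pw}".encode("ascii")
    records = range(0, len(postoffice), RECORD_LEN)
    for key_len in range(1, len(known) + 1):
        for start in records:
            candidate = xor_bytes(postoffice[start:start + key_len], known[:key_len])
            if all(looks_decoded(xor_bytes(postoffice[s:s + RECORD_LEN], candidate))
                   for s in records):
                return candidate
    return None


def dump_postoffice(postoffice: bytes, key: bytes) -> list:
    """With the key in hand, every user's passwords fall out of the file."""
    return [unpack_record(xor_bytes(postoffice[i:i + RECORD_LEN], key))
            for i in range(0, len(postoffice), RECORD_LEN)]


# What should be stored instead: a salted, slow hash.  The file then reveals
# nothing even to someone who has read every byte of it and the source code.
def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000), digest)


if __name__ == "__main__":
    po = write_postoffice(SAMPLE_USERS)
    key = recover_key(po, "RODNEYB", "X14J7B")
    print("recovered key:", key.hex())
    for alias, system_pw, personal_pw in dump_postoffice(po, key):
        print(f"{alias:10} system={system_pw:8} personal={personal_pw!r}")
```

The key-recovery step is the point of the exercise: XOR is its own inverse, so one record whose contents the attacker already knows (his own) hands over the key, and the same key unlocks every other user on the postoffice. Deleting Trevor’s program removed one copy of about forty lines of logic, not the property of the file format that made them work.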

I once had a Vice President tell me, “We don’t want to hire people who have an MBA. We will teach you everything you need to know about the software industry.” And while the industry was still really young, about 10 years after the release of the IBM PC, software development wasn’t new.

But, WordPerfect would rather reinvent the wheel than adopt industry standards. After a decade at Microsoft I remember thinking how few Program Managers WordPerfect had. They had programmers, and they had testers, and they had support. They didn’t really have the “mostly” techy guys who were there to translate “tech-talk” into real world experience. I think this was due to the fact that the company was founded by a Computer Science professor and a Computer Science major. And then they caught the market wave perfectly and were suddenly the biggest word processor company in the world.

The problem was that the WordPerfect guys thought they were successful mostly because they were so smart and partly because of luck. In actuality, it was the other way around.

So, I went back to Support and assured Trevor that I hadn’t told anyone his name, but that development wanted him to delete all copies of the program. In fact, I think I got an email from the head of Office development asking if I had verified that all copies, including printouts were destroyed.

Yeah. We stuck our heads back in the sand. But I’m not sure that’s a workable long term strategy. Less than 5 years later, WordPerfect no longer existed as a company.

Rodney M Bliss is an author, columnist and IT Consultant. He lives in Pleasant Grove, UT with his lovely wife and thirteen children.

Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or contact him at (rbliss at msn dot com)
