They obviously need better ventilation

Originally posted to the Scary Devil Monastery on 2002.03.27:

This isn't the first time I've been aghast at what the chemistry
department over here at $UNI has done[1][2], but it's the first time
someone over there has actually attempted to imply that I'm somehow
responsible for their breakage, all the way over here in the math
department.  That irritates me, but I knew the risks when I took the
job.  What gets to me is that they've managed to find someone to get
them the equivalent of BlackEyes Defender or ZonedAlarms for their
shiny Beowulf cluster, and the head of the department has decided that
this acquisition somehow makes him competent to run their computers,
AND I CAN'T LART HIM.  Again, the second isn't all that unusual, but
the first and third...  And by all that's holy, what fscking traitor
decided to port that kind of alarmist ambulance-chasing crap to a
system that at least has a running chance of working correctly once in
a while, has logs that CAN be trivially parsed, and then *DOESN'T
BOTHER*?

So anyway, I get an e-mail titled: "Hack attempt(s) by $OURSERVER upon
$THEIRSERVER", forwarded by the campus central computing folks,
complete with an autogenerated syslog segment, traceroute, and netstat
output at the bottom.  What does the netstat output show?  Remarkably,
exactly two connections: one between a high port on their machine to
port 25 on our machine, and one between port 113 on their machine to a
high port on our machine.  The syslog segment?  That tcpwrappers
refused a connection to in.identd.
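The two netstat lines and the tcpwrappers refusal are the entire evidence in the complaint, and together they describe one ordinary event: a mail server receiving a connection on port 25 queries the client's port 113 (the RFC 1413 ident callback), and tcpwrappers on the client side refuses it. The following Python is an added example, not code from the original post or from any tool mentioned in it, that correlates a refused in.identd connection with an outbound SMTP session to the same host so that a triage script can label it benign instead of raising an alarm. The netstat lines, the syslog line and the addresses are constructed placeholders taken from the documentation address ranges.

```python
"""Correlate a refused in.identd connection with the SMTP session that
caused it.  Added example; the data below is constructed and assumed to
have been captured on the complaining host ($THEIRSERVER)."""
import re

# Constructed `netstat -n` style output as seen on the complaining host.
# Local address 192.0.2.10 is that host; 198.51.100.5 stands in for the
# mail server it was delivering to.  Both are documentation addresses.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:34567        198.51.100.5:25         ESTABLISHED
tcp        0      0 192.0.2.10:113          198.51.100.5:41022      TIME_WAIT
"""

# Constructed tcpwrappers line from the same host's syslog.
SYSLOG = ("Mar 27 09:14:02 theirserver in.identd[4471]: "
          "refused connect from 198.51.100.5")

SMTP_PORT = 25    # the session we initiated
IDENT_PORT = 113  # the callback the remote mail server made to us

NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
REFUSED_RE = re.compile(r"in\.identd\[\d+\]: refused connect from (\S+)")


def parse_netstat(text):
    """Return one dict per TCP connection line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            lip, lport, fip, fport, state = m.groups()
            conns.append({"lip": lip, "lport": int(lport),
                          "fip": fip, "fport": int(fport), "state": state})
    return conns


def refused_identd_peers(syslog_text):
    """Peers that tcpwrappers refused on in.identd, in log order."""
    return [m.group(1) for m in REFUSED_RE.finditer(syslog_text)]


def classify_ident_refusals(netstat_text, syslog_text):
    """Map each refused peer to a verdict.

    A refused ident connection from a host we currently hold an SMTP
    session with is the normal ident callback, not a probe.
    """
    conns = parse_netstat(netstat_text)
    verdicts = {}
    for peer in refused_identd_peers(syslog_text):
        we_sent_mail = any(c["fip"] == peer and c["fport"] == SMTP_PORT
                           for c in conns)
        they_queried_ident = any(c["fip"] == peer and c["lport"] == IDENT_PORT
                                 for c in conns)
        if we_sent_mail and they_queried_ident:
            verdicts[peer] = ("benign: ident callback from the SMTP server "
                              "we were delivering mail to")
        elif they_queried_ident:
            verdicts[peer] = ("review: ident query with no session of ours "
                              "to explain it")
        else:
            verdicts[peer] = "review: refused in.identd, no netstat evidence"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in classify_ident_refusals(NETSTAT, SYSLOG).items():
        print(peer, "->", verdict)
```

Run stand-alone it prints a single "benign" verdict for the constructed peer. The point of the example is the correlation step: an alert tool that only looks at the refused in.identd line, and never at the port 25 session sitting next to it in the same netstat output, is the tool the post is complaining about.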

I take the time to confirm that my own logs match theirs, note
absently that their clock is six hours off, possibly because whoever
is passing for an admin over there doesn't understand the difference
between GMT and local time, and then boggle for a moment at an admin
mistaking it for an attack.  Then I skip back up to the top of the
log, which reads:

> Possible unauthorized access attempt(s) made upon our machine
> by $OURSERVER. Possibly an authorized user from an unauthorized
> location. 
> Probable HACKER in control of that machine, scanning for vulnerable
> machines to subvert.

"Oh yeah," I think to myself, "this is the department without any real
technical staff," and fume for a bit about people writing tools
specifically designed to alarm the incompetent into bothering their
betters.  I check the name of the submitter and fail to recognize it,
and then call the number for the main campus IT guy handling this to
ask him why he failed to squelch this before it got out of his mailbox
and into mine.  Main campus IT can make my life difficult if they
choose, so I do it politely.  I politely explain (just in case he also
doesn't have a frigging clue how to read the excruciatingly clear log
transmitted with the message) exactly what happened, and ask (with my
irritation becoming audible) just who this guy is (unvoiced: "...and
can I lart him heavily?").  Ah, the head of the department ("...No.
Damnit."), and he's got quite a history of making similar complaints.
The central IT guy mentions that he thought that it was just a simple
connection, but he just needed to ask me to make sure. ("... and I
will cheerfully bother you again if I need to cover my ass."  Which I
can understand, I suppose; the atmosphere over there is worse than the
corporations I've worked in, but it still annoys me.)  I mention that
I don't envy him his job in educating the luser, thank him for his
time, and hang up, so the only witness to my subsequent comments is
the PFY, who has been watching this entire progression with great
amusement -- see if he finds it as funny in a couple years when I move
on and he gets my job.  I suppose I should be grateful, considering
some of the things in [2], that someone over there is bothering to pay
any attention to security at all.


[1] The first time was when one of their instructors came over to our
    building touting a perl script to handle some webform or another
    for some application system or another.  The details kind of wiped
    themselves from my mind after I was told that the script needed to
    be able to write its data to the directory in which it lived, and
    have the webserver pull that data directly to a browser later.
    Conversation fragment:
    
    "You need global write access to /usr/lib/cgi-bin?!  And
    passthrough read access to the things stored there?!"
    "Well, we just turned all the checkboxes for permissions on on our
    NT server and it worked just fine there.  Why can't you do that
    here?"

    It's a mark of pride that I've advanced to the point here where I
    could get away with not even bothering to hide my horror and
    disgust.  The individual in question politely accepted my short
    explanation about why it was a bad idea (though I saw the eyes
    starting to glaze over), and meekly accepted my judgement, so got
    away with only a light verbal larting.

[2] The second time, when one of our professors expressed a desire for
    a highly customized guestbook of sorts for alumni use (more an
    alumni registry than a guestbook, after what he wanted), the same
    individual pointed him at the chemistry department guestbook, and
    cheerfully hacked (except that in this case the image is more of
    an axe murderer than code artist) a copy of their QPFpevcgf
    guestbook until it more or less did kind of what he wanted, and
    then cheerfully told my department chair and our professor that
    she had a complete solution.  Somewhere in this process, I got
    told that she had something I ought to look at to possibly modify
    (I only find out afterwards that she's already demoed it as a
    complete solution that only needs to be dropped in).  A meeting
    gets scheduled.  I remember the name and shiver in foreboding.
    Surely enough, the following snippets show up in the conversation:

    "Can I hope that you've done some rudimentary security checks on
    this package?  Checked the web, poked at the code a bit, thought
    about possible issues?"
    "Oh, yes!  We've installed it on three machines and it worked on
    all three of them!"

    "Oh, I've modified it so it can write to another location now.  It
    just dumps all the fields to a text file specified in the script
    separated by vertical bars, and then parses that later for the
    display."
    "So what happens when someone inputs a vertical bar in the web
    form?"
    [awkward silence]
    "I don't know, I never really thought about it."
    [more awkward silence followed by a short-lived change of topic]
    "Oh, I think it strips the vertical bars out of the submissions.
    In fact, I'm sure of it."
    (Yeah, sure you are...)

    "Well, over in our department, nobody really worries about
    security."
    "Well, you'll worry about it the first time a teenager with no
    social responsibility decides to use you as a comfortable point
    from which to attack everyone else, and does away with all your
    data because he needs more room."
    "Oh, no, every year or two we get broken into and have to delete
    everything and reinstall the servers, but it's no trouble."
    (... boggle ...)

    You'd think that by this point she would have been embarrassed
    enough at herself to apologize for taking my time and setting up
    expectations in the department, but it took until I demonstrated
    that her modifications to the script to hardwire C:\WINNT (among
    other things) in several places were not going to allow the script
    to function cleanly on a *nix machine and noted that it would be
    faster for me to write one properly from scratch than to fix that
    one before she finally gave up.
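The vertical-bar exchange in [2] is a delimiter problem: if records are written as fields joined by "|" and read back with a split on "|", a submission that contains the delimiter shifts or swallows the fields that follow it, and on the display side the later fields come from whatever the user typed. The following Python is an added example, not the chemistry department's script, showing the naive store/load pair beside a hardened one that uses the csv module's quoting so the delimiter can appear inside a field. The submissions are constructed.

```python
"""Pipe-delimited guestbook storage: naive join/split beside a quoted
form that survives a delimiter in user input.  Added example; the
records are constructed, not real submissions."""
import csv
import io

FIELDS = ["name", "year", "comment"]

# Constructed submissions.  The second comment contains the delimiter.
SUBMISSIONS = [
    {"name": "Alice Example", "year": "1995",
     "comment": "Hello from the class of 95"},
    {"name": "Bob Example", "year": "1998",
     "comment": "a | b | c"},
]


def naive_store(records):
    """Write each record as its fields joined by '|', one per line."""
    return "\n".join("|".join(r[f] for f in FIELDS) for r in records) + "\n"


def naive_load(text):
    """Split each line on '|' and pair the pieces with FIELDS.

    zip() stops at the shorter sequence, so a line with extra pieces is
    silently truncated and a line with too few leaves fields missing.
    """
    return [dict(zip(FIELDS, line.split("|"))) for line in text.splitlines()]


def safe_store(records):
    """Same delimiter, but every field is quoted and embedded quotes are
    doubled, so a '|' inside a comment is data, not structure."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="|",
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(records)
    return buf.getvalue()


def safe_load(text):
    """Read the quoted form back; csv handles delimiters inside quotes."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS,
                            delimiter="|")
    return [dict(row) for row in reader]


def round_trips(records, store, load):
    """True when storing and reloading gives back exactly the input."""
    return load(store(records)) == records


if __name__ == "__main__":
    print("naive round-trip:", round_trips(SUBMISSIONS, naive_store, naive_load))
    print("quoted round-trip:", round_trips(SUBMISSIONS, safe_store, safe_load))
    print("naive reload of Bob:", naive_load(naive_store(SUBMISSIONS))[1])
```

With the naive pair, Bob's comment comes back as "a " and the rest of what he typed is discarded; had the comment field come before the year, his text would have become the year. Quoting on output (or rejecting the delimiter at input time, which is what the script was claimed to do) is the minimum needed before a field written by a stranger is parsed back into a page.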

Trackback URL for this post:

http://www.resonant.org/trackback/17