Was the business in a solid state when you crashed? That must have been hard!
If you can't laugh at yourself - ask me and I will do it for you.
SCuSI, but you SATA craziest things!
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
modified 11-Jun-21 13:59pm.
So two years ago, I created a service for a client, with which their suppliers could connect.
It's based on a "standard" (which turned out to be standard-ish) that even pre-dates XML.
So anyway, there isn't a GUI that the supplier can use to manage their account.
An account is created by the IT department, who creates a username and password and communicates that to the supplier.
Communicating passwords is a bit sketchy, but doesn't have to be a problem.
Turns out the IT department is using an ascending number (starting at 1) as a password and stores that in an Excel sheet.
Apparently, the only check I have is that a password should be at least 8 characters.
I didn't think I needed more than that as we're talking about an IT department here.
They simply tell their suppliers "your password to log in is 00000001." and not a single supplier has complained yet.
Now, I just had a discussion about storing those passwords.
"It would be nice if we could send the users their password in case they forget."
Out of the question because I hash passwords before I store them.
"But we're not storing user data and it would be more practical if we knew these passwords... We won't be hacked and even if we were it wouldn't be a problem since the data is not very important..."
Why the [mastadon] am I even having this discussion in 2021 with a fellow IT professional!?
Still better than their current system which does not run on HTTPS and actually shows your password on screen.
No one can fix it either because no one knows who made it or where/how it's hosted, and it's not even that old yet.
In case you're thinking this must be some small local shop, it's actually a pretty large multinational.
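The post describes three things a service like this has to get right: a password check that is more than "at least 8 characters" (so that 00000001, 00000002, ... cannot be handed out), an initial password that IT does not have to invent, and storing only a salted, slow hash so the "send users their password" request is impossible by construction. The block below is an added example of those three pieces, not the author's service code; the function names, the PBKDF2 work factor and the tiny common-password list are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MIN_LENGTH = 8
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed, tune to your hardware
# Constructed stand-in for a breached-password list. A real deployment would
# check against a proper corpus (e.g. the Have I Been Pwned range API).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "00000000"}


def password_problems(password: str) -> list:
    """Return the reasons a candidate password is unacceptable (empty list = OK).

    The minimum-length rule is the only check the original service had; the
    other rules are the ones that reject an ascending counter such as 00000001.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only")
    if len(set(password)) < 3:
        problems.append("fewer than three distinct characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def generate_password(nbytes: int = 18) -> str:
    """Random URL-safe initial password; 18 random bytes give 24 characters."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as pbkdf2_sha256$iterations$salt$digest.

    This string is all the database ever holds; the cleartext is not recoverable
    from it, which is exactly why "mail the user their password" cannot be done.
    """
    salt = secrets.token_hex(16)  # fresh 128-bit salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt), ITERATIONS
    ).hex()
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt, digest = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt), int(iterations)
        ).hex()
    except ValueError:  # malformed record, bad hex, non-integer iteration count
        return False
    return hmac.compare_digest(candidate, digest)


def provision_account(username: str, password: Optional[str] = None) -> Tuple[str, str, str]:
    """Create the credentials IT hands to a supplier.

    Returns (username, cleartext_to_communicate_once, hash_to_store). If IT
    supplies a password it must pass the policy; otherwise one is generated.
    """
    if password is None:
        password = generate_password()
    problems = password_problems(password)
    if problems:
        raise ValueError(f"password rejected: {', '.join(problems)}")
    return username, password, hash_password(password)


if __name__ == "__main__":
    print(password_problems("00000001"))  # what the IT department's scheme gets back
    user, cleartext, stored = provision_account("supplier-0001")
    print(user, cleartext, stored[:40] + "...")
```

The cleartext returned by provision_account is communicated to the supplier once (the sketchy-but-workable step the post mentions) and then discarded; only the hash string is written to the account table, and the verify step needs nothing else.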
Sander Rossel wrote: We won't be hacked and even if we were it wouldn't be a problem since the data is not very important...
So why bother having a username and password in the first place?
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Because the standard(-ish) requires it?
There are actually two usernames and passwords, one to get access to the service (basic authentication) and then one to get specific data (a token in each message).
Now get this, the basic authentication is the same for each user because some third-party app hard-coded it!!!
Really, this project is the gift that keeps on giving
Not surprised a bit!
"When the going gets weird, the weird turn pro." - Hunter S. Thompson
Sander Rossel wrote: Now, I just had a discussion about storing those passwords.
"It would be nice if we could send the users their password in case they forget."
Out of the question because I hash passwords before I store them.
"But we're not storing user data and it would be more practical if we knew these passwords... We won't be hacked and even if we were it wouldn't be a problem since the data is not very important..."
Why the [mastadon] am I even having this discussion in 2021 with a fellow IT professional!?
Still better than "It would be nice if we could see their passwords to login as them when they're reporting a problem to try reproduction to see if it's a real problem or user error". Not a multinational sized customer but still... 😭😭
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
I worked at a company that had an impersonate button in one of their apps.
It had to be a secret as it violated about every privacy law imaginable
Not as bad as your case as we couldn't see their password, but besides that it's pretty much the same.
For what they want to do, and considering that the people using it would be the same people who would be running/using reports dumping everything the users entered into the system (so they can fold, spindle, and mutilate it into a conclusion of "our system works, give us another grant to run it next year"), if they would give us a chance to breathe on the flood of new features, an impersonate feature (for everything but saving as the other user) is what I wish we had time to give them.
As far as privacy rules go, when we pushed on needing to do various GDPR related things if they wanted to expand into the EU: "our research ethics commission is already so strict on what we're allowed to do that there's no way we'd need to change anything" (no one at my company has ever seen these rules), and separately "we asked our university's legal dept and they said 'GDPR means we can do whatever we want'". But all talk of doing stuff overseas stopped around that point in time. 🤔
I used to build in an impersonate option, completely bypassed the logon function and set the dev up as the user. Mind you they were desktop applications on a local network.
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
This brings up an interesting debate I have had with some management members of a corp I do software development for.
If the software belongs to the corp, and the person using it is an employee of said corp, and the software is only used for business related data... is it really an invasion of privacy to
1) know their password? or
2) impersonate their user for debugging purposes?
I honestly don't have an opinion on this. I have seen both sides of the argument... a case where the problem ONLY came up for that one single user and couldn't be duplicated in any other way... and a case where somebody maliciously used their ability to impersonate a user to get said user into trouble.
I guess as with many things in life, good judgement on need and urgency are better than absolute policy.
modified 14-Jun-21 5:52am.
HuntrCkr wrote: is it really an invasion of privacy to 1) know their password?
Yes always, there's a very good chance that user uses this password everywhere.
If you know their password you could probably login to their Facebook, Google, Instagram and bank accounts.
If someone hacks your database and the passwords are not sufficiently secured (and personally I think anything less than a strong hash is not sufficient), those hackers can now login to those accounts too.
And if those hackers post everything online, everyone can login to those accounts.
It doesn't matter what data a password secures, the password in itself is private and VERY SENSITIVE data.
In a perfect world it would be some "unhackable" randomly generated string of at least 24 characters, but we're living in a world where 123456 is still the most used password.
HuntrCkr wrote: 2) impersonate their user for debugging purposes?
Depends what the system does.
In our case, the application had data on where users went, when they went and how they went.
It kept train tickets, parking tickets, locations, times, everything.
Now that's pretty sensitive information and the entire team had access to it because of some impersonation feature.
But let's assume it's all business data and not linked to any one person... Right now.
What if that data is added in the future?
HuntrCkr wrote: a case where the problem ONLY came up for that one single user and couldn't be duplicated in any other way
Been there, done that.
Schedule a call with the user, add boatloads of logging, get only that part what you need from the production database (preferably from a "privileged" individual who has rights to that database).
I've never actually needed impersonation to solve a problem.
HuntrCkr wrote: a case where somebody maliciously used their ability to impersonate a user to get said user into trouble
And that invalidates all reasons why you should have an impersonation button or make passwords recoverable.
Sander Rossel wrote: Yes always, there's a very good chance that user uses this password everywhere.
If you know their password you could probably login to their Facebook, Google, Instagram and bank accounts.
If someone hacks your database and the passwords are not sufficiently secured (and personally I think anything less than a strong hash is not sufficient), those hackers can now login to those accounts too.
And if those hackers post everything online, everyone can login to those accounts.
It doesn't matter what data a password secures, the password in itself is private and VERY SENSITIVE data.
In a perfect world it would be some "unhackable" randomly generated string of at least 24 characters, but we're living in a world where 123456 is still the most used password.
It's actually far worse than that... the users don't even get to choose their own passwords. They are assigned by IT (not a policy I approve of or had any hand in), so the chances of that password being reused elsewhere are very slim, unless this might be the first password they ever use and they then decide to use it everywhere. But honestly, what are the chances.
Edit: Forgot to add that surprisingly enough, these passwords are quite strong passwords with no pattern on how they are created... not 24 char random strings, but at least decent enough to keep most at bay I would say. For example, Ap@rtmentDataC0nnect10n was one memorable one I saw (relax... no longer in use).
Sander Rossel wrote: Schedule a call with the user, add boatloads of logging, get only that part what you need from the production database (preferably from a "privileged" individual who has rights to that database).
Did that before too when working with a client where impersonation was not possible. Sometimes the effort and time involved in getting multiple cycles of changes deployed to a production environment just to debug a problem is not realistic or in the client's best interests.
BTW, when I say impersonation, I am by no means advocating something like a button allowing ordinary or even support staff to impersonate someone. I mean impersonation by somebody that in any case has full access to the entire production database(s) and code base. Typically the most senior 2 or 3 devs/architects/whatever on the team would be my exception here, and as you say, only when the system does not store sensitive personal information.
Sander Rossel wrote: And that invalidates all reasons why you should have an impersonation button or make passwords recoverable
Agreed... Passwords should never be stored readable, and impersonating someone should never be as simple as a button. I'm just saying that impersonation as a method for solving a serious problem should be a last resort, but not an absolute hard limit.
modified 14-Jun-21 6:30am.
By default I'd make impersonate read-only. If impersonate and save/update needs to be done, I'd make some explicit logging of every save made during impersonation mode.
As a button I think it's a bad idea, but I do have in my code (an include file) a mechanism for me to impersonate any user. I don't see the same things as individual users - and the privilege scheme often means only a few users are affected by a problem. It's the way I avoid telling a user "it's fixed" because I did what I needed to do only to find out it wasn't fixed in their view.
Note that this only affects our internal (non-public-facing) website/applications. Not their email or anything like that. With myself, and so many others, working remote and the company personnel in more than one location, this is really pretty essential a feature. Available only to those with admin access to server files and only if they know where to look.
Considering I could modify data in the tables, anyway, there's no particular reason for anyone to get upset (if they knew).
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
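The two preceding posts converge on the same shape for a debugging impersonation feature: restricted to a handful of people who already have full data access, read-only by default, writes only by explicit choice, and every action during impersonation logged with both identities. The block below is an added example of that design, written for this thread; it is not code from any poster's application. The admin set, the record store and the session API are assumptions made for the example.

```python
import datetime
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the application's user store and
# database; a real app would read these from its auth system and DB.
ADMINS = {"sander"}  # assumed: the few senior people allowed to impersonate
RECORDS = {"alice": {"expenses": ["train ticket 12.50"]}}


class ImpersonationError(PermissionError):
    """Raised when an impersonation is not allowed or tries a forbidden write."""


@dataclass
class Session:
    user: str                              # who actually authenticated
    acting_as: Optional[str] = None        # whose view of the app is shown
    writes_allowed: bool = False           # impersonation is read-only by default
    audit_log: list = field(default_factory=list)

    @property
    def effective_user(self) -> str:
        """Identity the application code uses for authorization and data scoping."""
        return self.acting_as or self.user

    def impersonate(self, target: str, *, allow_writes: bool = False, reason: str = "") -> None:
        """Start viewing the application as `target`; only admins may do this,
        and write-enabled impersonation must carry a recorded reason (ticket id)."""
        if self.user not in ADMINS:
            raise ImpersonationError(f"{self.user} is not allowed to impersonate")
        if allow_writes and not reason:
            raise ImpersonationError("write-enabled impersonation needs a recorded reason")
        self.acting_as = target
        self.writes_allowed = allow_writes
        self._audit("impersonate-start", reason=reason, writes=allow_writes)

    def stop_impersonating(self) -> None:
        self._audit("impersonate-stop")
        self.acting_as = None
        self.writes_allowed = False

    def read(self, key: str):
        """Reads always go through the effective user, so the admin sees exactly
        what the affected user sees (including their privilege-filtered view)."""
        return RECORDS.get(self.effective_user, {}).get(key)

    def save(self, key: str, value) -> None:
        """Writes are refused in read-only impersonation and audited otherwise."""
        if self.acting_as is not None:
            if not self.writes_allowed:
                raise ImpersonationError("impersonation session is read-only")
            self._audit("save", key=key)
        RECORDS.setdefault(self.effective_user, {})[key] = value

    def _audit(self, event: str, **details) -> None:
        # Both identities are recorded: who pressed the button and who they acted as.
        self.audit_log.append({
            "at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "actor": self.user,
            "target": self.acting_as,
            "event": event,
            **details,
        })


if __name__ == "__main__":
    s = Session("sander")
    s.impersonate("alice")
    print("alice sees:", s.read("expenses"))
    try:
        s.save("expenses", [])
    except ImpersonationError as exc:
        print("blocked:", exc)
    s.stop_impersonating()
    for entry in s.audit_log:
        print(entry)
```

Because `effective_user` is the only identity the data layer consults, the admin reproduces the user's exact privilege-filtered view without ever touching the user's password, and the audit trail is what turns "somebody maliciously impersonated a user" from an undetectable event into an attributable one.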
That reads like a story from TheDailyWTF
Did I post on the wrong forum again?
It certainly is a good story to read while relaxing in a lounge chair to lounge music B)
I'm not gonna hint at the sector, but I know of a vendor that sells pretty darn critical software packages, and they get secured by a physical hardware key.
Under the hood, it uses decentralized DB shards that connect to a central authentication DB, and only when the entire network is properly meshed, does the hardware key authenticate.
And if you don't have enough money for a key, or a certified authentication server, you can just access the DB manually and turn off the security.
Yeah. Great design guys. 10/10
Psychic Type - Pocket Monsters[^]
Be me, 1999, watch some Pokémon before going to school.
Bring your Gameboy with the Pokémon Red game and dominate the schoolyard because you have the best Pokémon
Be me, 2021, the original Pokémon series is being added to Netflix!
Haven't really cared for Pokémon in the past 20 years, but it's still a great franchise, so what started as watching an episode for fun ended in watching the entire series and playing Pokémon Yellow on a Gameboy emulator
And then of course I had to listen to this track!
I have no idea who Psychic Type is, except that he probably loves Pokémon, has a preference for psychic Pokémon (because they are obviously the best) and knows how to create some great trap remixes.
So for you Pokémon and trap lovers out there, sound of the week!
And his other tracks are awesome too
I wasn't expecting to go on a nostalgic trip so early this morning...
I didn't do much with Pokemon beyond the gameboy games, but I do have some fond memories of staying up late with my brother and playing through them. We both had copies of Crystal and Ruby, so those got most of the attention. I like Crystal enough to have, within the last year, purchased the 3DS emulated version and invested a few hours into it.
I'm currently watching the Indigo League series, but Misty doesn't have her Togepi yet, and Team Rocket doesn't have their Wobbufet...
Apparently, that's the Johto League, but somehow I can't really remember any other Pokémon except the original 150 and Togepi and Wobbufet (and some odd ones I saw when I zapped channels when I was already a few years older).
Honestly, it got a little confusing after the first series and 150 Pokémon.
Or, as the Greek tragedy goes...
When Oedipus reached Thebes, he encountered a Sphinx. "If you want to pass this point alive, you must answer my riddle: What goes on four legs in the morning, on two legs at noon, and on three legs in the evening?", the Sphinx asked. Oedipus pondered for a moment. "Probably one of those new Pokémon", he finally replied. "There's like 600 of them, I'd be surprised if one of them DOESN'T change its number of legs whilst evolving". "Fair enough, man", spoke the Sphinx. "I can't reasonably expect you to remember all their names. You may pass."
I was too old to engage with Pokemon, but music has always been in my life.
Now that we have YouTube, old music seems to have found a new place to be remembered.
This is an off-the-wall YouTube channel that I stumbled upon; the guy has a novel idea, but that said, it really boils down to a time killer with music.
How one of the songs on this video was written provides a rabbit hole worth your time. Who would have thought "867-5309/Jenny" would be a hit?
21-02 King of the Desert 2.1 (Video 19-17 Remixed) - YouTube[^]
And yes, I have driven this highway. The ONLY way to survive it is with music.
Choroid wrote: 867-5309/Jenny
The what now?
Choroid wrote: 21-02 King of the Desert 2.1 (Video 19-17 Remixed)
Who knew watching a guy drive while listening to some classic rock could be so enchanting!
Fun fact, that road is about three quarters of the length of the whole Netherlands
What is it they say?
The difference between Europe and the USA is that a two hour drive is long in Europe and short in the USA, while a building that's 100 years old is young in Europe and ancient in the USA.
Can't remember exactly, but something like that.
Today's paid-for ads in Chrome include the "7 Day Bigger Butt Challenge" from betterme.com, but, the number-two slot is not, as usual, filled by a bra ad from Wacoal, or, an ad from a Chinese manufacturer of industrial pulverizing machines, or, an ad for a new model Porsche Carrera 911 S that in Thailand would cost over US$ 370K.
Don't they know that I'm an old man who rides a bicycle, that i don't wear a bra, that the only pulverizing i do is with garlic, that i don't drive ?
AI ?
«One day it will have to be officially admitted that what we have christened reality is an even greater illusion than the world of dreams.» Salvador Dali