Our website once had its config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”
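An added audit script, not part of the rant or its author's code, that looks for the two exposure patterns in the story above: a readable `.txt` config sitting beside each `.cgi` executable, and the hard-coded `config.txt` at the web root. It assumes a simple key=value config format; the key names, admin account list and sample files are constructed for the demo.

```python
import os
import re
import tempfile

# Assumed key names for credentials in a key=value config file.
CRED_KEY_RE = re.compile(r"^\s*(pass(word)?|pwd)\s*[=:]\s*(\S+)", re.I)
USER_KEY_RE = re.compile(r"^\s*(user(name)?|uid|login)\s*[=:]\s*(\S+)", re.I)
# Logins that should never appear in an application's connection config.
ADMIN_ACCOUNTS = {"sa", "administrator", "root"}
# The hard-coded, centrally located config file named in the rant.
HARDCODED_CONFIG = "config.txt"


def find_exposed_config(webroot):
    """Flag config files the web server can serve: a .txt sibling of any
    .cgi executable, plus config.txt at the web root. For each, record
    whether it holds a plaintext password and whether the login is an
    admin account (by name only; real DB privileges need a DB-side check)."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        names = set(files)
        candidates = {os.path.splitext(f)[0] + ".txt" for f in files
                      if f.lower().endswith(".cgi")
                      and os.path.splitext(f)[0] + ".txt" in names}
        if dirpath == webroot and HARDCODED_CONFIG in names:
            candidates.add(HARDCODED_CONFIG)
        for cfg in sorted(candidates):
            path = os.path.join(dirpath, cfg)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            users = [m.group(3).lower() for m in map(USER_KEY_RE.match, lines) if m]
            findings.append({
                "path": os.path.relpath(path, webroot),
                "plaintext_password": any(CRED_KEY_RE.match(l) for l in lines),
                "admin_login": any(u in ADMIN_ACCOUNTS for u in users),
            })
    return findings


def demo():
    """Audit a constructed web root laid out like the one in the rant."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cgi"))
    open(os.path.join(root, "cgi", "browse.cgi"), "w").close()
    with open(os.path.join(root, "cgi", "browse.txt"), "w") as fh:
        fh.write("server=db01\nuser=sa\npassword=hunter2\n")  # constructed
    with open(os.path.join(root, "config.txt"), "w") as fh:
        fh.write("uid=webapp_admin\npwd=letmein\n")  # constructed
    return find_exposed_config(root)
```

Note that the second file in the demo is exactly the "fix" the web team shipped: no SA login, but still a plaintext password in a file the web server can hand out, which is why the check reports both files.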
Pm: OK what you've got here?
Me: a bug, haven't tested yet
Pm: *grabs a phone* follow me we will do it
Me: mkay
Pm: *attaches it, goes to the DOM inspector, starts clicking random divs* OK where the fuck the canvas is?
Me: uhmm there in this tree
Pm: *inspects the canvas element for a few sec* what do you think?
Me: ... ... Well the bug was that it wouldn't resize properly after you change to landscape
Pm: *rotates the phone back and forth looking at the canvas properties*
Pm: gotcha, see? Width and height
Me: yes, those are the default html prope...
Pm: now see, there's another width and height. That's the malfunction right there. I'm telling you.
Me: no, this is css. It overrides the html properties there
Pm: well, say what, it doesn't
Me: no it does, that's how html works for decades already
Pm: but why does that not work properly then? Mm? *stares at me wide open*
Me: well I need to do some testing before I can sa...
Pm: then what do you think we are doing now?
Me: we jus...
Pm: *gets a phone call, stands up and walks away*
Fantasizing about stabbing SharePoint in the throat, I'm being forced to contact Microsoft tech support, so I need to obtain our software assurance account info.
Our company's rep sends me our SA account numbers (assuming that was all I needed) and the link to create an incident.
Step through Microsoft support ticket 'wizard' which ends with requiring a login with a Microsoft account.
Me: "What login account should I be using?"
Rep: "You shouldn't need one. Just use the SA account number and access ID I sent you."
Me: "There is no entry for those values. I step through a support 'wizard' and the final page redirects me to the Microsoft login page."
Rep: "Use your work email address."
Me: "I can, but I shouldn't have to use my personal outlook email address. Can I just send you the issue and you submit the ticket? After the ticket is created, all the correspondence will be through email anyway."
<30 min. later>
Rep: "I just linked your work email address to your company's account. You should be able to login now."
Me: "Same error. I think you're messing with me."
<30 min. later>
Rep: "Select the option to create an account with your own email."
Me: "Now I know you're messing with me. Already tried that and received the error 'You cant sign up here with a work or school email address'."
Rep: "Weird...I guess Microsoft changed their policy."
Me: "So now what?"
<1 hour later>
Rep: "You might have to send me your SharePoint issue and I'll get a ticket created. After the ticket is created, I'll change the contact email address to you."
WHY DIDN'T YOU DO THAT TWO HOURS AGO!
Whew! Thanks devRant...that's better. I put the knife down and now only want to punch SharePoint in the face.
It's been a good month where honestly I had nothing to rant about. Pretty much doing my own project setting up ELK.
But last few days I had to return to the reality called teammates....
It was OK... I mentored one of them, then did the code review yesterday
And that's when the shit hit the fan.
I told them to do X but then they did Y instead thinking that they were smart.
In hindsight they seem to have no idea wtf they were doing, inexperienced and couldn't even use console.log and JSON.stringify to debug object states...
Which of course reminded me what's wrong with this team: you've got people jumping around stacks and projects, so they're all mediocre on all of them. Rather than having specific people being good at one of them (aka more experienced than a noob).
And of course this morning, the manager asked me to look into something on a program I haven't supported in a while (there are a few people who are more experienced and know the current state better). And he said this is quick and urgent... And actually when he said that I was like uh.... I don't think so....
And the last thing is we had to rerun a report in production, so we needed the shipper ten to do it. Asked them to look yesterday; users were waiting.
Today... Still not done. And well, I actually can run the report myself locally... takes 5 mins, but in production they need to reload the data, which should take at most 20 mins... Either way... Nothing was done.
Oh, and I just remembered I raised a request to the IT SA group to have some not script installed... That's not done either.
And this is why relying on others, or at least these people, is a bad idea..... Unless you are capable of firing them...