I have posted about this before. I’m pretty sure I win.
I’m not going to name names. I worked for a company; three of their clients include the United States Air Force, the United States Army, and the United States Navy. They also have a few thousand other clients, private sector, public, and otherwise. Other nation states’ services as well.
I worked for this company quite recently, which should make what I’m about to tell you all the more alarming. I worked for them in 2021.
Their databases were ProgressABL. I linked it because if you’re younger than me, there’s a slim chance in hell you’ve ever heard of it. I hadn’t. And I’m nearing 40.
Their front end was a bunch of copy/pasted JavaScript, horribly obfuscated with no documentation and no comments. Doing way more than is required.
They forced clients to run Windows 7, an old version of IE, all clients linked together, to us, in the most hilariously insecure 1990s-ass way imaginable, through Tomcat instances running on IIS on all their clients’ machines.
They used a wildcard SSL for all of their clients to transact all information.
That SSL was stored on our local FTP server. We had ports forwarded to the internet at large.
The password for that FTP server was 100% on lists. It was rotated, but all of them were simple as fuck.
I mean, “Spring2021”. Literally. And behind that? The key to deobfuscate all traffic for all of our clients!!
The worst part was that we offered clients websites, and that’s what I worked on. I had to email people to have them move photos to specific directories to get them to stop failing to load, because I didn’t have clearance to the servers where we stored our clients’ photos.
We had legit secure servers. We used them for photos. We left the keys to the fucking city in the prize room of a maze a 12 year old could solve.
Holy shit.
Yikes man, so much to unpack here.
> They used a wildcard SSL for all of their clients to transact all information.
glances at my home server setup nervously
Lol you can totally do it in a home server application. It’s even okay if I’m an e-commerce store to use wildcard for example.com and shop.example.com. Not a best practice, but not idiotic.
Not idiotic unless you also have a hq.example.com that forwards a port into your internal network…
…where ftp://hq.example.com takes you to an insecure password shield, and behind it is the SSL certificate, just chillin for anyone to snag and use as a key to deobfuscate all that SSL traffic, going across your network, your shop, your whole domain.
oh… oh no
Well now I feel better thanks hahaha
Coffee shop open WiFi on the same network as the main retail central point of sale system server for several stores.
I’m like 99% sure that goes against PCI compliance, they could get slapped pretty hard with some fines or lose the ability to take cards at all.
https://www.forbes.com/advisor/business/what-is-pci-compliance/
My partner worked for a local council. They reset your password every 90 days which prevented you from logging in via the VPN remotely. To fix it you’d call IT and they’ll demand you tell them your current password and new password so they can change it themselves on your behalf.
Even worse, requesting a work iphone meant filling out an IT support ticket. So that IT could set up your phone for you, the ticket demanded your work domain username and password, along with your personal apple account username and password.
My current job.
Many SQL servers use scripts that run as domain administrator. With the password hard coded in.
Several of the various servers are very old. W2K, 2003, 2008. SQL server, too.
Several of the users run reports via RDP to the SQL server - logging in as domain admin.
Codebase is a mashup of various dev tools: .net, asp, Java, etc.
Fax server software vendor has been out of business for a decade. Server hardware is 20 years old. Telecom for fax is a channelized PRI carrying POTS - and multiport modem cards.
About a 3rd of the ethernet runs in the office have failed.
Office PCs are static IP. Boss says that’s more secure.
We process money to/from the Fed.
The last line was the least surprising after hearing all that.
Ah the sweet security that is a static IP lol
Source control relying on 2 folders: dev/test and production. Git was prohibited due to the possibility of seeing the history of who did what. Which made sense in a twisted way since a previous boss used to single out people who made mistakes and harass them.
When you lift up the red flag and there are more red flags underneath.
Just share a git user, come on. Have everyone check in under the same name “development” or whatever, but no version control whatsoever?
Is it too soon to say, “letting Crowdstrike push updates to all your Windows workstations and servers”?
Wells Fargo. I worked for them for a few years and I have never banked with them after witnessing the travesty of inefficiency and incompetence, literally in my face.
Contrasted with Bank of America. Clean efficient operations with an eye towards doing the best thing. I’ve been a customer of BofA for a couple decades now.
Nice try, ad!
Can you rephrase your outrage in the form of a question?
“Gadzooks! Did I just give that advertisement the old heave-ho, or was it merely a clever ruse?”
BofA deez nuts lmao gottem
Do they have secure two-factor yet or is it still SMS?
Using Filezilla FTP client for production releases in 2024 hit me hard
I must have missed that one, what’s going on with Filezilla?
It had a major security problem in like 2010. Later everyone moved to git and CI/CD so nobody knows what happened after that.
Freight shipping company still running on a custom AS400 application for dispatch. Time is stored as a 4-digit number, which means the nightside dispatchers have their own mini Y2K bug to deal with every midnight.
On one hand, hooray for computer-enforced fucking-off every night. On the other hand, the only people who could fix an entry stuck in the system because of this were on dayside.
Apparently, this actually isn’t uncommon in the industry, which I think is probably the worst part to me.
I had a boss at an animation company (so not exactly a hub of IT experts, but still) who I witnessed do the following:
- Boot up the computer on her desk, which was a Mac
- Once it had booted, she then launched Windows inside a VM inside the Mac
- Once booted into that, she then loaded Outlook inside the Windows VM and that was how she checked her email.
As far as I could ascertain, at some point she’d had a Windows PC with Outlook that was all set up how she liked it. The whole office then at some point switched over to Macs for whatever reason and some lunatic had come up with this as a solution so she wouldn’t have to learn a new email thing.
When I tried to gently enquire as to why she didn’t just install Outlook for Mac I was told I was being unhelpful so I just left it alone lol. But I still think about it sometimes.
I’m not certain that it’s still the case but several years ago Outlook for Mac was incapable of handling certain aspects of calendars in public folders shared groups and there was some difficulty with delegation send as.
At the time the best answer I had was for the Mac users to use Outlook as much as possible and then log into webmail when they needed to send us. It’s been a few years so I can’t help but think it’s been fixed by now. Or at the very least equally broken on PC.
I was hired to implement a CRM for an insurance company to replace their current system.
Of course no documentation or functional requirements were provided, so part of the task was to reverse engineer the current CRM.
After a couple of hours trying to find some type of backend code on the server, I discovered the bizarre truth: every bit of business logic was implemented in Stored Procedures and Triggers on a MSSQL database. There was no frontend code either on the server; users have some ActiveX controls installed locally that accessed the DB.
> every bit of business logic was implemented in Stored Procedures and Triggers on a MSSQL database.
Provided the SP’s are managed in a CVS and pushed to the DB via migrations (similar to Entity Framework), this is simply laborious to the devs. Provided the business rules are simple to express in SQL, this can actually be more performant than doing it in code (although it rarely ever is that simple).
> There was no frontend code either on the server; users have some ActiveX controls installed locally that accessed the DB.
This is the actual WTF for me.
There was no version control at all. The company that provided the software was really shady, and the implementation was so bad that the (only) developer was there full time fixing the code and data directly in production when the users had any issue (which was several times a day).
A behavioral health company with 25 iPads deployed to field employees as patient data collection devices all signed into the same iCloud account instead of using MDM or anything.
They all had the same screen lock PINs and though most of the data was stored in a cloud based service protected by a login, that app’s password was saved by default.
I was a backend developer for a startup company where:
- Windows servers without any firewall and security hardening.
- Docker swarm without WSL. We had to use 4 GB Windows base images for 50MB web apps.
- MSSQL without any replication and backups.
- Redis installed on Windows via 3rd-party tool that looked like a 2010 era keygen generator.
- A malware exploited the Redis *what a surprise* and kept killing processes to mine crypto on CPU…
- VPS provider forgot to activate new Windows Server on production and it kept restarting every 30 minutes until I checked the logs and notified them about the missing license.
I left there after 6 months.
The blind determination to use a desktop OS to do a server’s job.
This was 5 years ago at a usd200mil multinational…
The email system was POP3. There were no document backups. There were no collaboration tools. There was no IT security. You could basically copy company data out and no one would ever find out. The MS Office license was bought singly. Ahem!