Comment On Secure This

steve:

kicd.

.gnorw ti gniod era uoY

LnNyZWtjYWggZm8gZXN1YWNlYiBzZW1pdCBsYXJldmVzIG5vaW5pcG8gc2lodCBl
Z25haGMgb3QgZGVjcm9mIG5lZWIgZXZhaCBJIHR1YiAsc3BwYSBiZXcgeW0gbmkg
dG5hdHJvcG1pIHNhdyB5dGlydWNlcyBrbmlodCB0J25kaWQgSQ==

eXRpcnVjZVMgZWxwbWlT:

LnNyZWtjYWggZm8gZXN1YWNlYiBzZW1pdCBsYXJldmVzIG5vaW5pcG8gc2lodCBl
Z25haGMgb3QgZGVjcm9mIG5lZWIgZXZhaCBJIHR1YiAsc3BwYSBiZXcgeW0gbmkg
dG5hdHJvcG1pIHNhdyB5dGlydWNlcyBrbmlodCB0J25kaWQgSQ==

LnR1byB0aSBlcnVnaWYgcmV2ZW4gbGwneWVodCAsbm9pdHB5cmNuZSA0NmVzYWIgc2lodCBodGl3ICx5cnJvdyB0J25vZA==

DELETE FROM sdrawkcaB;

Several years ago my boss wanted email me the results of my yearly review (including how much my pay went up etc) as I was working on a project overseas.

I was not happy with my boss at the time so I reminded him that email was not a secure medium - solely to see what sort of hoops he would jump through in order to satisfy my "desire" for security (not that I really cared if anyone intercepted the email and saw how much I earned).

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

stuckshut:

eXRpcnVjZVMgZWxwbWlT:

LnNyZWtjYWggZm8gZXN1YWNlYiBzZW1pdCBsYXJldmVzIG5vaW5pcG8gc2lodCBl
Z25haGMgb3QgZGVjcm9mIG5lZWIgZXZhaCBJIHR1YiAsc3BwYSBiZXcgeW0gbmkg
dG5hdHJvcG1pIHNhdyB5dGlydWNlcyBrbmlodCB0J25kaWQgSQ==

LnR1byB0aSBlcnVnaWYgcmV2ZW4gbGwneWVodCAsbm9pdHB5cmNuZSA0NmVzYWIgc2lodCBodGl3ICx5cnJvdyB0J25vZA==

==gUbt5iLuAyVoFGdgkmZgkEIyVmdlJ3clBCdoVGIl52YylHc0VGZgMHdylmbnBCdv92P

Forum feature requests:
1) check box above the submit button: "Invert this whole comment"
2) check box above the submit button: "Base64 encode this whole comment"

OzPeter:

Several years ago my boss wanted email me the results of my yearly review (including how much my pay went up etc) as I was working on a project overseas.

I was not happy with my boss at the time so I reminded him that email was not a secure medium - solely to see what sort of hoops he would jump through in order to satisfy my "desire" for security (not that I really cared if anyone intercepted the email and saw how much I earned).

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

"Illusion of security" indeed. The zip password protection is a joke. Programs to get past it are easily available on the net. Just like programs to "find your lost AIM password."

The best part was the ==gUbt5iLuAyVoFGdgkmZgkEIyVmdlJ. That gets me every time...Pure genius!

Now where did I put my ==0ylHc0VGZgjkkeEFSskpqdgkeFGnZZldkenG?


captcha: bathe (sorry - not today!)

Wow, it reads like a how-to guide on things to avoid when developing a web app.

poochner:

OzPeter:

Several years ago my boss wanted email me the results of my yearly review (including how much my pay went up etc) as I was working on a project overseas.

I was not happy with my boss at the time so I reminded him that email was not a secure medium - solely to see what sort of hoops he would jump through in order to satisfy my "desire" for security (not that I really cared if anyone intercepted the email and saw how much I earned).

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

"Illusion of security" indeed. The zip password protection is a joke. Programs to get past it are easily available on the net. Just like programs to "find your lost AIM password."

Zip password maybe, but try cracking rar with a sufficiently long password... Good luck with that.

I've implemented pig latin in all of my tables and let me just tell you its ool-cay!

¡ʎʇıɹnɔǝs ɐɹʇxǝ ɹoɟ ǝpoɔıun ǝsn

You reminded him that it is not secure and he should do what exactly about this? Encrypt strong and send you the key secure via .... hmm?

You did not mention a way to him to share a secret key with you so why should he "jump through any hoops"? In his stead I'd have replied "so why don't you have a PGP key linked somewhere"?

In the meantime, developers have learned to deal with the "obfuscated" database naming convention: SELECT emaNtsriF, emaNtsaL, sserddA, ytiC, etatS, rebmuNenohP ... FROM sremotsuC.

Unforunately, "etats" is a word in French ("states").

OzPeter:

Several years ago my boss wanted email me the results of my yearly review (including how much my pay went up etc) as I was working on a project overseas.

I was not happy with my boss at the time so I reminded him that email was not a secure medium - solely to see what sort of hoops he would jump through in order to satisfy my "desire" for security (not that I really cared if anyone intercepted the email and saw how much I earned).

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

Sounds like your boss at the time handled it properly then. That probably took your boss a whole 2 minutes of thought. Why waste the time on something so inane?

Leo:

You reminded him that it is not secure and he should do what exactly about this? Encrypt strong and send you the key secure via .... hmm?

You did not mention a way to him to share a secret key with you so why should he "jump through any hoops"? In his stead I'd have replied "so why don't you have a PGP key linked somewhere"?

My boss was an idiot and I didn't particularly like him. My whole spiel about email not being secure was delibrately geared to make him dance around for my pleasure. Telling him how to solve the problem would have spoiled that ;-)

And if I thought he could have figured out the issues for himself, I also would not have tried to make him dance.

eXRpcnVjZVMgZWxwbWlT:

stuckshut:

eXRpcnVjZVMgZWxwbWlT:

LnNyZWtjYWggZm8gZXN1YWNlYiBzZW1pdCBsYXJldmVzIG5vaW5pcG8gc2lodCBl
Z25haGMgb3QgZGVjcm9mIG5lZWIgZXZhaCBJIHR1YiAsc3BwYSBiZXcgeW0gbmkg
dG5hdHJvcG1pIHNhdyB5dGlydWNlcyBrbmlodCB0J25kaWQgSQ==

LnR1byB0aSBlcnVnaWYgcmV2ZW4gbGwneWVodCAsbm9pdHB5cmNuZSA0NmVzYWIgc2lodCBodGl3ICx5cnJvdyB0J25vZA==

==gUbt5iLuAyVoFGdgkmZgkEIyVmdlJ3clBCdoVGIl52YylHc0VGZgMHdylmbnBCdv92P

KmJuuHhUiGGTi !?

"No words of any known language shall be used for database table or column names"

This makes it obvious what is going on. For true obfuscation, you need to use real words, but not referring to the contents of the column.

whicker:

Sounds like your boss at the time handled it properly then. That probably took your boss a whole 2 minutes of thought. Why waste the time on something so inane?

Well he wasted time thinking up a flawed solution but believed that he had done good. That was the "security" issue that I was pointing out.

But getting him to bend to my will by actually doing something (no matter how inane) was my actual goal.

You reminded him that it is not secure and he should do what exactly about this? Encrypt strong and send you the key secure via .... hmm?

He could have faxed it...

Gabest:

¡ʎʇıɹnɔǝs ɐɹʇxǝ ɹoɟ ǝpoɔıun ǝsn

You forgot the extra security step - you should have said wqHKjsqHxLHJuW7JlMedcyDJkMm5yod4x50gyblvyZ8gx51wb8mUxLF1biDHnXNu

"EREHW drowssaP ='' RO '' = ''."; PORD ELBAT sremotsuC;

OzPeter:

whicker:

Sounds like your boss at the time handled it properly then. That probably took your boss a whole 2 minutes of thought. Why waste the time on something so inane?

Well he wasted time thinking up a flawed solution but believed that he had done good. That was the "security" issue that I was pointing out.

But getting him to bend to my will by actually doing something (no matter how inane) was my actual goal.

I'd say you really _need_ to get laid, but the tone of your post indicates you have not yet reached the age of consent anywhere in this world.

Alistair Wall:

"No words of any known language shall be used for database table or column names"

This makes it obvious what is going on. For true obfuscation, you need to use real words, but not referring to the contents of the column.

And obfuscating column names only makes it slightly less convenient for a dedicated hacker; could a column filled with "someone@somewhere.com" be anything but e-mail addresses?

Bwahaha! That column is called OrderDate! Foiled your insidious plans.

Alistair Wall:

"No words of any known language shall be used for database table or column names"

This makes it obvious what is going on. For true obfuscation, you need to use real words, but not referring to the contents of the column.

Better still is to modify the database engine so that column names are not always tied to the same column contents.

Nate is a very generous guy.

Faced with a technical team so utterly cluelesss, and so stubbornly determined to follow their own idiotic ideas ahead of mine, I'd have acted a little differently.

I'd have made sure that all the pointless expensive crap was phase 1, the sensible simple fixes were phase 2, and that the client's senior management knew exactly who had recommended each.

That way you get paid for both phases and come out shining, and the client sacks the morons and has a slim chance of getting some useful people who you might enjoy working with in future.

[quote user="NotanEnglishMajor
I'd say you really _need_ to get laid, but the tone of your post indicates you have not yet reached the age of consent anywhere in this world.[/quote]

This world you speak of intrigues me .. especially the part that doesn't include idiotic, self serving, vindictive bosses who don't understand the value of keeping employees happy when they are on long term (multiple year) contracts bringing $130/hr into the company for zero effort on the companies part. (and that rate was 10 years ago, and was $US and not $AUD)

Or would I only enter your world via your parents basement door?

umop apisdn

You have no chance to survive make your time.

Josh:

You reminded him that it is not secure and he should do what exactly about this? Encrypt strong and send you the key secure via .... hmm?

He could have faxed it...

Now that's silly. Fax is extremely insecure!
That's why, when sending 'sensitive' information by way of a Fax, I always FOLD THE PAPER FIRST.

I'm dissapointed there wasnt a "!tsrif" post...

Bejesus:

Nate is a very generous guy.

Faced with a technical team so utterly cluelesss, and so stubbornly determined to follow their own idiotic ideas ahead of mine, I'd have acted a little differently.

I'd have made sure that all the pointless expensive crap was phase 1, the sensible simple fixes were phase 2, and that the client's senior management knew exactly who had recommended each.

That way you get paid for both phases and come out shining, and the client sacks the morons and has a slim chance of getting some useful people who you might enjoy working with in future.

So....what do you tell them when they ask why you wasted all that time and money when you knew what the fix was? And honestly, if their hiring process is so broken that they end up with a full team of idiots, what should lead us to believe that there will be any short-term change? Slim chance, indeed.

OzPeter:

Several years ago my boss wanted email me the results of my yearly review (including how much my pay went up etc) as I was working on a project overseas.

I was not happy with my boss at the time so I reminded him that email was not a secure medium - solely to see what sort of hoops he would jump through in order to satisfy my "desire" for security (not that I really cared if anyone intercepted the email and saw how much I earned).

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

My company has an online training program for new hires that's all about data security (it's a bank). They actually suggested that you do this. "Send the encrypted file in one email, then follow that up with another email stating the password". I guess they either thought it was feasible that a hacker might only be able to snoop one email at a time. Or maybe they just thought the hacker would notice that the first one was encrypted and give up before seeing the password in the second one.

NotanEnglishMajor:

I'd say you really _need_ to get laid, but the tone of your post indicates you have not yet reached the age of consent anywhere in this world.

I'd say that _you_ really need to get laid, but the tone of your post indicates that you're so old and bitter you probably can't even get it up any more.

eXRpcnVjZVMgZWxwbWlT:

==gUbt5iLuAyVoFGdgkmZgkEIyVmdlJ3clBCdoVGIl52YylHc0VGZgMHdylmbnBCdv92P

LOL!
(Though, of course, I did not bother reversing it.)

Question: Did you have to pad your text so you ended up with '==' at the end?

[quote user="OzPeter"][quote user="NotanEnglishMajor
I'd say you really _need_ to get laid, but the tone of your post indicates you have not yet reached the age of consent anywhere in this world.[/quote]

This world you speak of intrigues me .. especially the part that doesn't include idiotic, self serving, vindictive bosses who don't understand the value of keeping employees happy when they are on long term (multiple year) contracts bringing $130/hr into the company for zero effort on the companies part. (and that rate was 10 years ago, and was $US and not $AUD)

Or would I only enter your world via your parents basement door?[/quote]

I have lots of great memories of my parent's basement. Sadly it has been a long time since I was last there. :-)

Seriously though "...getting him to bend to my will..."? Isn't that terribly petty and infantile? In so doing haven't you dragged yourself down to your idiotic, selfserving, vindictive boss' level? You have sold your self respect for a brief moment's gratification and have become your own WTF. The dollar amounts you quote justify nothing.

-Notan

Strider:

I'm dissapointed there wasnt a "!tsrif" post...

I think you mean "!tsirf". Or "tsif".

My aussie friend Chris would say: "That's not they way to do it, DORK!"

I can't believe that "web developers" blame infrastructure problems for what results from their rubbish work, but what's even worse is imposing senseless security restrictions on consultants when they explain to you why these restrictions are totally worthless.

Dan:

And obfuscating column names only makes it slightly less convenient for a dedicated hacker; could a column filled with "someone@somewhere.com" be anything but e-mail addresses?

Bwahaha! That column is called OrderDate! Foiled your insidious plans.

I see, so you wanted to order a date with someone@somewhere.com. Is that legal?

eXRpcnVjZVMgZWxwbWlT:

stuckshut:

eXRpcnVjZVMgZWxwbWlT:

LnNyZWtjYWggZm8gZXN1YWNlYiBzZW1pdCBsYXJldmVzIG5vaW5pcG8gc2lodCBl
Z25haGMgb3QgZGVjcm9mIG5lZWIgZXZhaCBJIHR1YiAsc3BwYSBiZXcgeW0gbmkg
dG5hdHJvcG1pIHNhdyB5dGlydWNlcyBrbmlodCB0J25kaWQgSQ==

LnR1byB0aSBlcnVnaWYgcmV2ZW4gbGwneWVodCAsbm9pdHB5cmNuZSA0NmVzYWIgc2lodCBodGl3ICx5cnJvdyB0J25vZA==

==gUbt5iLuAyVoFGdgkmZgkEIyVmdlJ3clBCdoVGIl52YylHc0VGZgMHdylmbnBCdv92P

gUncgAnbhByY2NmcgY3ZgcWdlJGa0VHIlJXag4WYxByZ1JXYg8mbmJnN04CIgcUdyByJ90zJg42Z
gcWZ2NWey1SZidWMzAiZ4ZXe5ZWIKYkY6JHImdGajZXcgkldhh2agEmclFHIqZXe5BSZy5We21mc
yBybyRndhFmdhRHIuVmcg4GIxJnbxBCd2lmcupmbs5CIgEkYgIUYyBCUuFGIvJnbnBiesBSMzMzN
KcWd

$ echo '
gUncgAnbhByY2NmcgY3ZgcWdlJGa0VHIlJXag4WYxByZ1JXYg8mbmJnN04CIgcUdyByJ90zJg42Z
gcWZ2NWey1SZidWMzAiZ4ZXe5ZWIKYkY6JHImdGajZXcgkldhh2agEmclFHIqZXe5BSZy5We21mc
yBybyRndhFmdhRHIuVmcg4GIxJnbxBCd2lmcupmbs5CIgEkYgIUYyBCUuFGIvJnbnBiesBSMzMzN
KcWd
' | rev | base64 -di | rev | tr N-ZA-Mn-za-m A-Za-z

Triple? I only did it once... You know that if you do it twice you get the same thing as if you don't do anything, right?

Captcha: kungfu

[quote user="NotanEnglishMajor]
I have lots of great memories of my parent's basement. Sadly it has been a long time since I was last there. :-)

Seriously though "...getting him to bend to my will..."? Isn't that terribly petty and infantile? In so doing haven't you dragged yourself down to your idiotic, selfserving, vindictive boss' level? You have sold your self respect for a brief moment's gratification and have become your own WTF. The dollar amounts you quote justify nothing.

-Notan[/quote]

yes I admit it .. it was petty and infantile and everything else - but I enjoyed it with relish. This came a after significant period of mistreatment (albeit well paid) in which my boss was not responding to my requests and I was getting pretty pissed off with him so it was not something I'd do everyday (or most days). And as I don't proclaim to be the Dalai Lama I think a bit of gratuitous bad behaviour on my part was not unreasonable.

As for the $$ amounts, in a way I think it is relevant. The amount of revenue I brought in (in the order of $3/4 mil over the duration - and I am not in sales. This was actual work) was directly proportional to the hardships I was under in terms of generating that revenue. The situation I was in magnified the bad behaviour of my boss and brought me to the point of not caring much sooner than if I had been in a less stressful situation. The end result being that I eventually had to quit in order to get out of that situation which left my boss high and dry with no one else who could replace me. Thus when the next set of contracts came around he couldn't easily tap into that same revenue stream.

So no, the $$ doesn't justify being petty, but does highlight the short sightedness of my boss.

As an example of his behaviour, in the middle of all of this he came to the country I was in, and changed planes at the airport of the city I was in. And never told me. At the time I was living 10 minutes from the airport and would have welcomed the opportunity to talk with him face to face.

My company has an online training program for new hires that's all about data security (it's a bank). They actually suggested that you do this. "Send the encrypted file in one email, then follow that up with another email stating the password". I guess they either thought it was feasible that a hacker might only be able to snoop one email at a time. Or maybe they just thought the hacker would notice that the first one was encrypted and give up before seeing the password in the second one.

I work for a bank, and they do that here too.

Captcha: gotcha

This post is so bad-ass... I reversed the text, then reversed it AGAIN, then encoded it base-64, then DEcoded it. I also translated it into pig-latin, and then back into English.

I bet no one can even read this ;P

stupid Linux nerd:

$ echo '
gUncgAnbhByY2NmcgY3ZgcWdlJGa0VHIlJXag4WYxByZ1JXYg8mbmJnN04CIgcUdyByJ90zJg42Z
gcWZ2NWey1SZidWMzAiZ4ZXe5ZWIKYkY6JHImdGajZXcgkldhh2agEmclFHIqZXe5BSZy5We21mc
yBybyRndhFmdhRHIuVmcg4GIxJnbxBCd2lmcupmbs5CIgEkYgIUYyBCUuFGIvJnbnBiesBSMzMzN
KcWd
' | rev | base64 -di | rev | tr N-ZA-Mn-za-m A-Za-z

Triple? I only did it once... You know that if you do it twice you get the same thing as if you don't do anything, right?

No kidding. If you only do it twice, you might as well not do it at all. You'd have to do it like at least twelve times to see any measurable increase in security.

Jon B:

This post is so bad-ass... I reversed the text, then reversed it AGAIN, then encoded it base-64, then DEcoded it. I also translated it into pig-latin, and then back into English.

I bet no one can even read this ;P

You, sir, can now claim the honor of largest e-penis in this thread.

gg all... ::rolleyes::

OzPeter:

This resulted in him sending 2 emails. The first with the review results attached in a zipped file with password protection. The second email stated that the password was the name of the company spelt backwords.

So much for a secure system - anyone who was intercepting my email surely knew by now what company I worked for.

Or knew how to download the freeware brute force zip password hack programs.

"Or maybe they just thought the hacker would notice that the first one was encrypted and give up before seeing the password in the second one."

Well, the solution is obvious then!

Send the password FIRST!

Anyone snooping your E-mail won't know what it's for and will let the data slip away before seeing the encrypted file!


Yes... it is supposed to be a joke.

begin 644 -
M0F%S938T/R`@4D]4+3$S/R`@4F5V97)S86QS/R`@5VAY)W,@979E<GEO;F4@
M9V]I;F<@=&\@<W5C:"!G<F5A="!L96YG=&AS('=H96X@=&AE>2!C;W5L9"!S
M:6UP;'D@=7-E(&%N(&]B<V-U<F4@=&5C:&YI<75E(&QI:V4@555%;F-O9&EN
#9S\*
`
end