Are IT Admins Snoops?

U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.

I’ll be honest, and I’m sure no one will believe me: I have not snooped on anyone in my organization on purpose, though I have come across privileged information by accident. I do believe the 33% who said they snooped did not look at anything overly sensitive. I would hope 1/3 of IT staff are not that dishonest.

What would you do if one of your superiors asked to keep logs / screenshots of everything you did, so as to be sure you didn’t abuse your power?

How many IT admins have access to their superior’s confidential files and emails?

How many IT admins would hold their company to ransom for a raise? Threaten to quit? How many have hindered their company’s network when they quit or were fired?

A few reasons I’m an O.K. System Administrator (or IT Director as my ‘card’ says)

1. I listen to my users. I listen to what they are saying and how they say it. I understand their frustration and try to empathize with their problems. I try to place myself in their situation and thus have a better idea of the urgency of their issue.

2. I speak in terms they can understand. If there is no way to ‘dumb it down’, I tell them an anecdote or story with a similar structure, causes or outcome that relates to their issue. For example, telling them that this particular issue happened last year to so-and-so, and explaining how everything turned out OK (or not).

3. I make daily backups on tape, twice-daily hard drive images of all servers, hourly backups of databases, remote FTP backups, etc. I have a chart listing each type of failure and the recommended action should I be inaccessible or recently deceased. NOTE: This is a serious issue. What happens if you are the only system administrator and you die in a car accident on the way to work? It is unlikely you can be replaced so soon, and even if you are, a new sysadmin may not learn the entire structure of your systems before a catastrophe happens. I had a system fail on me on the FIRST day of work at a new job. I was being introduced to people in the office when it happened; I hadn’t even taken my coat off. Luckily the previous administrator had a somewhat planned system in place, so I didn’t appear inept.

4. I ask others what they want. Someone needs a new keyboard? I ask what they want! Whether they want a Dvorak or a QWERTY keyboard, or one of those angled ergonomic ones, who cares; they are all the same price. It pays off to have the user happy.

5. I try my best not to make people feel dumb.

6. I continue my education.

7. I bite my lip when people are frustrated and take it out on me (see previous post). I realize computers are a big part of most businesses, and if they do not work properly or at all, users get very frustrated. Sometimes they cannot help becoming irritated. I tolerate a certain level of dissent, but I’m not a pushover either. A support role or service role requires a higher than average tolerance for confrontation.

8. I don’t use TLAs in the presence of non-techies. (TLA = Three-Letter Acronym)

9. I try to standardize my equipment for ease of replacement.

10. I give users the option of being taught how to fix an issue, or just having me fix it. Some people like to learn.

11. I am firm about policy when I need to be.

12. I hold all users to the same standard, regardless of their place in the company. Watch out for this: you may get fired. But my reasoning is that if I let certain people get away with certain things, it may cause irreparable damage to the entire system. If I let management get away with downloading torrents of something, and they open a file and it wipes their hard drive, it’s my butt on the line. Sometimes a good scare will get these free-willing people in line.

13. I love my career.

Rules when dealing with the Corporate Nerd (IT/Sys Admin)

Being a system administrator / electrical engineer / nerd, I get a number of people asking me computer and electronics related questions.
Sometimes I don’t know the answer (gasp!). The person who asked the question is completely surprised, disappointed, and even resorts to responses such as “I thought you were smart” or “Aren’t you the computer guy?” or my favourite “Didn’t you learn anything in University?”

My response is always a smile and a laugh, but far too often I have found myself biting my lip instead of saying what’s really on my mind.
So I’ve compiled a list of things to do and not to do when bugging your corporate nerd.

  1. Keep it to the point. IT guys/girls don’t want a story (unless it’s funny), they want the facts, what was done and why, what happened, the sequence of events and outcomes. If the IT guy/girl wants to know something, he or she will ask.
  2. IT guys/girls usually have a system of completing complaints and open issues. Some use bug tracking software, others use post-its, some use their brain to remember. They often have a system to prioritize issues as well. It can be an A/B/C or Critical/Non-Critical system. They are not ignoring you and will get to your problem eventually when the time is right. If you feel the issue is pressing, email him/her and explain why you think it is important and ask for an answer as to why/when it will be fixed.
  3. Going over his/her head to his/her boss is a no-no. I had this happen once. A person was irritated that I was not getting to her problem fast enough. I explained why I wasn’t, and she then told my boss that I wasn’t fixing her life-threatening situation. My boss talked with me and asked why I had not fixed her problem. I laid everything out and explained her problem and the other problems I had to deal with in the same timeframe. I explained the cost-related impacts of all the problems, the user impact, the customer impact, etc.; in the end the boss agreed with me. I’m fairly easy-going and forgiving, so I don’t hold a grudge, but some administrators do and will be less likely to fix your problem in a timely fashion.
  4. Work after work. While some IT guys/girls live and breathe computers, others do not. Don’t pressure yours into doing work for you after work, or call with personal/home issues. I made the mistake of giving someone my cell phone number. They broadcast it across the company and I routinely get phone calls from employees asking computer questions in the evening. I don’t mind helping some people some time, but in a large company you can be on the phone all night with people just wanting a quick answer. IT guys/girls – get an unlisted phone number!
  5. Don’t disguise home issues as work issues. We are not as dumb as you may think. When you try to mask a home computer issue as a work one it won’t work. I don’t care if you can’t upload photos to Facebook or your home computer has pop-ups on it. I will help people with a small issue, but if they keep coming to me with issues I will have to charge them a nominal fee, because they are simply taking advantage of my knowledge and time.
  6. Your IT guy/girl is not socially awkward. I make the odd joke, I’ll laugh when something is funny, but I rarely get into a conversation for more than 10 minutes a day that is not work related. I’m not socially awkward; I am simply a product of my boring engineering education. I make jokes about calculus and I think of optimizing almost everything I see. I get my work done.
  7. Unless you really know what you are doing, don’t try to fix things yourself. Just because you ran an antivirus program at home doesn’t mean you can screw with corporate computers. Yes, they are the same; yes, you may be able to do something; but the responsibility lies with the IT department, and it is ultimately they who are responsible for any mishaps. Sometimes patches, software updates, etc., aren’t deployed in a corporate environment for a reason, so don’t be proud that you downloaded every patch for your system. You’ll only find out later that one of the patches breaks an internal function of the network or software.

MySQL has a sense of Humor (old)

I was browsing around the MySQL bug section posting some bugs and looking for old ones that have been solved. I came across bug #2: Does not make Toast

I guess it’s funny in that nerdy way. So this begs the question: When will computers control toasters and other kitchen appliances? There are fridges with computers built into them, fridges with control systems, and computers put into fridges but no ovens or oven-fridge combinations that choose a recipe, mix it up and cook it based on a computer’s recommendation. I say, bring on the computer cook! Or the hydrating oven from Back to the Future Part II w/ the mini-pizzas.

Alternatives to CAPTCHA

Coding Horror had an interesting piece on how CAPTCHA is broken. We all knew this.

Granted, CAPTCHA is very hard to break from a computer’s point of view, but it is also very hard to break from a human’s point of view. (see the image below, can you decipher it?) The more difficult CAPTCHA becomes for computers, the more difficult it becomes for humans. There are numerous times where I will not buy from a website because of the horrible CAPTCHA implementation.

[Image: captcha.gif, a CAPTCHA that is hard even for a human to read]

Alternatives? How about questions! There are certain tasks that computers still do worse than humans. Anything that a human can understand or interpret better than a computer will be a better safeguard.

On one of my websites I use random questions to perform verification. The problem with CAPTCHA is that the hacker knows he has to type into the box whatever is in the image. If you add a human-only element, where the user has to understand and/or interpret a question, it becomes far harder to break. If you’re Ticketmaster, running the English site in the US, you could ask a question such as “We live in the _____ States of America” or something similar. As long as users can spell “United” they can move on. What if, you say, the user cannot spell it? Well, chances are that if they cannot spell it or don’t know the answer, they won’t get the impossible CAPTCHA image either.

Obviously hackers will compromise that single question, because they’ll get the answer and program it into their scripts. But if you have a database of questions large enough (say 5000 questions), with one drawn at random each time the page loads, the likelihood of a script answering correctly is slim, and the likelihood of it knowing all the answers to all the questions is slimmer still. Offering different ways of answering, such as blanks, checkboxes, radio buttons, etc., makes it more difficult again. If the question is “type cat with an ‘s’ after the ‘t’ into the box below”, it will fool any script UNTIL the hacker finds a pattern in the question or in the answer. A website’s CAPTCHA implementation is static: it is based on one algorithm for image or text manipulation, and once that is broken, attackers can defeat the safeguard quickly and easily. Make the questions random and the database of questions large enough and you won’t have as big a problem.

When we had the standard vBulletin CAPTCHA installed we got hundreds of spam users/posts a day; once I implemented a few hundred random questions I haven’t had a single spam user (other than a REAL person) in almost 6 months.
There are, and will be, some flaws: the questions themselves may be too difficult for people to answer. But considering the sad state of CAPTCHA as it is, when 50% of people can’t get the damn thing right, the questions aren’t such a bad idea.
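As an added illustration (not the author’s vBulletin setup or any vBulletin code), here is a small Python model of the question-based check described above: a pool of fixed questions plus generated “type cat with an ‘s’ after the ‘t’” questions, a random pick per page load, and a server-side record so each issued question can be answered once and then expires. The sample questions, word list and all names are constructed for this example; the single-use and expiry handling is a defensive addition beyond what the post describes.

```python
import hmac
import random
import secrets
import time

# Constructed sample pool: fixed questions of the kind described above.
STATIC_POOL = [
    ("We live in the _____ States of America", "united"),
    ("What colour is the sky on a clear day?", "blue"),
]
WORDS = ["cat", "dog", "cup", "pen"]  # no repeated letters, so "after the 'a'" is unambiguous

def normalize(answer):
    """Trim, lowercase and collapse whitespace so small typing differences still pass."""
    return " ".join(answer.strip().lower().split())

def make_word_question(rng):
    """'Type cat with an s after the t' style question; the answer is derived, so
    the effective pool is far larger than the stored list."""
    word = rng.choice(WORDS)
    letter = rng.choice("sxz")
    pos = rng.randrange(len(word))
    answer = word[: pos + 1] + letter + word[pos + 1:]
    prompt = f"Type '{word}' with an '{letter}' after the '{word[pos]}' into the box below"
    return prompt, answer

class QuestionChallenge:
    """Server-side record of issued questions: random, single-use, expiring."""
    def __init__(self, ttl_seconds=600, rng=None):
        self.ttl = ttl_seconds
        self.rng = rng or random.SystemRandom()
        self._pending = {}  # challenge id -> (normalized answer, expiry time)

    def issue(self, now=None):
        now = time.time() if now is None else now
        if self.rng.random() < 0.5:
            prompt, answer = self.rng.choice(STATIC_POOL)
        else:
            prompt, answer = make_word_question(self.rng)
        cid = secrets.token_urlsafe(16)  # unguessable id tied to this page load
        self._pending[cid] = (normalize(answer), now + self.ttl)
        return cid, prompt

    def verify(self, cid, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)  # pop first: one attempt per id
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(normalize(submitted).encode(), expected.encode())
```

The id returned by `issue()` goes into a hidden form field alongside the prompt, and `verify()` is called with that id and the typed answer when the form is posted.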

Another idea is “Hot Captcha”, a website that shows photos of women. As the user, you are supposed to choose the 3 ‘hottest’ women based on a popular-culture criterion. The split is very obvious to a human, like comparing a monkey to Angelina Jolie, but not so obvious to a computer. This particular method would never actually work, due to the nature of the images being analyzed, but the principle is there: show simple objects and have the user identify them (square, circle, tree, kitten, etc.).

Stop vBullet*n and Wordpress Spam?

This is not completely server related, so forgive me as I deviate.

When I posted a certain tip on using vBullet*n and Photopo*t, I didn’t realize what sort of avalanche of comments I would get. I get a few spam comments for each post, but I have received over 1000 spam comments based solely on those two keywords. Why? Bots scour the internet searching for “Powered by vBullet*n” and other related terms, then attack the forms on the pages of that site, trying to send comment spam to forums, etc. Posting those keywords in my earlier tips opened the door to countless spam comments.

So, a tip for those running vBullet*n, Photopo*t or WordPress with those keywords in posts: try not to use those words on your site! If you do have the forum software mentioned above, pay for the de-branding option; it’ll save your forum a bunch of spam attacks and even bandwidth.