
Security Anecdotes

There are some days (usually when I work from home) when I pause to reflect on some of the pearls of wisdom I have gathered over the years. Here is a sampling of some of my favourites. Enjoy.

  • “Of course it’s secure, we have a firewall.” (comment made by a Fortune 500 VP)
  • “We have two factor authentication, a) username b) password”
  • “We don’t need to harden internal servers, we have a firewall”
  • “UDP is far more reliable than TCP” (a former CTO imparted that one)
  • “No one can hack the application because it uses SSL”
  • “Disable ‘view source’ in the browser to secure the application”
  • “Just disable the users telnet client” (comment made in relation to an internet facing ecommerce app)
  • “Just fdisk the hard drive to wipe the data” (made prior to disposal)
  • “I have a complicated SSID that people will not be able to guess” (indeed)
  • “That’s not the way the application is supposed to work, so users will not see that behaviour.”
  • “Cross Site Scripting? Just disable javascript.” (Sigh)
  • “You can see that data because you are using a proxy. If you go directly to the web app it is secure.”
  • “The storage tapes do not have to be encrypted because no one will have a device to read these tapes.”
  • “We use base64 encryption.”
  • “Oracle 8 is totally secure. There is no reason to upgrade.”
  • “Yes, I know what a cross over cable looks like”
  • “It’s 100% secure.”

Got any gems that you would like to share? I’d be willing to build out this list as a permanent fixture on the site.

  • myrcurial said,

    August 22, 2007 @ 2:25 pm

    And the cross-over cable guy STILL can’t tell the difference.

    Steve Dispensa said,

    August 22, 2007 @ 10:36 pm

    “We have two factor authentication, a) username b) password”

    Amazingly enough, I recently had lunch with a senior security official at a bank, who told me that the term “two-factor authentication” is defined very broadly from the perspective of FFIEC compliance - it can simply be two different passwords, or a password plus the fact that you’ve connected from that IP address before, or other similarly vague things.

    The accepted security-industry definition of two-factor is much stricter than this federal standard.

    Benny K said,

    August 23, 2007 @ 1:45 am

    Some of my own:

    * Why do we need to secure this? We are not a bank. (from the CTO of a manufacturing company)
    * We need to get this fixed. We’ll worry about security tomorrow (yeah right)
    * We have no security policy
    * Why can’t we allow ipsec from the vendor into this blackbox in the corporate LAN? (aka preventing the huge hole in the firewall)

    And if you need more IT humor, just hit the BOFH archives.

    PortSwigger said,

    August 23, 2007 @ 10:16 am

    A vendor’s response to notification of a format string bug:

    “I don’t understand. You should be typing your password. Where are all those %n’s coming from?”

    taylor said,

    August 24, 2007 @ 8:48 am

    Upon notifying a security hardware vendor that their device reboots when running an snmpwalk against it, I was told “you shouldn’t do that - we don’t support snmpwalk”.

    Dave Lewis said,

    August 28, 2007 @ 9:27 pm

    @Steve, Benny, Portswigger, Taylor and Myrcurial

    Thanks everyone for your comments! I loved the snmpwalk and %n lines. Brilliant!

    Abuse Desk said,

    November 2, 2007 @ 5:52 pm

    Here’s a few you might find amusing. From actual conversations with IT site admins on business class service.

    “If that’s so vulnerable, why hasn’t it been attacked yet?” — customer questioning advice to firewall a server better

    “But I thought Firefox was a firewall!!” — customer being advised on need to firewall their LAN.

    “I’m not sure why you are calling this abuse, it’s not like he’s doing it on purpose.” — customer objecting to being held accountable for their malware infestation

    “You guys call here, you little pissant trying to tell me about my computers” — some self-described network administrator complaining of being notified his LAN was overrun by spambots and malware.

    “I have a Law Degree from Harvard…. I don’t need you to tell me how to troubleshoot.” — customer complaining when given troubleshooting advice

    “I checked the machine and it was not connecting anywhere on port 25. It was only connecting on port 80 to find hosts to compromise so I have no indication that it sent any spam.” — customer baffled as to how his LAN could be outbounding malware spams.

    “Loyalty tests have been given to all computers on the network, and all failing members have been purged. The streets run red with blood.” — amusing customer who audited his LAN successfully.

    “We have a pix box so am I correct in assuming that acts as a firewall?” — alert customer

    Dave Lewis said,

    November 2, 2007 @ 8:00 pm

    @Abuse Desk

    OMFG That was hysterical!

    Thanks!

    CJ said,

    December 21, 2007 @ 10:19 am

    My all-time favorite archive of lame excuses to not secure something:

    http://www.crypto.com/bingo/pr

    Dave Lewis said,

    December 21, 2007 @ 10:52 am

    @CJ

    Love it! Too funny, thanks for that.