Rainer Rehak, Stefan Ullrich
Leo was already looking forward to her year of voluntary service, especially since it would allow her to put her tech know-how to use—as it should. But when the HR manager takes Leo on a tour of the facilities, Leo does something of a double-take: the offices of the IT department at the charitable organization “Auxil.io” are situated on the building’s top floor—plenty of natural light, surprisingly little cable clutter. At the last door before the conference room, there’s a jovial middle-aged man standing there with outstretched hand: “I’m Mr. Barner, pleased to meet you.” “I’m Leo,” the freshly-minted intern responds, “the pleasure is mine.” He shows her to her workstation—a set of drawers containing paper, pen and glue, a thin client placed beside a TFT monitor on the desk. Leo asks the IT manager, Mr. Barner, “Can I hook up my laptop as well?” “Of course, we also have Wi-Fi.” “I’d prefer an RJ45 port,” Leo replies. “Unfortunately, we don’t have anything like that.” Leo looks down at the thin clients and the IP telephones. “I’ll take one of these, too,” she says, pointing to an open port. “Oh, you mean Internet, of course, we should still have Ethernet cables around here somewhere.”
In the coming days and weeks, the stark reality of what she initially thought was some kind of bizarre joke revealed itself: IT manager Mr. Barner did not know enough about technology—he was more of a power user than a systems administrator. Most of the tech issues that arose were trivial in nature anyway—for the most part, a quick internet search did the trick. But Leo’s stomach turned when Mr. Barner demonstrated the remote maintenance software “S-Tel” that he’d programmed himself. It was written in a scripting language that might have sufficed for personal homepages, but was hardly suited to the needs of an organization as large as “Auxil.io.” Already during the brief introduction she took note of a serious security flaw: there was no password prompt when the “S-Tel” page was accessed from the company’s facilities. “Yeah,” Mr. Barner explained, “I enabled all the IP addresses on site to speed things up when an error occurs. Besides, that way, users can perform simple fixes themselves.”
The remote maintenance software could be accessed externally over an encrypted HTTPS connection. Requests to S-Tel were usually sent through a browser form via POST. The software allowed users to set various filters and to refine search queries. Certain filters and search queries could be bookmarked in the URL, so they didn’t have to be entered manually each time they were needed. Leo found that highly suspect, so she tried manually entering a few common variables into the URL, and voilà!—she was able to take complete control of the system (except for the media database) using GET parameters. It took only one more step to reach the S-Tel address via plain HTTP—that is, without encryption—and from there she likewise had complete control of the system.
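As an added illustration, not code from the story or from S-Tel itself, here is the flaw in miniature: a request dispatcher that trusts on-site addresses and only checks the login on the POST form path, next to one that authorizes every state-changing action the same way regardless of method, source address or transport. The action names, the session field and the on-site address range are assumptions.

```python
# Added illustration (not S-Tel's actual code): the two flaws from the story
# side by side with a hardened dispatcher. Values below are constructed.
from dataclasses import dataclass, field
from typing import Optional

ONSITE_NETWORK = "10.0.0."                                  # assumed on-site range
ADMIN_ACTIONS = {"restart_service", "delete_user", "export_db"}  # assumed actions


@dataclass
class Request:
    method: str                 # "GET" or "POST"
    scheme: str                 # "http" or "https"
    client_ip: str
    params: dict = field(default_factory=dict)   # form fields or query string
    session_user: Optional[str] = None           # None = not logged in


def vulnerable_dispatch(req: Request) -> str:
    """S-Tel-style logic: no login on site, and the login check sits only on
    the POST form path, so the same action via a bookmarkable GET URL (or over
    plain HTTP) slips straight through."""
    if req.client_ip.startswith(ONSITE_NETWORK):
        return f"executed {req.params.get('action', 'view')}"
    if req.method == "POST" and req.session_user is None:
        return "denied: login required"
    return f"executed {req.params.get('action', 'view')}"


def hardened_dispatch(req: Request) -> str:
    """Authorize on what the request does, not on where or how it arrived."""
    if req.scheme != "https":
        return "denied: TLS required"           # no plaintext control channel
    action = req.params.get("action", "view")
    if action in ADMIN_ACTIONS:
        if req.session_user is None:
            return "denied: login required"     # applies to on-site clients too
        if req.method != "POST":
            # Bookmarked URLs may carry filters and searches, never commands.
            return "denied: state change must be POST"
    return f"executed {action}"
```

Bookmarking filters in the URL is harmless by itself; the defect is letting the same parameter channel trigger administrative actions without the authentication the form path enforces.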
Not until the weekend did she try accessing the system from home. Yep, even though there was a password prompt, she was able to access the entire database directly using a simple admin script. Leo decided to tell Mr. Barner what she had found. Unfortunately, though, he was out on vacation for the next two weeks, as she learned from the automated reply to her email, and Leo didn’t want to wait that long. On Monday, she went straight to the business manager, Ralph, who was making himself Rooibos tea in the kitchenette. He interrupted her after only a few words: “It can’t really be that urgent. It can wait until Urs gets back.” Urs? She guessed he was referring to Mr. Barner.
As luck would have it, it was only a few days before an incident occurred: the server kept crashing, logins didn’t work and the server’s fans were running at top speed. Unfortunately, Leo didn’t know the root password, but remembered that Mr. Barner had jotted it down on a yellow Post-it note. As soon as she sensed that no one was watching, she reached into the drawer, found the note, and logged on to the server. The hard drive was filled to the last byte! “Oh boy,” she thought, “the /var directory doesn’t have its own partition, and Urs probably hasn’t even heard of logrotate, either.” The logs showed several attacks on the server; the corresponding log files had grown to several gigabytes and so ended up filling the disk.
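The two omissions Leo names, no separate /var partition and no log rotation, are what turned a flood of attack traffic into a full disk. As an added example, not a file from the story, here is the kind of logrotate rule that bounds how much space a web server’s logs can take; the file name and log path are assumptions to be replaced with the actual server’s.

```conf
# Added example (assumed file: /etc/logrotate.d/webserver), not from the story.
# Rotates on size rather than only on a daily schedule, keeps a bounded number
# of compressed copies, and so caps the space a log flood can consume under /var.
/var/log/webserver/*.log {
    # rotate as soon as a file passes 100 MB, whenever logrotate runs
    size 100M
    # keep at most ten old copies; older ones are deleted
    rotate 10
    compress
    # leave the newest rotated file uncompressed so a running writer finishes cleanly
    delaycompress
    missingok
    notifempty
    # truncate in place so the daemon's open file handle stays valid
    copytruncate
}
```

logrotate only acts when its cron job or timer fires, so a separate /var partition (or a filesystem quota) is still what keeps a runaway log from taking the whole system down between runs.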
She deleted the oldest log files, shut down the web server and the SSH daemon and went to Ralph. He was already on his way to her and snapped: “What did you do to the system? Nothing works anymore!” Leo defended herself, saying that she’d rather shut down the system than keep a potentially compromised server online. “That’s not your call to make! We’re calling Urs right now.” There wasn’t much Mr. Barner could do from a distance—he was an entire continent away, and dead tired to boot.
Leo had yet to actually use the file server, and hadn’t yet synchronized the calendar to her cell phone, so she had no idea that the S-Tel server was also the company’s cloud. The server for thin clients wasn’t affected, so at least the employees could still read and write emails. In Leo’s eyes, the incident was just a minor annoyance, but Ralph forced her to restart the server. Which she did, albeit reluctantly.
When Mr. Barner returned from vacation, she was invited to a three-way meeting. Ralph and Mr. Barner sat beside one another at a table, Leo on a chair in the middle of the conference room. What had been billed as a “meeting” felt to her more like a tribunal. It sure was odd that these technical problems started happening as soon as she showed up. When she defended herself and called Mr. Barner’s competence into question, she was charged with being “ungrateful” and “backbiting.” The HR manager decided to preliminarily restrict Leo’s access to critical systems. Then she was laid off.
That first night, she was on the verge of tears, but the next night she decided to prove just how incompetent “ol’ Urs” was. Of course she would wait until she’d landed a new position. But then, she would hack into the system and fill up his cloud directory with cat pictures or enter all manner of embarrassing appointments into his publicly accessible calendar. But within a few short weeks, she’d forgotten all about that. Her new office was great, with super friendly colleagues—all surprisingly young and technologically well-versed. Out of sheer curiosity, she clicked on the old familiar Auxil.io URL only to find that the same vulnerabilities were still in place. She shot off an email to Mr. Barner and Ralph, “No offense, but you know that any hater could come along and simply paralyze your entire system, right?” She didn’t think anything of it. Until one day she received an invitation from the police department: she’d been reported for sending a threatening email, and she needed to clear things up.
Questions:
- What do you think about the ethics of Leo obtaining the access data without permission?
- Shouldn’t Mr. Barner have appointed someone to take over his position while he was on vacation?
- Is it OK for Leo to simply shut down the server because she believes it’s the right thing to do?
- Shouldn’t she have insisted on better data protection after the first breach?
- Auxil.io is a non-profit organization where everyone works for little or no salary. Mr. Barner had already gone above and beyond what was expected of him in his job description. Isn’t it understandable that he was trying to make less work for himself?
- Ralph is active in the peace movement, still living in a “little commune”—as he calls his shared flat—and he judges his employees’ skill level more with his gut. What ethical and moral obligation does he have in this matter?
- Is there any moral obligation for employees to have some knowledge of the technical systems they use? Shouldn’t they have already noticed that S-Tel wasn’t secure?
Published in Informatik-Spektrum 40(1), 2017, pp. 114-116.
–Translated from German by Lillian M. Banks