From: Ben@lspace.org (Ben)
Subject: The PFY cracks down
Date: Thu, 11 Mar 1999 22:15:22 GMT

As I close my eyes there's a ringing in my ears. I open my eyes blearily, it's the phone.

"I thought you fixed that." says the boss, reclined, feet on the table, inches from the handset.

"I did. You left the office unlocked last night and the BBTFH came in and did something to it so I can't disable it again."

The boss, arms folded, taps his fingers on his opposite arm and then reaches down to press something on his keyboard. The phone stops abruptly.

"What did you do?" I ask, but he's already asleep again.

Time passes.

Later I get up to stretch my legs and leave the office. A mistake, I feel, in hindsight. As the door to the safe haven closes behind me I can see the boss grinning at me through the door and hear the unmistakable *snick* of the lock. I'm trapped, with nowhere to go except out into the lusers' domain.

Putting on a brave face and hefting the large screwdriver I always carry during work hours I enter the nearest storage room and remove the kettle lead from one of the freezers. All I need now is a network cable and I'll be safe. No one asks you for help if you're moving purposefully with two of the three articles I'm collecting. Given enough time I should be able to wait out the boss and get back into the room.

Just as I'm in the process of disconnecting the networked door security computer from the wall someone clears their throat behind me.

...

I have two options; I can turn and say I'm very busy, can they see me later, or, I can say "What?". For some reason I choose to go with the second option.

"What?"

It's the receptionists, en masse. It looks like they drew lots to come and find me, disagreed with the result and pushed one of their kind along the hall until they found me.

"We have a new camera in reception for taking pictures for the new ID cards and we were wondering if you could show us how to use it?"

"No."

"Oh."

...

I straighten and walk off.
Behind me I can practically hear the neurons firing. There's a muffled and hurried conversation but I've turned the corner. The only thing I can imagine is that they're planning a second assault.

"We wouldn't bother you, only it's a digital camera. And you said after we broke the computer last time to tell you if we ever wanted to use anything bigger than the desk calculator."

O.K. I admit it, they've piqued my interest and I break one of the golden rules of BOFHism[1] and let my expression change.

Allowing myself to follow them to Reception I find a Kodak DC220. Not what you'd expect for use in an institution for taking photo ID pictures, but I notice it has an interface for connection to a Windows box. Not my platform of preference, but it gives me something to work with.

After scribbling down some unintelligible instructions and telling them to go off and read them over and over again until they understand them I have a look at the camera. It's a standard point and gawp type of affair. After quickly working out the quality settings I get one of them to take my picture on high quality then set the thing to low, lossy, he-could-be-anyone mode.

Not having me actually acknowledge their existence so much ever before they're effusive in their thanks and don't notice me swap their fax and phone lines over as I bend to tie my laces.

I try to see if the boss has opened the door to let me back in yet. Arriving back I find the door is, yes, open but the place is deserted. I take a look at his machine. It's locked tight; the keyboard cover is padlocked on and he's fitted his keyboard plug with what looks like a grounding wire which trails off inside the trunking on the wall. No joy there then.

My machine is obviously hung (guess who?). Across the screen are printed the words "Gone home. Back... oooh, maybe tomorrow." Luckily I've set it to dump the essential system stuff to the server when anyone but me uses it, so I do a quick rebuild and contact Pete.
Pete's doing a project on network monitoring and configuration and was hoping to come in and see how we do it here. The boss was against it on the grounds that no-one but him, and occasionally me, should know what we do and how we do it.

I ring Pete up and tell him he can come in, but that if he reveals anything of what he sees I know where he lives. I also know his IP address, his MAC address, his router's address, the contents of the directory marked /images/ and the main vulnerabilities of his operating system.

Suitably chastened Pete arrives later and I give him a tour of the facilities. He's a little puzzled by the piece of UTP (with an RJ-45 at one end and a mains plug on the other) in the perspex box marked 'Last Day', which is over the door, but I don't enlighten him.

After showing him round the various bits of kit in the room, during which time he makes copious notes on a pad which he doesn't put down, we wander over to the machine room. I show him the router and the main switches, at which he nods appreciatively and makes the right noises. We move onto the servers and I point out carelessly that the SDS isn't officially recognised to exist by the administration. That's 126Gb of storage no-one but me and the boss know about. He scribbles. If even a small amount of this gets out, things could get sticky for the boss, and that means live wires in the covering of my chair.

We exit the machine room. I decide to take him to see the lusers. Entering the lift I press for level four. The lift voice screams something in Arabic, which I am reliably informed by the person who blew the PROM, translates as 'Prepare to die, you son of a pig!' and up we go.

To the words 'Die in the hell of boiling oil!', rendered into Mandarin the doors open on level 4. I doubt anyone will call the engineers until someone figures out what the phrases actually are. Anyway, any calls to the engineers are routed to a sex line now and I've drilled the locks on the maintenance panel.
Pete follows me out and into one of the labs. I carefully keep my eyes on the far wall as I walk towards some of the networking equipment in the locked cabinet at the far end. Pete, on the other hand, makes the mistake of looking at what the lusers are doing on the lab tables. One look at the biological remains on display and he's dropped his eyes, his notebook and his lunch, all over some samples marked "Biohazard" in big red letters.

There's an outcry in the lab and two uberlusers rush up with a mop, bucket and a bottle of some kind of disinfectant/bleach. In gloves and surgical masks they sweep the entire contents of the table into a bag and dash out of the room.

After I lead him out of the room, under the spotlight glares of the lab leader and get him cleaned up in the toilet he asks where his notebook is.

"I'm afraid it's contaminated some biological specimens which had to be destroyed. If you look out of this window you can probably see it happening."

I point out of the toilet window down to the ground where the two bemasked lusers are stuffing the bag into a small opening at the bottom of a large chimney.

"Argh! My notes!"

...

He wipes his mouth. "You bastard." he says quietly, and off we go. We drop back down in the lift to the words 'You are the spawn of Satan' in ancient Greek and I bid a pale and much quieter Pete goodbye. He's got the makings of a fine sysadmin.

It's Friday the next day. Known within the office as the Day of Rest. No sign of the boss by midday so I assume he's decided to have a long weekend.

Idly I decide to explore the router's featureset for anything new since the upgrade we did. IOS 12 is officially only available as a factory install on Cisco routers, but having your own supplier with an inside angle is always useful. It looks like the features I suggested have been included, including more additions to the 'ip accounting' commandset. For something to do I set it running and go to lunch.
When I come back I export the stats to a spreadsheet and sort by bytes transferred. We have a winner! Luser X has, over the course of three hours managed to get over five hundred meg from what looks like a news server which, if I'm not mistaken, goes through the transatlantic link.

That pisses me off. Not only do we have a perfectly good news server that carried all the groups that you should need to have access to, but our building is getting charged for the bits he's sucking down. I do a quick search on his IP number and find out which port he's in. Not only is he in the wrong one from the one I allocated him, but he's still going.

Before I can go up and have it out with him the next router up from ours throws a fit and decides that packets travel best in circles. In the ensuing few hours while I try to fix what the sysadmin in charge of that router has done I don't have time to think much about Luser B. Damned.

Come the end of the day, and well past the time people stay on a Friday, I wander up in the lift ('A plague of maggots on your house!', Icelandic) and wander into his lab. Coming up behind him I can see lots of open windows on his box and an email in progress. I cough, just to see his reaction. The lights are mostly off and there's no-one in the big lab but him. He jumps up, looking guilty as hell.

"Hi there. I'm just here to swap your connection back to the other one. As you can see ports come in pairs and you appear to have plugged the printer and your computer in the wrong way around."

He's clearly off balance and says "O.K." Before I can get anywhere near the screen he says "I'll just turn off the machine for you..." and powers down the machine at the wall.

...

Oooookay. A big flashing neon sign saying "K3w1 w4r3z d00d h3r3!!!!111!!!" would have been less obtrusive than power cycling a Windows box without shutting it down. But there you go. I thank him, do the quick swap and wander out of the lab.
Before I go home I reset the accounting stats and lock the door.

Come Monday afternoon (still no sign of the boss, but I have an email from the_boss@ski.resort.ch with some trademark signs of the boss' handiwork, so I reason he won't be back for a few days) I have a quick trawl for the IP traffic over the weekend and find two main perpetrators. My pal in the lab all on his own and another to a .pt machine. Tracing to the source I find it's a Realaudio feed of live Portuguese radio. If it wasn't for the fact the feed went across the pond and back I'd only cut off his fingers. As it is, something more drastic is called for.

It's time for accesslists 101. I fire up a link to the router, an editor, write a few quick lines of IOS, paste them into the telnet session and ^Z out.

After lunch I dig out an old SNMP trap program and set it to show me the output from the router and wait. I don't have to wait long; within minutes there are lusers banging their empty heads against the 'firewall'. Some of them try once and stop. Our download dude just keeps on trying. After two hours I take pity on his machine and send it some fragmented packets. It chokes fatally. I put another Windows logo on the side of my box and draw a black line through it.

After a while I wander up to reception and 'borrow' the camera. Heading up in the lift ('Yitrib biet abuch!'[2], Arabic again) I snap off some pictures of the Portuguese radio freak through the door and copy them up to my machine. With a few tweaks I can have him breaking and entering on the security tape, or sitting in front of a computer screen filled with porn. Taking my best efforts I post them anonymously to the building's newsgroups and make a note to procure the latest security video for editing...

[1] A cross between Nihilism and Taoism, only with more bitterness
[2] 'May your father and his progeny be annihilated', or close to it. A mortal insult apparently.

Ben
--
I'm sorry, you must be confusing me with someone who gives a damn.