Monday 3 December 2012

Please Encrypt My Password: A request

So it's a story.
Once upon a time, or let's say a few months back, this interesting thing happened.
I was studying computers at this college, whose name is not that important.
The college has a policy of maintaining student records using a web-based management system. The system maintains records for students. Students need to register for courses through this system. Near the end of the semester, students have to take printouts of admit cards through this system to write exams. So this S#!T happened just around exam time that semester. People were busy issuing the print command for admit cards. The semester had not been that good, or let's say I'd been so busy that semester that I just forgot the password I had set for my account on that Student Record Management System.
I, as a good and a bit paranoid Internet user, keep changing the passwords on different websites and use different, unrelated passwords on different websites. So I frequently changed the password of that system too. It doesn't happen often, but it happened that day. I simply had no clue about the password I had set for the system. After my brain denied any relevant information, I had no other way than to reset my password. The system doesn't have any instructions on how to get the password reset. There was this friend of mine sitting next to me, ordering a printout of his hall ticket. I called him (let's say his name was John), "Hey John, how do I get the password for this S#!77Y system reset?" He replied, "Dude, the system is run by the college administration. At the beginning of the semester, while registering for courses, Ron too forgot his password. He had to go to the admin building of the college to get his password."
I said, "Okay! But there could have been easier ways to resolve these kinds of issues. That bunch of admins could have used the trivial techniques of resetting the password, like those question-and-answer based ones, or emailing it to the college email, or some other similar method." Cursing the admin, I left the computer room, took my bike and moved from the computer center to the admin building. Yeah, the college I was attending is a bit huge. The distance was around 400 metres. So I used my bike.

A bit about the Member Information System the college used:
The MIS (Member Information System) used by the college is a product built on Microsoft technology. The system was implemented using .NET and ASP pages. Dedicated servers within the college host the system.

So I reached the admin building, parked my bike and went upstairs to the computer support room. There was this guy, whom I didn't like a lot at first. I asked him, "Sir, I lost my MIS password. What is the procedure to get the password reset?" He was busy trying to align a page right for printing in Microsoft Word. Looking at me, he asked for my college student card. I handed my I-card to him. He looked at the card, then towards me.
He went back to the screen he was working on, minimized it, and on his Windows XP desktop he clicked on this application. A window appeared.
Just looking at the crappiness of the app window, I figured out that the application was a trivial Visual Basic app written by a n00b who had just started learning VB. OK, that VB app window had a text field, a big submit button to fill the space and, at the top corner, an empty place.
I knew that he was going to reset my password using that not-so-great application. I stood there watching what he did.
He looked at my I-card, which I had handed him earlier, and entered the unique roll number from that card in the text field. The page started loading.
(It didn't take that much time, but I am moving in slow motion here because an interesting thing is about to happen.)
OK, so the page started loading, and the empty top corner started getting filled with an image which I already knew would be my picture, the one the college took in freshman year. But there was this "line of text" which had already loaded on the screen and which I didn't notice because I was not anticipating it to appear. As soon as the page loaded completely, I was astonished to see what the "line of text" said:

"Password for your account is admin12345"

Dammit, they created an application for showing me my old password. What the heck is it!!! (Obviously I didn't set my password to be something trivial like admin12345 or god or similar.) I now knew what password I had set previously.
But hey, douchebag,
1) You are not supposed to keep my password, or any other user's, in plain text.
2) Are you proud of the thing you did there? You created a crappy application to show me that you don't save passwords in encrypted form.

I mean, reputed websites suffering from "Not Saving Passwords in Encrypted Form Syndrome" at least don't claim to have saved my password in plain text. Bad people only do this good deed of defacing them by throwing my information onto the Internet. #IronyAndPunIntended.

Trying to recover from the horror I had just seen, I took my bike and headed back to the computer center. Obviously, I didn't enlighten him by telling him the above things to his face. I really don't like getting into any argument with foolish people.

Getting back to the computer center, I moved to the same place I was working earlier. John was sitting there with the printout of his exam admit card. He asked me, "Didya get the password?" I told him, "Yeah, I just got back the old password I had set for MIS." He said, "Good for you, get the fsckin printout, and let's leave the place." I reiterated what I had said: "The bastard stored my password in plain text form and just told me that password."
John said, "What did you think when I told you that Ron had to go to the admin building of the college to get his password? They gave him his password back. Got it! I know it's a big deal for you to have bad decisions for storing user data... but it's a college issue, dude. Don't try to change things. Let it pass." I replied, "Yeah, but at least they should tell us: don't give us your precious information, we are not going to take care of it." Babbling, I just got into the system using my old password and ordered the printout I had to take, and changed my password from that secure one to a bit less secure one because I didn't want the bunch of losers @admin to know the level of security I maintain for my data. We moved back to, let's say, the juice center and had a drink, and that's it. Done for the day.


Another day, after that bad day.

College wifi was not working that day. So I went to the computer center to collect some data I kept on the intranet. There was this girl. Yeah, there is a girl in this story too. :)
So I met this girl from my class named Tina (let's say her name is Tina). She asked what I was there for. I told her, "to get some stuff done", and moved to the computer seat next to her.
One more thing: Tina is sort of the head of some group which I don't care about. She is one of the students who have to meet admin people every month for the Student-Admin meeting, supposedly for the benefit of students, for raising problems and other stuff which could help students; you know, those meetings which are just a formality to be followed every month.
So she asked me if I had something to put in the admin meeting next month. I said, "Yeah, the passwords should be stored in encrypted form, md5 or sha or something which the computer support people could handle."
She said, "Nah! It's not something which we should put in these meetings. You know it's a trivial matter. You can ask me for Internet connectivity in your room or similar issues to get resolved." I said, "It does not seem that you care about my problem. So, how about allowing the git protocol for pulling changes from open source repositories on the college wifi? I have been using git over https, but it would be good if I could do it using the git port." She suggested I discuss it with the computer support people and the people who regulate Internet connectivity on the college campus.

I am not going to discuss the issue with people who have a VB app to display my password. Or wait, I could use the dumb people for... Nah, that would make me a bad hacker.
Then Tina told me, "It's not a big deal to secure the password on MIS... I didn't even change the default password.
The college gives us a password of the form #username#YearofJoining, e.g. for john the default password would be john2011."
Let's say for Tina, it was "tina2011".

She left the computer center after that. I just logged into her MIS account using username: tina and password: tina2011, successfully. There it was, all the information at your expense. My tiny brain could not think of any valid reason not to change the default password.
Tina is a great girl. I didn't want to harm her in any way. But there I was. I had to do it anyway.
Thoughts running in my mind: there is an account which doesn't belong to me, but I can access it. What would happen if I changed the password and this girl had to get it back the way I got mine back? Bang! I am evil... Hahaha. (OK, "Haha" was not any part of that thought :) )

So I did the exact thing my tiny brain told me to do. I changed the password to, let's say, one of "FsckYouAdmin" or "AdminSucks". That's it. This is all I did. I am not happy with what I did. But I did it.

Next semester starts:

We had to register for the courses we wanted to take that semester. I did it using the MIS and the not-so-secure password I had set after learning that the admins don't care about my data.
The next day, after the Advanced Algorithms class, Tina came to me and said, "You know, we have got the passwords to be stored as md5 checksums, and now, as the passwords are not known to anyone, we have to reset them via college mail, and the college mail password reset is via some office in the admin building, but the guy will not show you your old password. He will reset it to something trivial and tell you that word. You can change it later when you log in. But you know, I am really upset with you. You are happy now, aren't you!
You moron, you know how embarrassed I was when the guy at the computer support office showed me the password "FsckYouAdmin" (or "AdminSucks") and asked me not to use words like these? I am a post bearer from the students and he knew about that. So no action was taken, but who knows, there is a possibility that action could have been taken against me or anyone else with those kinds of passwords. After all, when the power is with people with not so many perspectives or ideas, anything is possible."

I totally understood what she meant when she said, "Anything is possible with the current college admin."
I don't feel that guilty about what I did with Tina. Hey, I just changed the password. She should have changed it anyway. The MIS stores details about home address, parents' information and other things too. It's not a bad idea to change the default password anyway.
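What the two halves of this story boil down to, as an added example that is not from the original post and not the college's MIS code: a record that can answer the support desk's "show me the password" lookup versus one that can only verify a guess, and why the default-password scheme described above (#username#YearofJoining) falls to an offline guess no matter how the hash is stored. The plaintext and md5 variants model what the post describes; the salted PBKDF2 variant, the iteration count, the `crack_defaults` helper and the sample table are my assumptions. One caveat on the fix the post asks for: a bare md5 or sha digest of the password is not enough, because it is unsalted and fast, which is exactly what the guessing helper exploits; a deliberately slow, salted password hash (PBKDF2 here because it is in the Python standard library; bcrypt, scrypt or Argon2 in practice) is the minimum, and even that does not rescue a predictable default.

```python
# Added example (not from the original post): three ways to keep a user's
# password record, and an offline guess against predictable defaults.
import hashlib
import hmac
import os

# --- 1. The admin's VB app design: the record carries the password itself ---
def plaintext_store(username, password):
    return {"user": username, "password": password}

def plaintext_lookup(record):
    # Exactly what the support desk tool did: anyone who can read the
    # table (or run the app) learns the password.
    return record["password"]

# --- 2. What the post says the college switched to: unsalted md5 ---
def md5_store(username, password):
    return {"user": username, "hash": hashlib.md5(password.encode()).hexdigest()}

def md5_check(record, attempt):
    # Fast and unsalted: one hash per guess, and equal passwords share a hash,
    # so one precomputed table covers every user at once.
    return hmac.compare_digest(
        hashlib.md5(attempt.encode()).hexdigest(), record["hash"])

# --- 3. A salted, slow password hash (PBKDF2-HMAC-SHA256; assumed choice) ---
ITERATIONS = 100_000  # assumed cost; tune so one check takes roughly 100 ms

def hashed_store(username, password):
    salt = os.urandom(16)  # per-user random salt: no shared precomputed table
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}

def hashed_check(record, attempt):
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    # Constant-time compare so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

# --- The default-password scheme the post describes: #username#YearofJoining ---
def default_password(username, year):
    return f"{username}{year}"

def crack_defaults(records, years, check):
    """Offline guess of default passwords against a leaked record table.

    `check(record, guess) -> bool` is whichever verifier matches the table.
    With unsalted md5 this costs one hash per guess; with PBKDF2 each guess
    costs ITERATIONS hashes, but a handful of candidate years per user is
    still cheap. Hashing does not rescue a predictable default; changing it does.
    """
    found = {}
    for rec in records:
        for year in years:
            guess = default_password(rec["user"], year)
            if check(rec, guess):
                found[rec["user"]] = guess
                break
    return found

if __name__ == "__main__":
    # Constructed sample table: one user kept the default, one changed it.
    table = [md5_store("tina", default_password("tina", 2011)),
             md5_store("john", "correct horse battery staple")]
    print(crack_defaults(table, range(2008, 2013), md5_check))  # {'tina': 'tina2011'}
    rec = hashed_store("tina", "tina2011")
    print("password" in rec, hashed_check(rec, "tina2011"))      # False True
```

The point of the third store is that `plaintext_lookup` has no counterpart: there is nothing in the record the support desk could display, so the only reset path is to set a new password, which is what Tina describes the college doing afterwards. The last call in the script shows the remaining gap: a salted, slow hash of `tina2011` still verifies `tina2011`, so a default that follows a published pattern has to be changed on first login, not just hashed better.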


Moral of the story:
1) Take care of users' data. Users are the most important assets anywhere.
2) Passwords are words which nobody should know except the user who generated them. It's the duty of the admin to protect them for the users.
3) I don't attend a great college. The college just has a big name and reputation, but I am not satisfied by what's happening here. My friends say, "You're gonna see worse things once you leave the college." I don't agree.

Note: I don't claim that all the information in this essay (or story or whatever) is correct. But I guarantee that it is inspired by what is happening around. Bad guys are throwing the secret passwords, stored in plaintext form by websites maintained by worse people, onto the Internet with whatever intentions.
Companies which don't respect users' data and privacy are not good things on this earth.
I would love to kick the job at a company of this kind for one which does understand users' value better.
