As I expected, booting the unidentified shithead off of that client’s server caused all kinds of screaming. The unidentified shithead was essentially who I thought it might be. The client didn’t understand the ramifications of giving a vendor the root password for their internet server, and didn’t know that the as-yet unidentified shithead was in there making a terrible mess of things using wrecking ball tactics. I’d nicknamed him Tasmanian Bonehead.
Only because it wouldn’t do to call him Tasmanian Shithead in email going to the client company.
After all kinds of mean and nasty things were said to impugn my proficiency in the effort to regain root access on that server, and the client teetering on the edge of insanity instructing me to give up the password, one of my colleagues somehow showed up on-site — 900 miles away. He wasn’t aware of any of this, as he’s on the Windows side of things taking care of their office network, and was there for some other reason. While the office manager was telling him about what was going on, I was writing the email message telling them that I can no longer be responsible for the security of their system. As I was rereading it to make sure it was right, my colleague was educating the office manager about why I was perfectly right to do what I had done and how they were shooting themselves in the head by giving the root password to a vendor. Then my phone rang, and I told the office manager that I was just about to send her an email. She said, “Don’t send it yet”, and told me that she had seen the light and hoped like crazy that I hadn’t handed over the keys to the kingdom (the root password) yet.
While we talked, my colleague invited himself into the CEO’s office to educate him as he’d just educated the office manager. That was awfully nice of him. Come to think of it, he’s the one who referred that client to me in the first place. He and I have been working together now for something like 15 years, referring clients back and forth, helping out on technical problems, and so on. And there he was educating the CEO for me. Helluva guy.
That set up the fun. The client told the marketing agency that I’d set them up with a normal user account with sufficient privilege to do everything they might reasonably need, and that if they had any problems they should address them to me. Murphy’s Law is fucking relentless: Tasmanian Shithead got to work and ran into problems that were once again attributed to an improperly configured server, and instead of taking it up with me it went to the client CEO.
Tasmanian Shithead didn’t want to take it up with me. I kicked his ass out of that server on Sunday in what amounted to a heads-up Unix-fu match between two root users, and then he/they said all kinds of mean and nasty things about, well, me, basically, by claiming that the server was horribly misconfigured and that’s why their shit doesn’t work. Now he’s expected to talk to me?
My phone rang this evening and Caller ID showed a number in the 713 area code. Oh, hey, Tasmanian Shithead, whoever he is, is in the 713 area code. Let the games begin!
As far as his problems go, after we hung up I found that he’d installed a WordPress plugin without reading the instructions, so it was only partially installed, and that he’d installed another plugin containing a coding error that was obvious as balls on a tall dog in the error logs. The only configuration error on the server was the one that allowed him access to it. :D
But what I really wanted to know was who gave him the root password in the first place. No one at the client company would cop to it, and to the best of my knowledge the only ones who had it were the client CEO and I. I asked, but his response was, “Oh, I have my ways. I’d rather not say”. Tasmanian Shithead is apparently far more accurate than I’d suspected!
In the end he not only told me how he’d got the password, he spent three or four minutes digging around to find the damning email message and read it aloud to me. He told me a few more things I wanted to know and thought it was his idea to do it, and even told me some useful things I wouldn’t have thought to wonder about. Before he gave up the goodies, he tried to outgeek me by talking about the various ways of getting passwords, and the great irony of the whole thing is that we spent about five minutes talking about social engineering.
I wonder if it’s hit him yet that after kicking his ass on Sunday I engineered his ass on Wednesday and it worked even after we’d just talked about it. In fact, that was why we talked about it — he wanted a dick swinging contest and I wanted information. It took two hours, but I got a lot more than I’d hoped for.
He might not realize it yet. He’s probably too busy fuming over the email message I sent to him, as I promised I would, telling him what I’d found. And CC’d to all of those people to whom all of those mean and nasty things were said about me, too. But in it I was very nice and took a friendly conversational tone because by golly I’m just a helluva nice guy.