Storytime: My new internship - Advice?

Hi again FreeBSD Community. I pop in every now and then; I have been sitting in Windows environments for some time
and have recently gotten back to FreeBSD. Hope that you are doing well.

I have started a new internship. Funny thing: with my two-plus years of experience in Customer Service/Service Desk, some hobbyist education in IT/Networking, Web Development and Programming,
I landed an internship for - you guessed it - Customer Service.

Having a need for constant stimulation and access to things to test, I finish all my job assignments within the first one or two working hours of the 8+ hour work day.
And with no extra assignments possible I spend my spare time testing the security policies and functions of the systems that we use.

So far I have found two minor, potentially not so important data leaks and security issues in the policies for the passcode system to the building,
as well as a major Denial of Service exploit that hasn't been recognized by the remote development team.

This took me about one week to find. And being a sensible human being I have gently and calmly tried to raise the alarm about the situation, since this Denial of Service would generate a chunk of havoc.

Conclusion:
I get new guy treatment; all the personnel are blatantly uninterested in both security and making any adequate changes to anything.
I spoke about this with my dad, who has the same interests as I do, and he strictly advised me to contact another part of the company and opt for an employment more fit for my interest in
the IT career path.

For all that is necessary I believe this information and solution to the exploit will at some point reach some authorized personnel as a "good-will"-package from me.

In the meantime, when the client for the video game I wanted to relax with was down, I kind of just started to write the code for the exploit.

To be clear, what makes it alarming is that no internal access of any kind is needed to use this exploit, and I kind of thought of putting the theory into practice
and having actual runnable code before I even present this to any other person or instance within the company. I mean ... I could be wrong ... in theory ... and everything is fine and dandy.

That is where I am at now.
Do you have any similar experiences and/or advice regarding this situation?

Kind regards,
michael_hackson
 
Go through a lawyer. There ought to be some who may even do this pro bono. A lawyer can forward your messages and then refuse to snitch on you because of the special client relationship. If you don't shield yourself, and the havoc done by your exploits is high enough, the company may well try to shoot the messenger. Not worth it.
 
> Go through a lawyer. There ought to be some who may even do this pro bono. A lawyer can forward your messages and then refuse to snitch on you because of the special client relationship. If you don't shield yourself, and the havoc done by your exploits is high enough, the company may well try to shoot the messenger. Not worth it.

You have a very great point here ... didn't consider that outcome at all.
In my country we may employ lawyers a little differently, but I believe we have an agency to contact for topics like this. I should check what options they provide.

Thanks!
 
Questions:
Is it part of your intern responsibilities to test security? If not, then DON'T! In most companies that will be seen as improper system use and would most likely affect your "grade" as an intern... possibly with them kicking you out of the internship.

Second, I understand and remember the great hope and motivation to jump in and be a contributor...Fact is though, you won't be taken seriously until you have several years of experience under your belt.

Companies are all highly political. As an intern the best you can do for yourself is to adopt the attitude of knowledge sponge and kiss their ass by letting them see themselves as the experts and you as the mere student. Just soak it all in for a couple of years, then you can form your opinions based on real experiential knowledge.
 
One of the most important books I found to read in preparation for corporate life was Sun Tzu - The Art of War.
Don't even hint that it is you doing this. Leave no traces. Prepare cover. Prepare for blowback.

Companies not on their toes for security don't deserve to thrive. I have no pity for them.
 
> Questions:
> Is it part of your intern responsibilities to test security? If not, then DON'T! In most companies that will be seen as improper system use and would most likely affect your "grade" as an intern... possibly with them kicking you out of the internship.
>
> Second, I understand and remember the great hope and motivation to jump in and be a contributor... Fact is though, you won't be taken seriously until you have several years of experience under your belt.
>
> Companies are all highly political. As an intern the best you can do for yourself is to adopt the attitude of knowledge sponge and kiss their ass by letting them see themselves as the experts and you as the mere student. Just soak it all in for a couple of years, then you can form your opinions based on real experiential knowledge.

Also great advice, perhaps a key one, since it matches well with the input I got from my counterpart in a phone call. Your and her advice is to take responsibility in the role, strictly do as I am told and let the other things pass.

For my own sake, I will finish the program since it's a great developer experience and personal pride, and thoughtfully let nothing, not even a whim of a code line, enter anywhere officially or privately.
 
I suggest you look at the history of Randal L. Schwartz with Intel and the State of Oregon.

What he was trying to do was improve security at Intel. That got him convicted on three felony counts.

Twelve long years later, with a lot of help (because he was very well known in the Perl community) his conviction was expunged.

If you are not tasked to examine security issues at your place of work, then don't -- assuming that becoming a felon and spending some time in jail is unattractive to you.
 
> Conclusion:
>
> I get new guy treatment, every personnel is blatantly uninterested in both security or making any adequate changes to anything.
>
> I spoke about this with my dad, who has same interests as I do, and he strictly advised me to contact another part of the company and opt for an employment more fit for my interest in the IT career path.

Your Security Program Is ⋯ (profanity alert)

– via <https://mastodon.sprawl.club/@ludicity/111853234711536138> via Wravoc @wravoc@infosec.space

"This describes every interaction I've ever had with enterprise security teams, and if you replace the word "security" with "data", it almost describes them too. And most importantly, it is filled with the seething invectives required to keep my heart pumping: …"

Thankfully, my (at-work) interactions have been entirely positive …

… Touch wood, never any complaint about my maverick choice of primary operating system. Possibly partly because there's a long history of me taking responsible private and public approaches to security issues …
 
My advice: Be professional about it.

Maybe report it in the style of FreeBSD's security advisories:
Code:
Topic: vulnerability in ..
Category:
Module:
Announced:
Affects:
Corrected:
CVE Name: none
  
I.   Background
II.  Problem Description
III. Impact
IV.  Workaround
V.   Solution
 
> My advice: Be professional about it.
>
> Maybe report it in the style of FreeBSD's security advisories:
> Code:
> Topic: vulnerability in ..
> Category:
> Module:
> Announced:
> Affects:
> Corrected:
> CVE Name: none
>
> I.   Background
> II.  Problem Description
> III. Impact
> IV.  Workaround
> V.   Solution

That won't shield you from incompetent judges. Having a felony charge for hacking to your name does not really increase your employability.

Background: some local dude currently gets raked over the coals for telling a company that they were exporting all their customers' data onto the internet (they had a password hard-coded into a binary, which led the judge to label "notepad" a hacker tool. You just open the file and scroll down until you read "mysql://comanyserveropentotheinet.com ... verysecretcoolword" or such.)
 
The saga continues

Nice to see some more advice in the thread. I am on to my third week of internship and have found some minor data leaks, which I have directly reported to the boss in charge of me, and we have then let the security issues re-enter the void of ignorance where they shall reside, since they would only lead to minor company losses.
This week I am finalizing the part of the workplace education that includes courses on the Swedish laws for Employment and Workplace Environments. Set by law and specified in regulations, every employee has a responsibility to report all security issues within my sector that are a clear risk for any of: damage to wares, risk of misuse of security equipment, risk of accidents, and risk of crimes.

Following on from my education I inconveniently and also conveniently found out that every employee in my workforce, including me as an intern, can access the super administrator role of the system - in context meaning that any person with ill intent can close down the whole business in the whole Nordic region, and if there is no redundancy solution an incident would require a Nordic-wide reinstallation and setup ...

Good to know is that I also learnt from another colleague that the company has a delta minus this year of 5 million USD, that has to strike down on salaries and employees as well as some trade business agreements. I met a disgruntled employee and made a quick check on her being, since disgruntled employees are always a high company risk, as she was nailing the chair in front of me with her fingers. Her agitation kind of confirmed the situation the company is in.

So ... I decided, as the first thing after finding this out, without using any of my newly assigned permissions - since that is outside my current role, and would also be misuse and a possible crime - to host a short meeting, inviting my boss in charge and also the system admin at my workplace. I made it an open door meeting to include the team and provide education.
Funnily enough, the model set in the Swedish regulations for Workplace Environments follows FreeBSD's security advisories very closely (which is understandable).

I reintroduced the first big threat I found and I also provided them with the solution for it. The sysadmin confirmed that Norway has already had incidents involving this security risk, so the dev team *coughs* is "working" on finding a solution - the one I presented.

I introduced the next topic, that I now have super administrator role access, and stated that I should never have that as an intern, and that it's also questionable that every employee has this same permission set allowed in their roles.

What makes both topics a very high security risk is that this system access can be gained without any criminal activity, no set of attacks or anything; they are just lying there floating, which is also why I saw them when following the education program.

I presented two common risk groups:

For issue 1: A common outside company teenager with an interest in computers and video games that is playing with bots and ai generation.
For issue 2: A disgruntled within company employee that the company misses - that we also have currently as of this moment and year.

Result:

My boss in charge was impressed, but she felt the meeting was unnecessary (she finds everything unnecessary, which is one sole reason why I decided on hosting the meeting).
My sysadmin was in shock, starting with denial - telling me it's impossible, I have no super admin access - over to - who gave you admin permissions - over to - personal attacks on me for misusing my role and the system.

One good colleague found my meeting to be the wrong approach.
Another good colleague found my meeting very valuable, interesting and a good and rightful approach.
A third good colleague gained his own confirmation that "Yes, the person holding this meeting is retarded".

After the shock the sysadmin started to repress it and didn't want anything to do with it. I kind of requested that she may at least have an interest in confirming that this is actually possible by my showing her how it is done, and then we take away all the permissions that I should never have had to begin with, with nothing done with them.

3rd stage, as we assembled and left the meeting room: she went into combat mode, demanding that I show her how it is done; now she was determined to find out, and I was glad for the determination to find out.
There were still some sporadic statements of: "How did you ill-use the system now, what code did you use to access this?" and I calmly replied that all these permissions, which may need to be addressed, are already assigned to all of us.

When I showed her how, she threatened me and told me this is grounds for termination of employment, and I told her that she is right and that if she is looking for a bad guy I can understand if she views me as one.

She finished with "Good" and left the area, holding the newly gained information.
I wrote to her in our internal system that I need her help to reset the super admin to what it was, so I have no knowledge of the settings (not that it matters much in this sandbox of the outsourced system we use, but this is simply the "best" secure practice we would have at this moment).

Current state:

The whole workplace now knows that I know things. Most of them have a bad view of me and make only the minimal contact that the workplace requires.
My close friend confirms that this may jeopardize my employment, as you have also pointed out, and as I also know.

What I at least know is that I have gained a lot of horrible knowledge about how badly a business is run and also that I addressed the issues in accordance with the Swedish regulations and practices within workplace environments.

Kind regards,
michael_hackson
 
What you describe is what I have encountered in most places I've worked, and as you have discovered your approach is not appreciated.

Time to move on, but I think you'll have similar experiences elsewhere, though you might get lucky.
 
My advice

10 look for a better job, don't waste your time there
20 apply for real jobs, not 'intern' positions
30 goto 10

Really, don't hesitate. You might not think so, but <<<your most precious asset is your time>>>; so don't waste any more of yours on them. Dust off your CV and start applying for other jobs, and find yourself a better number. You might be pleasantly surprised at what you find if you start looking. Maybe have a look at what opportunities there are in cyber security, there's a big demand for people who can do that right now. Or if that's what you're interested in, see if you can get on a course to learn it, or join a company that is working in that field.

Just don't go joining a Russian/Chinese hacking outfit! ;-)
 
Yeah. I am pondering over the job situation, also because they wouldn't give me a direction on whether they would even convert the internship to an actual employment with salary when I raised the topic before this, to get a hold of things.

Current upside:
The job is treading water for me, unfulfilling, something I do at three times the speed of the employees they had before me (since I simply want to have things done and hate having unfinished things on schedule, and I value time studying their provided material). No langoliers will ever get hold of me.

I always push them for more assignments and growth, showing they are the bosses, but since the majority are airheads and just want to have a "good time" when working, I am left with time for basically anything I like to put my time into, as long as I sit on the office chair being their good dog; that is kind of how this whole chronicle started. Taking part in the Swedish Agency of Employment Programme I also have a requirement to take any opportunity that I am given, so I can't really be too picky either.

Also, getting this employment and showing I can do a fair amount of work made the person I am dating come to the realisation, after six months, that I actually am not retarded, so updating her on details ensures I get the person treatment and not the common lost-case treatment.

Since it's only treading water I am also alert and focused when I arrive at home and can take an extra part-time job as a remote developer, and if I get that type of job offer I can consider taking that full time - the downside there is that I perform best either in office environments or hybrid.

Thank you very much for your inputs!
 
Quick update:

The sysadmin went through the permissions today and reassigned me to a role with permissions more fitting the internship/employment, stripped of the permissions to gain Super Admin access. They also hurried to get the documents that I requested, which I always should have signed regarding security when handling customer and people data within the company.

There was a downtime and avoidance when shit hit the fan, but now I can actually see that they took the information I gave and did something with it. Even the people that don't really like me make extra effort now to listen to what I say when making conversation.

It looks good I must say, even if the system is still a children's sandbox. xD

I made sure to give the sysadmin the thumbs up and cred for assigning me a role more fitting for the internship/employment. She seemed glad about it.
 
> now I can actually see that they took the information I gave and do something with it

That's what I meant in my earlier reply. Don't jump to conclusions - people are busy, they'll need time to process stuff, they'll add it to their possibly long TODO list, they'll have to juggle what you are saying with their line managers telling them that there are urgent font and colour changes and their juniors moaning about other workers etc etc etc.

Nothing might change and you might get ignored anyway but it might just be processes, protocols, chains of command, areas of responsibility, etc making everything x10 slower than you’d expect.
 
TBF, I can totally relate to this...

In my case, I discovered that some bosses are just un-informed and can make moronic decisions.

I was on staff for a contractor who's doing work at a client site. Contractor provides staff members, client owns site and everything else, including the IT infrastructure. My role was to provide IT support for the other staff that the contractor provides - as in, teach contractor's staff to use client's IT infrastructure in accordance with client's policies. So far, so good, right?

I went back and forth between contractor and client, resolving user permissions/passwords/access/licensing/etc. And became very good at it, too. I got some limited permissions that allow me to do a surprising amount of troubleshooting and fixing problems as admin on a limited class of machines. I basically learned where to go and how to properly describe an issue, so I get stuff done very quickly. Or I quickly would discover that a proper fix is out scope for my role, best I can do is make notes and let client's IT team and contractor bosses know. I actually gained credibility among most of my coworkers, and a lot of client's staff that way. My role is time-consuming at times (big workplace, after all), but saves a lot of time, because I know what I'm doing.

Well, client wants me to be able to access the machines I support remotely, so that I can troubleshoot better. Remember, client owns the entire IT infrastructure. Client gives me a special license for appropriate software (and no, brand does not matter for this story). I start remoting in, collecting screenshots, making notes on problematic network settings that get quickly resolved, and the like. Client's IT team actually likes me where I am, because I do provide solid information on exactly what the problem is, unlike everyone else on the contractor's staff. The underlined part becomes important later, I promise.

Well, remoting into machines (they're Windows, not UNIX) is not exactly smooth sailing. Some techs on contractor's staff do not take kindly to the idea. There are complaints about illegal hacking (:rolleyes:), privacy concerns (:rolleyes: Really? On a work machine that does not even belong to the contractor's company? Client has every right to remote in and check on problems), and disrupting work. Well, the last one was resolved by telling me it's now part of the job protocol to seek permission before remoting in. Sure, NBD there. Remoting does also uncover some networking issues that have nothing to do with the node/host, and now I can report on that, to the delight of client's local IT team.

One day, I'm attending to a ticket that a contractor tech cannot access an internal web site that the client set up. I get in touch with the tech, asking for hostname. It actually took several days, because trying to ask contractor staff for the hostname of the machine they're using is largely a labor of Sisyphus. Putting the request in simple terms, showing them how to do it, talking to tech's direct supervisors (also on contractor's staff) about importance of knowing how to do it - that leads to absolutely nowhere, conversation just dies in its tracks. Emails never get returned, nobody asks how to find out the hostname... Some people are worse than others. Some do provide the hostname with some difficulty, and some... react like I just killed someone right in front of them. And no, I'm not joking, I've had it that bad. The contractor tech (who filed the ticket) was among the few who had that kind of awful reaction to what should be a very simple request for information.

Well, I finally squeezed the hostname and permission (to remote into the machine) out of that contractor tech. It was a simple job to fix with local admin privileges, but it was just a local band-aid fix. Yeah, part of a bigger problem. I terminate my connection to the contractor tech's machine (subject machine), and close the ticket. Just 20 minutes later, someone else remotes into that same host. Contractor tech assumes that it is me, and complains to direct supervisor (also on contractor staff, that is important) that I remoted in without permission and was disruptive to the workflow. Somebody tries to collect info on what happened, but in the end, it was my word against the tech's. I offered logs from my own machine - nobody was interested.

Since it was a matter of conflicting claims between two staff members of the contractor, I ask my direct supervisor (also on contractor staff) what to do. (BTW, story was over as far as the original ticket was concerned. Computer belongs to client, work on it was done for the client and I got the workflow unstuck.) And my direct supervisor told me to fire off an email to a weird client address. No, that's not the correct procedure for resolving technical problems on our site. The email address actually was a legitimate one, in the client's directory, just not something I normally interact with. I complied, fired off an email with a cc to my direct supervisor. As far as my direct supervisor was concerned at the time, story was over with that. Well, story was not over, not by a long shot!

That email that I sent - it turned out to be input into a new ticketing system that the client's IT department was testing. A totally separate, internal project that was not even on my radar until now. Not everyone on the local IT team was aware of it, either (Well, the client is a REALLY big workplace). A few days later, I got a reaction from a far-flung part of the client's IT department, asking me to collect logs on the subject machine. I made an effort to do that, and, as per work protocol, I let the client's local IT team know what's going on. Turns out, that weird request should have gone to the cybersecurity guy on client's local IT team, not me. And the team testing that new ticketing system has actually screwed up, and later I heard it took a lot of meetings to sort it out and trace it back to the email my direct supervisor told me to send.

One positive outcome of this story was that supervisors on the contractor side of things did start accepting it when I tell them "I fix the problem the way I do because we have to respect the client's policy on IT infrastructure". And prior to me stepping into the role, there were a LOT of attempts by the contractor to override the client's IT policy, which is frankly there for a reason... :rolleyes:
 