A cautionary tale of virtual floppies and all too real credentials

Only a complete banker would map that to... oh dear...


Who, Me? With the weekend gone, like the contents of a file share after a hasty execution of a seemingly innocuous script, pause for a second before tackling the week's shenanigans with another Reg reader Who, Me? moment.

Our reader, Regomised as Dave, told us of his time working in the IT department of a bank "at the end of the eighties or the early nineties."

Dave toiled away in a small team, responsible for automation in the foreign branches of the institution. His use of Turbo Pascal (of which this hack has many fond memories) dates things somewhat, and the tools he wrote were used to connect the bank's software (running on Datapoint gear) to PCs and SWIFT ST200 terminals.

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is now approaching its 50th anniversary and is a key part of the world's financial infrastructure. It lobs transaction information around between over 11,000 institutions, although at the time of our story it enjoyed approximately 3,000 customers.

"The ST200 wasn't directly linked," explained Dave, "but data was transferred to and from with floppies that were prepared or read on a PC."

A simple, if time consuming process compared to the connectivity of today.

Dave was in an overseas branch and needed to make some modifications to the PC application.

"The branch's sysadmin was so kind to set me up a PC under his usercode," he told us, "and because the PC he used had no floppy drive he mapped a network subdirectory as the A: drive."

While floppy drives have all but disappeared nowadays, they were ubiquitous back in the day. Not having one was a sign of either a bean-counter let loose at the specifications or some decent network hygiene.

The usercode thing though? We're not so sure about that.

Novell was the networking software of choice for the branches, and it took but a simple map command to create that virtual floppy drive.

Dave got to work: "When preparing a floppy that had to go to the ST200 my application first deleted all files and directories (recursively) that were on that thing.

"So when it started doing that, I expected it to be quickly finished as my test 'virtual floppy' was empty."

It was, after all, just an empty network directory, right?

Let the arse-swooping panic commence!

"I was horrified when I saw a parade of filenames flashing by, including some things that really resembled user data files and network software files.

"I've never hit Ctrl+C so fast in my life!"

Dave began the walk of shame to the sysadmin's office, but before he reached the door "I saw one person after the other go into his office to complain about problems with the network. He was bewildered."

Regular readers will have guessed what had happened by now; the sysadmin had forgotten to map the network directory as "root". Worse, Dave was using the sysadmin's usercode and so his application was able to start a recursive deletion adventure down to the very bowels of Netware. Even Novell's own system files had not been spared.

"If I would have looked at 'A:' from a command prompt I would have noticed," sighed Dave.

The gang eventually managed, with the help of a second server and oh so many backup tapes, to get things up and running again, "but we learned to use 'map root' and, more importantly, that even a sysadmin should have a normal user account for the non-sysadmin stuff..."

Ruefully, Dave added: "and nowadays you don't even think about giving anyone access to your environment."

Wise words. Just a shame it took the near takedown of the bank's branch to learn them.

Ever found yourself with a bit more power than expected and abused it in the proper manner? Or felt the world drop out of your bottom as the names of irreplaceable files whizzed by? We've done at least one of those things. Surely your experience is worth a confession to Who, Me?


Biting the hand that feeds IT © 1998–2020