Prank 'Give me a raise!' email nearly lands sysadmin with dismissal
Staffer learns hard way: boss jokes don't mix well with infosec demos
Welcome again to Who, Me?, where we invite Reg readers to begin the week crossing their fingers it will be better than those of our featured techies.
This week, meet "Damian", whose tale is a warning not to get too cocky when demonstrating a security glitch.
Damian's tale is of a time when he was working as an admin maintaining server backup software in the European region.
"We used BackupExec at that time," he said. "This software had the ability to email particular recipients if a backup job was successful/failed/pending, and so on."
As he was setting this up, Damian came across an undocumented feature or, rather, a security glitch.
"Basically, when you were setting up the email feature you had to manually enter the address for the 'From' field," he told us.
"Usually you would just put the servername followed by @<companyname>.com, and when the recipient would get an email it would show that it came from the server in question."
However, Damian had spotted that you could put any email address into this field and the message would look as if it had come from that address – something that could obviously be exploited by a miscreant, or simply for mischief.
Upon telling a US colleague about this (whom we'll call Joe Bloggs), Damian was asked to demonstrate the issue.
"So, I typed in the recipient name, 'Joe.Bloggs@xxxx.com', and in the Subject Field I put 'Give me a raise'," said Damian. "And in the From field I stupidly put in the email address of our CEO."
All should have been well – but after hitting send, Joe didn't get the email.
"Upon closer inspection," Damian recalled, "I had made a typo in Joe's email address."
Of course by this time, the cogs of email technology were in motion.
"The email servers did what they were supposed to do, and returned the email to the original sender, saying 'address not found'," Damian said.
"Needless to say, I hadn't made a typo in the CEO's fucking email address... so he promptly received an email with 'Give me raise' in the subject line!"
And, although it was misspelled, there was a pretty big smoking gun in the failed email – and as Reg readers will know, once the CEO is involved, someone must be blamed.
"The CEO calls senior IT and Joe gets hauled in because they figured the email was meant for him," said Damian.
Joe cracked under the pressure, but pointed out that Damian was illustrating a security issue with the software – and saved his colleague's head from rolling.
"I got bollocked but kept my job," Damian said. "Never sweated so much in my life!"
What's had you mopping your brow lately? Tell us about the time you took a security demo too far by emailing us here. ®