Dear christ almighty.
Hot on the heels of the "Top Ten Ways to Get Fired for Breach of Security" article, one of our client companies tries DAMN hard to beat the raw idiocy level of the day. This may be perhaps the most rampant example of corporate stupidity I've ever heard of, and that takes some doing.
One of our client companies is setting us up with FTP to send them PGP-encrypted files. No big deal; industry standard.
Their system is set up as ANONYMOUS FTP. They renamed "anonymous" to something else, and then based on the PASSWORD you enter... which is your company's name... they make assumptions as to who you are, and direct your file to a potentially appropriate directory.
Why the HELL would you use ANONYMOUS FTP for a business application?
So now I have login credentials for every single company they do business with. Anybody who knows the renamed Anonymous account name can log in, though, since every combination of letters is accepted as a valid password. Actually, I don't know every company's login info... I don't know OURS. Our directions were "Your username is XXXXXXX and your password is your company name." If I log in using "$CompanyName" as a password, I can't LS or PUT. Same with "$Companyname", same with "$companyname.". Could be that they want some permutation of "$CompanyName, Inc." but I refuse to stay up all night playing guessing games.
I have difficulty putting into words how amazingly flabbergasted I am at this colossal monument of stupidity.