I’m not really sure how much this is related to automation, but I just have to get this out.
I feel kind of insulted right now. If the speed and force of my typing is any indication of my mood, then I’m sure the whole office knows I’m pissed (I’m typing this on an IBM Model M keyboard). Why am I pissed? Well, at my day job, I’m working with a new vendor to help do some e-commerce integration with our accounting package and a set of new websites we’re developing. Again, the experience I’m about to share is pretty close to my first impression of them.
If I Give You Remote Access, Respect It!
This company was trying to troubleshoot a bug and couldn’t figure it out without getting access to our main server in the office. So, with them being hundreds of miles away, naturally they ask for remote access. I agree.
They then send me an email with instructions for allowing the remote connection. I’ll just paste what they sent me, minus the important bits, and let’s see if you can spot what’s so fucked up about what they’re doing…
Hi Adam,

One of our developers requires a remote connection to your machine to investigate the on-premise component of <redacted>. Please find below instructions for making your computer available for remote connection via GoToMyPC.com:

eMail: <redacted>
Password: <redacted>
NickName: **Company Name**
AccessCode: <redacted>

If GoToMyPC is already installed on your computer, there should be a little green and white MYPC logo by the clock in the bottom right hand corner. If it is there, please right click on the icon and choose ‘Register’. You will be prompted for the information above.

If GoToMyPC is not already installed on your computer, please go to www.gotomypc.com and log in using the eMail address and password provided above. When you log in, you will see a list of computers with an ‘Add Computer’ button at the bottom. Please click on the button and allow the GoToMyPC software to install (should only take a minute).

[PLEASE NOTE: When installing GoToMyPC and registering the computer, this must be done on the machine you are physically in front of (not over a network). This is a built in security feature.]

Once the software is installed, you will be asked to re-start. This is not necessary for the product to function. You will then be prompted for the information provided above.

Please let us know when you are available for us to connect.

Thank you and Kind Regards,
<redacted>
<redacted>
Help Desk Administrator
Let me just say that I don’t have any real experience with GoToMyPC.com; fortunately for me, I didn’t really need it to be able to tell how ridiculous this is.
This company is providing the login credentials for their main account and asking me to log into it and add my server. Please remember that I’m their client. They don’t know me. I don’t work for them. And, they emailed these credentials.
I logged in. Guess what I see? I see a list of all their clients’ servers who’ve also followed these instructions. Next to each computer on the list is a button that would allow me to connect to them! WTF! They essentially gave me access to every one of their clients’ servers where their backend accounting software is installed. What the fucking fuck? Are they brain dead? This is where all clients’ customers’ financial and PII data is stored.
I’m not an idiot, I didn’t connect to any of them.
Quit Emailing Credentials
I’m a good guy. I’m not going to do anything with this information besides complain. Yes, I’ll complain to them too. But there are plenty of people in the world who don’t have such good intentions. Seriously, we read about big companies getting breached every week.
Quit emailing passwords and other sensitive information. When you send an email it naturally gets copied several times over. And, more people than your intended recipient have access to the computers where that email is replicated. That’s the reason why secure protocols exist.
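The vendor’s message above is recognisable as a credential dump from its field labels alone (Password:, AccessCode:). As an added example that is not part of the original post, here is the kind of check a mail gateway or pre-send hook can run on outbound text to catch exactly that. The label list, the placeholder rule and the sample message are assumptions constructed for this example (the values are made up, not the redacted ones from the post).

```python
import re

# Field labels that commonly precede a secret in a pasted credential block.
# This list is an assumption for the example; extend it to match the habits
# of the vendors you actually deal with.
CREDENTIAL_LABELS = (
    "password", "passwd", "pwd",
    "accesscode", "access code",
    "api key", "apikey", "secret", "token",
)

# Match "<label> : <value>" or "<label> = <value>", case-insensitively.
_LABEL_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(l) for l in CREDENTIAL_LABELS) + r")\s*[:=]\s*(\S+)"
)

# Placeholder values that carry no secret and should not trigger a block,
# e.g. "<redacted>", "****", "[removed]".
_PLACEHOLDER_RE = re.compile(r"<[^>]*>|\*+|\[[^\]]*\]")


def find_credentials(text):
    """Return (label, value) pairs that look like credentials in free text.

    Labels are normalised to lower case; placeholder values are skipped so
    that a redacted quote of an old email does not count as a new leak.
    """
    hits = []
    for m in _LABEL_RE.finditer(text):
        label, value = m.group(1), m.group(2)
        if _PLACEHOLDER_RE.fullmatch(value):
            continue
        hits.append((label.lower(), value))
    return hits


def should_block(text):
    """True if the message should be held rather than sent."""
    return bool(find_credentials(text))


# Constructed sample modelled on the vendor's instructions (values invented).
SAMPLE_EMAIL = """Hi Adam,
Please find below instructions for making your computer available for remote connection:
eMail: helpdesk@example.invalid
Password: Summer2011
NickName: VendorCo
AccessCode: 4821
"""

if __name__ == "__main__":
    for label, value in find_credentials(SAMPLE_EMAIL):
        # Never echo the whole secret into logs; show just enough to triage.
        print(f"blocked: '{label}' field with value {value[:2]}***")
```

A rule like this is deliberately dumb: it keys on the labels people type when they paste a login into a message, which is the failure mode described above, rather than trying to guess whether a given string is "a password". Pair it with a hold-for-review queue rather than silent rejection so legitimate messages (a quoted, redacted complaint like this post) can still get through.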
How Long Has This Been Going On?
There’s no way to know the answer to that question for sure, but I can make a few guesses based on how people choose passwords. I didn’t include the password above, but let’s just say that it ended in 2011, like the year. It’s currently July, 2012. So my guess is that they’ve been using GoToMyPC.com like this for a year or more and they haven’t changed the password.
It’s GoToMyPc, Not LetMeGoToYourPc
I’m fairly certain that the GoToMyPC.com service wasn’t designed to be used this way. There are client/support style remote access services out there that allow tech support personnel to access client computers in the right way (certainly a more secure way).
Other Interesting Bits…
When I logged into their account (per their instructions) there were roughly 20 client computers available for connection, including the Help Desk Administrator who sent me the email! Apparently you can access their clients’ computers as well as several computers within their company network! This isn’t a small company either, which makes this even more scary.
It may be in their best interest to give a shit after all if people can get into their network (probably not though)!
Anyway, I’m done ranting. Even though it probably won’t change their behavior, I’ll let them know that I don’t think this is a good idea. That’s the least I can do.