Programmers with network engineering skills

William Herrin bill at herrin.us
Thu Mar 8 18:47:09 CST 2012


On Thu, Mar 8, 2012 at 5:24 PM, Lamar Owen <lowen at pari.edu> wrote:
> (18) No, our control protocol doesn't have authentication,
> it's up to the network to keep undesired users out. (I won't
> say what this software is, but suffice to say the package
> in which it was a part cost over $250,000).

Ten years ago there was a database this was true of: Filemaker. It was
designed to reside on a Windows network share but the files could be
placed on a Linux server instead. If you chose option 2, you got a
custom protocol presenting the database as an array of bytes
consisting of the entire raw database file.  Logging in meant that the
Windows app read the the file header, jumped to the user/password
section,  read the users and passwords and compared with the one you
supplied.

The TCP-based protocol requested no authentication: it received only a
byte offset and length in the raw file.

A colleague and I were asked to install an ISP billing system (!!)
built on top of this database. On objection, the ISP's owner insisted.
I understood where he was coming from: he was a technical guy who
built the then-existing system with scripting and an old DOS-based
database which he alone could operate, requiring him to spend gobs of
his time on the repetitive and thankless task of processing payments
month after month after month after month. He damn well wanted a
replacement and didn't much care what. Still...

We ended up stuffing the billing app on to a Windows Terminal Server,
rigging the server to run that app as the shell, and isolating the DB
machine behind it. Office users connected to the virtual server rather
than running the app locally.

The web portal for the billing app was fun too: it had the standard
stupidity where you change the sequential customer userid number in
the URL and got the next user's data without having to authenticate as
that user. We solved that one with a front end which handled auth and
re-wrote the customer request to the heavily firewalled web portal.

As I recall, we named the DB machine "HeartOfGold" because (A) it
contained all the customers' financial data and (B) there was
something improbable and more than a little crazy about how it came to
house the billing system.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004



More information about the NANOG mailing list