HTTP is your friend (or the story of a hack)
Two days ago, I started to write a command line client for Hypercube. It was actually the third implementation (I don't remember the first one, and the second one simply used to hijack the ajax gateway -- sending and receiving xml documents). This third implementation was meant to experiment with the new json based stuff. In itself it is very simple: a little command line tool which sends commands to the server using http. Its specifications are lightweight, its principles are elementary and it fits in less than 150 lines of code. I was particularly keen to write it because as much as the web front end of Hypercube is nice looking, I am still faster on an xterm (rather than clicking around on a screen); not to mention opening new ways to automatically test Hypercube.

The little problem that I had was that I obviously needed to be on the bank intranet to use it. Nothing would have been nicer than being able to use it from the external world, sitting in some random hotel room in Japan, for instance. Of course if one day I do find myself sitting in some random hotel room in Japan and get an email from someone needing something requiring my Hypercube credentials, I can always connect to the VPN server and do the job. But being who I am, I was wondering whether I could not have my client connecting to my servers without using any of my bank intranet credentials (no VPN, no ssh etc.). I wasn't sure that it could be done. After all, this is meant to be impossible, and generally believed to be impossible (or at least very hard). What makes it harder is the fact that those servers are obviously not connected to the internet.

I was about to give up and do more interesting things, when I remembered that something has always bugged me inside: the very basic idea of "information flow". Independently of all the security measures and all the protections that companies (in particular banks) put in place to protect themselves, the matter of fact is that data does flow from the external world to the internals of the bank. When a trader is sitting at his/her desk and reads bloomberg.com and suddenly sees something which sparks an idea and decides to do a given trade, information did flow from the external world to the internal world of the bank and had some effect.

I then decided that it could be done. On a purely mathematical (almost philosophical) level, data does flow from outside to inside the bank. This fact being fully acknowledged by my mind, my only problem was now to find a way to master this flow and make it work for me. I thought about it for a few minutes, and while doing so I purposely ignored everything I have ever heard software developers, IT managers and that kind of folks say. I mentally came back to the basics: mathematical description of the problem, mathematical solution of the problem. The solution then came quite naturally.

I suddenly went to one of my colleagues and said to him "you remember that client that I showed to you yesterday? I may have found a way to use it from the external world". He looked at me, smiled at me, and said "so... you have found a trick". I replied yes, but that to be sure I would like to actually see it working. It took me one hour, not because it was difficult, but because I needed to write a few lines of code in VBA. Exactly 16 lines of VBA code running as an Excel macro. And God knows that writing in VBA is painful to me (every line almost kills me).

Anyway, it did work (I tried from the McDonald's wireless network) and I don't remember having felt more excited in my life! Soon after I went to one of the Unix admins to show him what I had done. I was expecting an "Oh yes, we know this...", but his look at my screen suggested that he had never seen that one before. He looked a bit concerned, but I assured him that it was just a proof of concept. The interesting thing is that when I eventually showed him the blueprints of the solution, it was obvious that the only way to prevent this from ever happening in the future was to disallow internet access from anywhere in the bank, meaning shutting the entire bank down :-)

Anyway, I think that the moral of this story is the following: never believe people when they say that something is impossible when basic considerations show that it is not.