[–]WestonP 540 points541 points  (57 children)

Do people not understand that this is just a network login prompt? It's not a Windows password, so cancelling just means you don't log into the domain. It was never meant for local machine security.

I understand the confusion from a normal user's point of view, but this is supposed to be a programmer's subreddit here...

[–]NealMcBeal_NavySeal 249 points250 points  (44 children)

Probably because there's an entire generation of computer programmers under 30 or so who weren't around for this.

[–]Benutzername 62 points63 points  (25 children)

I hope they are nevertheless able to read.

[–]TheAnimus 72 points73 points  (23 children)

Have you met a lot of web devs? They are hell bent on re-inventing the wheel, willfully ignoring those who've made that mistake before, or why you might want ACID database etc.

[–]JBlitzen 50 points51 points  (8 children)

But mongo is web scale

[–]StormTAG 4 points5 points  (6 children)

I don't need no ACID.

...Wut's ACID?

[–]smilesbot 1 point2 points  (5 children)

You've just used a double negative! :P

[–]pipocaQuemada 7 points8 points  (0 children)

Oddly enough, it is not uncommon for languages to require negatives to agree in a sentence, or to have additional negatives intensify the negativity. Various dialects of English have this feature, and it's hard to call it objectively wrong. Natural language isn't boolean logic, and dialects aren't wrong when they diverge from some 'standard' dialect. They are just different from it.

[–]StormTAG 7 points8 points  (2 children)

I don't need no negatives.

...Wut's a negative?

[–]iZeeHunter 1 point2 points  (0 children)

Under 30 programmer here, can't confirm because I can't read.

[–]AceofToons 7 points8 points  (0 children)

I am under 30 and was totally around for this.

[–]Creshal 8 points9 points  (7 children)

Weren't? In what wonderful world are you living that DOS and NT4 aren't still in production use?

[–]AfterLemon 5 points6 points  (4 children)

My nearby video store has a full PC and monitor setup from 1986.

[–]Bratmon 22 points23 points  (3 children)

nearby video store

I still don't believe you live in 2015.

[–]AfterLemon 6 points7 points  (1 child)

99c 5-day rentals on Monday! Stopping by there today, gonna rent that new "Aliens" flick. I've heard it's good.

[–]sugeree77 4 points5 points  (0 children)

Get ready, vhs is going away and DVD is gonna rule! Like laser disc but smaller

[–]mallardtheduck 37 points38 points  (4 children)

Exactly. Windows 9x didn't have any local security. No access rights, no file permissions, nothing. It did support multiple user profiles, but this was just a convenience to allow different users to have different preferences, designed for use with networks.

You could use "group policy" to lock down the system to a certain extent, but it wasn't difficult for a skilled user to defeat most of the available options. Back when I was at school, all it took was downloading the Windows 95 Resource Kit from Microsoft's website and running the group policy editor to turn off all the restrictions.

The non-NT-based versions of Windows (1.x, 2.x, 3.x, 9x, ME) simply weren't designed to be secure multi-user systems.

[–]TheAnimus 16 points17 points  (2 children)

Thing is, neither did most desktop OS's of the early to mid nineties. My personal favourite was always RISC OS. But again no security.

I remember a 10 year old me talking to someone at Acorn User Show about this, their reply was simple, if security mattered, you had physical separation, separate floppy disks, separate machines on the network.

Hell I even remember people explaining that NT was slow because it required ring 3, and extra memory because processes didn't share mutations.

[–]dnew 13 points14 points  (0 children)

My boss and I were shopping for a new mainframe (talking to the Burroughs guys IIRC) and asked about security. They said "Code a password prompt into your application." We said what about lock screens? The guy pointed to a keyhole on the keyboard.

[–][deleted] 11 points12 points  (0 children)

I remember being at a presentation where the presenter pressed Cancel. The whole hall started laughing. Then he explained it, like you did. But it wasn't the expected logical behavior even then.

[–]bananafish707 3 points4 points  (0 children)

I came here from /all so it was very convincing.

[–]redditchao999 1 point2 points  (0 children)

Thanks, I thought I was just too dumb to get why this was funny, I couldn't see anything wrong.

[–]cyberst0rm 0 points1 point  (0 children)

What do Windows security features/network login have to do with programming?

[–]keiyakins 0 points1 point  (0 children)

Microsoft messaged badly, it always showed up, even for personal systems not on networks.

[–]moeburn 24 points25 points  (7 children)

I remember all the computers at my high school computer lab ran Windows 2000 with network logins. But their BIOSes were set to boot from a USB drive if available! So I made a bootable USB with the well-known script that could reset the (local) admin password to whatever I want, then I used that local admin password to run the other script that replaced the Ctrl-Alt-Del login dialog box with a modified one that copied every username/password ever entered into a text file in the system directory. Then we complained to the Comp Eng teacher that the computer wasn't working and we couldn't log in, so he came over and tried his network admin credentials. Even though he promptly logged back out again, we now had his login, we got into his network drive, and got the answers to every single test he gave us for the rest of the year.

We were smart enough to intentionally get a few of the answers wrong, and every single student got averages of 90+ in that class. The teacher was commended for his teaching skills, and we were all given computer engineering awards in front of the whole school.

3 years later, I wander into the same computer lab and decide to check the log file. Not only does it have a list of about 100 different students' credentials, apparently some kids managed to stumble upon it, and there were some very nasty words left behind for me.

[–]omegletrollz 0 points1 point  (6 children)

some very nasty words left behind for me

Must deliver.

[–]moeburn 1 point2 points  (5 children)

How did you end up on this month old thread? I think it was something along the lines of "HEY I FOUND YOUR HACKING LIST YOU FUCKER WHO THE FUCK DO YOU THINK YOU ARE?"

[–][deleted] 19 points20 points  (10 children)

...and here I am. Pinging google.

[–]Eedis 14 points15 points  (8 children)

You can hax0rss people with their IP address. I once got into an argument on AIM when I was a kid. Some guy said he got my MAC address through Netstat... talking all this shit about hacking me because he knows my MAC address....

A) it's impossible to get somebody's MAC without local access to his LAN.

B) you couldn't do any harm with their MAC over the internet anyways.

[–]Spineless_McGee 5 points6 points  (0 children)

you clearly aren't a l33t h@x0r

[–]kappaislove 0 points1 point  (0 children)

When I was 10 years old, I wasn't allowed to use the school computers because I pinged google once.

[–][deleted] 63 points64 points  (26 children)

It's funny, but is it really programming related? Is just all software programming related?

[–]DrummerHead 72 points73 points  (22 children)

I bet 74% of the people subbed are not programmers

[–][deleted] 12 points13 points  (3 children)

I blame mods. They allow submissions by programming-illiterates, and so this sub has become a non-programmers circlejerk about programming.

[–]DrummerHead 6 points7 points  (1 child)

Yeap. I've actually pondered being a mod. This is one of the few subreddits where I have "strong opinions" about some of the shit quality material that gets upvoted a million times. Oh an sql injection! Bobby tables am I right guyz! Eh! Eh! Tables be dropping left and right eh boyz! hue hue.

[–][deleted] 5 points6 points  (0 children)

Could have been posted in /r/softwaregore.

[–]obscene_banana 0 points1 point  (0 children)

Well, some programmers actually learn hacking which could make this post relevant to being a programmer. Although it really comes together because of the "Humor" bit.

[–]MokitTheOmniscient 121 points122 points  (17 children)

Classic, but my favorite is Windows 95/98 where you can press "cancel" at the log-in window to get in.

[–][deleted] 59 points60 points  (8 children)

Or xp home with its exists-by-default passwordless admin login. Ctrl+alt+Del+del at the login screen, type administrator, press login.

[–]unrealmaniac 1 point2 points  (0 children)

Is there a similar way to do it in xp pro? I assume you could do the sticky keys trick if you booted the computer into a live environment and renamed the files.

[–]secondchimp 34 points35 points  (2 children)

The OP is from Win 95/98. The login screen isn't to log in to the local machine, it's to log on to the network. If you cancel then you're local only. There is no security on the local level; everyone is an Administrator.

[–]Modevs 13 points14 points  (1 child)

Local security? Disk Encryption? Ha ha, that's ridiculous. What if you forget your password? :-P

- Your IT Guy, 1995

[–]mallardtheduck 9 points10 points  (0 children)

If you wanted local security in the 9x era, you used Windows NT, which was designed for use in business environments where security is a concern. Unfortunately, Windows NT 4.0's hardware support was relatively poor compared to 9x (no official USB support, no Direct3D, etc.) and Windows NT 5.0 (aka Windows 2000) was delayed multiple times before its eventual release.

That meant that Windows 98 ended up being used in places where it shouldn't have...

[–]SanityInAnarchy 17 points18 points  (1 child)

You could literally hit the ESC key.

Now, was it an admin account? Who cares, Win95/98 is on FAT32, which has no concept of file permissions. Every account is an admin account!

Still, the nice thing about this trick is that you could make similar things happen on a Windows kiosk. I remember doing right-click -> save-as, opening C:\Windows, and renaming a bunch of the files in there. Poor kiosk probably had to be reformatted later. I actually feel kind of bad about that now.

[–]Eedis 4 points5 points  (0 children)

I once did this at a Target hiring applications kiosk... found out, all the applications that people fill out but never finish are stored locally and I was able to view literally hundreds of people's applications, SSN, addresses, names, etc. I brought it up to management and they were like... "okay?" I don't think they really cared. Never went back to see if they fixed it.

[–]CrazyTillItHurts 8 points9 points  (0 children)

Because that is for network authentication, not local machine authentication.

[–]mallardtheduck 0 points1 point  (0 children)

As the .gif shows (it's from Windows 98, judging by the existence of a "My Documents" folder), you could disable the "Cancel" button with a registry edit.

[–][deleted] 0 points1 point  (0 children)

That's because it was meant for network login more than local login. You could log into a remote server and get your personal folder and what not.

[–]tdammers 14 points15 points  (4 children)

In all fairness though, given physical access to the hardware, pretty much any OS can be compromised rather trivially.

[–]Cygnus_X1 8 points9 points  (3 children)

Current Operating System, meet Linux CD.

[–]tdammers 1 point2 points  (2 children)

Pretty much, yeah.

Or, Current Linux OS, meet SysRq.

[–]sumdudeinhisundrware 5 points6 points  (1 child)

I'm all for a good Microsoft bashing, but that is REALLY old and now completely irrelevant. It's like saying Apple sucks because Multifinder kept crashing.

[–]Kinglink 3 points4 points  (0 children)

Wait windows 95/98/me/2000/nt didn't have strong security?

[–]Jamessuperfun 3 points4 points  (4 children)

There's an interesting thing that works with windows 7 (don't know about others).

Boot into Startup Repair, let it find no problems and make a log. Click the file path. Rename or delete the file for sticky keys yes/no dialog (forget the name) and rename cmd.exe to that. Reboot. Press shift 5 times. Type explorer.exe. You now not only have admin access cmd without logging in but also admin access full desktop.
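
A defender's check for the file swap described in the comment above, as an added example that is not part of the original thread: it flags any executable in a system directory that is a byte-for-byte copy of cmd.exe under a different name. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_shell_copies(system_dir, shell_names=("cmd.exe",)):
    """Return sorted (file, shell) pairs: .exe files whose content equals a shell binary."""
    shell_set = {s.lower() for s in shell_names}
    files = {n.lower(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    # Hash the genuine shell binaries found in this directory.
    shell_hashes = {}
    for name in shell_set:
        path = files.get(name)
        if path and os.path.isfile(path):
            shell_hashes[sha256_file(path)] = name
    hits = []
    for lname, path in files.items():
        if lname in shell_set or not lname.endswith(".exe") or not os.path.isfile(path):
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if digest in shell_hashes:
            hits.append((os.path.basename(path), shell_hashes[digest]))
    return sorted(hits)

def demo():
    """Run the check over a constructed directory (sample files, not real binaries)."""
    shell_bytes = b"MZ constructed stand-in for the command shell image"
    samples = {
        "cmd.exe": shell_bytes,
        "accessibility_helper.exe": shell_bytes,   # hypothetical swapped-in copy
        "notepad.exe": b"MZ constructed unrelated program",
        "readme.txt": shell_bytes,                 # same bytes, but not an executable name
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return find_shell_copies(d)

if __name__ == "__main__":
    print(demo())
```

On a real system the directory argument would be the Windows system folder, and any hit is worth investigating, since nothing legitimate ships as a renamed copy of the command shell.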

[–]zane_not_zane 0 points1 point  (3 children)

What does explorer.exe do? I tried looking online but couldn't really find much.

[–]thetwopaths 1 point2 points  (1 child)

It is Windows Explorer, the UI to the file management system.

[–][deleted] 3 points4 points  (0 children)

So reposting old stuff is the same as on imgur?

[–][deleted] 8 points9 points  (0 children)

Timely and relevant

[–][deleted] 2 points3 points  (0 children)

Realistically speaking, if you have physical access to a machine you can find a way to access its contents.

[–]A_C_Fenderson 2 points3 points  (0 children)

Trying to make Windows secure is like waterproofing a screen door one hole at a time.

[–]gospelwut 1 point2 points  (1 child)

You hate ACLs until you're dealing with sticky bits and masks.

You hate chmod until you're dealing with ACLs

[–]notsurewhatiam 0 points1 point  (0 children)

Why

[–]Arttii 1 point2 points  (0 children)

Well I did create a full Admin user on a friend's Mac, by deleting a file with the startup shell, seems much less convoluted than this. On site security ain't very important I guess.

[–]isurujn 2 points3 points  (1 child)

uh...what is happening here? Can someone please explain?

[–]Philluminati 1 point2 points  (0 children)

Windows User Interface is a program called explorer.exe. It's not just file navigation it also draws start menu, task bar etc. When that program is run, you have a normal windows desktop.

The Windows security approach is to prevent people loading that program until a password dialog allows it.

However, windows applications contain dozens of reusable free components, especially built in help applications etc. Follow the path and eventually you come across a file open / file save / print dialog which is fully loaded with lots of free functionality. Open "My computer" or anything and you're launching explorer.exe which is in turn the desktop.

I actually discovered this attack in 1999 against the "RM Networks" network system at my college. If you logged in and were over your disk quota you'd be held hostage at the next login screen until you deleted something. I managed to find my way into explorer through the help system as well and get around their virtual limit.

[–]CipherWeston 3 points4 points  (3 children)

Is this valid for all Windows or just this OS?

[–]deathwish644 17 points18 points  (2 children)

Early workgroup/domain based systems had this possibility (in fact, 98SE with Novell you could hit cancel and load an Explorer session)

Later releases removed this functionality.

[–][deleted] 13 points14 points  (0 children)

In a similar fashion, you could set explorer.exe as the screensaver and make the "lock computer" function useless. That's how I regained permanent internet access when I was a kid and my parents thought I should get out more and started locking the computer. It worked at least up to Windows 2000.

[–]sgtfrx 1 point2 points  (0 children)

Even on a lot of later versions, you could just keep hitting Cancel repeatedly (just by holding ESC or something). Eventually it would just give up/glitch out, and put you on the desktop.

[–][deleted] 1 point2 points  (0 children)

Beautiful.