Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.
  1.
     
    This is a post to discuss the way the store network is set up. The purpose of this thread  
    is NOT to screw Fry's. I'm sure most of us would love that, but in actuality this post  
    will hopefully help them to put better security practices into effect. I don't know if the  
    stores configure their networks differently, so as far as I know this only applies to  
    Store 25 (San Marcos).  
     
    Since we have non-employees that read these posts, I'm going to try to explain everything  
    I know about the Fry's network.  
     
    First of all, there is only one computer in the store that has total internet access. It  
    is located in the Service department in a red-carpeted area, and is commonly referred to  
    as "the red carpet computer". This computer is not on the same network as any other  
    computer in the store, so it doesn't have access to the Samba server, the POS, or even the  
    credit card application. Customers are allowed to use this computer to look up information  
    related to the products they are buying while an associate stands watch behind them.  
     
    The rest of the computers have VERY limited access to the internet. There are only 3  
    websites that I know of that can be visited, which are:  
     
    http://www.frys.com (also http://www.outpost.com)  
    http://www.microsoft.com  
    https://webmail.i.frys.com  
     
    Everything else returns a 403 Forbidden. I have not looked into outside access to the  
    network yet, so everything below is going to assume internal access.  
     
    Unfortunately, this store does not have any kind of wireless access. The only wireless  
    network in the store is in the service department, presumably so they don't have to go to the  
    red carpet computer to use the internet. I believe it is protected with WEP encryption,  
    but I can't remember.  
     
    All of the other computers use the Novell ZENworks client, which can be read about here:  
    http://en.wikipedia.org/wiki/Zenworks  
    From what I can tell, version 3.0 is the latest being used (whereas version 7.0 is the  
    latest release). As far as I know, the only login that allows administrator access is the  
    service department login. However, I've noticed that it is possible to log in to the  
    workstations individually as "Administrator" with no password.  
     
    The store uses several shared folders on a Samba Server named "fss025db". The two main  
    folders that are accessible from nearly every computer in the store are "psqldata" and  
    "public". The red carpet computer seems to have access to several more shares, but I  
    haven't had time to check it out.  
     
    The public folder contains all the files needed for the operation of the Novell client  
    used for logging into the network. I haven't found anything too interesting here, except  
    that I was unable to copy 'command.com' in the 'V6.22' folder because my computer claims  
    it is a virus, with the annoyingly cryptic explanation "Virus identified fis". The public  
    folder is read-only access.  
     
    The psqldata folder is far more interesting. Various folders on this drive contain just  
    about everything used in the store, including:  
     
    - All the programs used in the store, like the P.O.S., scheduling app, price changer, cage program, delivery scheduler, and something called Store Master (I'm not sure what it does). These can be found in ~/pos/EXE, but none of them can be used without the proper login.  
     
    - The schedules for the entire store and several coverage reports. These usually have a .rpt extension, and can be read quite easily if opened in WordPad. They can be found in ~/kronos/COVERAGE.  
     
    - Sales reports for the store. These are the same format as the schedules and coverage reports, but I can't remember which folder they're in as they weren't one of the things I was able to grab.  
     
    - Messages from corporate about changes in the store. Again, it wasn't in the folders I was able to get, but I remember it being pretty obviously named 'corporate' or something.  
     
    Now, it seems like an incredibly unsafe practice to have all these kinds of files easily  
    accessible from any computer in the store. Without even trying I now have a lot of information  
    you'd think would only be given to those in management positions. Now the absolute worst  
    part of this is that the entire psqldata folder is read/write access, meaning that a  
    disgruntled employee could delete EVERYTHING. Sure, there's bound to be backups, but just  
    think how fucked the store would be for a few hours while they figure out what the hell is  
    going on. I can't fathom the reasoning behind making the root folder read/write instead of  
    just the folders used for scheduling and such. I'm sure this will have repercussions for  
    them someday if they don't change it.  
     
    I think I'll end this post there and see if anyone has anything else to add before going  
    any further.  
     
    Edit: Typed this elsewhere, so I fixed the layout so it's MUCH more readable.  
     
    Removed by admin
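An added example, not from the thread or from Fry's: the post above describes a Samba server ("fss025db") with a read-only "public" share and a "psqldata" share whose whole root is read/write from every workstation. The checker below parses an smb.conf-style text and reports which shares are writable, by whom, and whether a share is world-writable (writable, guest-accessible, and not restricted to a user list). The two configurations it ships with are constructed to mirror the layout the post describes and to show one way to fix it in Samba terms: keep the root share read-only and export only the scheduling subtree as a separate writable share limited to a group. Share paths, group names (`@storemgmt`, `@scheduling`) and the server settings are assumptions for the example.

```python
"""Offline audit of Samba share definitions for world-writable shares.

Example code written for this thread, not the store's real configuration.
The two smb.conf texts below are CONSTRUCTED to mirror the layout the first
post describes (read-only "public", read/write "psqldata" on fss025db).
"""
import configparser

YES = {"yes", "true", "1"}

# Constructed "before": the root of psqldata is writable by anyone who can
# reach the server, which is the situation the first post complains about.
SMB_CONF_BEFORE = """
[global]
workgroup = FRYS
server string = fss025db
security = user
map to guest = Bad User

[public]
comment = Novell client files
path = /srv/samba/public
read only = yes
guest ok = yes

[psqldata]
comment = Store data (POS, kronos, reports)
path = /srv/samba/psqldata
read only = no
guest ok = yes
"""

# Constructed "after": the root share is read-only for the floor, managers get
# write access via a write list, and only the scheduling subtree is exported
# writable, restricted to a hypothetical scheduling group.
SMB_CONF_AFTER = """
[global]
workgroup = FRYS
server string = fss025db
security = user
map to guest = Never

[public]
comment = Novell client files
path = /srv/samba/public
read only = yes
guest ok = no

[psqldata]
comment = Store data, read-only from the floor
path = /srv/samba/psqldata
read only = yes
guest ok = no
write list = @storemgmt

[kronos]
comment = Scheduling data, writable by the scheduling group only
path = /srv/samba/psqldata/kronos
read only = no
guest ok = no
valid users = @scheduling
"""

WRITE_KEYS = {"writable", "writeable", "write ok"}   # synonyms of "read only = no"
GUEST_KEYS = {"guest ok", "public"}                  # synonyms


def _truthy(value):
    return value.strip().lower() in YES


def audit(conf_text):
    """Return {share: {...}} describing the effective write exposure of every
    non-global share.  Samba honours the last occurrence of a parameter, so
    the synonyms are resolved in file order."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        writable = False          # Samba default: read only = yes
        guest = False             # Samba default: guest ok = no
        write_list, valid_users = [], []
        for key, value in cp.items(share):
            key = key.lower()
            if key == "read only":
                writable = not _truthy(value)
            elif key in WRITE_KEYS:
                writable = _truthy(value)
            elif key in GUEST_KEYS:
                guest = _truthy(value)
            elif key == "write list":
                write_list = value.split()
            elif key == "valid users":
                valid_users = value.split()
        report[share] = {
            "path": cp.get(share, "path", fallback=""),
            "writable": writable,
            "guest": guest,
            "write_list": write_list,
            "valid_users": valid_users,
            # The finding from the thread: a whole tree that any connecting
            # user, guests included, can modify or delete.
            "world_writable": writable and guest and not valid_users,
        }
    return report


def findings(conf_text):
    """Sorted names of shares that are writable by anyone."""
    return sorted(s for s, r in audit(conf_text).items() if r["world_writable"])


if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(f"{label}: world-writable shares = {findings(conf)}")
        for name, r in audit(conf).items():
            print(f"  [{name}] path={r['path']} writable={r['writable']} "
                  f"guest={r['guest']} write_list={r['write_list']} "
                  f"valid_users={r['valid_users']}")
```

Run it against a real smb.conf by reading the file into `audit()`; on the constructed "before" text it flags `psqldata`, on the "after" text it flags nothing because the only writable share is limited to `valid users`. Note that a `write list` on a read-only share is the Samba way to give a named group write access without opening the root to everyone.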
  2.
    Excellent analysis, I visit store 25 all the time (hope to work there someday, still in high school) and I've never seen the "Red Carpet Computer".... is there actually a red carpet near it? The only computer I've seen go anywhere other than the three domains you listed is a computer in the memory/networking area, I saw an associate on corsair.com checking for RAM compatibility. Anyway, this is pathetic, you'd think Fry's of all stores would have a decent POS system and well-secured network. Also what's with the supervisor passwords (on the POS)? Every time I want to return something, or every time I buy something that has to be retrieved from the cage, I always have to wait while they get a supervisor to put in their password... I don't mind the wait at all, but it seems pretty pointless. Sups always put in the password without even looking at the screen or asking what's going on, so it seems pretty pointless to have them there at all.
  3.
    I forgot about the Corsair thing. It's called the "Corsair Memory Configurator" and is actually a locally stored page.  
     
    The passwords are merely another poorly designed security protocol. The idea is that the sups will have to OK the use of gift certificates, returns, and verify that the cashiers got the right thing out of the cage. It's one of Randy's great policies that you should never trust the employee. The problem is that it is way overused and the sups never double-check anything since they're so busy.
    asdf, Dec 11th 2007:
    How do you know so much? I think they are mapping the database network drive directly to the systems, then using an ODBC connector to access that file. It's a really stupid way of doing these things, especially when it comes to security and performance. Can you imagine all those file locks? No concurrent writes can happen and you must wait for the flock to release. I just can't understand why they did not build a service-oriented architecture the normal way.  
     
    Oh yeah, btw you should be able to access many vendor websites like Sony, Samsung, LG, Emprex, Sprint, Nextel, AT&T, Fujitsu and other major manufacturers' websites. They need these sites open for financing, signing up people for services, driver and software downloads, and other informational purposes.
  4.
    I'm not sure what you mean, but everything I know I've learned from simply exploring. Heavily exploring the shares I can access, taking files home with me, and keeping my eyes and ears open are all regular practices for me. The sad thing is, instead of people like me being listened to and/or being asked for help, we're usually just fired, no matter what organization you're a part of.
  5.
    And yes, the area that the computer is in actually has red carpet. It's to the right of service, right before the manager's office.
  6.
    Oh yes, the one with the crappy black Daewoo CRT monitor, I remember now. It's always on the Fry's credit card app.
    Punkzilla, Dec 12th 2007 (edited):
    weirdlookinguy: Oh yes, the one with the crappy black Daewoo CRT monitor, I remember now. It's always on the Fry's credit card app.  
     
    It's a white NEC CRT, and it's after the manager's office, right after you take a right once you enter the store.  
     
    I shit trains, Now what?
  7.
    Apparently there are a lot of folders accessible on the network that you can't readily see. I found a storage area used by the internal mail system that had a lot of files, like the templates for signs, various sheets, schematics, and lots of coachings on various employees. It was located at something like "//FSS_025/MAIL/COMPUTERS/MANAGERS", with one for every department. I know the format is just about the same for other stores, because I can see the shares for every Fry's store on the network, I just can't access most of them.
  8.
    Right, the one with the white NEC monitor. It's inside the service dept. area, but there's a plexiglass window and a counter separating it from the service area, right?  
     
    I thought you meant the one with the black Daewoo monitor (I think it says LuComs on it, but it's actually a Daewoo). I notice details like this everywhere I go but I never look at the floor :D
  9.
    I'm not a computer wiz, but I was bored one day and decided to play around with the command prompt. Playing around, I was actually able to access what seemed to me to be home office computers. I remember it being G:/ or something similar. I poked my head around various files before I was scared off by the manager. The file system seemed very insecure; as far as I know I was actually able to access and modify(?) home office files. Does anyone know more about this?
    asdf, Dec 19th 2007:
    Yeah, the files are mapped right on the server. You can easily wipe out the network drives. Plus you should be able to edit core database files with OpenOffice Database, as it has the ability to read db files with an ODBC connector.