Scott Robinson (quadhome) wrote,

Month 1 Complete!

The month hasn't gone quickly, but that is because it has been full of new things.

As I had mentioned earlier, I'm living in Richland and attending an internship at PNNL. The work there is challenging, interesting, and worst of all secret. Enough of that. While I wait for the Fat Man / Little Boy combination I just dropped on my skin to work its magic, it's story-time!

I accidentally hacked into a website at work. You see, Battelle, the organization administrating PNNL, is primarily a research company. Therefore, when you hire on they have you sign a document stating all ideas you think up while employed with them are their property. It's your responsibility to write and give them up. However, this doesn't necessarily mean that employees want to go through this process.

Each division has its own methods of encouraging the inventing process. In the case of IS&E (my division), we have a seed proposal contest. There is a website that opens up for a couple of weeks where any IS&E employee can submit their good idea. You just need to do a single page write-up with the background and core idea. A review committee then takes those proposals, votes, and gives some minimal amount of cash to the winner in order to seed their idea. Afterward, all the proposals are made public - presumably to ferment more good ideas.

I didn't quite understand that last part.

I submitted a proposal, because I figured it would be the good intern thing to do. My proposal's URL was something like "http://secretserver/proposal?ID=81". On the left bar of the website is a link that says, "browse proposals." Well, I think, screw using whatever crappy Web 2.0 controls they have set up for surfing the proposals. I'm curious what other people have thought up. So, I decremented my URL to "80." Heeeey, this is a pretty cool idea - though not something I would really be interested in. Poof again - ok, this idea isn't so great...

And on and on and on my cubicle-mate and I kept going. We read through every single proposal. Then we got to ID #20. WARNING: Nerd speak starts here. The website rendered properly, but the text displayed an internal MySQL error message. This particular error message made me think the ID parameter was being passed in unquoted and an SQL injection attack would be possible. I tested the theory by supplying an ID of "= and found confirmation. I promptly e-mailed the administrator of the website and life went on.
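Added example (not code from the post or from the site described) showing, in Python over an in-memory SQLite table, the two weaknesses the last two paragraphs describe: an ID pasted into the query unquoted, so a probe such as `"=` surfaces a raw database error, and sequential IDs with no authorization check, so unpublished proposals can be read simply by walking the number down. The table contents, author names and the `proposals_public` flag are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the proposal table; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE proposals (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany("INSERT INTO proposals VALUES (?, ?, ?)", [
        (20, "Idea twenty", "colleague_a"),
        (80, "Idea eighty", "colleague_b"),
        (81, "My intern proposal", "intern"),
    ])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Reproduces the bug described in the post: the ID parameter is pasted
    into the SQL text unquoted, so a malformed value reaches the database and
    the raw engine error message is handed back to the page (the leak that
    revealed the injection)."""
    try:
        sql = "SELECT id, title FROM proposals WHERE id = " + raw_id
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "DB error: %s" % exc

def lookup_hardened(conn, raw_id, viewer, proposals_public):
    """Fixed version: the ID is validated and bound as a parameter, database
    errors never reach the caller, and before the publication date only the
    proposal's own author may read it, so walking IDs downward finds nothing."""
    try:
        pid = int(raw_id)
    except ValueError:
        return None  # generic not-found instead of an engine error message
    row = conn.execute(
        "SELECT id, title, author FROM proposals WHERE id = ?", (pid,)
    ).fetchone()
    if row is None:
        return None
    if not proposals_public and row[2] != viewer:
        return None  # authorization check independent of the ID being guessable
    return (row[0], row[1])
```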

But, not really. The administrator was a nice guy and patched up his hole, and thanked me for my sharp eyes. Several hours later, he sent me an accusatory e-mail about how I was such a black hat and could get in trouble for having read all the proposals! Comparisons and analogies were made to HR records and what deep shit I hypothetically could be in.

I was shocked! The site says "browse applications" on the side and "share" on the top! What have I done wrong?! I clicked on those links - which then redirected me to a page politely informing me the proposals are to be publicly available July 1st.

Well, crap. I apologized and he said it was ok. I forwarded all relevant communications to my bosses, just to be honest and open. Some of them thought it was funny, and some of them recommended I stay closer on task.

I guess this makes me a work blogger. Here is hoping I don't get fired for giving up the goods! Until next time, when I'll talk about the other interns, my hilarious workspace, commuting, tacos, and roommates Julie and Johnna...

Tags: spewing