Tuesday, February 20, 2007

Bunker Buster
Software

From The Daily WTF today about the web portal of a certain (unnamed) government agency:

Whoever set up the servers must have had a hard time figuring out how to get the web server open to the “outside” while still being able to talk to the database server on the “inside.” So, he simply assigned both of them a routable IP address and exposed them to the “outside.” It didn’t help that all of the administrator passwords were kept as their default.

No matter, Jack was able to get it working and, after leaving the hosting facility, immediately called up his boss to explain the lax security situation. His boss had a rather odd explanation:

I know the security isn’t perfect, but this is an area we need to tread lightly on. The guy we’ve hired to maintain our servers has some mental issues and doesn’t respond well to criticism or working on Saturdays. I’d rather not upset him now, but I promise, we’ll get there soon.

Three months later, the servers are still completely unsecured and open to the Internet. One of them is currently participating as a zombie in a bot-net. And they’re still housed in one of the world’s most secure underground datacenters.
