claudetools/clients/glaztech/reports/2026-06-05-tom-message-draft.md
Mike Swanson 21043d42bd glaztech: minimal-Tom remediation path (v0.2) + Tom outreach draft
Grok + Gemini consensus reframe of the way forward: ACG-owned containment
(E-bucket, DB de-privilege, WAF, SQL network segmentation) is the real C0
reduction; the audience/network split is real only for the employee surface.
Tom's one within-skill ask = parameterize the 59 quo() SQL queries (ACG hands
him the exact lines); tokenized payments is a deferred scaffolded sub-project.
Steve Eastman gave ACG blanket approval to proceed (Tier A execution-cleared).
Includes a relief-framed draft message to Tom.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 10:18:55 -07:00


Draft message to Tom (for Mike's review before sending)

Channel: suggest a direct email or Teams/Slack to Tom — NOT buried in the #32378 security ticket (that ticket carries the full alarming findings; this message is intentionally light and solution-focused). Tone goal: lead with relief; one concrete, bounded ask; respect the 20 years; no threat-model dump.


Subject: Glaztech site — what we're handling, and the one spot we'd love your help

Hi Tom,

First off — thanks for everything you've kept running on the site over the years. It's a lot, and the last thing we want is to pile onto your plate. So here's the plan: we're taking the heavy lifting on the security side ourselves.

On our side — you don't need to touch any of this:

  • Locking down the server and tightening the database permissions
  • Putting a web application firewall in front of the site
  • Tightening the network/firewall around the database server

There's one place where your hands are really the right ones. There's a specific set of ~59 older SQL queries in the site that build their statements by stitching text together. We'd like to switch those to use parameters instead — it's the single highest-value code change for hardening the site, and it's a contained, repetitive update (no redesign, no new frameworks). We'll hand you the exact list — the files and line numbers — so you're not hunting for them. If it's easier, we'll hop on a quick call and walk the list together.

There is a bigger item further down the road — modernizing how saved cards/payments are handled — but that's a project we'll plan and scaffold with you when there's bandwidth. No rush, and we'll do the legwork around it; it's not something we're asking you to take on right now.

That's really the whole ask for now: the 59 queries (with the list in hand), and we cover the rest. Let me know what works for the walkthrough.

Thanks, Mike / Arizona Computer Guru


Notes for Mike (not part of the message)

  • Prerequisite before sending: ACG should run the §2a source grep first so the "exact list of 59 lines/files" is actually in hand when Tom replies — don't promise the list and then make him wait. (Assessment C3 names the files: ach.aspx.vb, quick-pay-ach.aspx.vb, quick-pay-pnc.aspx.vb, quick-pay.aspx.vb, order-detail* + the quo() definition.)
  • Held back deliberately (keep the first ask minimal): the customer-vs-employee path-map review and the /emp/ VPN-gating. Raise those as a separate, lighter touch once the 59-query ask is moving, or have ACG derive the map from logs/source and just confirm a couple of points with him.
  • Not mentioned: the full threat model, plaintext passwords, the domain-admin/msdb/xp_cmdshell chain — all ACG-side, handled without burdening Tom.
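Added illustration for the 59-query ask in the message and the quo() note above (not code from the Glaztech site): the stitched-text pattern next to its parameterized form in VB.NET with SqlCommand. The quo() body, the table and column names, and the parameter types are assumptions; the real quo() definition and the affected lines come from the §2a source grep.

```vb
' Added example, not from the Glaztech code base. quo() below is an assumed
' shape of the site's quote-and-escape helper; the real one is in the source.
Imports System.Data
Imports System.Data.SqlClient

Public Module QueryHardening

    ' Assumed legacy helper: wrap in single quotes, double any embedded quote.
    ' Escaping like this depends on getting every context right (numeric
    ' columns, LIKE patterns, encodings); parameters remove that question.
    Private Function quo(ByVal s As String) As String
        Return "'" & s.Replace("'", "''") & "'"
    End Function

    ' BEFORE: the statement is stitched together from text, so the database
    ' cannot tell where the query ends and the user-supplied data begins.
    Public Function LoadOrderBefore(ByVal cn As SqlConnection, ByVal orderId As String, ByVal customerEmail As String) As DataTable
        Dim sql As String = "SELECT * FROM orders WHERE order_id = " & quo(orderId) & _
                            " AND customer_email = " & quo(customerEmail)
        Dim da As New SqlDataAdapter(sql, cn)
        Dim dt As New DataTable()
        da.Fill(dt)
        Return dt
    End Function

    ' AFTER: same query and result set; the values travel as typed parameters
    ' and are never interpreted as SQL. This is the one-for-one change the
    ' message asks for: no redesign, just swap quo(x) for a named parameter.
    Public Function LoadOrderAfter(ByVal cn As SqlConnection, ByVal orderId As String, ByVal customerEmail As String) As DataTable
        Dim sql As String = "SELECT * FROM orders WHERE order_id = @order_id AND customer_email = @customer_email"
        Using cmd As New SqlCommand(sql, cn)
            ' Sizes and types are assumptions; match the real column definitions.
            cmd.Parameters.Add("@order_id", SqlDbType.VarChar, 32).Value = orderId
            cmd.Parameters.Add("@customer_email", SqlDbType.NVarChar, 256).Value = customerEmail
            Dim dt As New DataTable()
            Using da As New SqlDataAdapter(cmd)
                da.Fill(dt)
            End Using
            Return dt
        End Using
    End Function

End Module
```

A quick check after the change: grep the four files for any remaining `quo(` calls inside a SQL string build; when that count reaches zero the list is done.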