claudetools/clients/glaztech/reports/2026-06-05-tom-message-draft.md
Mike Swanson 21043d42bd glaztech: minimal-Tom remediation path (v0.2) + Tom outreach draft
Grok + Gemini consensus reframe of the way forward: ACG-owned containment
(E-bucket, DB de-privilege, WAF, SQL network segmentation) is the real C0
reduction; the audience/network split is real only for the employee surface.
Tom's one within-skill ask = parameterize the 59 quo() SQL queries (ACG hands
him the exact lines); tokenized payments is a deferred scaffolded sub-project.
Steve Eastman gave ACG blanket approval to proceed (Tier A execution-cleared).
Includes a relief-framed draft message to Tom.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 10:18:55 -07:00

# Draft message to Tom (for Mike's review before sending)

**Channel:** suggest a direct email or Teams/Slack to Tom — NOT buried in the #32378 security ticket
(that ticket carries the full alarming findings; this message is intentionally light and solution-focused).

**Tone goal:** lead with relief; one concrete, bounded ask; respect the 20 years; no threat-model dump.

---

**Subject:** Glaztech site — what we're handling, and the one spot we'd love your help

Hi Tom,
First off — thanks for everything you've kept running on the site over the years. It's a lot, and the
last thing we want is to pile onto your plate. So here's the plan: **we're taking the heavy lifting on
the security side ourselves.**

On our side — you don't need to touch any of this:

- Locking down the server and tightening the database permissions
- Putting a web application firewall in front of the site
- Tightening the network/firewall around the database server

There's **one** place where your hands are really the right ones. There's a specific set of **~59 older
SQL queries** in the site that build their statements by stitching text together. We'd like to switch
those to use parameters instead — it's the single highest-value code change for hardening the site, and
it's a contained, repetitive update (no redesign, no new frameworks). **We'll hand you the exact list —
the files and line numbers — so you're not hunting for them.** If it's easier, we'll hop on a quick call
and walk the list together.

There is a bigger item further down the road — modernizing how saved cards/payments are handled — but
that's a project we'll plan and scaffold **with** you when there's bandwidth. No rush, and we'll do the
legwork around it; it's not something we're asking you to take on right now.

That's really the whole ask for now: the 59 queries (with the list in hand), and we cover the rest.

Let me know what works for the walkthrough.

Thanks,
Mike / Arizona Computer Guru

---

### Notes for Mike (not part of the message)

- **Prerequisite before sending:** ACG should run the §2a source grep first so the "exact list of 59 lines/files" is actually in hand when Tom replies — don't promise the list and then make him wait. (Assessment C3 names the files: `ach.aspx.vb`, `quick-pay-ach.aspx.vb`, `quick-pay-pnc.aspx.vb`, `quick-pay.aspx.vb`, `order-detail*` + the `quo()` definition.)
- **Held back deliberately** (keep the first ask minimal): the customer-vs-employee path-map review and the `/emp/` VPN-gating. Raise those as a separate, lighter touch once the 59-query ask is moving, or have ACG derive the map from logs/source and just confirm a couple of points with him.
- **Not mentioned:** the full threat model, plaintext passwords, the domain-admin/`msdb`/`xp_cmdshell` chain — all ACG-side, handled without burdening Tom.
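For the walkthrough with Tom, an added example (not part of the draft and not code from the Glaztech site) of what the 59-query change looks like in ASP.NET VB: one stitched query beside its parameterized replacement, including the LIKE case that usually trips people up during this kind of conversion. It assumes the site's `quo()` helper single-quotes a value; the `Orders` table, its columns, and the parameter types/lengths are placeholders to be matched against the real schema.

```vb
' Added example, not code from the Glaztech site. Shows the change that the
' "~59 older SQL queries" ask repeats: stop stitching values into SQL text and
' pass them as typed parameters instead.
Imports System.Data
Imports System.Data.SqlClient

Public Module OrderQueries

    ' Assumed shape of the site's quo() helper: wrap in single quotes, double
    ' any embedded quote. The real definition lives beside the 59 call sites.
    Private Function quo(ByVal value As String) As String
        Return "'" & value.Replace("'", "''") & "'"
    End Function

    ' BEFORE: the statement is built by stitching text together. The only thing
    ' between user input and the SQL parser is quo()'s escaping, and any call
    ' site that forgets quo() has nothing at all.
    Public Function FindOrdersStitched(ByVal conn As SqlConnection, _
                                       ByVal customerId As String, _
                                       ByVal namePart As String) As DataTable
        Dim sql As String = "SELECT OrderId, Total FROM Orders WHERE CustomerId = " & _
                            quo(customerId) & " AND CustomerName LIKE " & _
                            quo("%" & namePart & "%")
        Return Run(New SqlCommand(sql, conn))
    End Function

    ' AFTER: same query, same result set. Values travel as typed parameters and
    ' never become part of the SQL text, so quo() is no longer needed.
    ' LIKE case: the % wildcards belong in the parameter VALUE, not the statement.
    ' Placeholder types/lengths: match each to the column's declared definition.
    Public Function FindOrdersParameterized(ByVal conn As SqlConnection, _
                                            ByVal customerId As String, _
                                            ByVal namePart As String) As DataTable
        Const sql As String = "SELECT OrderId, Total FROM Orders " & _
                              "WHERE CustomerId = @customerId AND CustomerName LIKE @namePattern"
        Dim cmd As New SqlCommand(sql, conn)
        cmd.Parameters.Add("@customerId", SqlDbType.VarChar, 20).Value = customerId
        cmd.Parameters.Add("@namePattern", SqlDbType.NVarChar, 102).Value = "%" & namePart & "%"
        Return Run(cmd)
    End Function

    ' Shared executor; SqlDataAdapter.Fill opens and closes the connection as needed.
    Private Function Run(ByVal cmd As SqlCommand) As DataTable
        Dim table As New DataTable()
        Using cmd
            Using adapter As New SqlDataAdapter(cmd)
                adapter.Fill(table)
            End Using
        End Using
        Return table
    End Function

End Module
```

When handing Tom the list, pairing each `quo(` line with its parameterized counterpart in this shape keeps the update mechanical, and a final grep for `quo(` across the `.aspx.vb` files is the check that nothing was missed.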