GARY'S NIGHTMARE SHIFT.

Gary arrives at 6am. First disaster: someone broke in through Door 21 overnight and stole a filing cabinet full of recipes. The door was wide open — no lock, no cover. Anyone walking past could see exactly what was being carried out.

That's FTP — file transfer in the open, totally unencrypted. Port 21.

Worse, the burglar listened through Door 23 — a glass door Gary used to shout orders through to the kitchen. Passwords, stock codes, everything — the whole street heard it.

That's Telnet — cleartext remote access. Port 23. Gary's wife makes him nail both doors shut and replace them with Door 22 — a thick steel door with a deadbolt. Same jobs, but now nobody can see or hear a thing.

That's SSH — Port 22. Files securely? SFTP and SCP go through Door 22 as well.

8am. The postman shoves outgoing letters through Door 25 — anyone can push letters through without showing ID. Gary upgrades to Door 587 — same slot, but now you flash your badge first.

SMTP Port 25 = send without authentication. SMTP Submission Port 587 = authenticated sending.

Two postboxes for incoming. Door 110: the postman hands letters and immediately shreds his copy. Door 143: letters stay in the postbox too — readable from phone, laptop, anywhere.

POP3 Port 110 = download and delete. IMAP Port 143 = sync everywhere. Padlocked: IMAPS Port 993, POP3S Port 995.

9am. The serving hatch — Door 80. Customers hear everything: names, card details, orders. A customer complains. Gary installs frosted glass and a whisper slot — Door 443. Now orders are private.

HTTP Port 80 = the open web. HTTPS Port 443 = encrypted with TLS.

A woman asks for BestBeans.com. Gary points to the phone book on the wall — Door 53. Quick lookups through the small window (UDP). Copying the whole book? Full door (TCP zone transfer). That's DNS.

DNS Port 53 — UDP for queries, TCP for zone transfers.

A new shop across the street has no address yet. "I NEED A NUMBER!" The council desk shouts back the address over UDP. That's DHCP.

DHCP Ports 67/68 — hands out IP addresses over UDP.

10am. Three stockroom doors left wide open overnight — Door 3306 (MySQL), Door 5432 (PostgreSQL), Door 1433 (Microsoft SQL). Anyone off the street could walk in. Gary nearly has a heart attack. His wife shouts: "THESE SHOULD NEVER FACE THE STREET."

Databases: MySQL Port 3306, PostgreSQL Port 5432, MSSQL Port 1433. Internal only. Never exposed.

11am. A staff directory — Door 389 — a big open binder anyone can flick through. His wife locks it in a glass case — Door 636. Same directory, now encrypted. She also installs a ticket booth — Door 88 — where staff prove who they are once and get a golden ticket that opens every door.

LDAP Port 389 = open directory. LDAPS Port 636 = encrypted. Kerberos Port 88 = golden ticket, prove once.

Lunchtime. Two bouncers. Door 1812, RADIUS: checks your name, cups his hand and whispers your password, but says everything else out loud. Fast, UDP. The WiFi bouncer. Door 49, TACACS+: takes you to a back room and whispers everything. Thorough, TCP. The Cisco bouncer.

RADIUS Port 1812/UDP — encrypts password only. TACACS+ Port 49/TCP — encrypts everything. "Which is more secure?" → TACACS+. Always.

Afternoon: A courier tosses a tiny package through Door 69 — no questions, no receipt. That's TFTP. Staff pass spreadsheets through Door 445 — SMB. Gary monitors the espresso machine via Door 161 (SNMP). When the fridge alarm goes off, it buzzes through Door 162 — an SNMP trap. Every door posts its log through Door 514 — Syslog. Gary's IT mate logs in remotely through Door 3389 — RDP.

TFTP Port 69/UDP. SMB Port 445. SNMP Port 161/UDP, traps Port 162/UDP. Syslog Port 514/UDP. RDP Port 3389.