funsec mailing list archives

Re: Police secret password blunder


From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Apr 2006 12:34:32 -0400

On Wed, 05 Apr 2006 09:00:09 PDT, Jeff Rosowski said:
> Why stop there? It gets better if you are a little more patient:
> http://www.google.com/search?q=%22View+TABLE%3A%22+ID+%22Full+Name%22+email+password+Organization+site%3Acustomscripts.police.nsw.gov.au&btnG=Search
>
> Hey, Nicole and Webb have the same password as me!
>
> I'm still wondering why the passwords were being stored as plain text.

Perhaps because the programmer was a clueless dweeb who probably didn't even
know that the literal string  "zz' OR 1==1 --", when seen in a name, address,
or phone number field, is a Super Secret Leet Code that means the computer
should bend over, grab its ankles, and prepare for an SQL injection....

Or more likely, reality and/or management dictates intervened.  Many years ago,
a file with plaintext passwords got 0wned on one of our servers.  Why were they
plain text?  Well, there was a cryptic comment in one source code module that
said something along the lines of "This is Bad. Fix it the next flag-day update
we get approved".  Of course, it took a 0-day hole in the Gopher server some
time after the programmer had left to finally force approval of the flag-day
update that hadn't happened....



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
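The two failures the thread complains about (a name field being treated as SQL, and passwords sitting in the table as plain text) can be shown side by side in a few lines. The following is an added illustration, not code from the list, the NSW Police site, or either poster; the user table, the names, the e-mail addresses and the passwords are constructed for the example, and the only string taken from the thread is the `zz' OR 1==1 --` literal, used here purely as an input the lookup has to treat as data. Parameterised queries make the "leet code" just another string, and salted PBKDF2 hashing means two people who picked the same password no longer share the same stored value, so a leaked table gives away neither fact.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example: names, addresses and passwords are invented.
SAMPLE_USERS = [
    ("Nicole", "user1@example.invalid", "correct horse"),
    ("Webb", "user2@example.invalid", "correct horse"),   # same password as Nicole
    ("Jeff", "user3@example.invalid", "battery staple"),
]

# The literal quoted in the thread; here it is only an input the lookup must treat as data.
INJECTION_LITERAL = "zz' OR 1==1 --"

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'; no plaintext is kept."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """In-memory table shaped like the leaked one, but holding hashes instead of passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, pw_hash TEXT)"
    )
    for name, email, password in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (full_name, email, pw_hash) VALUES (?, ?, ?)",
            (name, email, hash_password(password)),
        )
    return conn


def lookup_vulnerable(conn, full_name):
    """String concatenation: whatever is in the name field becomes part of the SQL text."""
    sql = "SELECT full_name FROM users WHERE full_name = '" + full_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, full_name):
    """Parameterised query: the field value is bound as data and compared as a string."""
    rows = conn.execute("SELECT full_name FROM users WHERE full_name = ?", (full_name,))
    return [row[0] for row in rows]


def stored_hashes_differ(conn, name_a, name_b):
    """True when two accounts have different stored values even if their passwords match."""
    hashes = dict(conn.execute("SELECT full_name, pw_hash FROM users"))
    return hashes[name_a] != hashes[name_b]


def demo():
    """Run both lookups against the thread's literal and report what each returns."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, INJECTION_LITERAL)),  # every row leaks
        "safe": lookup_safe(conn, INJECTION_LITERAL),                      # no such name: []
        "normal": lookup_safe(conn, "Webb"),
        "same_password_distinct_hashes": stored_hashes_differ(conn, "Nicole", "Webb"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every name in the table for the quoted literal, because the `--` comments out the closing quote and `1==1` is always true; the parameterised lookup returns nothing, because no row has that exact string as its name. The last entry is the answer to the "same password as me" observation: with a per-user salt, Nicole's and Webb's stored values differ even though their passwords are identical, so a dump of the table does not reveal who shares a password.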
