"Our Security Auditor Is An Idiot" (Old)

It's five years old but this is the first time I'm seeing it, so here it is. I'm sure someone out there will get a laugh out of it.


That was a good read. Thanks for sharing.

Pretty amazing read. Sounds like a social engineering attempt to me.

Unix systems don't store passwords to begin with.

They typically store salted one-way hashes.

Simply, let's imagine that only 4 digits were allowed as passwords, like a bank pin. If your password was 1234 (not recommended) a valid hash might be 10, assuming the system's algorithm is "add the digits" (not recommended).

But, the hash would be the same for 4231 and 6004, etc.*

Salting your hash is a way of protecting everyone's password from hashing the same on different systems by adding a little something unexpected at the end. So a simple salt might double your hash and add 11 (recommended because everyone knows prime numbers are way more secure).

So now what's in the system is 10 * 2 + 11 = 31, not 1234.

Therefore to know for sure, you would have to ask everyone what their password was and then hash and salt it and see if it matches what the system has.

*Yes, in the real world, even with 56 byte hashes, there is an infinitesimally small chance your password would work on someone else's account, but you're not trying, right?
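The idea in the post above, as an added example that is not part of the original thread: the toy "add the digits" hash collides for 1234, 4231 and 6004, while a real scheme mixes a random per-account salt into the input of a slow one-way function, so the system can only test a candidate password, never list the stored ones. PBKDF2-HMAC-SHA256 from the Python standard library stands in here for whatever scheme a given Unix system uses; the function names, the iteration count and the sample accounts are assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo work factor (assumption, not a recommendation)


def toy_hash(pin: str) -> int:
    """The post's 'add the digits' hash: many PINs share one output."""
    return sum(int(d) for d in pin)


def make_record(password: str) -> dict:
    """What the system stores: a random salt and a one-way digest, no password."""
    salt = os.urandom(16)  # fresh salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def accounts_matching(db: dict, candidate: str) -> list:
    """The only possible 'audit': test one known candidate against every record."""
    return sorted(user for user, rec in db.items() if verify(rec, candidate))


if __name__ == "__main__":
    # Constructed sample accounts; two users deliberately share a password.
    db = {
        "alice": make_record("1234"),
        "bob": make_record("1234"),
        "carol": make_record("correct horse"),
    }
    print("toy collisions:", toy_hash("1234"), toy_hash("4231"), toy_hash("6004"))
    print("same password, same stored hash?", db["alice"]["hash"] == db["bob"]["hash"])
    print("accounts using '1234':", accounts_matching(db, "1234"))
    print("does the toy collision 4231 log in?", verify(db["alice"], "4231"))
```
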

And the original article where he describes what the hackers / penetration testers did, including pretending to be his wife to get into and lock him out of his cell phone and running a phishing scheme tricking the guy into downloading malware allowing the hacker to take over his Mac.