Posted by jnord 1 day ago

Twin brothers wipe 96 government databases minutes after being fired (arstechnica.com)
459 points | 381 comments | page 4
unixhero 10 hours ago|
The handwriting was very solid.
cyanydeez 1 day ago||
so, apparently, the passwords were stored in cleartext.
whynotmaybe 1 day ago|
Reminds me of a forum a long time ago that sent me my password in clear when I used the "forgot password" link.

When I advised them that it was a bad idea to store passwords in clear, they answered that they keep it in clear so that they can send it when someone forgets.

Defeated by such argument, I deleted my account.

miki123211 19 hours ago|||
There was a screenshot of some website floating around a few years ago, where if you entered the correct password but a wrong username, it would helpfully tell you which user the password is really for.
mekdoonggi 18 hours ago|||
But did they handle the edge case of two users having the same password?
sparqlittlestar 9 hours ago||
"That password's already been taken by user 'mekdoonggi'"
nodesocket 18 hours ago|||
Product manager; “That’s a great UX.”
syntheticnature 20 hours ago||||
In my free time, I help maintain the web presence for a small non-profit org with memberships. The original system when I started helping was a bespoke system that was smart in many ways (essentially a static site generator with membership control years before SSGs were cool, with regular automated tests), but the guy who wrote it absolutely insisted on storing passwords in plaintext and could not be convinced otherwise. Eventually he had to drop the volunteer position due to other things in life, and the first thing we did was correct this issue.
scorpioxy 1 day ago||||
I've got a better one. I once had the same argument mentioned to me by my manager at the time when I pointed out that passwords were being stored in clear text. That it needs to be this way so that it is read/sent when the users forget their passwords (which happened a lot). I tried to explain that typically a "reset password" flow is used for that but that fell on deaf ears. That system contained healthcare data.

Something bad did end up happening due to that lax security and there were oh so many meetings about it.
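
Added example, not part of any comment in this thread: the "reset password" flow mentioned above works without the site ever being able to read a password back. The sketch assumes salted scrypt hashes, an in-memory store, and a 15-minute one-time token mailed to the account owner; all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)
users = {}            # username -> (salt, scrypt hash); no plaintext is kept
resets = {}           # sha256(token) -> (username, expiry timestamp)

def _kdf(password, salt):
    # Slow, salted, one-way: the stored value cannot be mailed back to anyone.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def set_password(username, password):
    salt = secrets.token_bytes(16)
    users[username] = (salt, _kdf(password, salt))

def check_password(username, password):
    # Unknown users still cost one KDF run and then fail the comparison.
    salt, stored = users.get(username, (b"\0" * 16, b""))
    return hmac.compare_digest(_kdf(password, salt), stored)

def request_reset(username, now=None):
    """Return a one-time token to e-mail, or None for an unknown user.
    The web response should look the same in both cases."""
    now = time.time() if now is None else now
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    resets[hashlib.sha256(token.encode()).digest()] = (username, now + RESET_TTL)
    return token

def redeem_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    # pop() makes the token single-use even if redemption fails below.
    entry = resets.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```
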

bluefirebrand 19 hours ago||
> Something bad did end up happening due to that lax security and there were oh so many meetings about it.

This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me.

So now there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings.

And I've seen it play out a few times. After a point, why bother...

scorpioxy 14 hours ago||
Yeah, I can relate. It's a problem if you don't bother since you won't be doing your job to the best of your abilities and it's a problem if you do since you might get in trouble with the management for not being a "team player" or some other silliness. Without meaningful consequences, I don't see this situation changing.
moebrowne 18 hours ago||||
> Defeated by such argument, I deleted my account.

I'd bet your account wasn't actually deleted, just marked as deleted or inactive.

asveikau 17 hours ago||||
Circa 2012 the San Francisco water bill pay was able to send me my password in plaintext when I forgot it. I was scandalized. But the alternative was to not pay the water bill, so I just made extra sure the password was very random and wasn't one that got re-used anywhere... I think they fixed this issue in the years since.
SoftTalker 19 hours ago||||
GNU Mailman still does this, and sends a monthly reminder email of your password.
tetris11 23 hours ago|||
Greetings, Bioconductor
game_the0ry 19 hours ago||
No backups? Skill issue.
Tangurena2 18 hours ago||
Not many people test their backups. I've encountered some situations where the backups didn't work. And one previous employer who was so lazy that he didn't rotate the backup tapes so that the one tape cartridge was used so long that the oxide layer was rubbed off of the tape - so it was no longer brown but was transparent instead (imagine adhesive tape with no adhesive).
zeroonetwothree 17 hours ago||
The article says that they did have backups
ge96 18 hours ago||
Some good handwriting
taffydavid 17 hours ago||
> While this was going on, the brothers held a running conversation. (The government is not clear about whether this took place over text, instant message, or in person.)

Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.

killingtime74 15 hours ago|
Probably confession
xbar 12 hours ago||
Hire ethical people.
kittikitti 17 hours ago||
This is very surprising that they would pass a background check. I've been denied an offer because of a low credit score multiple times.
DeathArrow 9 hours ago||
> In the US, fired and laid-off workers often have their digital credentials deactivated before they learn about the loss of their jobs; indeed, the inability to log in to a corporate system may be the first an employee knows of the situation.

They still can install traps that detonate if they are fired. A simple cron job is enough to wreak havoc.

anaidenov 5 hours ago|
Claude: drops production zone with the database and backups

Meatbags: hold my beer...
