
Auditor's response to "Our security auditor is an idiot" (Update 3) - sharjeel
http://serverfault.com/q/293217
======
reitzensteinm
If this is real, I'll be stunned if the auditor keeps his job.

Then again, after working at startups my whole career, maybe I'm just naive
about how messed up the real world is.

~~~
patio11
Customers of a particular gigantic consulting company have to be routinely
dissuaded from "passwords _similar_ to _any_ old passwords should not be
allowed", which is often in bid documents. To a man, when told the requirement
is unsound, they suggest infinite retention of passwords in plaintext plus
Levenshtein distance and ask the consultancy why their engineers couldn't come
up with that obvious solution themselves.

The reason this requirement repeatedly pops up in bid documents is
misapplication of a poorly drafted standard by people who are theoretically
experts at enforcing its normative intent.

I would love to throw in an additional anecdote here, but it would violate a
confidence. Pretend that $500k had been allocated to produce a list of plain
text passwords and a combination of bureaucratic inertia, competence issues,
and internal politics made that requirement an unstoppable freight train. That
gives you the flavor of it.

~~~
robtoo
Lots of security standards require passwords to have at least one digit. Lots
of security standards require passwords to be changed every so often.

The end result? A user starts with the password "Seekrit1" when they join the
company, then the next month they change to "Seekrit2", "Seekrit3", and so on.

This is hardly what the security policy intended, so stopping that happening
isn't actually a bad idea.

Obviously storing a complete password history in plaintext (which would even
have to be online for the consultants' plan to work) is ridiculous, but pre-
calculating a bunch of hashes of similar passwords every time a new password
is set would certainly be feasible.

Changing passwords is usually a rare occurrence, but making this at least
slightly computationally-expensive shouldn't be a problem. Of course, the more
expensive the password-hashing algorithm, the fewer "similar" passwords you
would reasonably be able to pre-calculate, which is an odd trade-off to have
to make a call on.

One thing to be wary of, though: by pre-calculating and storing a bunch of
hashes of similar strings, this opens you up to (what might be called) a
related plaintext attack. I have no idea if existing password hashes are
specifically designed to be resistant to this, but would guess not. (edit: I
didn't think this sentence through correctly. Thanks, Joachim)
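The scheme sketched above (pre-hashing a bounded set of "similar" passwords at change time so the history check never needs plaintext), as an added example that is not code from the thread. It assumes PBKDF2-HMAC-SHA256 with one salt per user and a constructed set of variant rules; the iteration count is an example choice.

```python
import hashlib
import os
import string

# Example choices, not from the thread: PBKDF2-HMAC-SHA256, one salt per user.
# A low iteration count keeps the demo quick; raising it is exactly the
# cost-versus-number-of-variants trade-off described above.
ITERATIONS = 20_000


def similar_passwords(password):
    """Bounded set of 'similar' strings to hash alongside the real password.

    Covers the patterns in the thread: bumping a trailing digit
    (Seekrit1 -> Seekrit2), appending a digit (Seekrit1 -> Seekrit12) and
    flipping the case of the first character. Bounded so the cost of a
    password change stays predictable.
    """
    variants = {password}
    stem = password.rstrip(string.digits)
    for d in string.digits:
        variants.add(stem + d)       # Seekrit1 -> Seekrit0 .. Seekrit9
        variants.add(password + d)   # Seekrit1 -> Seekrit10 .. Seekrit19
    if password:
        variants.add(password[0].swapcase() + password[1:])
    return variants


def derive(password, salt):
    """Slow salted hash; the plaintext itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Per-user history holding only hashes of past passwords and their variants."""

    def __init__(self):
        # One salt reused across this user's history, so a candidate is hashed
        # once and compared with every stored digest; per-entry salts would
        # multiply the cost of each check by the history length.
        self.salt = os.urandom(16)
        self.blocked = set()

    def set_password(self, new_password):
        """Return False if new_password matches a stored variant, else record it."""
        if derive(new_password, self.salt) in self.blocked:
            return False
        # Each stored digest is one more target if the table leaks (the
        # 'related plaintext' worry above), so similar_passwords() stays small.
        self.blocked.update(derive(v, self.salt) for v in similar_passwords(new_password))
        return True
```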

~~~
brazzy
> Lots of security standards require passwords to be changed every so often.

Which is almost as idiotic as storing a complete password history in
plaintext, because it pretty much guarantees that passwords either (as you
note) follow a simple pattern, or if that is made impossible, are written down
in an easily accessible place.

~~~
fab13n
A very convenient place to store and retrieve them is under a "passwords"
folder in your private mail account or your Dropbox, both of which get
synchronized with your unprotected smartphone...

------
JacobAldridge
When "I have been in this industry longer than anyone on that site" is a
cornerstone of your defence, you've already lost. Also, I know the UK has
really strict laws, but I doubt he'd be able to sue for "liable".

~~~
dredmorbius
It's a flat lie as well.

He doesn't know, and can't know, everyone commenting on HN. At best he's
fabricating. I was going to top post that but checked first to see if anyone
had surfaced that line.

The auditor is an idiot and feels cornered.

Also: "I'm going to assume you do not have PCI installed on your servers".

PCI is an auditing standard. Not something "you have installed on your
servers".

And I guess I'm getting too far ahead of myself, because the OP comments on
this in his serverfault posting.

Classic! "PCI SSC have responded and are investigating him and the company."

I'd say samarudge did a bang-on job here.

~~~
jhamburger
He should have explained that the servers don't have any more PCI slots
available.

------
dasil003
I can't help but feel there is some kind of social experiment going on here.

I mean I know there are a lot of incompetent people out there, but a security
auditor asking for a list of plaintext passwords is not something that should
take more than an email or two to resolve even in Bizarro world. "Techies"
exhibiting this kind of willful ignorance are usually a bit better at hiding
under their rock.

~~~
InclinedPlane
I take it you've never worked with someone who was truly incompetent. Often
such people have some sort of defense mechanism that allows them to cover up
their incompetence with some degree of effectiveness. But sometimes it shines
right through, and then you end up gobsmacked that it's even possible for
someone to be that ignorant/illogical.

But it does happen, I've seen it too many times.

~~~
dasil003
Sure, but such people can not remain the lynchpin of a PCI auditing operation.
I mean how many WTFs from anyone who has half a clue have to be sent to the
brass at this company and the ones they are auditing on behalf of before
someone thinks "holy shit our entire reputation and business is being flushed
down the toilet on a daily basis?"

It just doesn't pass the smell test for me. I don't know what it is, but
something is missing from this story.

~~~
InclinedPlane
Maybe not forever, but long enough to cause pain in your life? Sure. Perhaps
the company was bought or created by someone with too much money and not much
domain expertise and then they gave their incompetent relative a position
without much oversight. Wouldn't be the first or last time that happened.

~~~
dasil003
Yes, but if your payment gateway is going to shut you off based on this
nonsense you call them up and explain the situation to them and then they
investigate. There are too many parties involved for this kind of willful
ignorance to be the last word.

I dunno, maybe it's true, but for me the story still isn't adding up.

------
yaix
The auditor was actually serious. Wow. I really thought he just wanted to
check the reaction of the admin, to see if he'd actually hand over sensitive
stuff.

~~~
astrodust
The auditor has a hugely inflated ego, something that might be a sign you're
dealing with a narcissist. It's a pretty huge claim to make that you've "been
in the industry longer" than anyone else, but that's the sort of thing you'd
say when you're that kind of person.

Everything they said is surely made up, and if you challenge them on their
facts, they'll attack you in return.

~~~
cstross
Yup. Sounds like a fairly classic case of workplace sociopathy -- the
sociopath who gets promoted because they tell lies and bully the folks below
them into obedience. ( _Not_ the kind of -- much rarer -- sociopath who is
violent or robs banks, but still a royal pain in the ass to run across in a
business context because any attempt you make to deal with them technically
will result in manipulative social retaliation rather than "oh, my bad".)

------
AgentConundrum
Please tell me this is a troll. I mean, I've seen some pretty incompetent
people doing jobs they're not cut out for before, but I really want to believe
this level of incompetence can't actually find jobs.

~~~
fadzlan
Some people excel.... on well... giving good interviews.

Back then, I used to believe that people know what they are doing, but since
I've lived long enough now, maybe not.

You gotta be careful, people like that will turn to personal attacks when
push comes to shove. When facts are against them, it is time to yell.

~~~
billybob
"Some people excel.... on well... giving good interviews."

The sort of interview that this guy would do well in is a poorly-conducted
one. A simple question like "what does it mean to hash a password and why
would one do that?" or "what is PCI?" would expose his incompetence.

~~~
kgermino
You're assuming that the person interviewing him knew what the answer was
supposed to be. It sounds like the incompetence goes all the way up and he was
probably hired by a businessman who had no idea what PCI even is, much less
the details of proper security.

~~~
billybob
Right. But we're both making the point that "gives a good interview" is
contingent on "isn't given a good interview."

------
Confusion
What's interesting is that the PCI standard seems to be unclear in this
respect. He quotes from the standard:

    8.4 Render all passwords unreadable during transmission
    and storage on all system components using strong
    cryptography.

This seems to leave room for passwords to be encrypted instead of hashed. I'd
even say it suggests they should be encrypted instead of hashed, by not
distinguishing between 'during transmission' and 'during storage'.

At the very least, quoting this isn't going to convince someone that passwords
should not be decryptable.

~~~
Terretta
It's not unclear, and you're right. It has to be encrypted on the wire and in
storage. This paragraph does _not_ say you must hash, or must not be able to
get the plaintext passwords back.

~~~
pyre
That may be, but even if PCI doesn't require you to have the passwords
unrecoverable, I'm pretty sure that transferring all of them in bulk to
someone else via email should violate some part of PCI. Even if that person is
an auditor. The potential for abuse is too high.

~~~
mckoss
Actually, hashed passwords ARE recoverable, technically. Though it would take a
VERY long time to brute force the original passwords.

~~~
Confusion
In theory, there are infinitely many passwords that map to the same hash, so
not all passwords are recoverable. In practice most passwords will be
recoverable (given enough computing power), because there will only be a
single 'reasonable' match (you will probably find only one for passwords of
reasonable length).

------
hermannj314
From the perspective portrayed in this article, the auditor seems misinformed
about fundamentals in his industry and his response to being called on this
seemed superficial and borderline childish.

It must be difficult to be ridiculed in a public forum of your own profession.
Not to mention being called stupid and ignorant for misunderstanding
something. I hope I always have the humility to admit when I'm wrong, but also
have the patience and understanding when other people don't.

------
iuguy
A colleague of mine once had to stand one foot on top of the other and chew
his own lip when an SI's "security expert" introduced himself as an 'old-
school CISSP' just to stop laughing out loud at him.

There are many idiots in the information security industry (I should know, I
are one) - we're doing our best to get rid, but more keep showing up.

~~~
__rkaup__
Can you explain? I have no idea what a CISSP is.

~~~
iuguy
Its full name is the Certified Information Systems Security Professional.
There's a good writeup of the problems with CISSP here:

https://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html

and here:

http://erratasec.blogspot.com/2011/07/ethical-problems-of-cissp-and-isc2.html

It's often described as 'a mile wide and an inch deep'. However, it's not
really the example of broad security knowledge it sets out to be and is
considered a joke certification in my niche (technical security).

~~~
pnathan
Interesting. I've been considering working towards it, but if competent
security professionals think it's a joke.... :-)

------
16s
Quite a few managers and auditors really don't understand the difference
between a password hash and a password.

I expect the auditor was asking for password hashes, although he was using the
phrase "plaintext passwords". Who knows, but that part of the story may just
be a wording misunderstanding.

Not everyone speaks geek, and it's important to know when you're talking to
someone who does not ;)

Edit: Not sure why this is being down voted as it is a true statement. I've
had to explain what a password hash is on several occasions. And even after
that, there was still some misunderstanding/confusion.

~~~
sdkmvx
There's still the question of why he would need the password hashes. Assuming
he wanted the plaintext passwords to see if they are 'complex' and 'strong,'
he would have a hard time telling that from the hashes.

5f4dcc3b5aa765d61d8327deb882cf99 and 05b28d17a7b6e7024b6e5d8cc43a8bf7: Which
is a dictionary word and which is a string of punctuation? (I didn't salt :))

~~~
MostAwesomeDude
John says the first one is "password", in under a second. I'll wait for a few
hours to see if I can get the second one speedily. (By the way, this is why
you shouldn't use MD5!)

~~~
ominous_prime
md5 doesn't have anything to do with it. sha256 _maybe_ takes 10% longer to
compute the hash.

~~~
kingkilr
Which is useful if you're brute forcing. md5 is also algorithmically broken
AFAIK.

~~~
tomjen3
Define broken. It is possible to generate (within reasonable time) two files
which have the same md5 sum, which means you shouldn't use it to sign anything
somebody else has given you.

On the other hand collisions between two different files are still not
something you would ever expect to see in the wild so if you are trying to
find duplicated files, then you don't have to worry.

------
techiferous
"any inventive suggestions for how to troll him [the security auditor] a bit?"

Nothing productive could come of that. This situation is not for your
entertainment. Just move along...

------
kaeluka
the Daily WTF - live!

------
keithpeter
As I live and work in Birmingham, UK, I hope this is all an elaborate hoax.

~~~
nagrom
I really hope you're not a security auditor? ;-)

------
dougws
I haven't been in the industry that long, but I've encountered a few "security
professionals"--auditors, penetration testers, etc. All of them have been
totally incompetent; they could tell you the definition of, say, a SQL
injection attack but had no idea how to really analyze a system. On the other
hand, all of the great programmers I've met have had a really good grasp of
security. I'm starting to think that if you don't write code, you're not
qualified to audit it.

------
marcamillion
At first, I thought that this was a bogus post...but it seems to be real - or
this guy is keeping up with the story.

------
Auguste
That security auditor could give a lot of the guys featured on The Daily WTF a
good run for their money.

------
motters
Argument from authority. Nice try.

------
codeglomeration
This sounds more like social engineering to me. My first thought was this was
a hacker who took control of an email address from the security firm, and just
tried to exploit the weakest link in order to get plaintext passwords.

------
blahblahblah
Apparently, neither of these guys paid attention in high school civics class.
Slander involves oral, not written, communication. Libel (not "liable") is the
term for a tort involving false and damaging written communication.

------
jarin
Incompetent people in the security field really need to be called out like
this.

Incompetent developers generally only hurt the company; incompetent security
professionals hurt every single customer as well.

------
antihero
If it's in the UK they may be liable under the Data Protection Act, too.

~~~
sunchild
I like the auditor's take on this:

"I see no data protection issues for these requests, data protection only
applies to consumers not businesses so there should be no issues with this
information."

The Data Protection Act applies to individuals within the EEA trusted circle
nations, full stop. Whether or not the information being requested requires
individual consent under the DPA is a different point altogether.

------
diminish
Dreaming of a world without passwords... Any ideas?

~~~
AppSec
The problem with not having passwords is that it usually requires an authority
to distribute keys (and not retain the initialization parameters for that key,
_cough_ RSA _cough_ ). And that could potentially require a third party having
access to information a lot of people don't want. Or trusting the government
to generate them -- which opens up another can of worms.

Things like OAuth and/or federated login still rely on a password at some
level.

Pick your poison (personally, I wouldn't mind using an RSA Soft Token type
technology with federated access requiring token + pin, but that's just me).

