
No, stereotypes aside, hackers who code diligently tend to wrap their "actual work" schedule around their external obligations, and while the morning is generally filled with distractions like dealing with "morning people", after lunch (and on into the evening) there are generally far fewer interruptions. I can honestly get much more done with an uninterrupted four hours than I can in the entire eight office hours of random phone calls and emails coming in, and I am no longer a "young person", and I'll do some stuff at night just because I know it'll take half the time if I'm not interrupted and I've had a few hours to at least intermittently mull it over. If you're having peaceful mornings, I envy you.


> stereotypes aside, hackers

If we're putting stereotypes aside, wouldn't we also put aside the word "hackers"?

In the xz case, the term may be accurate, but we don't know the identity of the culprit(s) and have no empirical basis for even speculating about the work schedules of such people.

> If you're having peaceful mornings, I envy you.

Well, I don't work in an office. I work alone. Like a stereotypical "hacker".


Maybe Satoshi just wants to live a life quieter than what he could possibly be living if everyone knew they controlled billions in really, really lightweight currency.


I wouldn't even hand it to normal, "stable" people without some guidance. Not everyone handles losing their marbles with grace and aplomb. It's not in the average person's skillset to be able to say, "it's just the drugs" and keep their cool.


One of the other reasons not to give it out freely is that it varies wildly in effect depending on who exactly takes it. I certainly don't lose my marbles when I'm on it, but plenty of people have lost their sanity from it, sometimes for months, years or even life. Not to mention HPPD can sometimes appear, ranging from just "weird" all the way to distressing or madness-inducing.


Think of it like prepping your inner landscape for a "vehicle rollover". Eat properly, get proper sleep, and get yourself in order, because soon anything you haven't securely stowed in your head is gonna be flyin' around in your noggin like a bunch of crumpled fast food bags, dropped change, and empty soda cans.


A quarter of a milligram is enough to make most people have to ask themselves, "is this the right number of fingers for me to have?"

This can definitely put some things in perspective.


Frankly I think they should just take their lumps and shut up. Other bits of the article mention that apparently Heise Online was able to freely download a copy of the binaries (passwords included!) from Modern Solution's website in 2021, and I'm going to guess based on that that other people probably did know about this who were reasonably moral about it, and the company was likely ignoring the issue... ...until someone offering competing services noticed it and said something, at which point they panicked and decided it was still cheaper to shoot the messenger than to hire a couple of highly caffeinated teenagers to fix their trash architecture.


> And if you went somewhere you're not supposed to and found out it's a master key by trying it in those places you're not supposed to access, you'd be accused of trespass.

Hard no. That analogy fails because all the contractor needed to type was `SHOW DATABASES` which would be the same as looking around and seeing everyone else's stuff just sitting around in piles, completely unsecured.

If you rented a storage room and the place was so lazy as to use one key for all the doors, that would be one thing, but in this case the storage facility used the same key for all the doors and also completely lacked interior walls to separate people's stuff into individual rooms.


> That analogy fails because all the contractor needed to type was `SHOW DATABASES`

No, what the contractor needed to do was extract those credentials, create a manual connection and manually execute arbitrary queries. Not one of these three steps is part of how the database was meant to be used (i.e. specifically through the use of the software).

Also, again: I'm not arguing that the company's security practices were in any way acceptable. But that doesn't mean what the contractor did was in any way authorized behavior. That you can doesn't mean you're allowed to.


The problem with your analogy is that in this case the contractor was specifically hired to figure out why when they opened the door the room inside was filled to the ceiling with cheese. OF COURSE one is going to open the door to try and at least verify that there is in fact a bunch of cheese in there.


> There is _zero_ reason for you to _use_ exposed credentials if you find them. It adds nothing to the "security research" you may be doing.

Bullshit. For one thing, he wasn't doing "security research", he was trying to fix a problem his client was asking him to fix that directly involved the MySQL database in question. He literally stumbled across the security problem by accident. For the other, the vendor should be facing an investigation into exactly why they thought it was a good idea to have thousands of customers and millions of euros "protected" by one single password that was stored in plaintext on thousands of customers' machines. In a number of places that could easily result in criminal liability on their part--which is probably exactly why they contacted the authorities.

...and I'll point out that he didn't actually even have to know what these credentials were. With elevated privs on the local system, one can merrily let the application connect to the database server and then snatch that socket up and do with it whatever they wish and then the same information would have been revealed--that every one of MS's customers could quite readily access all the data of every other customer.


...except it was not the source code. Apparently right there in the application in cleartext. If what the investigator intended didn't matter, then what the vendor intended doesn't matter, either.

He literally opened the application binary in a text editor to look for clues (despite the fact that there are common tools like `strings` for this) and saw the credentials, and since he'd been specifically hired to fix a problem with the database, he used those credentials to connect to the database. `SHOW DATABASES` would be a perfectly normal thing to type at this point, and apparently once he saw that these credentials granted access to everything he immediately stopped and logged out.

If his lawyers had been better this would have never made it to court. Liability should have fallen on the contract customer, but for certain the design of Modern Solution's software and application were nothing short of wildly irresponsible. If they really face no risk for this, it's time for all German companies to start contracting firms in other countries where idiots aren't allowed to leave thousands of customers' data exposed to the first schlub who happens to notice them.
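The comments above describe the cheapest possible check a vendor (or a customer's release pipeline) could have run before shipping a binary with a hard-coded database password in it: run `strings` over the artifact and grep for connection-string and URL credential patterns. Below is an added Python example that does exactly that, written for this page and not taken from the thread, the court case, or any Modern Solution software. The "binary" it scans is a constructed byte string with made-up host names and passwords; the regexes cover the two credential shapes mentioned in the discussion (an ODBC/Connector-style `Pwd=` key-value string and a `scheme://user:pass@host` URL) and are a starting point, not an exhaustive secrets scanner.

```python
import re
import sys
from typing import Iterator

# Constructed sample "application binary": a fake ELF header, some junk bytes,
# harmless strings, and two made-up embedded credentials. None of this is real.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"libmysqlclient.so.21\x00"
    + b"\x90\x90\xcc\x01\x02"
    + b"Server=db.example.invalid;Port=3306;Uid=shopapp;Pwd=Sup3rSecret!;Database=shop\x00"
    + b"\x00\x00\xff\xfe"
    + b"Usage: shopsync [options]\x00"
    + b"mysql://reporter:r3p0rt@db.example.invalid:3306/reports\x00"
    + b"\x00" * 4
)

MIN_LEN = 8  # same idea as `strings -n 8`: ignore short printable runs


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield runs of at least min_len printable ASCII bytes, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


# Credential shapes to flag. The last capture group of each pattern is the secret.
CRED_PATTERNS = [
    # key=value connection strings (ODBC / MySQL Connector / ADO.NET): Pwd=, Password=, Passwd=
    re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*([^;\s]+)"),
    # scheme://user:password@host URLs (mysql://, postgres://, https://, ...)
    re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^/:@\s]+):([^@\s]+)@"),
]


def find_embedded_credentials(blob: bytes) -> list[dict]:
    """Return one finding per credential-looking match in the blob's strings."""
    findings = []
    for s in extract_strings(blob):
        for pat in CRED_PATTERNS:
            for m in pat.finditer(s):
                findings.append({
                    "string": s,                      # the full printable run
                    "pattern": pat.pattern,           # which rule fired
                    "secret": m.group(m.lastindex),   # the captured password
                })
    return findings


def report(blob: bytes) -> int:
    """Print findings with the secret redacted; return the number found."""
    findings = find_embedded_credentials(blob)
    for f in findings:
        redacted = f["string"].replace(f["secret"], "*" * len(f["secret"]))
        print(f"credential-like string: {redacted}")
    return len(findings)


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample otherwise.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    count = report(data)
    print(f"{count} credential-like string(s) found")
    sys.exit(1 if count else 0)
```

Run against a real release artifact (`python3 scan.py shopsync.exe`) the script exits non-zero when anything credential-shaped is present, which is the point: this belongs in a build pipeline as a gate, because a secret that survives into the shipped binary is a secret that every customer, and anyone who downloads the installer, now holds.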

