Investigate before posting...
Thanks, but I would rather hear it straight from the horse's mouth, once and for all.
I was a sysadm for SSD about a year and a half previous, and I still had an active account on a lab machine at SSD. I had discovered that a user at SSD had picked a dictionary word ("deacon") for a password on the lab machine.
Obvious question number 1: how did you "discover" that someone else picked a dictionary word?
Obvious question number 2: even though you were previously an admin there, you weren't at the time of your discovery... what were you doing on that machine? What were you doing there that led to your discovery of the dictionary password?
Obvious question number 3: as a sysadmin who supposedly is so concerned about security, I would think you would have emailed the new admin to have your account deleted, as it is an obvious breach of security to have dormant accounts lying around. Why didn't you email someone to have this account closed as soon as your term there finished? If you were concerned about restarting activities here, then they could archive your files until your possible return, but it is without question a breach of security to leave this account open and a second breach to re-access this computer even though your duties there were finished ... mind telling us why these breaches were not sealed up?
Fearing that the SSD folks had stopped running crack regularly, I copied the SSD password file (using the cracked password from the lab machine) and found that my fears were justified. (The vice president's password was "pre$ident", for example.)
Obvious question number 4: instead of playing Mother Teresa for the current sysadmin, why did you not simply report this breach to the relevant authorities?
However, I now had vital information that I had obtained through the use of a cracked password, and I was in an awkward situation. Before I reported the findings to SSD, a co-worker noticed the crack runs (they were 6-8 days long!)
Obvious question number 5: you mean to tell me that you did not immediately report the first breach? Instead you decided, in a job that you no longer held, to continue to look for other breaches?
Obvious question number 6: didn't you have important work to do for Intel on a particular project? Why did you devote your time and energy to an un-announced and un-paid-for project?
running under my own userID on the systems that we shared at HF, and feared the worst: that I had turned into a spy and was actually stealing secrets. Yes, as you can see, I made a number of bone-headed mistakes (not getting the rules about internet access clear, not reporting the single bad cracked password, and not immediately reporting the results of the crack run), and I probably should have been terminated for
Obvious question number 7: yes you did make a number of boneheaded mistakes. So, if that is the case, why don't you work to get the Oregon computer law rewritten so that boneheaded security breaches like the ones you clearly made do result in punishment because they do deserve punishment. It is scary to think that the law is so poorly written that when someone does something that is boneheaded and potentially injurious to a company that they might get away on a mere technicality like you are trying to do.
And it escapes me why you, Mr. Juerd, would think that someone with an old account on a machine that he was no longer sysadmin for would be "doing his job". This is insanity. He was doing someone else's job unless someone assigned him back to this machine to do his job here.
And if he was so security-minded, why didn't he install a program which prevented easily-cracked passwords during his reign as sysadmin there?
I see little difference in you doing that, and coming by my house with a set of lock picks to make sure my deadbolt locks are up to your standards.
-- somebody in the chatterbox, who shall remain anonymous until they acquiesce to public credit
In reply to Re: So merlyn why did you hack the password file?
by princepawn
in thread Reaped: So merlyn why did you hack the password file?
by NodeReaper