I can see both of your viewpoints here. I wouldn't make the blanket statement that OP is incorrect. The fact that you have only seen this a handful of times in your career is not surprising. This sort of silly bullshit is far less common nowadays. However, as OP has stated, these things were somewhat more common a while back. Mind you, much of this very poorly written software is still being used in dusty corners by large companies. You should keep an open mind when testing and not dismiss these things as outright impossible, or else you're going to miss a lot of bugs :P
Some of the most interesting issues seem pathological at first blush. Can you really think of no scenario where there would be an SQL injection string as a password? Perhaps some try-hard came along before you and attempted SQL injection on the user creation form, which resulted not in SQL injection, but in the password being set to the literal string that the person used as input.
I realize that in this scenario it is literally designed-in, but I understand the point the author is trying to prove. If a "scanner jockey" gets results that tell him or her there is SQL injection, a competent tester will try to verify what their tool is telling them. If the tester is doing that in this case, they'll find other injection strings not working and (hopefully) start looking under the hood to see what is going on, discover this pathological hard-coded password, and be able to tell the client that. Maybe it's the work of a malicious dev?
I agree that a pentester with a lot of experience will have skills that are honed to find common bug patterns, but it's nice to be able to find these seemingly bizarre issues and have an explanation for the client. It shows you really understood the app and what it's doing.
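The triage step the comment above describes, as an added example that is not part of the thread: a parameterised login where one account's stored password happens to be an injection string, next to a deliberately concatenated login that is actually injectable, and a helper that re-tests a scanner finding with several payloads. The table, the two accounts and the payload list are constructed here; only the parameterised check is the hardened form.

```python
import sqlite3

# Constructed sample data: a toy users table standing in for a legacy app that
# stores plaintext passwords. One account's password really is an injection
# string, e.g. because someone typed it into a parameterised sign-up form.
LITERAL_PW = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("tryhard", LITERAL_PW)],
    )
    return conn


def login_parameterised(conn, username, password):
    """Safe check: the password is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_concatenated(conn, username, password):
    """Deliberately vulnerable check (string-built query), for comparison."""
    query = (
        "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


# Payloads a tester would try after a scanner reports "SQL injection in password".
PAYLOADS = ["' OR '1'='1", "' OR 1=1--", "x' OR 'a'='a", '" OR "1"="1']


def triage(login, conn, username):
    """Re-test a scanner's SQLi finding with several payloads.

    Returns the payloads that log in. A real injection point accepts most of
    them; a literally stored password accepts exactly one, and only for that
    account."""
    return [p for p in PAYLOADS if login(conn, username, p)]


if __name__ == "__main__":
    db = make_db()
    print("parameterised, tryhard:", triage(login_parameterised, db, "tryhard"))
    print("parameterised, alice:  ", triage(login_parameterised, db, "alice"))
    print("concatenated, alice:   ", triage(login_concatenated, db, "alice"))
```

Against the parameterised login the "injection" only works for the one account whose password is that exact string, which is the tell that the finding is a hard-coded or literally stored password rather than an injection point. Against the concatenated login, three of the four payloads log in as any user.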
My opinion: This person used someone else's electronic credentials to perform a task without asking for permission. This person did not have the proper level of access on their own account to perform this action, so they used someone else's (likely the "VP" who they were working with on that project). This would/should get you fired at many places.
Not sure what the down voting is about. Things that lead me to this conclusion: "...and remind you that this is the hacker company. Of course this is all a lie: that's how you get fired." And "It was clear that the person who talked to me had no idea what she was talking about. She quickly confessed as much to me." The author is referring to the HR member who was conducting the investigation. It was probably a technical task that the author of the article performed with someone else's creds or by bypassing some security system (checking in code, deploying code to prod., etc.) which is why the HR member "had no idea what she was talking about [and] quickly confessed to [the author] as much." The HR team was highly interested in finding out "...whether somebody had asked me to do it" and "...if you were not sure of what you were doing, why didn't you ask your manager?" HR wanted to know if the anonymous author had permission to perform the task since the anonymous author's account did not have the appropriate permissions to do so. "If a week prior, I had typed a few different keystrokes, I would never have been in that room."
Also, I forgot this relevant quote: "Yes I did it, and nobody made me. I was working on a special project with a VP at that time, and he had nothing to do with it."
This person used someone else's electronic credentials to perform a task without asking for permission. [...] This would/should get you fired at many places.
You mean that thing that happens all the time at every office?
I have a post-it note on which my boss wrote his password for me, specifically because he was sick of my asking whenever I needed to be granted access to new things. I can't think of a single job I've had that involved computers where I wasn't given access to user accounts that were not mine, for reasons of expediency in the face of inflexible permissions systems.
>I have a post-it note on which my boss wrote his password for me,
Thus it means explicit (and in writing! Good for you :) approval by the boss, and the boss bears primary responsibility here. In the case of the original article it is pretty clear that the author didn't bother to get even informal approval from the higher-ups (even just mentioning that he was going to perform the task in that specific way in a conversation with that VP would go a long way). That is a basic skill (or even, I'd say, "instinct") of covering your own lower behind that one has to apply while working at a BigCo, be it Facebook or IBM.
I would imagine at a place the scale of Facebook, where logging and accountability trails are as important as they must be at Facebook, this kind of transgression is categorically different from the one you describe.
I'm not really surprised by this. Starting to smoke and continuing to smoke are bad life choices and indicate a lack of will power and long-term thinking. Yes, cigarettes are incredibly addictive and quitting is hard (I smoked for 6 years when I was a teen and young adult). The same poor life choices and lack of long-term planning also lead to a low-income existence. Not applying yourself in school because you'd rather "have fun now." Not attending college. Not eating healthy foods. Not exercising. Smoking cigarettes. The fact that these things are all related shouldn't be a mystery or revelation. Poor people smoke more because poor people make bad choices in general.
"Why stop? You are going to die anyway. And don't you deserve to die? You are smoking after all. No point in stopping now. Not like your life was ever going to go anywhere."
We are always hiring. Matasano specializes in application security. We break web applications, desktop applications, mobile applications on all platforms, and hardware. We perform network penetration tests and security architecture reviews. Our consultants have a wide range of skills such as firmware, bootloaders, drivers and kernel modules all the way up to web applications using Node and everything in between. We release bleeding edge security research and speak at all major security conferences (BlackHat, ToorCon, ShmooCon, etc.).
We are looking for people who are passionate about information security. No prior consulting experience necessary. We also hire summer interns each year in New York, Chicago, and Sunnyvale.