Hacker News new | ask | show | jobs
by bluesmoon 1312 days ago
In 1999, I was an intern at a company in India. We wanted to put a machine in a datacenter, and the datacenter admin asked us to set the Administrator password to "password". Turns out that all the other companies that put their boxes in that datacenter did the same. Infosys was one of those companies.

I wrote more about it here: https://tech.bluesmoon.info/2017/04/a-tale-of-datacenter-sec...
1 comments
belter 1311 days ago
Epic! Hope you don't mind my quote here. I enjoyed it :-)

"...I glanced over at the other boxes, and they all had stickers on them saying "Administrator/password"...The three of us from TSPL looked at each other, and our president told me to decide. I asked the datacenter guy why he needed that. He said that sometimes they need to shutdown the boxes so they can move them to a different power strip. I asked him if it would be sufficient to give him an account that only had local access and could only reboot the box. He thought about it for a bit and said yes... So I created a new account that required a physically attached keyboard for login, and all it had was the ability to reboot the box. Our app was set up to start up automatically on boot, so we weren't worried about someone having to start it. DC guy physically locked the box to a rack, showed us that he was keeping they key, and we headed back to the office...

...We now needed to test our setup, so we asked everyone in the office to let us use the internet connection. We tried accessing our app, and it worked!...

...Since I had Admin access to our box, I was also able to open the "Network Neighbourhood" of our box in the datacenter. On that network, I saw all the other hosts that were in the datacenter. They had names identifying them from India's largest IT companies. These were companies I'd initially though of interning at...I looked at our president and grinned, and he looked back and said, "Send me a safe summary report when you're done" and walked off to his office.

I double clicked on one of the other big boxes and was prompted for a username and password to connect to it...

You can probably guess what happened next ;)..."

link