by scoot 483 days ago
> my employer recently bought another outfit that does just that [leaves passwords in cleartext], and fixing it is not a near term option

Could you expand on why not? I can't think of a good reason why this isn't a relatively quick fix. What's the blocker?

2 comments
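The kind of quick fix scoot seems to have in mind, as an added example that is not code from the thread or from any poster's system: migrate the cleartext column to salted PBKDF2 hashes in one batch, and let the verify path accept both formats during the cutover so no user has to reset anything. The users table, the user names and the passwords below are constructed stand-ins for the legacy database; the storage format string and the work factor are assumptions.

```python
"""Hypothetical migration of a cleartext password column to salted PBKDF2 hashes.
Added example for this thread; standard library only. The dict stands in for the
legacy users table and its contents are constructed."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)
PREFIX = "pbkdf2_sha256$"     # assumed on-disk format: prefix$iterations$salt_hex$hash_hex

# Constructed sample of a legacy table: value column holds the raw password.
SAMPLE_ROWS = {
    "jane@doe.com": "hunter2",
    "bob@example.net": "correct horse battery staple",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing PBKDF2 record with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """A row that does not carry the hash prefix is still cleartext."""
    return not stored.startswith(PREFIX)


def verify_password(password: str, stored: str) -> bool:
    """Accept both formats during cutover, comparing in constant time either way."""
    if is_legacy(stored):
        return hmac.compare_digest(password.encode(), stored.encode())
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_table(rows: dict) -> int:
    """One-shot batch: hash every cleartext row in place. Returns rows changed.
    Because the cleartext is available, no user interaction is needed."""
    changed = 0
    for user, stored in rows.items():
        if is_legacy(stored):
            rows[user] = hash_password(stored)
            changed += 1
    return changed


def authenticate(rows: dict, user: str, password: str) -> bool:
    """Login path that also upgrades any straggler legacy row on first success,
    for tables the batch has not reached yet."""
    stored = rows.get(user)
    if stored is None:
        hash_password(password)   # burn equal time so unknown users are not distinguishable by timing
        return False
    if not verify_password(password, stored):
        return False
    if is_legacy(stored):
        rows[user] = hash_password(password)
    return True


if __name__ == "__main__":
    table = dict(SAMPLE_ROWS)
    print("migrated rows:", migrate_table(table))
    print("jane logs in:", authenticate(table, "jane@doe.com", "hunter2"))
    print("stored record:", table["jane@doe.com"])
```

The batch path is what makes this a small job when the schema is reachable: the hard part in scoot's case is not the hashing but getting at the column at all. Note that after migration the old cleartext must also be purged from backups and replicas, or the fix is cosmetic.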

It requires programming in a language specific to one little known db product, in an extremely brittle and spaghettified code base. There's exactly one person in the company who kinda knows how to do it, and they're unavailable for the foreseeable future on higher priorities. We don't have the money to throw at new hires or huge porting projects.

Imagine software that has been in production since the 80's, was written by a very inexperienced dev and has since been continually "organically" upgraded to handle any new promise that a nontechnical product manager feels is necessary to solve the immediate problem of an angry customer. It's a Jenga tower with a reset button.

> they're unavailable for the foreseeable future on higher priorities

Need I respond to that?

If you know the secret to getting a company to prioritize potential security problems that haven't yet emerged in forty years over meeting payroll, please share.
why does it sound like you're defending the argument of:

I couldn't act ethically because I had to make money.

My paycheck depends on reconciling myself to it. Should I quit possibly my last job before retirement in a bleak job market to protest my manager's decision to protect her job and mine by putting revenue before protecting jane@doe.com's login from being stolen for the Nth time? Am I the bad guy?
It's not my place to define your ethics for you. I'm pointing it out so any other readers can be inoculated from accidentally stumbling into this ethical minefield.

I'm not telling you stealing bread so your family doesn't starve is unethical, I'm pointing out it's stealing.

No idea if you're the bad guy, but you're not the ~~good guy~~ hero, no.

(not op, just hypothesising)

> I can't think of a good reason why this isn't a quick fix.

What if there's some IoT product with no update mechanism and the access password to function is stored on all of them in plain text?

Possibly, but that's a very different scenario to a database of cleartext passwords (which is what I assumed was meant), as each device would have to be identified and compromised to access a password to a device which at that point is already compromised...