How NOT to Protect Your Passwords

Check out this screen shot from an ESPN interview…

ESPN Interview

See that piece of paper taped to the wall right behind this guy’s ear? Yes, those are passwords, now conveniently displayed for all the world to see.

I didn’t personally see this interview, but Sophos speculates that it took place in an MLB press room, where having the network names and passwords taped to the wall is just easier than telling each journalist individually. While not the most secure practice, it probably only reached a limited number of eyes … until now.

Hopefully they’ve changed their passwords by now.

Attention! This is Real Life

A lot of the problems we encounter here on the in-the-wild testing blog stem from the fact that a surprising number of people apparently don’t know what “real life” is. Case in point – when hacking and defacing a website (which is an illegal activity just about everywhere), do not leave your personal contact information and location. Also, having “no malicious intent” or “just trying to prove a point” is not really a valid legal defense. Granted, some people make money by finding a security flaw in a company’s system and quietly notifying that company of the flaw so it can be fixed and the finder can hopefully be monetarily rewarded. But once you hack into a site and post a very public message on the homepage, you leave the realm of “no malicious intent” and enter the land of “very real potential jail time.”

Unfortunately for one computer science student in India, he didn’t get the memo. This is what he put on the homepage of the site he hacked:

Not so smart hack job

That’s right, the defacement included the hacker’s name, current city of residence AND email address. According to Sophos, Shahee was hunted down and arrested within 24 hours of the security breach. He confessed, but said he “had no malicious intent.” Good luck with that one, Shahee!