Response to: Our Security Auditor Is an Idiot


Some thoughts on the SO question about the idiot security consultant that demanded a list of everyone’s plaintext password plus some rather impossible things.

If you haven’t read it, take a moment to do so now: “Our security auditor is an idiot. How do I give him the information he wants?”

First, I’d fire the guy and hire someone else; that’s a no-brainer.

However, before I fired him, I’d do some “experiments”. First, I wonder what would have happened if we told him, “Oh, yes, I’d be glad to help. What is the command in CentOS that would give me this information?”

This would either call the consultant’s bluff, or reveal something more interesting. For example, I wouldn’t be surprised if the consultant’s answer was cat /etc/passwd. This might reveal that when he says “plaintext password” he means “hash”. That’s a dumb mistake, but not entirely unforgivable if he made that conflation once. Once.

Second, I’d tell him, “We don’t have a log of password changes. We do require password changes every 90 days [include a screenshot of the password settings]. Can you recommend how we could log password changes in the future?”

If he is smart, he’d say that such information will be in his final report. However, if he is really smart, he’d offer to sell a package that does that, perhaps some over-priced authentication server from Cisco or Oracle that he would charge a lot of money to install.

But honestly I don’t suspect he is a crank. I think he is a scammer. Suppose he’s a scammer that looks for non-technical clients, gets their passwords, steals their intellectual property, and sells it. Meanwhile he gives his clients a “security report” that is basically a mixture of things that would sound impressive to a non-technical client but is just a bunch of junk.

It would be the perfect scam: getting people to pay him to steal their data. If that is what is going on, the “authentication server” he sells might be something he wrote that captures passwords and sends them to him.

If he is a scammer, it becomes very important to maintain the fiction that he is the smartest security expert ever, that anyone else is an idiot, and to keep reminding you of those things. Scammers do this for two reasons: (1) it makes it difficult to come up with a response when you’re constantly being reminded how smart he is, (2) smart clients will go away, leaving him access to only the dumbest clients.

He really wants to eliminate the smart clients: they aren’t his market. The more he plays up the “I’m so smart” routine the better. Smart clients don’t believe him, assume he’s a crank, and go away. Problem solved. They never suspect he’s a scammer.

Dumb (I mean… technically non-savvy) clients believe he is smart, believe they have tons of problems that only he can fix, and latch onto him. He can bill them for years as long as he maintains the fiction.

This is basically how all scam artists work. The term “con man” is short for “confidence man”. They gain your confidence and then they can walk all over you. They must be good actors, businessmen, and criminals.

This is what Trump did to get elected. He kept reminding people how smart he is, that he knows all the best people, and so on. If you asked him to prove it, he told everyone what an idiot you were for doubting him. Fox backed him up and gave him suppressive fire every step of the way.

That shit works really well.

Tom Limoncelli


© 2017 - 2022 Tom Limoncelli