[–] Men13 1 points 56 points (+57|-1) ago 

Would take less than an hour on a home computer to brute force if they salted the passwords, which given how stupid these requirements are - I'm sure they didn't.

If they didn't salt the passwords, it'll literally take a fraction of a second to break.

But as a person in the industry, I can tell you how this happened:

Government is forced to use "lowest bid" contractor to build the site.

Government creates a document of what needs to be done, as explicit as possible, because they know the people who will implement it will do everything in their power to intentionally misread the specs.

Contractors read the spec, and spend most of their time investigating what they can do (intentionally) wrong while still adhering to the spec. Not cheaper mind you - but intentionally wrong even if it's more expensive.

Then contractors bid a ridiculously low amount, counting on the post-bid changes they will charge to fix everything they did wrong.

It is these changes that make them money, so they have to make sure there's as many of these as possible.

This is one of those things. The contractor deliberately decided on such a weak password scheme. The government spec probably said something like "you have to make sure passwords are at least 8 characters long, and have at least one number and one letter". But since they never said you have to allow more than 8 characters or that passwords have to be case sensitive, the contractors created the least secure scheme that would work - intentionally - so they could later say "oh! You should have said so! We would have bid $10k higher if we'd known!"

This always happens when you use outside contractors based on lowest bid.

Other countries use government employees for this - which results in a better product (because they actually care about the product, unlike contractors).

[–] Pessimist 6 points 20 points (+26|-6) ago 

"Other countries use government employees for this - which results in a better product (because they actually care about the product,"

Oh, Wow! Good one! You really had me going until that part!

[–] speedisavirus 5 points 14 points (+19|-5) ago  (edited ago)

Yeah, calling instant bullshit. The caliber of a government employee is literally the bottom of the barrel. If they were good they wouldn't be working for the government. Unless it's literally a function only the government really employs for.

[–] Inconceivable2 0 points 2 points (+2|-0) ago 

Not everywhere in the world. America has slit its own throat with affirmative action, minority hiring quotas and lower requirements for everyone except whites. Put low IQ shitskins in front of a computer and they will type shitty and be as lazy as possible. IIRC, they can't be fired no matter how bad a job they do (or don't do).

Travel the world a bit and you'll see that much of the problems are a uniquely American issue.

[–] [deleted] 0 points 2 points (+2|-0) ago 

[Deleted]

[–] Men13 0 points 1 points (+1|-0) ago 

Well, you know, it works.

[–] prairie 1 points 11 points (+12|-1) ago 

[–] Men13 0 points 1 points (+1|-0) ago  (edited ago)

Exactly. And the only way to solve it is if the government itself (government employees) is implementing it (not just writing the spec, but implementing it as well).

[–] Pepper-theDoctor 0 points 8 points (+8|-0) ago 

To be fair, a government employee did write the specs wrong in the first place. Not likely they would've built it right even if they hadn't used a contractor.

[–] B3bomber 0 points 4 points (+4|-0) ago  (edited ago)

It takes actual tech people to understand tech. But but but we hired the pajeet firm who consults cheaply!

[–] bob3333 0 points 2 points (+2|-0) ago 

Because they outsourced their IT.

[–] Men13 0 points 1 points (+1|-0) ago 

No, they didn't write them wrong. It's impossible to write 100% defensively. If someone wants to intentionally misread it, they always can.

[–] MaxAncap 0 points 5 points (+5|-0) ago 

Not cheaper mind you - but intentionally wrong even if it's more expensive.

who are those hardcore guerrilla shitlord capitalists?

[–] Naught405 0 points 5 points (+5|-0) ago  (edited ago)

Like 1/3rd of the US domestic economy (not necessarily all shit tier contractors, it's easy to stand out in a field filled with shit tier results and get relationships where they won't bid for anyone else)

Wescam, Flir, W3, Honeywell, and 1000 other companies you never heard of because they don't do anything else. If you want I can source you an FAA compliant LCD screen. It's 640 by 480 resolution and costs $1000 per diagonal inch. The standard/most common model is 7"/$7000. It is a Chinese panel glued into a metal box with cannon plugs replacing soldered into the regular ports. But that price includes 2 years of on site support and service and verification of the (not included) installation in your aircraft... so there's that I guess.

[–] Men13 0 points 0 points (+0|-0) ago 

It's more expensive, but still cheaper than the "change" fee. So capitalists would rather do it wrong and make more money (because fix > price of doing wrong).

[–] tendiesonfloor 1 points 22 points (+23|-1) ago 

This is the same government the liberals want running healthcare and the Internet.

[–] express-o 2 points 18 points (+20|-2) ago 

The most telling thing here is that the passwords are "not case sensitive". This means that the passwords are stored within their system in plain text. They are not encrypted. There is no salt. If your password is "BlowMe21" then "blowme21" (or any variation of capitalization) will work. Knowing that the password is exactly 8 characters also makes this even more ridiculous. It is beyond trivial to break. This is a system that was designed to be broken. IANL but it smells like criminal negligence.

[–] everef 0 points 19 points (+19|-0) ago 

While I agree that they're probably being stored in plain text, this does not prove it. They could always lowercase the password before hashing it.
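An added example (not code from anyone in this thread) that puts numbers on Men13's brute-force and salting remarks and demonstrates everef's point: a site can accept "BlowMe21" and "blowme21" interchangeably while still storing only a salted, slow hash. The function names, the PBKDF2-HMAC-SHA256 choice and the 200,000-iteration count are assumptions made for the illustration; nothing here is known about the site's actual implementation.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy as described in the thread: exactly 8 characters, at least one letter
# and at least one digit, compared case-insensitively.
LETTERS, DIGITS, LENGTH = 26, 10, 8


def policy_keyspace(case_sensitive: bool) -> int:
    """Count 8-character alphanumeric strings containing >=1 letter and >=1 digit.

    Inclusion-exclusion: all strings, minus those with no digit, minus those with
    no letter (a string cannot lack both, so nothing is subtracted twice).
    """
    letters = LETTERS * 2 if case_sensitive else LETTERS
    alphabet = letters + DIGITS
    return alphabet ** LENGTH - letters ** LENGTH - DIGITS ** LENGTH


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second


# Case-insensitive matching that still hashes: fold case, then apply a salted,
# deliberately slow password hash (PBKDF2-HMAC-SHA256 chosen as an illustration).
ITERATIONS = 200_000  # assumed work factor, not a value from the thread


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    normalized = password.casefold().encode("utf-8")  # "BlowMe21" == "blowme21" by design
    digest = hashlib.pbkdf2_hmac("sha256", normalized, salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    print(f"case-insensitive keyspace: {policy_keyspace(False):,}")
    print(f"case-sensitive keyspace:   {policy_keyspace(True):,}")
    salt, digest = hash_password("BlowMe21")
    print("blowme21 accepted:", verify_password("blowme21", salt, digest))
```

Case-folding before hashing shrinks the keyspace roughly 60-fold compared with a case-sensitive policy, and a per-user salt means each stored digest has to be attacked separately rather than via a precomputed table.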

[–] express-o 0 points 4 points (+4|-0) ago 

You are quite correct, thank you for pointing that out. They could certainly force lower case (or upper case) all passwords and then encrypt them. Encrypted or not, still pretty sloppy security.

[–] rndmvar 0 points 1 points (+1|-0) ago 

Oh, it's worse than just lower casing the password. Either this is an ancient DB that only stores letters in one case (how many exploits would it be vulnerable to by now?), or they're lower casing inputs because they're not sanitizing their inputs in any other fashion ("' DROP TABLE" becomes "'drop table").

[–] speedisavirus 0 points 7 points (+7|-0) ago 

No, it does not mean they are plain text. If you can't think of a way they can still be hashed and not be case sensitive I will request you never work in technology.

[–] express-o 0 points 2 points (+2|-0) ago 

lol you are correct. Thank you.

[–] Naught405 0 points 1 points (+1|-0) ago  (edited ago)

No. It would be very hard to show criminal liability in a gov contract case because of the way they are negotiated, unless a contractor lied or expressly violated the specific terms of the contract. Also your comp sci is ... lacking.

[–] elitch2 1 points 10 points (+11|-1) ago 

I could brute force that with my phone. Quickly.

[–] [deleted] 0 points 8 points (+8|-0) ago 

[Deleted]

[–] elitch2 0 points 6 points (+6|-0) ago 

Jesus Christ. This page, enough said.

[–] http404 [S] 0 points 6 points (+6|-0) ago 

Also, that website has hours.

Online Services Availability

  • Monday-Friday: 5 AM - 1 AM ET
  • Saturday: 5 AM - 11 PM ET
  • Sunday: 8 AM - 11:30 PM ET

[–] VoutGuy 0 points 5 points (+5|-0) ago 

I've NEVER seen a case-insensitive password.

So safe.

[–] TrueAmerican 0 points 5 points (+5|-0) ago 

it's so the new passwords can jive with the old systems they have... they are too lazy/cheap to upgrade...

[–] bourbonexpert 0 points 5 points (+5|-0) ago  (edited ago)

8 characters? one number?

niggers1 solved!

[–] IAmYourDad 0 points 1 points (+1|-0) ago  (edited ago)

Here, this is better.

n1993rsi
