• @masterspace@lemmy.ca
    link
    fedilink
    English
    183 months ago

    There was a previous article on this with more explanation that I’m struggling to find.

    The gist was that they do hash all passwords stored, the problem was that there was a mistake made with the internal tool they use to do that hashing which led to the passwords inadvertently going into some log system.

    • @BearOfaTime@lemm.ee
      link
      fedilink
      -23 months ago

      “mistake”

      I call BS. The reviews I’ve gone through for trivial stuff would’ve exposed this.

      This was intentional.

      • @HiddenLayer555@lemmy.ml
        link
        fedilink
        English
        63 months ago

        Hanlon’s Razor revised: Never attribute to malice what can be attributed to incompetence, except where there is an established pattern of malice.

        • @BearOfaTime@lemm.ee
          link
          fedilink
          12 months ago

          Then incompetence at a level that’s incomprehensible.

          A code review certainly exposed this, and some manager signed off on the risk.

          Again, changes I make are trivial in comparison, and our code/risk reviews would’ve exposed this in no time.

      • @masterspace@lemmy.ca
        link
        fedilink
        English
        43 months ago

        Yeah, cause trivial systems are a lot easier to parse and review. At a base level that’s nonsense logic.

        • @BearOfaTime@lemm.ee
          link
          fedilink
          02 months ago

          My point being the extensiveness of a review process.

          The more important a system, the more people it impacts, etc, the more extensive the review process.

          Someone chose to ignore this risk. That’s intentional.

          • @masterspace@lemmy.ca
            link
            fedilink
            English
            12 months ago

            You quite frankly, don’t know what happened and if you’re confident it’s intentional, all that says is that you’re a grump who likes to complain.

        • @BearOfaTime@lemm.ee
          link
          fedilink
          12 months ago

          I generally agree.

          But any decent code review process would’ve exposed this, or at least a data surveillance system that checks this stuff. I’ve received a few notifications about my logs storing inappropriate data, as a result of a scanning system.

          Some manager knew about this during a code review, and signed off on the risk because it was only in-house.

      • @moody
        link
        13 months ago

        A mistake doesn’t mean it’s an accident. A mistake means they made the wrong choice.