So, I’m sitting there, minding my own business because it’s towards the end of the work day and I just want to get home. Then an email comes in, another security audit is coming down the pipe. No big deal, been through them before, but they are a pain in the ass.
I figured what the hell, I’ll read through the requirements to see what they are looking for. I get to about line 5 of the email, and right there, amidst all the other ludicrous requests is them asking for my “/etc/shadow report”. There is no “report” that can be yielded from the shadow file, other than brute forcing the passwords and seeing what comes up. I know for a fact that these jackasses aren’t bright enough to actually be asking for that, so that must mean… The light comes on, WHAT IN THE *censored* DO THEY NEED MY SHADOW FILE FOR? IT’S GOT ALL THE GODDAMN PASSWORDS.
Well, I start thinking, could just be a test, seeing if I’ll just upchuck the guts to my servers without asking why. So, I grind out a short email to the ol’ manager stating the fact (adlib here) that I wouldn’t give that file to my own mother.
Gets to be time to go, and as usual, I do a quick round to make sure none of the developers need anything from the “server god” before I go home for the day. I pop my head into the manager’s office, exchange a little chit chat. He then informs me that “they (meaning the audit firm) got a lot out of us last time and I’m sure there is something in the contract.” I about breached my BVD’s on the spot.
Now, I don’t want to make it look like my manager is the devil himself. He does try hard after all, but that comment got me thinking there is no conductor on this train and I’m just behind the coal car. This is gonna hurt.
So, if I am, in the end, forced to surrender that file to the audit team, I do so under protest. Nasty, rioting in the streets type peaceful protest. If and when my servers are r00ted, every swingin’ richard better be there with me while I rebuild. Everyone down from the CIO of the Americas to the audit team.
**Edited by Request**



