Overconfident developers who choose to write their own cryptography code have plagued the information security industry since before it was even an industry. This in and of itself isn’t inhe…
Many years ago, a well known energy company had a Perl script doing symmetric encryption to access root passwords of their Linux and Unix servers.
When used as intended, it would check whether the local Unix user had been granted admin rights to that server, and generate audit logs of the request.
One could also copy the perl script, comment out the checks and audit logging, and request any and all root passwords.
The only saving grace was that the server was only accessible to existing sysadmins.
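The design flaw in that anecdote is that the authorization check, the audit logging and the decryption key all lived in the same script the requesting user ran, so the check was advisory. The following is an added example, not code from the page or from the company it describes, that puts the flawed layout next to a corrected one in which the key, the grant check and the audit log sit behind a boundary the requester cannot edit. The hosts, grants, passwords and key are constructed sample data; the stream cipher is a toy built from HMAC-SHA256 so the example runs with only the standard library (a real vault would use an AEAD such as AES-GCM); and the privileged boundary is simulated by a class that never hands out its key (in practice it would be a separate privileged process or service).

```python
import hashlib
import hmac
from datetime import datetime, timezone

# --- constructed sample data (not real hosts, grants or passwords) ---------
GRANTS = {"db01": {"alice"}, "web01": {"alice", "bob"}}  # host -> admins
SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # embedded in the script


def toy_stream_cipher(key: bytes, host: str, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from HMAC-SHA256(key, host:counter).
    Symmetric, so the same call encrypts and decrypts. Toy only: it exists so
    the demo runs offline; it is not a substitute for a vetted AEAD cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, f"{host}:{counter}".encode(), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Ciphertexts every sysadmin could read (constructed plaintexts).
STORE = {
    host: toy_stream_cipher(SHARED_KEY, host, pw)
    for host, pw in {"db01": b"r00t-db-pw", "web01": b"r00t-web-pw"}.items()
}


def legacy_lookup(user: str, host: str) -> bytes:
    """Flawed layout from the anecdote: grant check, audit line and decryption
    all run in the caller's own process, next to SHARED_KEY and STORE. Anyone
    who can run this code also holds the key, so nothing forces the check."""
    if user not in GRANTS.get(host, set()):
        raise PermissionError(f"{user} is not an admin of {host}")
    print(f"AUDIT {user} requested root password for {host}")  # client-side log
    return toy_stream_cipher(SHARED_KEY, host, STORE[host])


class VaultService:
    """Corrected layout: key, ciphertexts, grant check and audit log live on
    the privileged side of a boundary. Here that boundary is simulated by a
    class whose key is never returned; a real deployment would put it in a
    separate process or service that the requesting user cannot modify."""

    def __init__(self, key: bytes, store: dict, grants: dict) -> None:
        self._key = key
        self._store = store
        self._grants = grants
        self.audit: list[dict] = []  # written for every request, granted or not

    def request(self, user: str, host: str) -> bytes:
        granted = user in self._grants.get(host, set())
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "host": host,
            "granted": granted,
        })
        if not granted:
            raise PermissionError(f"{user} is not an admin of {host}")
        return toy_stream_cipher(self._key, host, self._store[host])


def denied_requests(vault: VaultService) -> list[dict]:
    """Audit entries a defender would review: requests that were refused."""
    return [entry for entry in vault.audit if not entry["granted"]]


if __name__ == "__main__":
    vault = VaultService(SHARED_KEY, STORE, GRANTS)
    print(vault.request("alice", "db01"))
    try:
        vault.request("bob", "db01")
    except PermissionError as exc:
        print("refused:", exc)
    print("denied so far:", denied_requests(vault))
```

The contrast to notice is not the cipher but who holds the key: in `legacy_lookup` the check and the secret share one trust domain, so the only real control is whoever can run the script; in `VaultService` the same check is the gate to the secret, and the denial is logged where the requester cannot suppress it.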