Rendered at 00:02:20 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
scottlamb 5 hours ago [-]
> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.”
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana posession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
yaur 2 hours ago [-]
Terminating access and rotating passwords (if needed) while the person is in the meeting but has not yet found out they are being let go has been SOP for at least the last 20 years
lazyasciiart 13 minutes ago [-]
Amateurs. My employer does mass layoffs by terminating access to everything except their email account at 3am, and then sending an email to the victim saying “you were let go at 3am”. Managers get to figure out who’s left on their team by pinging everyone when they learn about it at work.
tempaccount5050 5 hours ago [-]
When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence. This is absolutely a standard and has to be for these kinds of positions. I've never worked anywhere where it wasn't for the majority of IT staff. You meet with HR, someone clears your desk, and security walks you out.
scottlamb 5 hours ago [-]
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
bigiain 36 minutes ago [-]
For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained a "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need for them to disable or rotate those credentials.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-trcking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rule specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rouge, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess thats something I'll ned to get on to soon.)
stronglikedan 3 hours ago [-]
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
mcmcmc 2 hours ago [-]
Let’s not forget the third option: proper security practices and principle of least privilege. No one should have been able to do this in the first place. Why were they able to get plaintext passwords with a simple query? Why did they have delete permissions on production db tables? Why were they able to modify system logs and delete backups?
mquander 2 hours ago [-]
> Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there.
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
avereveard 49 minutes ago [-]
System security is not a human value. Access key rotation effective immediately is a compliance requirement, and completely orthogonal to human decency, which is delivered trough garden leave or severance, not extended system access
lazide 51 minutes ago [-]
So, never lived in corp land? Healthy isn’t on most corporations radars except where it causes liability to them.
fc417fc802 1 hours ago [-]
I'd argue that failing to segregate things so that there's a switch for the sensitive stuff and a separate switch for the not-sensitive stuff is an operational failure. A rank and file employee having access to his email account should never pose a serious liability to the business.
tempaccount5050 5 hours ago [-]
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
scottlamb 5 hours ago [-]
> Just think of all the info you have in your inbox.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
fc417fc802 1 hours ago [-]
No you don't get it, we have to take a harsh approach to firing people because we keep pallets of high explosive in the break room and management doesn't want to change that. /s
BrandoElFollito 5 hours ago [-]
High level IT positions are not risky. This is the db admin who can do most of the damage.
stego-tech 4 hours ago [-]
There is a middleground, but it requires conscious effort to prop-up, support, and maintain over the long haul: off-boarding centers.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
skinfaxi 4 hours ago [-]
Your last sentence sums it up. I was blown away by the system you described that would allow for such a humane transition through such a difficult time. At least process wise it seems like a good place to work.
stego-tech 2 hours ago [-]
It really was. I’d gladly go back, too, but they’re not hiring IT folks with my skills atm.
mistrial9 3 hours ago [-]
you left out the people who enjoy the suffering and pain of the person it is being done to, while they supervise (and film it, in some cases)
repelsteeltje 3 hours ago [-]
I suppose that's a very powerful way of preventing "accidents" on termination. But isn't that just theatre? I mean - as though termination is the one and only case where an employee with the power to destroy the company gets angry and might do something really stupid?!
suburban_strike 1 hours ago [-]
It's not theater, it's defense against aggrievement. Termination is a traumatic event that threatens your ability to exist or provide for dependents. People [rightfully] don't handle exile well.
Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.
European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.
lesuorac 4 hours ago [-]
Yeah but if you defense against somebody erasing a database is "we remove their access when they're fired" then your defense is garbage.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
tempaccount5050 4 hours ago [-]
I'm talking about off-boarding not general day to day security.
scottlamb 57 minutes ago [-]
But I'm talking about general day-to-day security too. What stops a single disgruntled employee from doing this before being fired? And if you have a good story there, why do you need the most extreme approach to "off-boarding"?
It makes sense to terminate someone's high-risk credentials immediately when they're fired. But it's extremely worrying if every credential held by every employee is considered high-risk. It suggests a bigger failure. "Unilateral access to a database filled with plain-text passwords" shouldn't ever exist. "Email account filled with dangerous stuff" should at least be unusual.
ponector 1 hours ago [-]
If you don't trust your people so much, why to hire them in a first place?
Looking at it from Europe - it is such a weird inhumane practice.
Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
ddosmax556 1 hours ago [-]
Looking at it from Europe, this definitely also happens. It depends on the situation. I know of ppl who were kept bcs the parting was in good faith (which was less a firing and more an agreement that parting is in everyone's interest), but I also know of ppl who had their access revoked before firing bcs it wasn't. The latter had unilateral system access as well, which added to it. It's not about humane or inhumane, it's about risk. The 3-6 months being nice is also a fairytale that I have only ever heard in a positive light from employees who are not particularly ambitious or awake or in any way satisfied with their jobs or the prospect of a future job. On the other hand from the perspective of employers it's consistently hard to effectively restructure, it's expensice and awkward to have to pretend to want to keep someone around that you or they don't want around.
It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops of people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.
joe_mamba 38 minutes ago [-]
>If you don't trust your people so much, why to hire them in a first place?
It's not about trust, it's about risk and most companies operate on liability. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.
You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job, even trustworthy people react irrational once emotions hit making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).
You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.
Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".
For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.
>Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Yeah, that happens sometimes like for CxO's, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon loose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".
lazyasciiart 10 minutes ago [-]
All the couples I know who are divorced did continue living together after one of them said it was over, I think the longest time actually was about 6 months.
joe_mamba 8 minutes ago [-]
Yeah but did they still keep banging and cuddling like before the divorce announcement? They probably weren't doing much of that anyway if they got divorced but you get my point.
beAbU 4 hours ago [-]
Having people with that level of access without some form of two-person-control is already a sign of incompetence.
dullcrisp 4 hours ago [-]
Twins can defeat two-person control (okay I know one of them was locked out).
scottlamb 1 hours ago [-]
You always have to be careful about overfitting to a specific scenario like "this but if they had also forgotten to lock out the other evil twin". I'd prefer a system that is robust to a malicious employee (more likely: compromise of an employee's credentials) but has a slight gap in the "evil twins" scenario over one that prevents all post-firing malicious access from twins but doesn't consider at all what happens if a current employee's credentials are compromised.
saghm 4 hours ago [-]
Maybe they did, but since they were twins...
dylan604 3 hours ago [-]
This takes the whole "you must mean my evil twin" to an actual example. Maybe this is more "you must mean my other evil twin". Part of me really wishes their names were Daryl
reactordev 4 hours ago [-]
They do all of that now though...
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
paulpauper 5 hours ago [-]
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately
The employee is always the last to know. This is standard fare.
aksss 3 hours ago [-]
> a more balanced version: <bunch of weedy ACLs, judgement calls, liability/>
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
scottlamb 1 hours ago [-]
> Too complicated and subjective, stinks of more risk.
I actually think there's less risk, because it's not as narrowly focused on what a just-fired employee can do. That's not the only scenario of concern.
> Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count).
Interesting. Thanks for the perspective. I've been fortunate enough to not be on the receiving end of a lay-off, knock on wood. It's happened to my teammates/reports though. Wasn't my decision. :-(
zuzululu 1 hours ago [-]
I'm just amused how these people were even hired to begin with ? They don't seem to be Americans? How were they even allowed to work on sensitive systems? Why was this even allowed? So many questions.
At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”
At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”
In the space of a single hour, Muneeb deleted around 96 databases with US government information.
dolebirchwood 10 minutes ago [-]
They were born in Maryland, and apparently quite skilled (or at least skilled at cheating their way through their studies, if not genuinely technically skilled).
>> They don't seem to be Americans?
How did you conclude that? Just their names?
jasonwatkinspdx 42 minutes ago [-]
I would imagine they lied about having a felony conviction on their job applications, and that for whatever banal reason any background check service they used didn't flag it, or the contractor was so grossly incompetent they didn't even check.
Beestie 53 minutes ago [-]
I don’t know where to start with this other than to point out that there is no way in hell these two clowns had the security clearance necessary to access a prod DB at DHS. I can only assume they stole creds from another employee who had that level of clearance. Also, tax records are not stored in a DHS domain .
I think this story has been sanitized to mask some details which is ok I guess but I ain’t buying the back story.
nomilk 6 minutes ago [-]
> “Delete their filesystem as well?” he said.
> “Smart idea,” said Muneeb.
Seems obvious they weren't destroying databases out of malice (i.e. retribution for being fired), but in order to cover something(s) up..
soVeryTired 5 hours ago [-]
> On March 12, 2025, a search warrant was executed at Sohaib’s home in Alexandria. Agents grabbed plenty of tech gear but also turned up seven firearms and 370 rounds of .30 caliber ammunition. Given his former crimes, Sohaib should have had none of this.
For god's sake, don't commit crimes while you're committing crimes.
tclancy 4 hours ago [-]
I was kind of hoping he sprinted out his back door which happened to be on a state line and then mailed his guns back to his house, just to try to cover everything.
colechristensen 27 minutes ago [-]
There is a strong bias towards stupid criminals getting caught.
paulpauper 5 hours ago [-]
Only commit one crime at a time
vvpan 37 minutes ago [-]
Serially.
chatmasta 24 hours ago [-]
> At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
game_the0ry 5 hours ago [-]
> At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”
So many red flags, I can't even.
t0mas88 2 hours ago [-]
> In the space of a single hour, Muneeb deleted around 96 databases with US government information. He downloaded 1,805 files belonging to the EEOC and stashed them on a USB drive, then grabbed federal tax information for at least 450 people.
Maybe whoever runs infosec at that place should also be fired?
oliyoung 58 minutes ago [-]
Brave of you to assume they had anyone running infosec by the sounds of it
jiggawatts 4 hours ago [-]
I love how this leaks out the fact that the DHS is running production databases on operating systems that are months away from end of extended support.
Windows Server has 5 years of mainstream support, 5 years of extended support, and then an extra 3 years paid Extended Security Updates (ESU) support. For 2012 and 2012 R2 that ends in October 2026.
The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
mpyne 29 minutes ago [-]
> The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
I'm not going to say the wages are fine but the issue is likely not to be the competence of the IT staff, but rather the overbearing IT management processes the U.S. Federal government uses. "Enterprise change management" processes separate from the already-long cybersecurity review processes can add weeks or even months to system updates.
In that kind of construct, you optimize for fewer but larger changes and then it's no surprise to see that there's no time in the project update schedule to update the OS in addition to making all the other long-overdue library / middleware / application changes that also are pending once a change finally can be made.
chatmasta 1 hours ago [-]
It’s a contractor to the DHS, but I’m not sure that makes it worse or better.
harrisi 3 hours ago [-]
It can be quite politically valuable to kick the can to the next administration.
jiggawatts 2 hours ago [-]
The day-to-day operation of large government bureaucracies is surprisingly immune to elections. The same people stay in the same job for decades, the "churn" only happens at the highest levels, and even those positions tend to outlast changes in the current political party in charge.
bozhark 43 minutes ago [-]
Did you not see what happened in the last year to federal workers?
kQq9oHeAz6wLLS 27 minutes ago [-]
To be fair, this transpired last year, so they actually had one year and some months before losing extended support.
That said, they should have migrated it years ago.
darkwater 4 hours ago [-]
Yep, Windows Server 2012 being a big one :o
insane_dreamer 1 hours ago [-]
> So many red flags
starting with Windows Server _2012_ :O
lostlogin 5 hours ago [-]
Ready access to AI tools sure makes vandalism easy.
BoneShard 1 hours ago [-]
A tool which is supposed to supercharge you - supercharges you.
game_the0ry 5 hours ago [-]
Ai is just a tool. You can kill with hammer, doesn't mean you ban hammers. And they could have used stack overflow instead of ai.
xethos 4 hours ago [-]
The tools we use are not neutral. A sword can be made to work like an axe, but we use axes for chopping wood because a sword makes a shitty axe. A sword is designed to kill people. The handle, the mass, the weight distribution, and every other aspect I am not qualified to get in to, means swords are designed to kill. They are a tool, and their use is not neutral.
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corrollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
My larger point is that nobody - nobody - defaults to telling us the coffee mug is unregulated, as AI allegedly ought to be. They always compare it to something much more commonly used as a weapon; something that, when asked to name a household object likely to be used as a weapon, the average person would guess.
dullcrisp 1 hours ago [-]
Your point is that people make a stronger argument even when a weaker one would be sufficient?
collingreen 4 hours ago [-]
My god, they didn't say ban ai they said it makes vandalism easy.
No need to knee jerk react to an argument that hasn't been made.
fc417fc802 41 minutes ago [-]
It's not knee jerk to respond to an obvious contextual implication.
fugalfervor 4 hours ago [-]
You are the first person in this conversation to mention banning. I am not sure what your comment has to do with anything.
fn-mote 4 hours ago [-]
This vandalism is a joke. You could find the method in an XKCD comic.
The fact that they didn't already know how to do it is the crazy part.
plagiarist 4 hours ago [-]
They forgot a
> "How do I clear chat logs from LLM?"
I guess?
bmitc 23 hours ago [-]
Those two in the movies were always a highlight for me, especially when the one joins the other in the Mexican factory riot.
noboostforyou 3 hours ago [-]
One of my favorite lines "Peligroso es mi nombre medio" (which of course is not grammatically correct in Spanish) and then his short inspirational speech invoking general Zapata were great.
How did they get access to 5k passwords? Are they being sent/stored in cleartext? This is the most baffling part of the article for me.
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
inetknght 5 hours ago [-]
From the article, it sounds like the passwords are indeed stored in cleartext:
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
giantg2 4 hours ago [-]
It still blows my mind. Shouldn't the government audit their contracting companies for egregious issues like this? Seems extremely reckless not to.
at-fates-hands 3 hours ago [-]
I'm pretty shocked as well. I thought every company stopped doing this like 20 years ago? Even for a legacy system that is a long time to continue storing credentials like that.
__turbobrew__ 18 minutes ago [-]
My wife works in IT at a mid sized city. They still store credentials in source control.
jeremyjh 1 hours ago [-]
20 years is rookie numbers in these systems. I guarantee it’s been at least 40 years since a single fuck was given.
GorbachevyChase 4 hours ago [-]
Policy and practice might not be the same thing. The company and the entire management staff should be on somebody’s blacklist for future procurement.
giantg2 4 hours ago [-]
The whole point of stuff like SOC2 and audit to verify that policy is actually implemented. Seems like nobody actually checked.
kube-system 4 hours ago [-]
SOC2 requires an audit. But one of the weaknesses of SOC2 is that the audit mostly checks to determine that you are following whatever your policy is. It doesn't verify that your policy is rigorous.
skinfaxi 4 hours ago [-]
Depends on what their offboarding policy is. If it's 72 hours or something they would not breach policy.
BrandoElFollito 5 hours ago [-]
And how exactly do you want to store passwords if not in plain text (and then encrypted of course)? 5k is a lot, the authorization process is broken, but this is not related to how the passwords are stored.
The only solution is correct access segregation and a bastion
Dangeranger 4 hours ago [-]
You should never store passwords in plain-text, encrypted or not, you should always use a one-way cryptographic hash like bcrypt [0], scrypt [1], or PBKDF2 [2], combined with a single use salt [3] and optionally a pepper [4], and then store the output of the hash in the database.
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
Hashed, you store them hashed (and salted). A breach should never reveal passwords.
jm_l 4 hours ago [-]
Typically you store a hash of user passwords instead, then when logging in you hash the user password client-side and compare the hashes. This acts like a one-way function that protects the password while letting the user authenticate themselves.
CyberLily 4 hours ago [-]
Hashing passwords client-side is generally a bad idea, since it means that the hash effectively becomes the password. For example, if I have a database row that has the hash of the password and a bad-guy gets access to the database, they will get the hash. The benefit of a hash is that it is a one-way operation, I can't figure out the plaintext from the hash, so my account is safe. If the password is hashed on the client, and sent to the server the attacker doesn't need to reverse the hash, they can just send the hash in the request. Instead, you should send the password to the server (using TLS encryption) and do the hash and compare on the server.
fc417fc802 25 minutes ago [-]
Hashing client side is sufficient because the only service you can breach with the hash is the one you already had to breach in order to read the database.
Of course performing an additional server side hash on top of the client side one is good defense in depth because there's at least some chance that it might make things more difficult for a rogue insider and doing so costs approximately nothing. But it certainly isn't critical because by the time you're dealing with a rogue insider things are already looking quite bad.
jmull 3 hours ago [-]
You actually want to one-way passwords both client-side, for transport, and again server-side, for storage/comparison.
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
Tangurena2 4 hours ago [-]
Also, you need to add salt. Otherwise every person using "Password123" has the exact same hash. Before they broke their search engine, it was common to google the MD5/MD4 hashes to "decrypt" or "unhash" them.
necovek 30 minutes ago [-]
And rainbow tables appeared too.
jmull 3 hours ago [-]
People shouldn't be downvoting this...
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
necovek 24 minutes ago [-]
I wonder how common are setups where an internal person has access to the TLS private key part of the certificate or access to a network equipment that all traffic passes through, yet they cannot access the inputs required for hashing/encryption client-side?
This seems to mostly prevent accidental logging and is thus a matter of defense in depth, stopping malicious actors from exploiting it later — but an actively malicious IT person would not be deterred.
fc417fc802 17 minutes ago [-]
Yes limited protection against insiders is good defense in depth but not the primary purpose which is to protect end user accounts on other services in the event that you are breached.
necovek 13 minutes ago [-]
My question still stands: how do you disallow cleartext password extraction if you are breached, assuming all your IT infrastructure and code is now accessible to an attacker?
I am talking about not logging them ever, using internal TLS and strong hashing in general, and wondering what exact value is added on top with client side hashing.
ellg 4 hours ago [-]
I hope youre joking
kjs3 3 hours ago [-]
I don't think those words mean what you think they mean.
jjk7 4 hours ago [-]
Assuming you're serious? Store passwords with salted one-way hashes.
liendolucas 3 hours ago [-]
I can only think of a scenario where this is still valid: spying.
The minimum one can do is have a different randomized password for every service on a possibly completely offline password manager.
Yes, you will depend on a password manager at all times, but at least the blast radius is minimized to the affected service.
chrisra 1 days ago [-]
I have no problem with my credentials being revoked everywhere before I know about a layoff. I don't really care how I learn about it, just please don't make me come in to the office.
nine_k 6 hours ago [-]
> just please don't make me come in to the office.
But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.
jimmaswell 4 hours ago [-]
I've never had a job with a permanent individual desk like this. The one in-person real job I had, it was only shared working space that different people used at different times of the day or on different days, and I think you were discouraged from leaving anything. The idea of there being "your desk" with a framed photo of your kids and favorite coffee mug seems like a nearly extinct piece of nostalgia. It must have been nice in a way, far preferable to the new style of open office at least.
pavel_lishin 4 hours ago [-]
May I ask how long you've been working?
I'm in my early 40s, and I've never had a job where we've "hot-desked" like that, even when a company was out-growing an office.
antod 2 hours ago [-]
I'm on my third job since COVID. None have dedicated desks, and this ranges across startups, corporates and large govt agencies.
Every job I had before COVID back to when I started back in the early/mid 90s had dedicated desks.
paulpauper 5 hours ago [-]
ship it?
jagged-chisel 6 hours ago [-]
Meh. Don't leave anything at work. Forgo the convenience and carry your things on your commute. Use a bag. If there's "too much stuff", that's a sign to pare back what you "need" at work.
whatshisface 5 hours ago [-]
I know this is not a good year on the job market, but if you are traveling to work with a "go bag" and not leaving coffee mugs on your desk to prepare for being laid off maybe it is time to carry that go bag to some other buildings...
nkrisc 4 hours ago [-]
The obvious middle ground is don’t leave anything valuable at your desk that you wouldn’t want to lose. You shouldn’t leave valuable stuff at your desk even if you don’t expect to be laid off. Unless you work in a very secure environment, you don’t really know who will be sniffing around your desk.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
pavel_lishin 4 hours ago [-]
I would be devastated if a few of my coffee mugs were eaten by a firing/layoff. (But I would also not bring those specific coffee mugs to the office, either.)
jdev-hn 5 hours ago [-]
[dead]
afavour 5 hours ago [-]
God, if we're at the point where we're so paranoid about being laid off that we don't dare leave a single piece of personal property in the office then I think we're in a very dark place indeed. Can’t imagine the mental damage from considering losing your job every single day you wake up.
alexjplant 4 hours ago [-]
I never left anything valuable or personal at my desk when I worked in an office simply because I had a very nonzero number of colleagues who acted like animals. My fizzy waters, coffee, and snacks would be consumed without permission or replenishment. Chairs, monitors, and input peripherals would get swapped without asking. Desks surfaces would be sat on with chairs used as footstools. Corporate effluvia of all types would end up on my "unused desk" because I wasn't in at the exact moment some roving bandit walked by looking for a spot to dump their crates of paper and binders.
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
eks391 4 hours ago [-]
I always thought it was weird that all of the equipment issued to me beyond the laptop was registered to me, such as the monitors and desk phone. Your comment enlightens me... That's wild to imagine folks just swiping things from other peoples desks. We even have storage rooms of office supplies where someone could drop off their crate of paper and binders if they had one for some reason.
buckhx 4 hours ago [-]
well this did just happen to me. laid off while taking care of my father in laws estate and my personal belongings were thrown away. 7 years at the company as an EM ftr.
cromka 6 hours ago [-]
I had my gym stuff in a gym locker. The reason I was able to commit to a gym routine was being able to get off my desk, get down the elevator, enter the gym and change in gym clothes in literally 5 minutes. I would never be willing to commute with all that gear. And I never got that gear back.
Still a net positive in my experience.
eks391 4 hours ago [-]
Same, almost. When I was a student, I rented a locker near the showers so I could start my day at the school gym, shower, and go to my first class.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
forlorn_mammoth 4 hours ago [-]
If they are keeping your personal possessions, isn't that theft?
BrandoElFollito 4 hours ago [-]
Yes, I will bag my two tree-sized plants, 4 paintings, 1 old map, 2 posters, drawings of my kids, figurines and a few more things. Ah yes, the ball I sit on.
I spend in the office more time than at home so I want a nice environment.
ccimmergreen 22 hours ago [-]
So this was why the FBI Director Kash Patel was in a panic when he couldn't log in one day. Revoking credentials before firing someone makes a lot of sense in security.
lostlogin 5 hours ago [-]
> So this was why the FBI Director Kash Patel was in a panic when he couldn't log in one day
Ever tried to login with two factor and justify a maxed out company card while high as a kite and drunk?
It’s stressful.
deepsquirrelnet 6 hours ago [-]
Professionally, he spells his name thusly: FBI Director Ka$h Patel, so you know he’s serious.
tty456 5 hours ago [-]
Written in bourbon
metalman 16 hours ago [-]
no, becaus the simple and pragmatic solution for ANYONE who is subject to arbitrary termination, is to litter everything they build with caltrops and dead man triggers
and then hint that they will go into "consulting" when fired.
I know of one case where this was totaly unintentional, and a machinest at a local pulp and paper plant had self delegated to
write the software that controlled tension
on the giant machines in the mill, but as it was his only real forey into sofware, nobody else could operate it, and they fired him after a manegment reshuffle, and then after the next scheduled shut down, nothing worked right, greasy dusty ancient screen with a blinking cursor was what they had, plugged into the important bits of a half sqare mile plant.
still funny to think about!
cj 6 hours ago [-]
Or if you don't want to booby trap your code, buy one of those tiny devices that make a cricket noise randomly every 5-15 minutes, and hide it somewhere in the restroom.
These are too obvious - 5-15 minutes gives your victim way too many opportunities to narrow down the location.
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
HeyLaughingBoy 3 hours ago [-]
Next time I'm bored and need a project, I'm building that ;-)
therobots927 6 hours ago [-]
That is some top notch wrongthink… HN does NOT find it funny!
xingped 24 hours ago [-]
[flagged]
PowerElectronix 3 hours ago [-]
He may be a bad person but he has a very pretty handwriting.
disqard 3 hours ago [-]
Your comment made me go read TFA, and yes, that is rather pretty handwriting.
JumpCrisscross 3 hours ago [-]
> Muneeb and Sohaib Akhter, now both 34, had been in trouble before. Back in 2015, the brothers pled guilty in Virginia to a scheme involving wire fraud and computers. Muneeb was sentenced to three years in prison, while Sohaib got two.
After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
JuniperMesos 1 hours ago [-]
No, this is exactly what giving people second chances looks like. It means taking a risk that they're the sort of person who is likely to commit a crime and who will commit a crime again after being given the second chance. The only way to prevent this is to have a blanket policy against giving second chances to people convicted of crimes, which harms people who genuinely intend to reform and not commit crimes again, and who you cannot systematically distinguish from chronic criminals.
notahacker 51 minutes ago [-]
There are literally thousands of occupations a former computer based wire fraudster can be given a second chance in that aren't here's a computer full of sensitive government files, with CRUD privileges.
Like... I think ex drugs dealer deserve a chance of legitimate employment, but perhaps doling out prescription drugs is best left to someone that doesn't need a "second chance" to demonstrate they're unusually trustworthy and unlikely to be tempted by the possible side incomes.
notahacker 59 minutes ago [-]
The fraud conviction seems totally inappropriate for a government contractor and yet... somehow totally appropriate for someone appointed to work directly for the upper echelons of federal government. Hell, everyone else hacking government officials emails and tax returns and randomly deleting stuff for the lolz in February 2025 was being paid by DOGE.
colechristensen 23 minutes ago [-]
The article isn't particularly clearly written, but it seems like their background checks were bad and were fired once management figured it out.
libpcap 6 hours ago [-]
Nice handwritings, though.
capibara13 5 hours ago [-]
A true professional always makes sure to leave their workspace completely spotless before going home
lostlogin 5 hours ago [-]
So no guns and ammo?
nostrademons 6 hours ago [-]
> Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter.
WTF?
dzonga 5 hours ago [-]
prosecute the company too.
storing passwords in plaintext should be persecuted & having unlimited access to customer databases.
3 hours ago [-]
iJohnDoe 21 hours ago [-]
It’s crazy that people are desperate for jobs and these clowns get hired.
alphawhisky 10 hours ago [-]
Well, who else would you hire for the circus?
hunterpayne 6 hours ago [-]
Perhaps don't hire people who act as foreign adversaries for government work? Is that really such an absurd proposition?
titanomachy 5 hours ago [-]
You can’t assume someone is foreign based on their name.
In fact I’d guess they’re not, since they’ve been employed on government projects since a young age.
leptons 5 hours ago [-]
>who act as foreign adversaries
This does not mean they are from another country.
ChrisMarshallNY 6 hours ago [-]
I don't think they were spies. They have ethnic names, but it sounds like they are just good ol' red-blooded Yankee crooks.
JuniperMesos 1 hours ago [-]
No one named Muneeb or Sohaib Akhter could possibly be a Yankee crook. They might well be legally American citizens, I don't know and don't particularly care. And they're certainly crooks. But they're not Yankee crooks.
If someone is an immigrant from the part of the world that generates names like Muneeb or Sohaib Akhter, and they really intrinsically care about assimilating to Yankeedom, they should probably actually change their name about it. That's a good signal that they're serious.
GorbachevyChase 4 hours ago [-]
I can understand wanting to be perceived as being on “the right team” but that comment is so silly that it undermines credibility. To put it otherwise, could you imagine a scenario where I had a labor, arbitrage opportunity that involved a higher paying job in Shanghai, China and that I had lived there for a few years to do that. Let’s also say that I was found guilty of some similar crime. Would you call me a good old fashioned red-blooded Chinese crook?
It’s OK to acknowledge that economic migrants are a thing, and that they likely have only transactional interest in where they live, such as a Bengali construction worker in Dubai, for example. That’s just part and parcel of labor mobility. For better or worse, shareholders, or middleman representing shareholders, have decided this sort of thing is a really good idea in the US, and now around half the population falls in that bucket. It’s a free country, and freedom means being free to choose short term interests. That also means you’re free to support such policies because they are good for Blue-team redistricting so we can provide free healthcare to all 8 billion people in the world somehow.
But please, nobody becomes a Yankee by the mere fact of standing on the ground. If you want that pejorative title, then you need to earn it.
ChrisMarshallNY 4 hours ago [-]
It was a silly comment. It was meant to be.
As opposed to...
lostlogin 5 hours ago [-]
> Perhaps don't hire people who act as foreign adversaries for government work?
Hilarious in the context of this administration.
4 hours ago [-]
toast0 4 hours ago [-]
Yeah. Here in america, we demand domestic adversaries!
leptons 5 hours ago [-]
Uhh... The guy in charge of the whole thing does things a foreign adversary would do. Has for years and he's back for round two. He even tried to overthrow the government once.
phendrenad2 41 minutes ago [-]
Maybe they're really, really good at leetcode. You can't pass up talent like that. </sarcasm>
nrmitchi 3 hours ago [-]
This whole story is just line after line of utter incompetence.
The "after they were fired" sounds catchy, but isn't even the biggest failure.
This organization shouldn't be permitted anywhere near government, or any non-public, data/information.
waterTanuki 24 hours ago [-]
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.
wildzzz 4 hours ago [-]
It's probably some sort of crusty old application written before salt and hash was SOP. No agency is going to spend money on hardening something non-critical unless there's an incident or there's free money to do so. And that application was likely written by some contractor who's no longer around or has the source code available so any fixes would require an entire redo. And while you're redoing the whole thing, let's add in a bunch of features and scope creep to balloon the cost and schedule. Oops, the new contractor writing the app is overrun so let's bail and go back to the old version.
mijoharas 13 hours ago [-]
This is what I want to know. Are there any consequences for this contractor? At least fraud or negligence or something?
5 hours ago [-]
kaikai 1 days ago [-]
How on earth did someone previously convicted of what sounds like hacking get job access to so many prod government databases? Wild that it took them so long to get caught.
AlexB138 6 hours ago [-]
I had the same questions. Apparently discovery of the prior conviction is what lead to them being fired:
> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025
That prompts the question of why background checks are so lax that they were hired before this was discovered.
charonn0 6 hours ago [-]
The company involved here is apparently based in Washington, DC, which has a "Ban the Box" ordinance that limits employment background checks for most kinds of jobs. And apparently DC's version of the law is particularly strict.
giantg2 5 hours ago [-]
Shouldn't this force companies that need to pass a SOC2 out of the district? Doesn't SOC2 require background investigation of personnel with access to sensitive systems?
anonSrEng202309 6 hours ago [-]
And I recently couldn't get a job through a federal contractor for a federal position (requiring NO security clearance) because they didn't like something on my credit report.
sieabahlpark 6 hours ago [-]
[dead]
ge96 4 hours ago [-]
Some good handwriting
game_the0ry 5 hours ago [-]
No back ups? Skill issue.
Tangurena2 4 hours ago [-]
Not many people test their backups. I've encountered some situations where the backups didn't work. And one previous employer who was so lazy that he didn't rotate the backup tapes so that the one tape cartridge was used so long that the oxide layer was rubbed off of the tape - so it was no longer brown but was transparent instead (imagine adhesive tape with no adhesive).
zeroonetwothree 4 hours ago [-]
The article says that they did have backups
kittikitti 4 hours ago [-]
This is very surprising that they would pass a background check. I've been denied an offer because of a low credit score multiple times.
taffydavid 4 hours ago [-]
> While this was going on, the brothers held a running conversation. (The government is not clear about whether this took place over text, instant message, or in person.)
Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.
killingtime74 2 hours ago [-]
Probably confession
4 hours ago [-]
cyanydeez 1 days ago [-]
so, apparently, the passwords were stored in cleartext.
whynotmaybe 23 hours ago [-]
Remind me of a forum a long time ago that sent me my password in clear when I used the "forgot password" link.
When I advised them that it was a bad idea to store password in clear, they answered that they keep it in clear so that they can send it when someone forget.
Defeated by such argument, I deleted my account.
syntheticnature 6 hours ago [-]
In my free time, I help maintain the web presence for a small non-profit org with memberships. The original system when I started helping was a bespoke system that was smart in many ways (essentially a static site generator with membership control years before SSGs were cool, with regular automated tests), but the guy who wrote it absolutely insisted on storing passwords in plaintext and could not be convinced otherwise. Eventually he had to drop the volunteer position due to other things in life, and the first thing we did was correct this issue.
miki123211 6 hours ago [-]
There was a screenshot of some website floating around a few years ago, where if you entered the correct password but a wrong username, it would helpfully tell you which user the password is really for.
mekdoonggi 5 hours ago [-]
But did they handle the edge case of two users having the same password?
nodesocket 5 hours ago [-]
Product manager; “That’s a great UX.”
asveikau 4 hours ago [-]
Circa 2012 the San Francisco water bill pay was able to send me my password in plaintext when I forgot it. I was scandalized. But the alternative was to not pay the water bill, so I just made extra sure the password was very random and wasn't one that got re-used anywhere... I think they fixed this issue in the years since.
scorpioxy 20 hours ago [-]
I've got a better one. I once had the same argument mentioned to me by my manager at the time when I pointed out that passwords were being stored in clear text. That it needs to be this way so that it is read/sent when the users forget their passwords(which happened a lot). I tried to explain that typically a "reset password" flow is used for that but that fell on deaf ears. That system contained healthcare data.
Something bad did end up happening due to that lax security and there were oh so many meetings about it.
bluefirebrand 6 hours ago [-]
> Something bad did end up happening due to that lax security and there were oh so many meetings about it.
This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So how there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
scorpioxy 28 minutes ago [-]
Yeah, I can relate. It's a problem if you don't bother since you won't be doing your job to the best of your abilities and it's a problem if you do since you might get in trouble with the management for not being a "team player" or some other silliness. Without meaningful consequences, I don't see this situation changing.
moebrowne 4 hours ago [-]
> Defeated by such argument, I deleted my account.
I'd bet your account wasn't actually deleted, just marked as deleted or inactive.
SoftTalker 6 hours ago [-]
Gnu Mailman still does this, and sends a monthly reminder email of your password.
tetris11 10 hours ago [-]
Greetings, Bioconductor
paulsutter 5 hours ago [-]
Deleting data like that is a crime investigated by the FBI. In a very sad story, a brilliant former coworker made a mistake of deleting data after leaving employment and ended up in prison. Brilliant guy, momentary mistake. Overzealous employer.
jongjong 2 hours ago [-]
This makes sense but also an employee who is dishonest is also a security risk; fired or not.
It's ridiculous that companies don't seem to care about ethics. They never seem to select candidates based on proven ethics. They don't even ask any such questions.
For example, I've been in at least 2 situations where I had the ability to inflict major damage to companies which had treated me very poorly and I could have legally gotten away completely whilst doing variants of 'the wrong thing' and profiting but I didn't do it because I have principles. Unfortunately it seems that few people do nowadays. Leaders are fooling themselves if they think they can completely factor out ethics and make it all about aligning incentives. Incentive alignment creates its own problems as this alignment requires constant maintenance and it's both expensive and detrimental in the long run. These people will tend to sabotage every aspect of their responsibilities which isn't directly measured... In order to gain leverage. It's not clever. It's crooked. Should not be rewarded.
My experience as a software developer is that managers alway have lots of blind spots and the wrong people will take advantage of all of them, even when it negatively impacts the company.
dionian 4 hours ago [-]
The penmanship of the guy is extremely neat, like, uncannily so
ck2 4 hours ago [-]
imagine the delete-fest the current whitehouse is going to do in a few years
all with pardons waiting so they can't be convicted
they might not even wait a few years
Tangurena2 4 hours ago [-]
"Legal Eagle" has a new video about this. The administration's viewpoint is that the Presidential Records Act is unconstitutional, plus the President owns every document, so he can't be forced to return anything because it belongs to him.
chinathrow 3 hours ago [-]
They might not leave, at all.
htx80nerd 4 hours ago [-]
>Muneeb and Sohaib Akhter
typical american names
chasing 4 hours ago [-]
Don't be a bigot.
htx80nerd 2 hours ago [-]
oy cant say bad things or make jokes about people who did terrible thing cuz their not white. my mistake m8
ImPostingOnHN 1 hours ago [-]
if they did terrible things, why are you ignoring that and focusing exclusively on their ancestry?
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana posession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-trcking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rule specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rouge, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess thats something I'll ned to get on to soon.)
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.
European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
It makes sense to terminate someone's high-risk credentials immediately when they're fired. But it's extremely worrying if every credential held by every employee is considered high-risk. It suggests a bigger failure. "Unilateral access to a database filled with plain-text passwords" shouldn't ever exist. "Email account filled with dangerous stuff" should at least be unusual.
Looking at it from Europe - it is such a weird inhumane practice.
Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops of people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.
It's not about trust, it's about risk and most companies operate on liability. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.
You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job, even trustworthy people react irrational once emotions hit making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).
You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.
Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".
For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.
>Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Yeah, that happens sometimes like for CxO's, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon loose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
The employee is always the last to know. This is standard fare.
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
I actually think there's less risk, because it's not as narrowly focused on what a just-fired employee can do. That's not the only scenario of concern.
> Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count).
Interesting. Thanks for the perspective. I've been fortunate enough to not be on the receiving end of a lay-off, knock on wood. It's happened to my teammates/reports though. Wasn't my decision. :-(
https://www.somdnews.com/archive/news/19-year-old-twins-high...
I think this story has been sanitized to mask some details which is ok I guess but I ain’t buying the back story.
> “Smart idea,” said Muneeb.
Seems obvious they weren't destroying databases out of malice (i.e. retribution for being fired), but in order to cover something(s) up..
For god's sake, don't commit crimes while you're committing crimes.
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
So many red flags, I can't even.
Maybe whoever runs infosec at that place should also be fired?
Windows Server has 5 years of mainstream support, 5 years of extended support, and then an extra 3 years paid Extended Security Updates (ESU) support. For 2012 and 2012 R2 that ends in October 2026.
The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
I'm not going to say the wages are fine but the issue is likely not to be the competence of the IT staff, but rather the overbearing IT management processes the U.S. Federal government uses. "Enterprise change management" processes separate from the already-long cybersecurity review processes can add weeks or even months to system updates.
In that kind of construct, you optimize for fewer but larger changes and then it's no surprise to see that there's no time in the project update schedule to update the OS in addition to making all the other long-overdue library / middleware / application changes that also are pending once a change finally can be made.
That said, they should have migrated it years ago.
starting with Windows Server _2012_ :O
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corrollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
Murder by ethernet cable: https://www.gainesvilletimes.com/news/dead-woman-found-in-pa...
Murder by laptop: https://www.riverfronttimes.com/william-lynn-gunter-sentence...
Murder by cellphone charger: https://lawandcrime.com/crime/pennsylvania-man-admits-to-str...
Murder by desk lamp: https://www.pressdemocrat.com/2009/01/08/man-beaten-to-death...
Stabbing by coffee mug: https://www.muscalaw.com/blog/north-port-two-women-attack-co...
No need to knee jerk react to an argument that hasn't been made.
The fact that they didn't already know how to do it is the crazy part.
> "How do I clear chat logs from LLM?"
I guess?
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
The only solution is correct access segregation and a bastion
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
[0] https://en.wikipedia.org/wiki/Bcrypt
[1] https://en.wikipedia.org/wiki/Scrypt
[2] https://en.wikipedia.org/wiki/PBKDF2
[3] https://en.wikipedia.org/wiki/Salt_(cryptography)
[4] https://en.wikipedia.org/wiki/Pepper_(cryptography)
Hashing passwords has been a thing for at least 50 years now. V3 unix had /etc/passwd which hashed all user passwords. Notably, these hashed passwords in early unix have been cracked: https://arstechnica.com/information-technology/2019/10/forum...
I guess you got your answer.
Of course performing an additional server side hash on top of the client side one is good defense in depth because there's at least some chance that it might make things more difficult for a rogue insider and doing so costs approximately nothing. But it certainly isn't critical because by the time you're dealing with a rogue insider things are already looking quite bad.
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
This seems to mostly prevent accidental logging and is thus a matter of defense in depth, stopping malicious actors from exploiting it later — but an actively malicious IT person would not be deterred.
I am talking about not logging them ever, using internal TLS and strong hashing in general, and wondering what exact value is added on top with client side hashing.
The minimum one can do is have a different randomized password for every service on a possibly completely offline password manager.
Yes, you will depend on a password manager at all times, but at least the blast radius is minimized to the affected service.
But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.
I'm in my early 40s, and I've never had a job where we've "hot-desked" like that, even when a company was out-growing an office.
Every job I had before COVID back to when I started back in the early/mid 90s had dedicated desks.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
Still a net positive in my experience.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
I spend in the office more time than at home so I want a nice environment.
Ever tried to login with two factor and justify a maxed out company card while high as a kite and drunk?
It’s stressful.
I know of one case where this was totaly unintentional, and a machinest at a local pulp and paper plant had self delegated to write the software that controlled tension on the giant machines in the mill, but as it was his only real forey into sofware, nobody else could operate it, and they fired him after a manegment reshuffle, and then after the next scheduled shut down, nothing worked right, greasy dusty ancient screen with a blinking cursor was what they had, plugged into the important bits of a half sqare mile plant. still funny to think about!
https://annoyingpcb.com/
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
Like... I think ex drugs dealer deserve a chance of legitimate employment, but perhaps doling out prescription drugs is best left to someone that doesn't need a "second chance" to demonstrate they're unusually trustworthy and unlikely to be tempted by the possible side incomes.
WTF?
storing passwords in plaintext should be persecuted & having unlimited access to customer databases.
In fact I’d guess they’re not, since they’ve been employed on government projects since a young age.
This does not mean they are from another country.
If someone is an immigrant from the part of the world that generates names like Muneeb or Sohaib Akhter, and they really intrinsically care about assimilating to Yankeedom, they should probably actually change their name about it. That's a good signal that they're serious.
It’s OK to acknowledge that economic migrants are a thing, and that they likely have only transactional interest in where they live, such as a Bengali construction worker in Dubai, for example. That’s just part and parcel of labor mobility. For better or worse, shareholders, or middleman representing shareholders, have decided this sort of thing is a really good idea in the US, and now around half the population falls in that bucket. It’s a free country, and freedom means being free to choose short term interests. That also means you’re free to support such policies because they are good for Blue-team redistricting so we can provide free healthcare to all 8 billion people in the world somehow.
But please, nobody becomes a Yankee by the mere fact of standing on the ground. If you want that pejorative title, then you need to earn it.
As opposed to...
Hilarious in the context of this administration.
The "after they were fired" sounds catchy, but isn't even the biggest failure.
This organization shouldn't be permitted anywhere near government, or any non-public, data/information.
It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.
> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025
from https://www.justice.gov/opa/pr/federal-jury-convicts-virgina... which is a better source on this.
That prompts the question of why background checks are so lax that they were hired before this was discovered.
Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.
When I advised them that it was a bad idea to store password in clear, they answered that they keep it in clear so that they can send it when someone forget.
Defeated by such argument, I deleted my account.
Something bad did end up happening due to that lax security and there were oh so many meetings about it.
This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So how there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
I'd bet your account wasn't actually deleted, just marked as deleted or inactive.
It's ridiculous that companies don't seem to care about ethics. They never seem to select candidates based on proven ethics. They don't even ask any such questions.
For example, I've been in at least 2 situations where I had the ability to inflict major damage to companies which had treated me very poorly and I could have legally gotten away completely whilst doing variants of 'the wrong thing' and profiting but I didn't do it because I have principles. Unfortunately it seems that few people do nowadays. Leaders are fooling themselves if they think they can completely factor out ethics and make it all about aligning incentives. Incentive alignment creates its own problems as this alignment requires constant maintenance and it's both expensive and detrimental in the long run. These people will tend to sabotage every aspect of their responsibilities which isn't directly measured... In order to gain leverage. It's not clever. It's crooked. Should not be rewarded.
My experience as a software developer is that managers alway have lots of blind spots and the wrong people will take advantage of all of them, even when it negatively impacts the company.
all with pardons waiting so they can't be convicted
they might not even wait a few years
typical american names