• foggy@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 months ago

    I have posted about this before. I’m pretty sure I win.

    I’m not going to name names. I worked for a company, three of their clients include the United States Air Force, the United States army, and the United States Navy. They also have a few thousand other clients, private sector, public, and otherwise. Other nation states services as well.

    I worked for this company quite recently, which should make what I’m about to tell you all the more alarming. I worked for them in 2021.

    Their databases were ProgressABL. I linked it because if you’re younger than me, there’s a slim chance in hell you’ve ever heard of it. I hadn’t. And I’m nearing 40.

    Their front end was a bunch of copy/pasted JavaScript, horribly obfuscated with no documentation and no comments. Doing way more than is required.

    They forced clients to run windows 7, an old version of IE, all clients linked together, to us, in the most hilariously insecure 1990s-ass way imaginable, through tomcat instances running on iis on all their clients machines.

    They used a wildcard SSL for all of their clients to transact all information.

    That SSL was stored on our local FTP server. We had ports forwarded to the internet at large.

    The password for that ftp server was 100% on lists. It was rotated, but all of the were simple as fuck.

    I mean, “Spring2021”. Literally. And behind that? The key to deobfuscate all traffic for all of our clients!!

    The worst part was that we offered clients websites, and that’s what I worked on. I had to email people to have them move photos to specific directories to get them to stop failing to load, because I didn’t have clearance to the servers where we stored our clients photos.

    We had legit secure servers. We used them for photos. We left the keys to the fucking city in the prize room of a maze a 12 year old could solve.

    Holy shit.