In an Internet sort of way, I've been a public figure for a long time, due to my involvement with the OpenBSD project.

But the cool thing is, MOST of the people in my immediate life don't know that. I've got an "OPENBSD" personalized license plate, but 99.999% of the people that see it have NO idea what it means. I'm fine with that.

At a job I had some time ago, we had need to set up a computer for people to move files in and out of. No big deal, so my boss had me do the initial install on the machine, then hand the rest of the job to another coworker to finish up the software configuration.

The next morning, I come in, sit down at my computer, and there's an e-mail from an Internet Service Provider in (if I recall correctly) Australia, saying that a computer coming from an IP address my company managed was trying to attack the computers at his company. I looked at the IP address, and sure enough, it's one of ours. Worse, it looks familiar...yes, it's the machine I just set up the night before. I looked at the system, and I see a new account set up, with the username, "test". As soon as I saw that, I guessed what the password probably was, and tried it. Sure enough, login: "test". Password: "test".

You see, you just can't let a machine exposed to the Internet have a trivial password. My coworker had set up the "test" account, and figured it was safe because no one knew about the machine. But they don't have to know about the machine -- programs crawl the Internet constantly looking for systems with insecure accounts. They found this one less than 12 hours after it was set up, and installed on it the same kind of program that had found it, testing for insecure passwords and account names all over the Internet.
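The scanners described above leave a trail in the SSH daemon's authentication log. As an added example (not code from the original post), here is a small Python parser over constructed OpenSSH log lines that flags any source probing several account names, and then reports a successful login from such a source, which is what a "test/test" compromise looks like in the log. The log format, hostnames and IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH authentication log lines (not from the original post).
SAMPLE_LOG = """\
Mar  3 02:11:07 files sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 02:11:09 files sshd[4121]: Failed password for invalid user oracle from 203.0.113.5 port 40218 ssh2
Mar  3 02:11:12 files sshd[4123]: Failed password for root from 203.0.113.5 port 40220 ssh2
Mar  3 02:11:15 files sshd[4125]: Failed password for test from 203.0.113.5 port 40231 ssh2
Mar  3 02:11:16 files sshd[4125]: Accepted password for test from 203.0.113.5 port 40231 ssh2
Mar  3 08:42:01 files sshd[5210]: Accepted publickey for nick from 192.0.2.10 port 51022 ssh2
Mar  3 08:45:33 files sshd[5244]: Failed password for nick from 192.0.2.10 port 51030 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(log):
    """Turn raw log text into a list of {result, method, user, ip} dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def find_scanners(events, min_users=3):
    """Return {ip: sorted usernames} for sources that failed against >= min_users distinct accounts.
    A single person mistyping a password hits one account; a scanner walks a list of names."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}

def successes_after_scanning(events, scanners):
    """Logins that succeeded from an IP already flagged as a scanner: the 'test/test' case."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["ip"] in scanners]

if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_LOG)
    sc = find_scanners(ev)
    for ip, users in sc.items():
        print(f"scanner {ip} tried {len(users)} accounts: {', '.join(users)}")
    for ip, user in successes_after_scanning(ev, sc):
        print(f"ALERT: scanner {ip} logged in as {user}")
```

The threshold of three distinct usernames is a starting point; on a real host, tune it against the normal failure rate of legitimate users.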

I disabled the machine -- wiped it completely, in fact. Once a machine is compromised, you can't trust it, so a complete wipe and reload was appropriate. I replied to the e-mail I got, apologizing for the problem and giving the sender a brief run-down of the problem, and summed it up with "And beatings were applied".

A few hours later, I got a response back, thanking me for dealing with the problem and asking, "Are you the Nick Holland with the OpenBSD project?" Of all the times to be recognized! You see, OpenBSD is very security focused...and what happened on our box was a very basic mistake.

The good news is, I think the person who created the "test/test" user learned his lesson and has gone on to be a very good system administrator.

Copyright 2021, Nick Holland