HP did a booboo, and left an admin ID in one of its systems.  Shame on HP.

Then they didn’t respond to the white-hat guy who found it and tried to tell them.  So he went public.

Going public with these findings, after giving the company time to respond and fix them, is a good thing.  Three weeks might be fast – companies are not as nimble as individuals.

What I find interesting is that the researcher hinted at the password without providing it.  He gave the hash of it – the non-plaintext value that a system stores instead of the password itself.  So the technically curious (including me) wanted to find out what this 7-character password is.  There are sites that work backward from the hash to the password – not by reversing the math, which a hash is designed to prevent, but by using rainbow tables or similar precomputed lists of the hashes of likely passwords, so that a search on the hash returns the password that produced it.
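As an added illustration, not from the original post, here is a small Python model of the mechanism just described: why an unsalted hash of a short password can be “reverse searched” by precomputation, and why a per-password salt plus a slow key-derivation function makes the same precomputed table useless. The post does not say which hash algorithm was involved or what the password was, so the SHA-1 stand-in, the candidate word list and the sample password `p4ssw0rd` are all constructed assumptions for the demo.

```python
import hashlib
import secrets

# Constructed stand-in for the word lists behind a hash lookup site.
# None of these is the password from the post.
CANDIDATES = ["password", "p4ssw0rd", "admin", "letmein", "hp-admin",
              "Welcome1", "qwerty", "s3cret!"]

PBKDF2_ITERATIONS = 200_000


def unsalted_digest(password):
    """Assumption: the post never names the algorithm behind the hash it
    quotes. SHA-1 is used here only as a representative unsalted hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Hash every candidate once, forward. This precomputation is the whole
    trick: afterwards 'reversing' a hash is a dictionary lookup, not math."""
    return {unsalted_digest(p): p for p in candidates}


def reverse_lookup(table, digest):
    """Return the candidate that produced `digest`, or None if it is not in
    the table (a longer or less predictable password, or a salted hash)."""
    return table.get(digest.lower())


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Defender's side: random 16-byte salt plus PBKDF2-HMAC-SHA256.
    The salt makes every stored hash unique, so no table built in advance
    can match it; the iteration count makes each guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_salted(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, dk = salted_hash(password, salt, iterations)
    return secrets.compare_digest(dk, expected)


def demo():
    table = build_lookup_table(CANDIDATES)

    # A constructed 'leaked' unsalted hash: found instantly in the table.
    leaked = unsalted_digest("p4ssw0rd")
    found = reverse_lookup(table, leaked)

    # The same password stored with a salt: the table has no entry for it.
    salt, stored = salted_hash("p4ssw0rd")
    in_table = reverse_lookup(table, stored.hex())

    # The legitimate system can still verify it, because it kept the salt.
    ok = verify_salted("p4ssw0rd", salt, stored)
    return found, in_table, ok


if __name__ == "__main__":
    print(demo())  # ('p4ssw0rd', None, True)
```

The point of the two halves is that the lookup site’s power comes entirely from hashing candidates in advance; a salt is what denies it that head start, and a deliberately slow KDF is what keeps a per-target guessing run expensive even after a leak.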

So I found out what the password was.  Nothing significant to me, nothing obscene, nothing outstanding – just a simple, slightly obfuscated password.

The part I find most interesting is the level of interest in the hash.  I’m seeing an awful lot of that 4c50 listed.  If I owned the system that HP sold, I’d be shaking in my boots right about now.  Even non-malicious hackers will want to get in and look around, and some of them will accidentally change something.

[Image: Last 20 hashes]