Birmingham? I think I know this guy - we have a client based there and are three years into a war with their PCI auditor, who are dangerously incompetent. They were adamant that we should be able to decrypt PANs (credit card numbers) - we still haven't complied, as we quite deliberately don't store them and just transit them.

It's not a phishing scam, this is pretty much state of the art in the UK - and try being a 32 year old "kid" company director while the 55 year old "security engineer" who seems to have never used a computer and thinks a network is a maritime term plays the "seniority" card in front of a client of the same generation.

The sad thing is I've seen two retailers drive themselves hard into the ground over the last eighteen months by listening to this variety of chumbly wotsit rather than someone who actually knows what the hell they're talking about.

One spent about £8M on their PCI auditor over six months, then went bust, blaming us, the platform provider - who are PA-DSS and ISO certified. The auditor blamed us too, then folded up shop and moved to Spain.

PCI experts are the new SEO experts.
Well, if the auditor wants to play willy-measuring tactics: I've been using Unix since 1982 (Bell Labs Version 7, since you asked), and I rather suspect that I've more experience than he has.

UNIX and derived/lookalike systems like Linux have _always_ stored passwords one-way encrypted. I have precisely no idea how he expects the sysadmin to provide a list of plaintext passwords, short of replacing the passwd utility with a hacked one that stores the pre-crypt version somewhere for retrieval, or asking staff to email their plaintext passwords to the poor sap he's badgering.

Either way, a massive security breach. The whole point of one-way encryption is that there is no persistent trace left of the original plaintext password. This guy's way of auditing security recalls the Spanish Inquisition's way of auditing witchcraft. Damned if you do; damned if you don't.

His company's far better off using a payments provider with a clue - and a competent auditor.
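To illustrate the point made above about one-way password storage, here is an added example (not part of the original comment) that mimics a shadow-style record store: each entry holds only a salt, the derivation parameters and a digest, so a login attempt is checked by recomputing the derivation, and a request to "export the plaintext passwords" has nothing to return. PBKDF2-HMAC-SHA256 is used as a stand-in for crypt(3), and the `$pbkdf2-sha256$...` record format is constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed record format for this example (not crypt(3)'s):
#   $pbkdf2-sha256$<iterations>$<salt_b64>$<digest_b64>
SCHEME = "pbkdf2-sha256"
ITERATIONS = 200_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted one-way digest and return it as a shadow-style record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the derivation with the stored salt/parameters and compare in constant time."""
    try:
        _, scheme, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: treat as authentication failure
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def export_plaintext_passwords(records: Dict[str, str]) -> Dict[str, None]:
    """The honest answer to the auditor's request: the store holds no plaintext to export."""
    return {user: None for user in records}


# Constructed sample store, two accounts (passwords chosen for the example only)
SHADOW = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}
```

Because the salt differs per account, two users with the same password still get different records, and the only way to "know" a password is to be handed a candidate and recompute.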
"I'm going to assume you do not have PCI installed on your servers as being able to recover this information is a basic requirement of the software."

I already fell off my chair.
Hmmm... perhaps the auditor should be informed that if he persists in requesting user accounts and passwords in the guise of a security audit, you will have no choice but to report him to the FBI or MI5 as a suspected phishing scam operator who may have already compromised prior clients similarly.
Does nobody find it unprofessional, perhaps even untrustworthy, to not only discuss the private dealings you have with other companies but also copy+paste e-mails? Even if they're idiots? I don't think you want to go down that road... "Well I thought the guy from Company X was an idiot, so why was it wrong for me to repost our private conversation?"
It's likely this isn't a troll post.

The security community has a whole lot of idiots in it who figured out that they can get a CISSP and turn themselves into a security auditor and get paid extremely well while getting to enjoy acting like tyrants. In reality they're not fit to manage a McDonald's.
It seems that the auditor wanted a fancier designation and decided upon "security auditor".

It is also possible that the auditor in question worked in a (physical) security agency in a past life and failed to understand that computer security is not quite the same.

That seems to be the only plausible explanation for demanding actual plain-text passwords (past/present/whatever) and so on.
A brilliant troll / piece of entertainment. The author basically reveals it here in Update #3:

> Our software has now moved onto PayPal so we know it's safe.