Rise up against Oracle class stupidity and join the infosec strike

Information security and privacy are important. Stop being Oracle-class short-termist assholes. Stop waffling, dodging and procrastinating. Get your heads out of your asses and start doing something to improve things for everyone. You. Yes, you there reading this article. I don't care who you are, you have the power to be part …


  1. Anonymous Coward
    Anonymous Coward

    First, I stand for TLS, not SSL.

    ... and I'll go get my coat now.

    1. Trevor_Pott Gold badge

      Re: First, I stand for TLS, not SSL.

      Hah! Fair point. I think of TLS as "SSL" even though I know the difference. Same purpose, same libraries, same modules...guess I'm just getting old; conflating things that are "close" because of implementation rather than provenance.

      1. Drs. Security

        Re: First, I stand for TLS, not SSL.

        And indeed, because of old cypher suites, it is just as easily vulnerable as well.

        Just because of all the issues rightly portrayed in this article.

        1. Anonymous Coward
          Anonymous Coward

          Re: First, I stand for TLS, not SSL.

          Switching from SSL to TLS, and disabling old cipher suites, will have only minimal effect on the information security problem. I would be relatively happy for these to rot for a while *IF* people were actually using the time saved on dealing with some of the real issues.

          1. Anonymous Coward
            Anonymous Coward

            Re: First, I stand for TLS, not SSL.

            Right now, it has cut me off from some older Dell systems' remote management web tools, which I still use in a lab to run tests. I will have to revert them to unencrypted communications.

      2. Dan 55 Silver badge

        Re: First, I stand for TLS, not SSL.

        They only changed the name to TLS to please Microsoft anyway...

      3. streaky

        Re: First, I stand for TLS, not SSL.

        SSL is dead! Long live SSL!

        I usually find it's easier just to call everything TLS and not support any SSL versions; there have been good computational reasons to do this since long before POODLE et al, which is why I was having a good chuckle at the rest of the world when it happened.

  2. Steve Gill
    Facepalm

    Rise up Techie Introverts and be ...

    oh :(

    1. Trevor_Pott Gold badge

      Re: Rise up Techie Introverts and be ...

      Yep. That's a big problem right there. I don't really have a solution to that. Maybe it requires an extrovert to start taking a stand so the rest will follow. Maybe it requires massive encouragement across the industry. Maybe social media can help. But we need to get everyone - even the introverts - to stop allowing badness to ensue through apathy. If anyone comes up with magical solutions to motivate, I'd love to hear them! :)

      1. John G Imrie

        Re: Rise up Techie Introverts and be ...

        Well, a lot of us Techie Introverts read El Reg, so can we get our beloved Red Top to launch a campaign to help us ram the problem down the PHBs' throats?

        Failing that I'll see about organising a badge or T Shirt. Something along the lines of 'I know where your personal details went last night' might be fun.

        1. Anonymous Coward
          Anonymous Coward

          Re: "I know where your personal details went "

          Or, perhaps: "which corporation has leaked or sold your personal information today?"

          1. Charles 9

            Re: "I know where your personal details went "

            "Or, perhaps: 'which corporation has leaked or sold your personal information today?'"

            What happens when the answer comes back, "ALL of them", and you're faced with a desperate need to put food on the table? Principles are tough to defend when you're starving...

            1. Mike Moyle

              Re: "I know where your personal details went "

              "It's 2015: Do you know where your personal information is?"

          2. Captain DaFt

            Re: "I know where your personal details went "

            How about:

            "Google knows more about you than your mother does."

            "Every time you go online, an advertiser is listening."

            "If you won't tell it to strangers in public, why the Hell do you post it on Facebook?"

            Maybe I should write a book?

      2. Anonymous Coward
        Anonymous Coward

        Re: Rise up Techie Introverts and be ...

        I've taken a stand by refusing to commit to allowing company data to be sent out unencrypted, only to be bulldozed aside by middle management with zero clue about security; the task is then given to someone they know won't argue and will just do it.

        1. Trevor_Pott Gold badge

          Re: Rise up Techie Introverts and be ...

          Taking a stand doesn't mean you'll win. But for it to work not everyone who takes a stand has to win. Even a small percentage winning some of the time can begin to change things, and make security the new normal. That can start to make those who don't provide security for their products seem a worse deal.

          Persistence is required. And a diversity of people willing to take a stand in a diversity of situations. But the attempt is not irrelevant simply because not all will succeed in all situations all of the time.

      3. Anonymous Coward
        Thumb Down

        Re: Rise up Techie Introverts and be ...

        ".....even introverts"? It's the introverts in there fixing the shitty IT practices. Server admins afraid to patch, devs that know NOTHING about AppSec, flat networks ......Any/Any.

        Have never met an extroverted IT practitioner (a rare species to begin with), that I didn't want them to just get out of the way.

  3. Anonymous Coward
    Anonymous Coward

    will it really help?

    Trevor,

    All well and good, and I already know how it feels when this exact behaviour is costing you your employment.

    As long as senior management can still hide below their desks and are not made painfully accountable for all the security blunders that are made, nothing is going to change.

    For the last 10 months I've done my stinking best to get a governmental joint to listen and improve security, all I get for it is (precisely) nothing in return.

    Will you give up writing for the Register if they don't switch to HTTPS like you demand in your article?

    And yes, I'm posting this anonymously, which I normally wouldn't dream of doing, only to make sure I can even get a new job after this current one expires, because I already did what you propose we senior information security experts do.

    Internet and privacy are unforgiving.

    1. Trevor_Pott Gold badge

      Re: will it really help?

      Fortunately, I don't have to make that choice. The Register is, in fact, working on HTTPS support (or so I have been told). But you know what? Yeah. In the long run, if I couldn't convince them that it mattered - especially for a technology site! - I'd probably take my content elsewhere. I don't want to, but I really do think ethics matter.

      Someone has to say "no, I won't take that job". I've started to do just this with some of my sysadmin clients. I think it's valid to think about it applying to writing, too.

      There is room for discussion about taking things to extremes though. If your employer is making headway and clearly working on the problem, it's probably not going to help anything if you pull the rip cord. But if they just stubbornly don't care about their customers to the point that they ignore security why would you believe they give a bent damn about you?

      But before we can hammer out these sorts of fine details we need to start having the discussion about infosec professional ethics in the first place. Glad to see some readers are willing to join in.

      1. Anonymous Coward
        Anonymous Coward

        Re: will it really help?

        Precisely why the fact that my contract wasn't extended is such a mixed feeling.

        On one hand you lose some personal security, on the other hand: do I really want to work for an organisation that doesn't fucking care about their user data, that of millions of citizens (including obviously my own)?

        Where compliance is more important than fixing security risks, and the only answer to malware is blocking "private" webmail sites?

        And then management thinks we are "secure" again?

        No thanks.

        Then again my dear Trevor, name me any company that does take this seriously before they've been hacked and shamed into submission.

        1. Trevor_Pott Gold badge

          Re: will it really help?

          Hence why I think both legislation and grassroots nerdrage are required. Corporates are not going to give fucks without both things occurring.

          1. Fatman
            Joke

            Re: will it really help?

            "Hence why I think both legislation and grassroots nerdrage are required."

            I hope you 'like it hot', because it will be a cold day in hell before legislation gets passed that brings individual responsibility down on the heads of damagement.

            Corporates OWN the government and legislators in MANY countries.

            AFAIAC, trying to 'raise awareness' from within is a potential resume generating event.

            Good luck getting a job when the corporate overlords make these kind of remarks regarding your time with them:

            1) doesn't take direction well

            2) can't see the 'bigger picture'

            3) not focused on the company's goals

            4) too many personality conflicts

            and I could go on, so I hope you get the idea. You seem to forget the cardinal rule of HR:

            When the prospective employee's version of events conflicts with that of management, management's version is PRESUMED to be correct.

            1. Trevor_Pott Gold badge

              Re: will it really help?

              Assuming your take on things to be correct, how is it rational to take a job knowing that there will be a lax attitude to security, that this will lead to security breaches, and that you, as the minion "just following orders", will be the schlub on the hook to take the blame?

              How is it rational to say "I'll take some easy money now, knowing that there is a really good risk that shit will hit the fan, I'll get blamed, and end up unemployable in this field forever after that point"? Wouldn't it make more sense to put your labour into another profession where you can actually expect long term employment, instead of an abrupt, messy - and potentially expensive - sacking, followed by being reverted to essentially "unskilled labour"?

              1. fajensen
                Flame

                Re: will it really help?

                People have mortgages to pay; I think it is pretty rational to weigh up the risks of: "me eventually getting blamed for letting "Evul Hax0rs" stonk on some database" or "me getting evicted next month because of ... Principles".

                In Other Words: If you don't like working with shit, don't work with IT!

                Choose an Evolutionary field - electrical engineering, aerospace, ship-building et cetera ... do not choose a Revolutionary one, where every five years new, brighter, more shiny (and cheaper) young things emerge equipped with the latest fad in tools & methods.

      2. Naselus

        Re: will it really help?

        "Fortunately, I don't have to make that choice. The Register is, in fact, working on HTTPS support (or so I have been told)."

        Are the consultancy firm you work for doing so, too? Only, I just tried going to https://www.egeek.ca/ (free plug!)... and that doesn't work. Only http://. Same goes for https://Webreaktech.com, the firm's review website. Seems like you're not entirely practicing what you're preaching here. Seems to me, someone over at eGeek should really make a stand about this sort of thing, and withhold their valuable consultancy hours until management do something about it.

        1. Trevor_Pott Gold badge

          Re: will it really help?

          Actually, we are working on HTTPS for all our sites. (There are about 12, including trevorpott.com)

          The issue we're facing is one of limited IP addresses. I know that HTTPS should work with multiple sites to a single IP on newer browsers, but I would really like to ensure that we have backwards compatibility support. So I'm in the process of evaluating load balancers and how it is they might (or might not) solve the problem.

          In the meantime, we have (to my knowledge) removed from all our sites any member sign-ups on publicly published pages. We have informed our existing members that we're looking to alter our entire security stance on the sites, including eventually altering where the login pages are, switching to .hta access and more.

          We've been mostly working on behind the scenes security in the past month. Database and operating system hardening. Automated updates for Wordpress. Security plugin testing and hardening for wordpress. Selective writelock cascades for any site which doesn't have to be writable for that particular timeframe...we've also gone over the code and the databases to make sure we weren't pwned at any point in the past.

          Because we aren't in the process of building an active forum presence that requires readers to sign up or subscribe, our primary focus from a security standpoint has been to ensure that we aren't hosting malicious stuff that could infect readers. HTTPS support is on the list in the near term, but as the sites are (at the moment) publicly facing read-only (rather than interactive) sites, we felt the other security issues had priority.

          If you feel there is a really good reason to push HTTPS above the rest of our security efforts to get it done sooner, please, make your case! We're entirely open to it!

          1. Tomato42
            Stop

            Re: will it really help?

            @ Trevor_Pott: winXP is dead, don't let the zombie roam the streets

    2. Martin Gregorie

      Re: will it really help?

      Oddly enough, yes, there are some governments and companies that can do a good job. Here's an example.

      I'd been having a problem renewing a passport (no, not a UK one, but I'm not about to say who in case it embarrasses somebody who doesn't deserve that). The initial part of the online dialog was plain text (no problem there - nothing private involved at that stage), but Firefox 39 refused to start an encrypted connection for the next section (inputting details of the old passport), with the error page making it obvious that this was due to FF39 refusing to use an outdated cypher and the server insisting on it. I had a brief e-mail interchange with the sysadmins, who agreed that this was a problem that would be rectified. They also said that their change process couldn't do the update within my timescale and suggested a temporary workaround which got the job done. Result.

      Thanks, El Reg, for the article highlighting the fact that the FF39 release forced the pace by deprecating the older and most broken SSL cyphers. I just didn't expect it to be so immediately useful.

      This short (two e-mails each way) and very helpful exchange with the sysadmins in the passport office proves that some governmental departments are helpful and responsive, and will fix problems when brought to their attention.

      I just wish I could say the same about HMG and the numptys running it. The latter don't have the brain to recognise that a clueless, tech-free bunch like GDS will never do anything except squander money.
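Two threads above touch the same handshake mechanics: Trevor's note that HTTPS for several sites on one IP only works for newer browsers (that is Server Name Indication, and a client that cannot name the site it wants can only be given the server's default certificate), and Martin's story of Firefox 39 refusing to negotiate an outdated cypher that the server insisted on. The Python below is an added example, not code from the article, the commenters, or eGeek: it builds two constructed ClientHello records, parses the offered cipher suites and the server_name extension, flags suites from a weak list constructed for the example (NULL, export, RC4, DES and 3DES), and shows the server-side SNI dispatch that decides which certificate a pre-SNI client falls back to. The site names and certificate file names are hypothetical.

```python
import struct

# Constructed for this example: cipher-suite IDs (IANA values) that this audit
# treats as weak: NULL, export-grade, RC4, DES and 3DES suites.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites, hostname=None):
    """Build a minimal TLS ClientHello record (constructed test input).

    hostname=None produces a pre-SNI style hello with no extensions block,
    which is what an old client that cannot name the site it wants sends.
    """
    body = b"\x03\x03" + bytes(32)            # client_version 1.2, 32-byte random (zeros here)
    body += b"\x00"                           # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                       # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        # server_name extension (type 0): ServerNameList with one host_name entry
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni_hostname or None, [cipher-suite IDs]) from a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                              # skip client_version and random
    pos += 1 + body[pos]                      # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # skip compression methods
    hostname = None
    if pos + 2 <= len(body):                  # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0 and body[pos + 2] == 0:   # server_name, name_type host_name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                hostname = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return hostname, suites


def audit_client_hello(record):
    """Flag weak suites a client offers and whether it can name the site it wants."""
    hostname, suites = parse_client_hello(record)
    weak = [(s, WEAK_SUITES[s]) for s in suites if s in WEAK_SUITES]
    return {"sni": hostname, "offered": suites, "weak": weak}


def pick_certificate(hostname, vhosts, default_cert):
    """Server-side SNI dispatch for many sites on one IP.

    A client that sends no server_name can only be given the default
    certificate; that is the backwards-compatibility cost of sharing an IP.
    """
    if hostname is None:
        return default_cert
    return vhosts.get(hostname, default_cert)


if __name__ == "__main__":
    # Hypothetical site names and certificate file names, not the sites in the thread.
    VHOSTS = {"www.site-a.invalid": "site-a.pem", "www.site-b.invalid": "site-b.pem"}
    modern = build_client_hello([0xC02B, 0xC02F, 0x002F], "www.site-b.invalid")
    legacy = build_client_hello([0x0004, 0x0005, 0x000A, 0x002F])
    for label, hello in (("modern client", modern), ("legacy client", legacy)):
        report = audit_client_hello(hello)
        print(label, "->", pick_certificate(report["sni"], VHOSTS, "default.pem"),
              "weak suites:", [name for _, name in report["weak"]])
```

Run as a script it prints one line per constructed client; fed the first record of a real capture, the same parser shows at a glance whether a stubborn client still offers RC4 or 3DES and whether it names the site it wants, which is the difference between getting the right certificate and getting the default one.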

  4. shub-internet

    Sue the directors

    Target's failure in the USA has shown the rich that they, personally, are now vulnerable as they can be sued for being inadequate directors (effectively). As a result, one organisation that is a mesh of small & medium networks is having a serious onslaught at the network architecture to make penetration actually difficult, as opposed to a script-kiddy job. The only thing that motivates directors to do something about this is to sue them personally. I can see this up close & personal as the local network crew are on 7x12 hour days at the moment, rebuilding and reworking.

    1. Roo
      Windows

      Re: Sue the directors

      "I can see this up close & personal as the local network crew are on 7x12 hour days at the moment, rebuilding and reworking."

      ... So the work is being timeboxed to what can be accomplished by tired folks thrashing their way through 84 hour weeks. That probably won't end well. Best of luck with that.

  5. naive

    Security needs to be moved down

    What is perhaps a way to improve security in a more structural manner is moving the concepts of organizing memory, as implemented by 3GLs' data structures, down to the level of hardware. Since the 80's some new languages have come into use, but at the machine instruction level most stayed the same: memory is just one large desert of bytes, which can be changed at will. That last feature is abused by hackers: while 3GL programmers cannot address memory directly, the hackers can, using x64 machine code.

    If instruction set extensions were added, for example instructions for array manipulation, including bounds checking and protection of the memory used by arrays from alteration by general-purpose machine instructions, the probability of buffer overflows would be reduced as soon as compiler builders started using these instructions in code generation.

    This idea just covers part of the problem, but a closer alignment between data structures widely used in programming languages, and enforced use of specific machine instructions to access and change these data structures on machine language level would probably have prevented a significant percentage of recent security issues. As a side effect, overwriting random parts of memory would be harder, since it would be riddled with protected spaces, which can not be updated by generic memory update instructions. All is written with the idea that plain K&R C is a 2.5GL, offering little protection from programming errors.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security needs to be moved down

      Security needs to be moved UP (to the design phase), not DOWN (to hardware, where the software people will ignore it).

      Most of the major security issues are not buffer overflows, they are badly configured systems, taped together with untested scripts, and left to rot in cupboards for years without patching. Oh, and users. The fleshies always screw things up if the system lets them.

      Security is a system problem. Stop thinking of it as (only) a coding problem.

      1. LucreLout

        Re: Security needs to be moved down

        @Pete H

        Stop thinking of it as (only) a coding problem.

        I dearly wish I could make some of my colleagues understand that security IS a coding problem, not just something for the networks guys to fret over. Seriously, I've seen systems broadcast trade data to anything subscribing to them - no security at all, and no comprehension of why that is unprofessional.

        Security is everyone's job. There are no roles in IT, or even using IT, where that is not the case.

    2. Anonymous Coward
      Anonymous Coward

      "for example instructions for array manipulation"

      You mean, for example, the "BOUND" instruction introduced by the 80286?

      Often the hardware has protection features that are ignored by system and application software - and sometimes it is the culprit, as in the SMM bug unveiled yesterday. And when the bug is in hardware, it's even more difficult to fix...

  6. Stevie

    Bah!

    "Our jobs?"

  7. Roo
    Windows

    Bellyaching & refusing to sign the cheques isn't enough on its own.

    "We need to agitate internally within our organizations to stop buying from vendors who don't have a strong public – and practical – commitment to security."

    Techies agitating against shit solutions has always happened, and always will, and I don't think there is any evidence that it has had a significant impact on purchasing habits across the industry at large. At the end of the day, while techies grumble, the PHBs are out playing golf with the salesdroids and signing the cheques.

    "We need to stop buying consumer gear from companies that refuse to pay more than lip service to security. We need to show that we will use our wallets with purpose, not merely convenience."

    So you've stopped paying the vendor for crapware; are you going to close your business down while you wait for the vendor to produce something decent, or are you going to run an alternative? For folks who like to stay in business the only answer is to find an alternative, so these people need viable alternatives, and they need to know they exist if change is going to happen. They also need less FUD in the form of articles telling people that there are no viable alternatives to sticking with the same flawed product lines they already use.

  8. Anonymous Coward
    Anonymous Coward

    Problem with security is that it stops people doing what they want to do. To the bosses, you are "that paranoid arsehole who is always trying to spoil our fun". Anything approaching decent security involves sacrifice and changing ways of doing things; which a great many people are not prepared to do. They want the shiny toys; the IoT; the voice-activated personal assistants; and either don't know or don't care what the price is. And by the time the bill presents itself, it's too late.

    You can try to head off the worst of it; but there's just too many flaws; too many ways in. So to others you're the guy who is constantly carping about things that haven't happened yet.

  9. Anonymous Coward
    Anonymous Coward

    ...

    Yawn

  10. Anonymous Coward
    Anonymous Coward

    That way lie dragons

    First, bravo for your manifesto.

    Second - a warning. I went through the same realization 4 years ago and decided to become an ethical technologist. My mantra was only be excellent, never write code with known defects or that would directly be used to harm others. What followed was a highly entertaining sequence of events involving being arrested, losing my job, becoming homeless and almost starving to death. In the USA.

    Was it Vaclav Havel who said something about he didn't plan on becoming a dissident, it was a byproduct of trying to be excellent?

    1. elDog

      Re: That way lie dragons

      Merlyn, is that you?

      Randal Schwartz was also taken to task by a very large US company (Intel) for trying to improve security within. But that was 20 years ago so some things don't change.

  11. alain williams Silver badge

    Ethics in business ...

    is, unfortunately, rapidly dying. Make money no matter how - who cares how?

    One other story today is shops in airports telling customers that they needed to see their boarding passes ''for security reasons'' - when the true reason is that if the customer is flying out of the EU then the VAT does not need to be paid to the tax man and the shop pockets the difference.

    Sales assistants were telling the customers fibs. While some of them might not have known the real reason, someone did and was happy to have the customers lied to. This is a complete abomination. If they lie on things like this, what else will they lie about?

  12. Anonymous Coward
    Anonymous Coward

    > We can do these things. We should do these things. Even if they cost us our jobs.

    All that will happen is that the situation will get much, much worse as those with the passion and intelligence to stand up are quickly replaced by the immoral, the careless and the stupid.

  13. ecarlseen

    Real geeks roll their own home routers.

    "Hell, when was the last time you, the information technology experts reading this article, bothered to check if you could update your home routers?"

    Well, they run OpenBSD, so yeah, they're upgradable, and whatever few remotely-exploitable flaws exist will be patched post-haste. And they're clustered, so I can do this with zero downtime.

    1. Trevor_Pott Gold badge

      Re: Real geeks roll their own home routers.

      Well, I use OpenWRT. So that's upgradable. Not everyone is allowed to do this, however. My ISP, for example, usually freaks out if you don't use their shitty Actiontec modem/gateways. I was able to score an appropriate VDSL2 modem-only unit from ebay and put my own router behind it. But what if I had had an Actiontec? I can't really do much to it. I'd be entirely at the mercy of the ISP.

      This is a really bad situation.

    2. P. Lee
      Mushroom

      Re: Real geeks roll their own home routers.

      My home router is "end of life" or so Cisco says. And yet, it does ADSL2+ as does my telco. It does all the usual static and dynamic routing. It passes traffic as it always did.

      And yet... no more patches will ever be available for it.

      Why is this allowed? If ADSL was obsolete, I could understand it, but why are companies allowed to abandon products? Sure, Cisco wants to sell me a new one, but I think the mindset of "it's old, it has to be replaced" needs to go. Perhaps if they spent more time refining the software and less time marketing new kit things might be better. The chips in these systems are pretty standard. I can't help but think that incompatibilities are deliberately created to prevent long life and upgrades, just like in tablets and phones.

      I like dedicated equipment because it tends to be reliable. Putting an ADSL modem in a server always makes me nervous. I suppose what we really need is a nice little switch/router reference platform from ARM or MIPS running a small *BSD or something like that. The only people I've seen doing such things are quite expensive. Maybe Xiaomi or someone like that could help out?

  14. Anonymous Coward
    Anonymous Coward

    Easy to bitch about other people's work

    I'm puzzled about your use of "Oracle-class" since, as an independent consultant, you seemingly have no idea just how hard execs in big companies like Oracle have been busting peoples' balls for the past several years to find and fix security problems. It's easy to sit in your little cube and say "I wouldn't have made that mistake", but it isn't necessarily true. Security is the #1 issue for big IT companies right now. Like it or not, every complex system (even Intel chips) has bugs, and they can't all be fixed in a week.

    Sure, we can debate whether bug bounties are useful or not, Dilbert covered that 20 years ago: http://www.dilbert.com/strips/comic/1995-11-13/ , but suggesting that it implies a lack of interest in security is nonsense. When you have a backlog of CVSS 10 bugs to fix already, having some bright spark pop up with "I've found another, give me $10K or I'll publish next week" doesn't exactly help.

    As other posters above have noted, the way people use software (rubbish passwords, never configuring encryption, clicking on unsafe email) is at least as big a problem. A knee jerk reaction of "I found a bug, line the bastards who wrote this up against the wall" isn't going to help.

    Teaching users about security is a thankless, uphill task. We all know that the $10 router on eBay is probably insecure, but I'll guarantee you that if you put another secure one up at $40 many people would still buy the $10 one, just because it's cheaper.

    1. Trevor_Pott Gold badge

      Re: Easy to bitch about other people's work

      Who is asking they be fixed "in a week"? The issue is taking information security seriously and doing everything reasonably possible to ensure that it not be given lip service only. For a company Oracle's size, that absolutely includes bug bounties.

      But bug bounties aren't the real issue. The Oracle-class stupidity is bemoaning user and researcher attempts to discover bugs in the first place. The concept that a company's need to protect its intellectual property and/or near-monopoly with an EULA should come before security is not only asinine, it is dangerous.

      Oracle has been pretty clear about putting security far behind commercial interests for a very long time now. This lady has just been the first to be honest about it. And they threw her under the yacht for doing so!

      If your software is so awful that you have a "line of CVEs to fix" then you should be out there, fixing those. They shouldn't stay unfixed for ages. And you shouldn't be objecting to people adding new ones to the list.

      More to the point, you should have layers of QA, proper unit tests and proper security testing before things go out, so that the number of CVEs starts dropping over time.

      I don't expect any company to magically solve all security problems over night. I don't expect all code to be without flaw. I absolutely do expect companies - especially large ones - to make security the primary priority. Ahead of new features. Ahead of release dates. Ahead of any other priority in their software.

      Corporate profit should not come before information security, especially for vendors as large (and profitable) as Oracle. The hell of it is that it doesn't take a whole lot of investment to resolve this. For a company Oracle's size adding a few hundred extra bodies to security testing design and then to QA (those who implement the tests) and drawing out releases a little so that the bugs can be solved before going out...that's nothing.

      And throwing a few measly million at the research community to find bugs in your software is a minor expense for an Oracle. Especially since the stuff the researchers find is going to be the same stuff so easily visible to blackhats using those very same techniques.

      Nobody should get to avoid responsibility for security just because they believe they have a $deity-given right to ignore security in the quest for money.

      1. Anonymous Coward
        Anonymous Coward

        Re: Easy to bitch about other people's work

        But you forget the IT people don't have influence over the accountants. The accountants have to handle the budgets and are under a fiduciary duty to minimize costs. And accountants can take a look at fines and figure them to be less, even accounting for the lawyers to negotiate the fines down, than replacing anything. Plus the executives can grease palms in the legislatures. For them, shirking responsibility and making governments look the other way with overwhelming influence is cheaper than doing things right. And since you can't directly pin DEATHS to IT the way you can with cars, planes, factories, and so on (which is why they're regulated and IT is not), there's little real public outcry to change things. Fortunes and identities can be rebuilt, so they don't draw as much ire. You MUST threaten the one irreplaceable thing—life—to get any real righteous indignation.

        1. Trevor_Pott Gold badge

          Re: Easy to bitch about other people's work

          Bad IT in a car can indeed kill people.

          Bad IT in planes has killed people.

          Bad IT in medical equipment has killed people.

          Bad IT in AI-equipped auto-death weapons inevitably will kill people.

          And on and on and on....

          1. Charles 9

            Re: Easy to bitch about other people's work

            But in each and every one of those scenarios, there's something between the IT and the life involved. Since IT is mostly nonphysical, it's hard to DIRECTLY pin the blame on the IT to the point the average joe has no recourse but to blame it and nothing in between.
