Gawker tech boss admits site security was crap Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher's servers. The publisher of Gawker, Gizmodo, and seven other popular websites also plans to, gasp, …
In my experience, as a systems analyst and programmer, it is always better to tell a customer "sorry this was my fault" in stead of blaming the OS or the programming language or the hardware or anything else. Works better that way, very well in fact, but in order to stay employed your boss has to understand that too. And it hurts sometimes, and it works only if you know the problem can be fixed. (soon)
We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!
There's two universities (at least) out there in the UK who's core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data. I'm afraid I blame short-term thinking and a basic lack of managerial understanding for this. I cannot believe how hard we tried to tell them what the risks were, and how patronising and over-ruling they were in response. We were 'banned' from putting in any kind of security measures!
Does anyone else in IT recognise this? Third party managers with little or no understanding of the situation, arrogantly defending a position with little or no understanding of the repercussions?
Surely mitigating potential SQL injections is a basic behind the scenes task on the part of developers- surely it's our job to make sure we're only ever using paramterised queries and never trusting any user data to be sane? Unless they were mandating urls with complete SQL queries in them, how is this a problem for a developer?
Thats what wikileaks is for, Publish the correspondance.
anyhoo a job that is not done properly is not worth doing. If you are asked to build a house you should always start with the foundations, you do not just build a house on the bare ground. I have to say its your fail, for just doing "what you are told" not what everyone (including those people whose data is at risk) expects of you. If you are going to do systems work do it properly.
OK...I need help people...my jaw dropped so far that it's locked open and if it weren't the middle of winter with four inches of snow on the ground I'd be in danger of swallowing flies. Someone get round here with a crow-bar or something.
However it is nice to have one's prejudices about the technical illiteracy of these worthless web2.0rhea w@nkers confirmed :-)
Companies focus upon the end result which is functionality, look and feel etc.
Security and stability only become issues *after* the fact. This is how lots of web businesses operate.
And from performance reviews of existing (current) live web apps, they are not the only company in this position - or worse.
Jacqui
DES is an encryption algorithm indeed... crackable by 5 year old kids using 10 year old hardware. Yet you would be terrified to know how many organizations use it to "secure" passwords and such sensitive things.
Then there's that stupid idea called 3DES, which seems to be the cheap VPN standard, and is also used in some SSL connections. I keep myself away from anything bearing the "DES" name.
Now that I think about it, DES is probably as "secure" as a bad hashing algorithm...
They've had shitty login code for a long time as well. Of course complaining about it through official channels make no difference when the retarded foxes are minding the coop.
How many companies have management unaware of how crap their sites are and how difficult it is for customers to tell them so?
In most companies management is a bunch of ignorants when it comes to security and quality. I could tell examples of a major stock exchange, a financial transaction (retail) software company and all of you can monitor what kind of security show Adobe and Microsoft are.
If I am making management aware of a security risk and I am being told to ignore it, the blame lays fully with management.
Maybe somebody can try to own one of the largest derivatives exchanges ? It's just a matter of exploiting Firefox 3.0 (yes !!) or using some old Flash exploits or some old Java Webstart Exploits. All Desktop machines are WIDE OPEN.
Before we don't see a major business crash and burn because of crappy security, there will be done exactly nothing to improve the situation. A major CEO needs to be fired very publicly because of neglecting IT security. Before this doesn't happen, nothing is going to change.
All the pointy-haireds always consider asking lawyers for guidance, but an IT security professional is only a smelly, long-haired underling to be ignored.
Am I the only person who uses throwaway addresses with nothing behind them when signing on the sites that I'm not absolutely certain about doing business with? Sure, this one "got" me but all I did was walk away from another free webmail account with no links to my "inner me". Oh no, now a bunch of gawker crackers know my middle name thinking it's my first and that my favorite color on that account was medium rare neoprene. Yeah, good luck with that guys. Perhaps it's time for a university course titled, "iCYA, tell the web data scrapers to kiss your arse".
"We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!"
Couldn't you have just written it properly in the first place?
"There's two universities (at least) out there in the UK who's core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data."
You make it sound like you knew about these but chose to leave them in during development. If you know your code sucks this much, maybe you shouldn't be writing software.
Anonymous because this post is quite insulting.
In the interests of integrating with existing systems, many utterly retarded compromises may have to be made. As a contrived example; if you're being paid to build a service which accepts SQL queries over an unauthenticated, unencrypted HTTP connection, your avenues of sensible implementation are limited.
Although its a safe assumption that every coder other than yourself is an unprincipled incompetent cowboy (and indeed experience often bears this out) it isn't always the case.
And to those saying 'walk away'; we all have bills to pay. If you've clearly stated in writing that the system will be broken as specified, you may as well finish the job. You can always pad the costs to include arse-covering legal advice.
...I hope this ruins them and bankrupts them after they are unable to get the subscriber base back and advertising revenue falls through the floor.
Nothing personal, I don't use any of their sites and don't really care much about them in particular but hopefully if they crash and burn other companies will take note and actually spend some cash on their security and infrastructure which leaders to a generally stronger website ecosystem.
To Paraphrase Sir Humphry. The principles of good business sometime requires a human/company sacrifice.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
