Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher's servers. The publisher of Gawker, Gizmodo, and seven other popular websites also plans to, gasp, …
They can't be a very large business with honesty like that. Kudos for owning up to being crap. Brickbats for being crap in the first place.
In my experience, as a systems analyst and programmer, it is always better to tell a customer "sorry, this was my fault" instead of blaming the OS or the programming language or the hardware or anything else. Works better that way, very well in fact, but in order to stay employed your boss has to understand that too. And it hurts sometimes, and it works only if you know the problem can be fixed. (soon)
Management and security woes
We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!
There are two universities (at least) out there in the UK whose core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data. I'm afraid I blame short-term thinking and a basic lack of managerial understanding for this. I cannot believe how hard we tried to tell them what the risks were, and how patronising and over-ruling they were in response. We were 'banned' from putting in any kind of security measures!
Does anyone else in IT recognise this? Third party managers with little or no understanding of the situation, arrogantly defending a position with little or no understanding of the repercussions?
But then who gets the blame when it all goes wrong? Even if you point out that they were warned at the time, it's considered irrelevant.
show me the money
You (or your company) seem to be just as culpable for failing to walk away from a contract that opens you up to major liability.
Mike, that's nonsense. You cannot force an employer to take your concerns with the seriousness they deserve, you can only strongly and professionally advise them. If they choose to ignore you, that's their mistake.
Surely mitigating potential SQL injections is a basic behind-the-scenes task on the part of developers. Surely it's our job to make sure we're only ever using parameterised queries and never trusting any user data to be sane? Unless they were mandating URLs with complete SQL queries in them, how is this a problem for a developer?
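The point the comment above makes, shown as an added example that is not code from the thread or from Gawker: the same login lookup written once by splicing user input into the SQL text and once as a parameterised query, run against an in-memory SQLite table of constructed sample users. The usernames, passwords and roles are made up; the password is stored in clear only so the injection point stays visible (how the secret itself should be stored is a separate question).

```python
"""Added example: string-built SQL versus a parameterised query.

Runs offline against an in-memory SQLite database. The user rows below
are constructed sample data, not real accounts.
"""
import sqlite3

# Constructed sample data (username, password, role).
SAMPLE_USERS = [
    ("alice", "s3cret", "editor"),
    ("bob", "hunter2", "reader"),
]


def make_db():
    """Create an in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately broken: user-controlled text becomes part of the SQL.

    A username such as  alice' --  turns the rest of the WHERE clause into
    a comment, so the password is never checked.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised form: the SQL text is fixed, the values travel separately.

    The driver binds the values, so a quote or '--' in the input is just
    part of the string being compared, never part of the statement.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Classic comment-out payload against the vulnerable version.
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    # Same payload against the parameterised version.
    print("safe:      ", login_safe(db, "alice' --", "wrong"))
    # Legitimate login still works through the safe path.
    print("safe, real:", login_safe(db, "alice", "s3cret"))
```

The vulnerable call returns Alice's row without knowing her password; the parameterised call returns nothing for the same input, because it is looking for a user literally named `alice' --`.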
That's what WikiLeaks is for. Publish the correspondence.
Anyhoo, a job that is not done properly is not worth doing. If you are asked to build a house you should always start with the foundations; you do not just build a house on the bare ground. I have to say it's your fail, for just doing "what you are told", not what everyone (including those people whose data is at risk) expects of you. If you are going to do systems work, do it properly.
I would have blamed the pope
They *weren't* using SSL??
OK...I need help people...my jaw dropped so far that it's locked open and if it weren't the middle of winter with four inches of snow on the ground I'd be in danger of swallowing flies. Someone get round here with a crow-bar or something.
However it is nice to have one's prejudices about the technical illiteracy of these worthless web2.0rhea w@nkers confirmed :-)
Still not happy
Screw them still, I hate the fact my details are out there because of them.
Yes, that's terrible
BTW, how's that rash?
Another case of bolting the stable door after the horse has already bolted.
minimal cost development
Companies focus upon the end result which is functionality, look and feel etc.
Security and stability only become issues *after* the fact. This is how lots of web businesses operate.
And from performance reviews of existing (current) live web apps, they are not the only company in this position - or worse.
"Nothing short of a full site rewrite is going to keep Gawker online at this point,"
Refreshing to see a refusal to blame everyone else.
It's ALL Crap!
Given the proliferation of breeches in security, it's all just smoke and mirrors trying to make the common user FEEL secure.
Re: It's ALL Crap
Just because breeches are nowadays considered antique trouser technology, the basic manufacturing principles have not greatly changed and indeed many modern trousers may not be as secure as some designs of breeches.
DES isn't a hash
DES isn't a hashing algorithm. If they were using it to protect passwords, then that's an even worse idea than using MD5.
DES is an encryption algorithm indeed... crackable by 5 year old kids using 10 year old hardware. Yet you would be terrified to know how many organizations use it to "secure" passwords and such sensitive things.
Then there's that stupid idea called 3DES, which seems to be the cheap VPN standard, and is also used in some SSL connections. I keep myself away from anything bearing the "DES" name.
Now that I think about it, DES is probably as "secure" as a bad hashing algorithm...
It's the syndrome, stupid
They've had shitty login code for a long time as well. Of course, complaining about it through official channels makes no difference when the retarded foxes are minding the coop.
How many companies have management unaware of how crap their sites are and how difficult it is for customers to tell them so?
It's easy to blame the programmers...
but how much did they pay for the website in the first place?
Was there any budget for security enhancement, or security requirement, in this project?
I mean, What you Pay Is What You Get (WYPIWYG).
Doing the wrong thing is excusable just so long as it was cheap?
YES IT IS RIGHT, IF YOU GET A DIRECT ORDER.
In most companies management is a bunch of ignorants when it comes to security and quality. I could tell examples of a major stock exchange, a financial transaction (retail) software company and all of you can monitor what kind of security show Adobe and Microsoft are.
If I am making management aware of a security risk and I am being told to ignore it, the blame lies fully with management.
Maybe somebody can try to own one of the largest derivatives exchanges ? It's just a matter of exploiting Firefox 3.0 (yes !!) or using some old Flash exploits or some old Java Webstart Exploits. All Desktop machines are WIDE OPEN.
Until we see a major business crash and burn because of crappy security, exactly nothing will be done to improve the situation. A major CEO needs to be fired very publicly for neglecting IT security. Until that happens, nothing is going to change.
All the pointy-haireds always consider asking lawyers for guidance, but an IT security professional is only a smelly, long-haired underling to be ignored.
What you Pay Is What You Get (WYPIWYG)
Unless you're in government when you pay several hundred times more than what you get.
Am I the only person who uses throwaway addresses with nothing behind them when signing on the sites that I'm not absolutely certain about doing business with? Sure, this one "got" me but all I did was walk away from another free webmail account with no links to my "inner me". Oh no, now a bunch of gawker crackers know my middle name thinking it's my first and that my favorite color on that account was medium rare neoprene. Yeah, good luck with that guys. Perhaps it's time for a university course titled, "iCYA, tell the web data scrapers to kiss your arse".
What the huffing fell is Gawker, and why would I care?
Did some webtards get pwnd? Are they crying an iRiver? Does it affect anybody who's not a total hipster spanner? No, thought not.
I'm amazed that you're in that select crowd of Daily Telegraph readers who can comment on something they know nothing about, taking more time to do so than looking up the references.
...and this is the fault of the company hiring you?
"We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!"
Couldn't you have just written it properly in the first place?
"There are two universities (at least) out there in the UK whose core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data."
You make it sound like you knew about these but chose to leave them in during development. If you know your code sucks this much, maybe you shouldn't be writing software.
Anonymous because this post is quite insulting.
Writing in a secure way should be the norm, not something to bolt on later.
It might well be their fault
In the interests of integrating with existing systems, many utterly retarded compromises may have to be made. As a contrived example; if you're being paid to build a service which accepts SQL queries over an unauthenticated, unencrypted HTTP connection, your avenues of sensible implementation are limited.
Although it's a safe assumption that every coder other than yourself is an unprincipled, incompetent cowboy (and indeed experience often bears this out), it isn't always the case.
And to those saying 'walk away'; we all have bills to pay. If you've clearly stated in writing that the system will be broken as specified, you may as well finish the job. You can always pad the costs to include arse-covering legal advice.
if the site ran on Windows Server...
...everyone would be blaming Microsoft.
Not if it was *still*
written in clearly insecure PHP. And as everyone knows PHP is TRWTF, unless it's VB6.
...I hope this ruins them and bankrupts them after they are unable to get the subscriber base back and advertising revenue falls through the floor.
Nothing personal, I don't use any of their sites and don't really care much about them in particular, but hopefully if they crash and burn other companies will take note and actually spend some cash on their security and infrastructure, which leads to a generally stronger website ecosystem.
To paraphrase Sir Humphry: the principles of good business sometimes require a human/company sacrifice.
Or, put another way:
"We're shit and we know we are
we're shit and we know we are
we're shit and we know we are
we're shit and we know we are"
<Repeat ad nauseam>