Rise up against Oracle class stupidity and join the infosec strike

Information security and privacy are important. Stop being Oracle-class short-termist assholes. Stop waffling, dodging and procrastinating. Get your heads out of your asses and start doing something to improve things for everyone. You. Yes, you there reading this article. I don't care who you are, you have the power to be part …

  1. Anonymous Coward

    First, I stand for TLS, not SSL.

    ... and I'll go get my coat now.

    1. Trevor_Pott

      Re: First, I stand for TLS, not SSL.

      Hah! Fair point. I think of TLS as "SSL" even though I know the difference. Same purpose, same libraries, same modules...guess I'm just getting old; conflating things that are "close" because of implementation rather than provenance.

      1. Drs. Security

        Re: First, I stand for TLS, not SSL.

        and indeed, because of old cypher suites as easily vulnerable as well.

        Just because of all the issues rightly portrayed in this article.

        1. Anonymous Coward

          Re: First, I stand for TLS, not SSL.

          Switching from SSL to TLS, and disabling old cipher suites, will have only minimal effect on the information security problem. I would be relatively happy for these to rot for a while *IF* people were actually using the time saved on dealing with some of the real issues.

          1. Anonymous Coward

            Re: First, I stand for TLS, not SSL.

            Right now, it cut me away from some older Dell systems remote management web tools, which I still use in a lab to run tests. I will have to revert them to unencrypted communications.

      2. Dan 55

        Re: First, I stand for TLS, not SSL.

        They only changed the name to TLS to please Microsoft anyway...

      3. streaky

        Re: First, I stand for TLS, not SSL.

        SSL is dead! Long live SSL!

        I usually find it's easier just to call everything TLS and not support any SSL versions. There have been good computational reasons to do this since long before POODLE et al, which is why I was having a good chuckle at the rest of the world when it happened.

  2. Steve Gill

    Rise up Techie Introverts and be ...

    oh :(

    1. Trevor_Pott

      Re: Rise up Techie Introverts and be ...

      Yep. That's a big problem right there. I don't really have a solution to that. Maybe it requires an extrovert to start taking a stand so the rest will follow. Maybe it requires massive encouragement across the industry. Maybe social media can help. But we need to get everyone - even the introverts - to stop allowing badness to ensue through apathy. If anyone comes up with magical solutions to motivate, I'd love to hear them! :)

      1. John G Imrie

        Re: Rise up Techie Introverts and be ...

        Well, a lot of us Techie Introverts read El Reg, so can we get our beloved Red Top to launch a campaign to help us ram the problem down the PHBs' throats?

        Failing that, I'll see about organising a badge or T-shirt. Something along the lines of 'I know where your personal details went last night' might be fun.

        1. Anonymous Coward

          Re: "I know where your personal details went "

          Or, perhaps: "which corporation has leaked or sold your personal information today?"

          1. Charles 9

            Re: "I know where your personal details went "

            "Or, perhaps: "which corporation has leaked or sold your personal information today?""

            What happens when the answer comes back, "ALL of them", and you're faced with a desperate need to put food on the table? Principles are tough to defend when you're starving...

            1. Mike Moyle

              Re: "I know where your personal details went "

              "It's 2015: Do you know where your personal information is?"

          2. Captain DaFt

            Re: "I know where your personal details went "

            How about:

            "Google knows more about you than your mother does."

            "Every time you go online, an advertiser is listening."

            "If you won't tell it to strangers in public, why the Hell do you post it on Facebook?"

            Maybe I should write a book?

      2. Anonymous Coward

        Re: Rise up Techie Introverts and be ...

        I've taken a stand, by refusing to commit to allowing company data to be sent out unencrypted, only to be bulldozed aside by middle management with zero clue about security. The task is then given to someone they know won't argue and will just do it.

        1. Trevor_Pott

          Re: Rise up Techie Introverts and be ...

          Taking a stand doesn't mean you'll win. But for it to work not everyone who takes a stand has to win. Even a small percentage winning some of the time can begin to change things, and make security the new normal. That can start to make those who don't provide security for their products seem a worse deal.

          Persistence is required. And a diversity of people willing to take a stand in a diversity of situations. But the attempt is not irrelevant simply because not all will succeed in all situations all of the time.

      3. Anonymous Coward

        Re: Rise up Techie Introverts and be ...

        ".....even introverts"? It's the introverts in there fixing the shitty IT practices. Server admins afraid to patch, devs that know NOTHING about AppSec, flat networks ......Any/Any.

        Have never met an extroverted IT practitioner (a rare species to begin with) that I didn't want to just get out of the way.

  3. Anonymous Coward

    will it really help?

    Trevor,

    All good and well and I only already know how it feels when this exact behaviour is costing employment.

    As long as senior management can still hide below their desks and are not made painfully accountable for all the security blunders that are made, nothing is going to change.

    For the last 10 months I've done my stinking best to get a governmental joint to listen and improve security, all I get for it is (precisely) nothing in return.

    Will you give up writing for the Register if they don't switch to HTTPS like you demand in your article?

    And yes, I'm posting this anonymously, which I normally wouldn't dream of doing, only to make sure I can even get a new job after this current one expires, because I already did what you propose us senior information security experts do.

    Internet and privacy are unforgiving.

    1. Trevor_Pott

      Re: will it really help?

      Fortunately, I don't have to make that choice. The Register is, in fact, working on HTTPS support (or so I have been told). But you know what? Yeah. In the long run, if I couldn't convince them that it mattered - especially for a technology site! - I'd probably take my content elsewhere. I don't want to, but I really do think ethics matter.

      Someone has to say "no, I won't take that job". I've started to do just this with some of my sysadmin clients. I think it's valid to think about it applying to writing, too.

      There is room for discussion about taking things to extremes though. If your employer is making headway and clearly working on the problem, it's probably not going to help anything if you pull the rip cord. But if they just stubbornly don't care about their customers to the point that they ignore security why would you believe they give a bent damn about you?

      But before we can hammer out these sorts of fine details we need to start having the discussion about infosec professional ethics in the first place. Glad to see some readers are willing to join in.

      1. Anonymous Coward

        Re: will it really help?

        Precisely why the fact my contract wasn't extended is such a double feeling.

        On one hand you lose some personal security, on the other hand: do I really want to work for an organisation that doesn't fucking care about their user data, that of millions of citizens (including obviously my own)?

        Where compliance is more important than fixing security risks and the only answer to malware is blocking "private" webmail sites?

        And then management thinks we are "secure" again?

        No thanks.

        Then again my dear Trevor, name me any company that does take this seriously before they've been hacked and shamed into submission.

        1. Trevor_Pott

          Re: will it really help?

          Hence why I think both legislation and grassroots nerdrage are required. Corporates are not going to give fucks without both things occurring.

          1. Fatman

            Re: will it really help?

            "Hence why I think both legislation and grassroots nerdrage are required."

            I hope you `like it hot`, because it will be a cold day in hell before legislation gets passed that brings individual responsibility down on the heads of damagement.

            Corporates OWN the government and legislators in MANY countries.

            AFAIAC, trying to 'raise awareness' from within is a potential resume generating event.

            Good luck getting a job when the corporate overlords make these kind of remarks regarding your time with them:

            1) doesn't take direction well

            2) can't see the `bigger picture`

            3) not focused on the company's goals

            4) too many personality conflicts

            and I could go on, so I hope you get the idea. You seem to forget the cardinal rule of HR:

            When the prospective employee's version of events conflicts with that of management, management's is PRESUMED to be correct.

            1. Trevor_Pott

              Re: will it really help?

              Assuming your take on things to be correct, how is it rational to take a job knowing that there will be a lax attitude to security, that this will lead to security breaches, and that you, as the minion "just following orders", will be the schlub on the hook to take the blame?

              How is it rational to say "I'll take some easy money now, knowing that there is a really good risk that shit will hit the fan, I'll get blamed, and end up unemployable in this field forever after that point"? Wouldn't it make more sense to put your labour into another profession where you can actually expect long term employment, instead of an abrupt, messy - and potentially expensive - sacking, followed by being reverted to essentially "unskilled labour"?

              1. fajensen

                Re: will it really help?

                People have mortgages to pay; I think it is pretty rational to weigh up the risks of: "me eventually getting blamed for letting "Evul Hax0rs" stonk on some database" or "me getting evicted next month because of ... Principles".

                In Other Words: If you don't like working with shit, don't work with IT!

                Choose an Evolutionary field - electrical engineering, aerospace, ship-building et cetera ... do not choose a Revolutionary one, where every five years new, brighter, more shiny (and cheaper) young things emerge equipped with the latest fad in tools & methods.

      2. Naselus

        Re: will it really help?

        "Fortunately, I don't have to make that choice. The Register is, in fact, working on HTTPS support (or so I have been told)."

        Are the consultancy firm you work for doing so, too? Only, I just tried going to https://www.egeek.ca/ (free plug!)... and that doesn't work. Only http://. Same goes for https://Webreaktech.com, the firm's review website. Seems like you're not entirely practicing what you're preaching here. Seems to me, someone over at eGeek should really make a stand about this sort of thing, and withhold their valuable consultancy hours until management do something about it.

        1. Trevor_Pott

          Re: will it really help?

          Actually, we are working on HTTPS for all our sites. (There are about 12, including trevorpott.com)

          The issue we're facing is one of limited IP addresses. I know that HTTPS should work with multiple sites to a single IP on newer browsers, but I would really like to ensure that we have backwards compatibility support. So I'm in the process of evaluating load balancers and how it is they might (or might not) solve the problem.

          In the meantime, we have (to my knowledge) removed from all our sites any member sign-ups on publicly published pages. We have informed our existing members that we're looking to alter our entire security stance on the sites, including eventually altering where the login pages are, switching to .hta access and more.

          We've been mostly working on behind the scenes security in the past month. Database and operating system hardening. Automated updates for Wordpress. Security plugin testing and hardening for wordpress. Selective writelock cascades for any site which doesn't have to be writable for that particular timeframe...we've also gone over the code and the databases to make sure we weren't pwned at any point in the past.

          Because we aren't in the process of building an active forum presence that requires readers to sign up or subscribe, our primary focus from a security standpoint has been to ensure that we aren't hosting malicious stuff that could infect readers. HTTPS support is on the list in the near term, but as the sites are (at the moment) publicly facing read-only (rather than interactive) sites, we felt the other security issues had priority.

          If you feel there is a really good reason to push HTTPS above the rest of our security efforts to get it done sooner, please, make your case! We're entirely open to it!
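The backwards-compatibility problem Trevor describes is the one Server Name Indication (SNI) addresses: the client names the site inside its ClientHello, so one IP address can front many certificates, but a client that sends no SNI can only ever be given the default certificate. As an added example (not the poster's or eGeek's code), this C block parses the SNI extension out of a constructed ClientHello and shows the certificate-selection logic including the no-SNI fallback; the host names and certificate file names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Extract the server_name (SNI, RFC 6066) from a TLS ClientHello record.
 * Returns 1 and copies the host name into out when the extension is present,
 * 0 when the client sent no SNI at all (pre-SNI clients), -1 on malformed input. */
int tls_sni_from_client_hello(const uint8_t *rec, size_t len, char *out, size_t out_len)
{
    if (len < 5 || rec[0] != 0x16 || be16(rec + 3) + 5 > len) return -1; /* record: handshake */
    size_t p = 5; len = be16(rec + 3) + 5;                    /* ignore anything after the record */
    if (p + 4 > len || rec[p] != 0x01) return -1;             /* handshake type: client_hello */
    p += 4;
    if (p + 34 > len) return -1;                              /* client_version + random */
    p += 34;
    if (p + 1 > len || p + 1 + rec[p] > len) return -1;       /* session_id */
    p += 1 + rec[p];
    if (p + 2 > len || p + 2 + be16(rec + p) > len) return -1; /* cipher_suites */
    p += 2 + be16(rec + p);
    if (p + 1 > len || p + 1 + rec[p] > len) return -1;       /* compression_methods */
    p += 1 + rec[p];
    if (p == len) return 0;                                   /* no extensions: old client */
    if (p + 2 > len || p + 2 + be16(rec + p) != len) return -1;
    p += 2;
    while (p + 4 <= len) {
        size_t type = be16(rec + p), elen = be16(rec + p + 2);
        p += 4;
        if (p + elen > len) return -1;
        if (type == 0x0000) {                                 /* server_name extension */
            /* ServerNameList length(2), NameType(1) must be host_name, HostName length(2) */
            if (elen < 5 || rec[p + 2] != 0x00) return -1;
            size_t nlen = be16(rec + p + 3);
            if (5 + nlen > elen || nlen + 1 > out_len) return -1;
            memcpy(out, rec + p + 5, nlen);
            out[nlen] = '\0';
            return 1;
        }
        p += elen;
    }
    return 0;
}

/* Constructed virtual-host table (hypothetical names and cert files); the first entry is the default. */
struct vhost { const char *name; const char *cert; };
static const struct vhost vhosts[] = {
    { "www.example.com",  "example-com.pem" },
    { "blog.example.net", "example-net.pem" },
};

/* Pick the certificate for a ClientHello. A client that sends no SNI can only be
 * served the default vhost, which is why one IP per site was the old workaround. */
const char *cert_for_client_hello(const uint8_t *rec, size_t len)
{
    char host[256];
    int r = tls_sni_from_client_hello(rec, len, host, sizeof host);
    if (r < 0) return NULL;                  /* malformed: drop the connection */
    if (r == 0) return vhosts[0].cert;       /* legacy client: default certificate only */
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (strcmp(vhosts[i].name, host) == 0) return vhosts[i].cert;
    return NULL;                             /* unknown name: refuse rather than serve a wrong cert */
}

/* Build a minimal constructed ClientHello (TLS 1.2, one cipher suite) carrying an SNI
 * extension for host, or no extensions at all when host is NULL. Returns its length. */
size_t build_client_hello(uint8_t *buf, const char *host)
{
    size_t p = 5;                               /* record header is filled in last */
    buf[p++] = 0x01; p += 3;                    /* handshake type + 3-byte length placeholder */
    size_t body = p;
    buf[p++] = 0x03; buf[p++] = 0x03;           /* client_version: TLS 1.2 */
    memset(buf + p, 0xAB, 32); p += 32;         /* fixed "random" bytes for the demo */
    buf[p++] = 0;                               /* empty session_id */
    buf[p++] = 0; buf[p++] = 2; buf[p++] = 0xC0; buf[p++] = 0x2F; /* one cipher suite */
    buf[p++] = 1; buf[p++] = 0;                 /* compression: null only */
    if (host) {
        size_t n = strlen(host), ext = p;
        p += 2;                                 /* extensions length placeholder */
        buf[p++] = 0x00; buf[p++] = 0x00;       /* extension type: server_name */
        buf[p++] = (n + 5) >> 8; buf[p++] = (n + 5) & 0xFF;   /* extension data length */
        buf[p++] = (n + 3) >> 8; buf[p++] = (n + 3) & 0xFF;   /* ServerNameList length */
        buf[p++] = 0x00;                        /* NameType: host_name */
        buf[p++] = n >> 8; buf[p++] = n & 0xFF;
        memcpy(buf + p, host, n); p += n;
        buf[ext] = (p - ext - 2) >> 8; buf[ext + 1] = (p - ext - 2) & 0xFF;
    }
    size_t hs = p - body;
    buf[6] = hs >> 16; buf[7] = (hs >> 8) & 0xFF; buf[8] = hs & 0xFF;
    buf[0] = 0x16; buf[1] = 0x03; buf[2] = 0x01; /* record: handshake, legacy version TLS 1.0 */
    buf[3] = (p - 5) >> 8; buf[4] = (p - 5) & 0xFF;
    return p;
}
/* Build a hello for host (NULL = no SNI) and return the certificate the server would pick. */
const char *demo_select(const char *host)
{
    static uint8_t buf[512];
    return cert_for_client_hello(buf, build_client_hello(buf, host));
}
```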

          1. Tomato42

            Re: will it really help?

            @ Trevor_Pott: winXP is dead, don't let the zombie roam the streets

    2. Martin Gregorie

      Re: will it really help?

      Oddly enough, yes, there are some governments and companies that can do a good job. Here's an example.

      I'd been having a problem renewing a passport (no, not a UK one, but I'm not about to say whose in case it embarrasses somebody who doesn't deserve that). The initial part of the online dialog was plain text (no problem there - nothing private involved at that stage), but Firefox 39 refused to start an encrypted connection for the next section (inputting details of the old passport), with the error page making it obvious that this was due to FF39 refusing to use an outdated cypher and the server insisting on it. I had a brief e-mail interchange with the sysadmins, who agreed that this was a problem that would be rectified. They also said that their change process couldn't do the update within my timescale and suggested a temporary workaround which got the job done. Result.

      Thanks, El Reg, for the article highlighting the fact that the FF39 release forced the pace by deprecating the older and most broken SSL cyphers. I just didn't expect it to be so immediately useful.

      This short (two e-mails each way) and very helpful exchange with the sysadmins in the passport office proves that some governmental departments are helpful and responsive, and will fix problems when brought to their attention.

      I just wish I could say the same about HMG and the numptys running it. The latter don't have the brain to recognise that a clueless, tech-free bunch like GDS will never do anything except squander money.

  4. shub-internet

    Sue the directors

    Target's failure in the USA has shown the rich that they, personally, are now vulnerable as they can be sued for being inadequate directors (effectively). As a result, one organisation that is a mesh of small & medium networks is having a serious onslaught at the network architecture to make penetration actually difficult, as opposed to a script-kiddy job. The only thing that motivates directors to do something about this is to sue them personally. I can see this up close & personal as the local network crew are on 7x12 hour days at the moment, rebuilding and reworking.

    1. Roo

      Re: Sue the directors

      "I can see this up close & personal as the local network crew are on 7x12 hour days at the moment, rebuilding and reworking."

      ... So the work is being timeboxed to what can be accomplished by tired folks thrashing their way through 84 hour weeks. That probably won't end well. Best of luck with that.

  5. naive

    Security needs to be moved down

    What is perhaps a way to improve security in a more structural manner is moving the concepts of organizing memory, as implemented by 3GLs' data structures, down to the level of hardware. Since the '80s some new languages came into use, but at the machine instruction level most stayed the same: memory is just one large desert of bytes, which can be changed at will. That last feature is abused by hackers; while 3GL programmers cannot address memory directly, the hackers can use x64 machine code.

    If there were instruction set extensions, for example instructions for array manipulation, including bounds checking and protection of the memory used by arrays from alteration by general-purpose machine instructions, the probability of buffer overflows would be reduced as soon as compiler builders start using these instructions in code generation.

    This idea just covers part of the problem, but a closer alignment between data structures widely used in programming languages, and enforced use of specific machine instructions to access and change these data structures on machine language level would probably have prevented a significant percentage of recent security issues. As a side effect, overwriting random parts of memory would be harder, since it would be riddled with protected spaces, which can not be updated by generic memory update instructions. All is written with the idea that plain K&R C is a 2.5GL, offering little protection from programming errors.
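The shape of what naive proposes can be sketched in software: a flat store that knows nothing about where one field ends and the next begins, beside a descriptor that carries the array's bounds and refuses any store that would cross them. This is an added example, not the poster's code; the record layout and the input bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample layout: a fixed-size name buffer followed directly by a
 * privilege flag, the way two fields sit side by side in a flat address space. */
#define NAME_LEN 16
struct record {
    char    name[NAME_LEN];
    uint8_t is_admin;
};

/* What a generic "store bytes at this address" instruction gives you: the copy has
 * no idea where name ends, so excess bytes land on whatever follows it. The copy is
 * confined to the struct so that the demonstration itself stays well defined. */
static void raw_store(struct record *r, size_t off, const uint8_t *src, size_t n)
{
    if (off + n > sizeof *r) return;
    memcpy((uint8_t *)r + off, src, n);
}

/* The proposed alternative: a descriptor that carries the array's bounds, with
 * every store checked against them. A store that would cross the end is refused. */
struct bounded { uint8_t *base; size_t len; };

static int bounded_store(struct bounded a, size_t off, const uint8_t *src, size_t n)
{
    if (off > a.len || n > a.len - off) return 0;   /* trap instead of spilling over */
    memcpy(a.base + off, src, n);
    return 1;
}

/* Constructed input: 17 bytes for a 16-byte field, the 17th being 0x01. */
static void make_input(uint8_t *in) { memset(in, 'A', NAME_LEN); in[NAME_LEN] = 0x01; }

/* Unchecked path: returns the privilege flag after the oversized name is stored. */
int admin_after_raw_store(void)
{
    struct record r; memset(&r, 0, sizeof r);
    uint8_t in[NAME_LEN + 1]; make_input(in);
    raw_store(&r, 0, in, sizeof in);
    return r.is_admin;                               /* 1: the flag was overwritten */
}

/* Checked path: returns 1 when the oversized store was refused and the flag is untouched. */
int checked_store_refused(void)
{
    struct record r; memset(&r, 0, sizeof r);
    uint8_t in[NAME_LEN + 1]; make_input(in);
    struct bounded name = { (uint8_t *)r.name, NAME_LEN };
    int ok = bounded_store(name, 0, in, sizeof in);
    return !ok && r.is_admin == 0;
}

/* A store that fits is still accepted by the checked path. */
int checked_store_fits(void)
{
    struct record r; memset(&r, 0, sizeof r);
    struct bounded name = { (uint8_t *)r.name, NAME_LEN };
    return bounded_store(name, 0, (const uint8_t *)"alice", 6) && strcmp(r.name, "alice") == 0;
}
```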

    1. Anonymous Coward

      Re: Security needs to be moved down

      Security needs to be moved UP (to the design phase), not DOWN (to hardware, where the software people will ignore it).

      Most of the major security issues are not buffer overflows, they are badly configured systems, taped together with untested scripts, and left to rot in cupboards for years without patching. Oh, and users. The fleshies always screw things up if the system lets them.

      Security is a system problem. Stop thinking of it as (only) a coding problem.

      1. LucreLout

        Re: Security needs to be moved down

        @Pete H

        "Stop thinking of it as (only) a coding problem."

        I dearly wish I could make some of my colleagues understand that security IS a coding problem, not just something for the networks guys to fret over. Seriously, I've seen systems broadcast trade data to anything subscribing to them - no security at all, and no comprehension of why that is unprofessional.

        Security is everyone's job. There are no roles in IT, or even using IT, where that is not the case.

    2. Anonymous Coward

      "for example instructions for array manipulation"

      You mean, for example, the "BOUND" instruction introduced by the 80286?

      Often the hardware has protection features that are ignored by system and application software - and sometimes it is the culprit, as in the SMM bug unveiled yesterday. And when the bug is in hardware, it's even more difficult to fix...

  6. Stevie

    Bah!

    "Our jobs?"

  7. Roo

    Bellyaching & refusing to sign the cheques isn't enough on its own.

    "We need to agitate internally within our organizations to stop buying from vendors who don't have a strong public – and practical – commitment to security."

    Techies agitating against shit solutions has always happened, and always will, and I don't think there's any evidence that it has had a significant impact on purchasing habits across the industry at large. At the end of the day, while techies grumble the PHBs are out playing golf with the salesdroids and signing the cheques.

    "We need to stop buying consumer gear from companies that refuse to pay more than lip service to security. We need to show that we will use our wallets with purpose, not merely convenience."

    So you've stopped paying the vendor for crapware, are you going to close your business down while you wait for the vendor to produce something decent - or are you going to run an alternative ? For folks who like to stay in business the only answer is to find an alternative, so these people need viable alternatives, and they need to know they exist if change is going to happen. They also need less FUD in the form of articles telling people that there are no viable alternatives to sticking with the same flawed product lines they already use.

  8. Anonymous Coward

    Problem with security is that it stops people doing what they want to do. To the bosses, you are "that paranoid arsehole who is always trying to spoil our fun". Anything approaching decent security involves sacrifice and changing ways of doing things; which a great many people are not prepared to do. They want the shiny toys; the IoT; the voice-activated personal assistants; and either don't know or don't care what the price is. And by the time the bill presents itself, it's too late.

    You can try to head off the worst of it; but there's just too many flaws; too many ways in. So to others you're the guy who is constantly carping about things that haven't happened yet.

  9. Anonymous Coward

    ...

    Yawn

  10. Anonymous Coward

    That way lie dragons

    First, bravo for your manifesto.

    Second - a warning. I went through the same realization 4 years ago and decided to become an ethical technologist. My mantra was only be excellent, never write code with known defects or that would directly be used to harm others. What followed was a highly entertaining sequence of events involving being arrested, losing my job, becoming homeless and almost starving to death. In the USA.

    Was it Vaclav Havel who said something about he didn't plan on becoming a dissident, it was a byproduct of trying to be excellent?

    1. elDog

      Re: That way lie dragons

      Merlyn, is that you?

      Randal Schwartz was also taken to task by a very large US company (Intel) for trying to improve security within. But that was 20 years ago so some things don't change.

  11. alain williams

    Ethics in business ...

    is, unfortunately, rapidly dying. Make money no matter how - who cares how?

    One other story today is shops in airports telling customers that they needed to see their boarding passes ''for security reasons'' - when the true reason is that if the customer is flying out of the EU then the VAT does not need to be paid to the tax man and the shop pockets the difference.

    Sales assistants were telling the customers fibs. While some of them might not have known the real reason someone did and was happy to have the customers lied to. This is a complete abomination. If they lie on things like this - what else will they lie about ?

  12. Anonymous Coward

    > We can do these things. We should do these things. Even if they cost us our jobs.

    All that will happen is that the situation will get much, much worse as those with the passion and intelligence to stand up are quickly replaced by the immoral, the careless and the stupid.

  13. ecarlseen

    Real geeks roll their own home routers.

    "Hell, when was the last time you, the information technology experts reading this article, bothered to check if you could update your home routers?"

    Well, they run OpenBSD, so yeah, they're upgradable, and whatever few remotely-exploitable flaws exist will be patched post-haste. And they're clustered, so I can do this with zero downtime.

    1. Trevor_Pott

      Re: Real geeks roll their own home routers.

      Well, I use OpenWRT. So that's upgradable. Not everyone is allowed to do this, however. My ISP, for example, usually freaks out if you don't use their shitty Actiontec modem/gateways. I was able to score an appropriate VDSL2 modem-only unit from ebay and put my own router behind it. But what if I had had an Actiontec? I can't really do much to it. I'd be entirely at the mercy of the ISP.

      This is a really bad situation.

    2. P. Lee

      Re: Real geeks roll their own home routers.

      My home router is "end of life" or so Cisco says. And yet, it does ADSL2+ as does my telco. It does all the usual static and dynamic routing. It passes traffic as it always did.

      And yet... no more patches will ever be available for it.

      Why is this allowed? If ADSL was obsolete, I could understand it, but why are companies allowed to abandon products? Sure, Cisco wants to sell me a new one, but I think the mindset of "it's old, it has to be replaced" needs to go. Perhaps if they spent more time refining the software and less time marketing new kit, things might be better. The chips in these systems are pretty standard. I can't help but think that incompatibilities are deliberately created to prevent long life and upgrades, just like in tablets and phones.

      I like dedicated equipment because it tends to be reliable. Putting an ADSL modem in a server always makes me nervous. I suppose what we really need is a nice little switch/router reference platform from ARM or MIPS running a small *BSD or something like that. The only people I've seen doing such things are quite expensive. Maybe Xiaomi or someone like that could help out?

  14. Anonymous Coward

    Easy to bitch about other people's work

    I'm puzzled about your use of "Oracle-class" since, as an independent consultant, you seemingly have no idea just how hard execs in big companies like Oracle have been busting people's balls for the past several years to find and fix security problems. It's easy to sit in your little cube and say "I wouldn't have made that mistake", but it isn't necessarily true. Security is the #1 issue for big IT companies right now. Like it or not, every complex system (even Intel chips) has bugs, and they can't all be fixed in a week.

    Sure, we can debate whether bug bounties are useful or not, Dilbert covered that 20 years ago: http://www.dilbert.com/strips/comic/1995-11-13/ , but suggesting that it implies a lack of interest in security is nonsense. When you have a backlog of CVSS 10 bugs to fix already, having some bright spark pop up with "I've found another, give me $10K or I'll publish next week" doesn't exactly help.

    As other posters above have noted, the way people use software (rubbish passwords, never configuring encryption, clicking on unsafe email) is at least as big a problem. A knee jerk reaction of "I found a bug, line the bastards who wrote this up against the wall" isn't going to help.

    Teaching users about security is a thankless, uphill task. We all know that the $10 router on eBay is probably insecure, but I'll guarantee you that if you put another secure one up at $40 many people would still buy the $10 one, just because it's cheaper.

    1. Trevor_Pott

      Re: Easy to bitch about other people's work

      Who is asking they be fixed "in a week"? The issue is taking information security seriously and doing everything reasonably possible to ensure that it not be given lip service only. For a company Oracle's size, that absolutely includes bug bounties.

      But bug bounties aren't the real issue. The Oracle-class stupidity is bemoaning user and researcher attempts to discover bugs in the first place. The concept that a company's need to protect its intellectual property and/or near-monopoly with an EULA should come before security is not only asinine, it is dangerous.

      Oracle has been pretty clear about putting security far behind commercial interests for a very long time now. This lady has just been the first to be honest about it. And they threw her under the yacht for doing so!

      If your software is so awful that you have a "line of CVEs to fix" then you should be out there, fixing those. They shouldn't stay unfixed for ages. And you shouldn't be objecting to people adding new ones to the list.

      More to the point, you should have layers of QA, proper unit tests and proper security testing before things go out, so that the number of CVEs starts dropping over time.

      I don't expect any company to magically solve all security problems over night. I don't expect all code to be without flaw. I absolutely do expect companies - especially large ones - to make security the primary priority. Ahead of new features. Ahead of release dates. Ahead of any other priority in their software.

      Corporate profit should not come before information security, especially for vendors as large (and profitable) as Oracle. The hell of it is that it doesn't take a whole lot of investment to resolve this. For a company Oracle's size adding a few hundred extra bodies to security testing design and then to QA (those who implement the tests) and drawing out releases a little so that the bugs can be solved before going out...that's nothing.

      And throwing a few measly million at the research community to find bugs in your software is a minor expense for an Oracle. Especially since the stuff the researchers find is going to be the same stuff so easily visible to blackhats using those very same techniques.

      Nobody should get to avoid responsibility for security just because they believe they have a $deity-given right to ignore security in the quest for money.

      1. Anonymous Coward

        Re: Easy to bitch about other people's work

        But you forget the IT people don't have influence over the accountants. The accountants have to handle the budgets and are under fiduciary duty to minimize costs. And accountants can take a look at fines and figure them to be less even accounting for the lawyers to negotiate the fines down than replacing anything. Plus the executives can grease palms in the legislatures. For them, shirking responsibility and making governments look the other way with overwhelming influence is cheaper than doing things right. And since you can't directly pin DEATHS to IT the way you can with cars, planes, factories, and so on (which is why they're regulated and IT is not), there's little public real outcry to change things. Fortunes and identities can be rebuilt, so they don't draw as much ire. You MUST threaten the one irreplaceable thing—life—to get any real righteous indignation.

        1. Trevor_Pott

          Re: Easy to bitch about other people's work

          Bad IT in a car can indeed kill people.

          Bad IT in planes has killed people.

          Bad IT in medical equipment has killed people.

          Bad IT in AI-equipped auto-death weapons inevitably will kill people.

          And on and on and on....

          1. Charles 9

            Re: Easy to bitch about other people's work

            But in each and every one of those scenarios, there's something between the IT and the life involved. Since IT is mostly nonphysical, it's hard to DIRECTLY pin the blame on the IT to the point the average joe has no recourse but to blame it and nothing in between.

      2. LucreLout

        Re: Easy to bitch about other people's work

        @Potty

        I absolutely do expect companies - especially large ones - to make security the primary priority. Ahead of new features. Ahead of release dates. Ahead of any other priority in their software.

        The primary priority of companies is profit. It will always be so, because as soon as it isn't, your competitor eats your lunch and you go home empty handed. I can understand why you, and many Reg readers don't like that view. I don't like it either. But that is how the world is, and it'll not be changing for a very long time.

        You speak of Oracle... Less than half its dot com peak price, and only now regaining its stock price of 16 years ago. Oracle is a company in trouble. MariaDB is eating its bottom end and Hadoop/MongoDB are coming for its top end. Java needs billions pouring into it annually over the next decade to fend off Microsoft's open sourcing of dot net and its porting to Linux. It's very easy to say the shareholders need to get less, but investors are not emotional about stocks - they stack up as the best investment, or they don't.

        Corporate profit should not come before information security

        Perhaps, but it always will. There is a balance to be struck, where data breaches cost revenue, and so profit, but that must come from consumers, not regulators or legislators.

        The way to engender change is to own what you can own, and change what you can change. Encourage others to see the error of their ways, sure, but you've used words like "expect". You need to adjust your expectations, because they're not realistic, which is why you're getting frustrated.

        Nobody should get to avoid responsibility for security just because they believe they have a $deity-given right to ignore security in the quest for money.

        Do you think people care? Normal people, not us. Do any of them ever stop to think what information they're entering into Farcebook, or what they're blathering about on tw@tter? Unless you can convince the masses that privacy is better than 'fame' (xfactor's brothers got talent style) then you'll never make them understand - you place a higher priority on the security of their information than they themselves do.

        Bad as things are now, they will get worse when the millennials end up running things, because they've grown up just mindlessly handing over data to be farmed, in return for doodads and trivial improvements to convenience.

        1. This post has been deleted by its author

  15. Anonymous Coward

    Quit your job...

    ... and they will immediately hire someone who will do what you refused to do, and usually worse. Did you check how many of your colleagues really understand security, and its broader implications on everybody's life?

    Sometimes the only resistance is to work "secretly" behind the lines and fight for security, even if it means slipping it into products and services without management approval for funds. Especially if the projects are your own, and not just someone else's pushed down your throat. Meanwhile "evangelizing" about true security, although many won't listen - until they get hit. If you are able, slowly you can get rid of the worst ones, and keep the right ones.

    Meanwhile, look for a new, better job if you can find one. Because, as an Italian proverb says, "he cut his own testicles to upset his wife" - it is not usually a good line of action. Sometimes waiting for some corpse coming down the river is funny. Just ensure the corpse is not yours, and no one could blame you for the murder. Cynic? Maybe. But is emulating Don Quixote clever? Sometimes people learn only when their buttocks get aflame, and it may take some time.

  16. BrowserUk

    Your vehement invective is pointless; there is only one fix for this malaise...

    The abolition of the 'generic disclaimer'.

    You know, that piece of boiler-plate prose you have to dismiss every time you download or install or buy a piece of software that reads something along the lines of:

    You agree to use this software at your own risk and indemnify all those who had a hand in creating it against any responsibility whatsoever; regardless of whether it causes:

    - the loss of your data;

    - the destruction of your business;

    - the loss of your identity;

    - the emptying of your bank account;

    - the raping of your wives, mothers or daughters;

    - the enslavement of the free world;

    - or the total destruction of life as we know it;

    A car manufacturer cannot disclaim responsibility for the deaths caused by its products; even if they are being grossly misused.

    An airline will still be held responsible for the deaths of those involved in a crash of one of its flights; even if it was caused by an idiot who packed volatile substances in their checked baggage.

    Doctors are held responsible for deaths under their care even when they have striven their utmost to save the charges against impossible odds.

    If programmers, information technology companies and software houses are ever to be considered 'professional organisations'; they have to start taking responsibility for their works.

    Yes. That means software will have to start costing again, rather than being given away for free; and it means we will have to start training programmers and analysts again, and ascribing them professional qualifications, and rejecting and discarding those that do not measure up!

    Yes, it will be painful; but while it is more lucrative for the 1% of truly gifted programmers to hack than it is for them to work for legitimate enterprise; the black hats will beat the white hats at every turn.

    And the cause? The FSF, and OSS. Whilst Richard Stallman can not just exist; but live a lucrative and privileged lifestyle whilst commanding exorbitant fees on the international after-dinner speaker circuit; 97% of those contributing long hours in their evenings and weekends -- having completed a long and underpaid day job -- to OSS; are burning themselves out to produce the flawed and endlessly forked OSS products that allow Richard Stallman to live the high life.

    If you want to understand what happens when creative works are distributed for free; ask a journalist; or a musician.

    If you are a programmer; and you've bought in to Richard Stallman's sales pitch; YOU ARE AN IDIOT! And in the process of exhibiting your idiocy; you screwed the rest of us out of a decent living.

    Thanks! For nothing!

    1. Roo

      Re: Your vehement invective is pointless; there is only one fix for this malaise...

      "And the cause? The FSF, and OSS."

      That doesn't make sense because payware from multibillion dollar companies is routinely shipped with serious vulnerabilities, people choose to pay them good money for it too, and that was the case before Stallman escaped the lab and started banging lecterns for a living.

    2. Destroy All Monsters Silver badge

      Re: Your vehement invective is pointless; there is only one fix for this malaise...

      And the cause? The FSF, and OSS. Whilst Richard Stallman can not just exist; but live a lucrative and privileged lifestyle whilst commanding exorbitant fees on the international after-dinner speaker circuit; 97% of those contributing long hours in their evenings and weekends -- having completed a long and underpaid day job -- to OSS; are burning themselves out to produce the flawed and endlessly forked OSS products that allow Richard Stallman to live the high life.

      Thank you fucking arsehole for dismissing work that may be done for fun and learning and not necessarily for profit (though some OSS work IS done for profit) and reducing it to the catchy "you are performing unpaid work for Stallman" meme. Congrats. You are the cancer.

      If you want to understand what happens when creative works are distributed for free; ask a journalist; or a musician.

      Journalists and musicians are not working for free (well, sometimes they are, same thing really). They may be working in a branch that rewards mediocrity, works on a bad model or in which it is hard to make a living, but that is another problem entirely.

      No-one forces you to use OSS of any quality level whatsoever. You are free to shell out maximum dollar for any software you like, for a quality level you can set. Only getting Windows from a company that has golden teeth of the X-Box kid but that disclaims responsibility in an EULA? Tough. Then order bespoke. Not enough money? Sucks to be you.

      Now Fuck Off And Die in an Orlowski thread.

      1. Paul Kinsler

        Re: Now Fuck Off And Die in an Orlowski thread.

        Ah! a FOADIOT :-)

    3. Dan 55 Silver badge

      Re: Your vehement invective is pointless; there is only one fix for this malaise...

      Because keeping Larry in yachts and SadNad in... whatever it is he likes is so much better...

    4. fajensen

      Re: Your vehement invective is pointless; there is only one fix for this malaise...

      you screwed the rest of us out of a decent living.

      Well, obviously you deserve whatever screwing you get!

      PS:

      You were actually doing OK up to: "And the cause? The FSF, and OSS."

  17. LucreLout

    Be careful out there kids....

    @Potty

    We can refuse to work on projects that, based on our professional opinions and experience are security problems waiting to happen.

    Systems administrators can refuse to install hardware and software that they know can't be defended.

    Sure, if you like being fired for insubordination. Yes, I was actually threatened with that where I work for refusing to do something my then tool of a manager wanted done but which wasn't actually possible.

    I agree with the sentiment, taking the action you can take, fixing what you can fix. But if there's any yoot out there reading this, and they work for a large corporate, what you've advocated could very easily see them fired. IIRC you're self employed, so this is less of a concern to you, but large companies just don't work like you're suggesting, and they haven't for the 20 odd years I've been playing the game.

    1. Trevor_Pott Gold badge

      Re: Be careful out there kids....

      You're absolutely correct. It can get you fired. So you have to make the choice: do you care only about yourself? Or do you have a responsibility to others? I argue that we all have a responsibility to others not to let companies ignore security. Even if it costs us our jobs.

      If we were able to make professional ethics a legal requirement for our professions they wouldn't be able to fill those positions with people willing to break with ethics for corporate profit. Not if they wanted to be allowed to keep practicing, anyways.

      A combination of legislation and a unified stance is required for this to work.

      1. Anonymous Coward

        Re: Be careful out there kids....

        Sorry, but my first responsibility is to my dearest ones. And if being fired puts their lives at risk, I have to consider that first.

        I once worked for a company where someone asked for something unethical - and probably unlawful - and I refused. Because between being fired, and being jailed if something went wrong, the former was not the worst outcome. Also, I like to be honest <G>, and there is of course a clear boundary I will never trespass.

        Asking for full written and signed permission to perform what I was asked helped to avoid it, without being fired. Sometimes people, when faced with having to bear full responsibility, change their minds quickly.

        I know I have a big responsibility when designing and implementing applications and systems. Security requirements are a big part of any planning of mine. Even - and especially - when nobody asks for them. And I ensure there's time and budget to implement them.

        Then there are boundaries to what I can do. If a sysadmin deploys my applications in his or her lame network, or my applications have to talk to a customer's Oracle database I have no control over, all I can do is assess and report security risks - and then nail them if something goes wrong. I *always* raise my concerns and document them; some listen, others don't. Nobody can say they didn't know. Then, if someone has to be fired, I prefer it not to be me.

        The real problem is that lack of proper security is still perceived as neither unethical nor a mistake. Something that in other industries would not be accepted is OK in IT. We probably need a large scale disaster, like Seveso in Europe that led to the EU Seveso Directive for chemical plant safety (and it was far smaller than Bhopal, which happened later), impacting people far more than anything that has happened till now. Even Sony and OPM are not big enough yet. Sadly, some people learn only in the face of a true disaster.

        Meanwhile, what we could do is try to avoid such a disaster happening, because even if I moved away, I would feel responsible for having let it happen, while maybe I could have avoided it somehow, or contained it.

        1. Charles 9

          Re: Be careful out there kids....

          "We probably need a large scale disaster, like Seveso in Europe that led to the EU Seveso Directive for chemical plant safety"

          People won't pay attention until their lives are in danger. Think of all the regulations that are in place in other industries. Nearly all of them came about because someone DIED or was SERIOUSLY HURT as a result. It's about the only motivator that matters. But since IT deals primarily with virtual, non-physical matters, it's going to take something truly extraordinary to pin IT on a death.

          1. Trevor_Pott Gold badge

            Re: Be careful out there kids....

            You mean something like this?

            1. Charles 9

              Re: Be careful out there kids....

              "You mean something like this?"

              Even that's going to be shaky. See, with IT you're mostly dealing with virtual, non-physical things. There's always at least one degree of separation between IT and your life. In this case, faulty compilation, not a flaw in the code itself, was the primary problem. It could also be one of a hundred other things between the code and the life that proves the linchpin. Yet it has to be that DIRECT connection that will make people pay direct attention to the actual code enough to make it matter.

            2. Anonymous Coward

              Re: Be careful out there kids....

              No, because it was a test flight, and when you're a test pilot you can die, can't you? After all tests are there to fix issues, aren't they?

              When a commercial A380 full of passengers crashes onto a school because the FADEC had a security issue, maybe something will happen.

          2. Anonymous Coward

            Re: Be careful out there kids....

            Nearly all of them came about because someone DIED or was SERIOUSLY HURT as a result.

            ... And then I suspect this is mostly only because Trains, Automobiles, Planes, Boats, Electricity were first adopted by 1%'ers -> Rich People dying; That's always a problem that must be solved, brown people or poor people buying it - not so much, that is the expected outcome.

            If meaningful change is to happen, bad things must first begin to happen within the C-segment and their beholden Politicians; so, Every Little Hack Helps ;-)

        2. Trevor_Pott Gold badge

          Re: Be careful out there kids....

          @AC Well, at least you're honest. That's not really much of a consolation, but there is that one, small redeeming quality.

          1. Anonymous Coward

            Re: Be careful out there kids....

            Mr. Pott, if quitting your job just means risks grow even bigger, how do you feel? Or once you've quit your job knowing it will only get worse, is it just "who cares if somebody dies, after all it's no longer a responsibility of mine"?

            Sure, if you're some highly visible individual whose quitting would be noticed, sure, it could work.

            If some unknown sysadmins quit, or developers, who would notice? Unless you go for the even much riskier option of causing yourself big - but not lethal - damage, and then hoping someone else will still hire you after that...

            Otherwise the only way would be to "unionize" - but again, without obtaining consensus from peers, how could you make it work? Security is an issue not just because of "evil management", but also because too many sysadmins and developers still don't care about it at all, or enough.

            How do you plan to bring them on your side? Quitting? They will just be thankful the whiner went away, so they can work as they like. Sure, they may still complain that they now have to do the work you did, and thereby will do it the simplest - and insecure - way they can find.

            Meanwhile, the HR person interviewing you will ask, frowning, "you have changed job n times this year, why can't you keep one?" Do you believe answering "I quit each of them because my colleagues/managers were morons who didn't care about IT security" will help you?

            1. Trevor_Pott Gold badge

              Re: Be careful out there kids....

              @AC: If they won't listen to you and implement security as a priority then there's fuck all you can do. Being there won't give you power to magically make it better. Leaving - especially if the why of it is explained to the right people - may well make them realize the importance of security. Especially if enough do it.

              As for "If some unknown sysadmins quit, or developers, who would notice?" that depends on who finds out. As a general rule, if you're good at your job, people internal to the company notice. And if enough people (or high-ranking people) leave a company for this reason the press notices. And this is what is ultimately required.

              They will just thank the whiner went away, so they could work as they like

              If this is the kind of attitude that not only your company but your peers within that company have then you are in a really shitty workplace. If they view you as a "whiner" for having professional ethics what makes you think that their apathy about corporate or professional duty of care will somehow end at treating the customer like a commodity? If they treat others like shit they are going to treat you like shit and you need to get the hell out of there ASAP.

              Do you believe answering "I quitted each of them because my colleagues/managers were morons who didn't care about IT security" will help you?

              Hell yes it would, at any place that's actually worth my time and effort.

              1. Anonymous Coward

                Re: Be careful out there kids....

                I see you just replied to some issue I pointed out, and not all, anyway:

                "implement security as a priority": any business priority is always to make money. You will never gain approval for better security unless you show it brings in more money, and/or avoids losses - even regulations are sometimes not enough, as often they are more bureaucratic processes than anything else, yet you can leverage them to your own advantage.

                Very few businesses are run by truly ethical people. Most executives are promoted because they bring in more money, not because they are ethical people.

                "As a general rule, if you're good at your job, people internal to the company notice": good luck, if you work for a large company and IT is not the main business. Those who will notice are not those who can change things. And they won't quit following you except in rare cases. The higher their rank, the lower the probability they will follow you, unless they see a real risk for their own career - or they are one of the rare ethical people around.

                "If this is the kind of attitude that not only your company but your peers within that company have then you are in a really shitty workplace": I asked you how many of your peers are really aware of security's broad implications. You didn't answer. I still see too many who are still focused only on making things work quickly, not making them work in a secure way. Many people do a job only to bring money home, and don't like to spend time re-learning how to do it. Do CS courses teach programming better today? From what I can see, they don't. So it's up to you to add the missing pieces, and it's not always easy.

                It takes time to change a mindset, and simply quitting won't help. I've been able to change some people's attitude, while others are beyond hope, and I really hope one day they'll learn the hard way.

                "Hell yes it would": again, good luck. Most will only think you're someone who can't play well with others, and just causes trouble. You know you're right, the HR drone in front of you won't. Her psychology degree will tell her you're a troublemaker, not an ethical sysadmin. Maybe some small company or startup could be curious enough to try, most other businesses will go for the complacent drone...

                I wish you to find your little heaven, a community of wholly ethical developers and sysadmins; my experience tells me there are better companies and worse ones - never perfect, and quitting doesn't always offer you a better place, even if it may look so in the beginning. While forcing changes may take time.

      2. Vic

        Re: Be careful out there kids....

        A combination of legislation and a unified stance is required for this to work.

        But you're simply not going to get a "unified stance". We who care are a tiny minority.

        Some years back, I was doing support for local businesses. And time after time after time, I ended up sorting out the mess some kiddie had made. They got him in because he was prepared to install any software they wanted for free; I was insisting on everything being licenced properly. And they probably spent more cash fixing the malware that came with his "Warez" than they would have spent on a proper licence. But no-one cares.

        Vic.

    2. Anonymous Coward

      Re: Be careful out there kids....

      "Sure, if you like being fired for insubordination. Yes, I was actually threatened with that where I work for refusing to do something my then tool of a manager wanted done but which wasn't actually possible."

      Was there someone above him you could go to, or perhaps inform him that trying to comply could mean bringing in the legal department or the like?

      1. Vic

        Re: Be careful out there kids....

        perhaps inform him that trying to comply could mean bringing in the legal department or the like?

        Doesn't work.

        In my last job, the product was high-value capital equipment. And the bulk of the software inside it was unlawfully copied - "pirated", in the vernacular. I raised this several times - including escalating it to the legal department - to no avail; they just didn't care.

        I no longer work there. This event was one of the reasons for that.

        Vic.

    3. Pookietoo

      Re: Sure, if you like being fired for insubordination

      Maybe give notice that what you've been asked to do is inadvisable or overly difficult, and get the relevant manager to sign off on it? That might be just as bad as refusing to do whatever - I've been sacked for "bad attitude" despite having done nothing wrong.

    4. Vic

      Re: Be careful out there kids....

      Yes, I was actually threatened with that where I work for refusing to do something my then tool of a manager wanted done but which wasn't actually possible.

      I was threatened with a disciplinary because I refused to give my manager the root passwords to a set of production machines that were owned by a completely different group[1].

      Vic.

      [1] I'd done some work for them beforehand, and they hadn't changed the root passwords yet. He thought he should be able to log into these machines on a whim...

    5. Roo

      Re: Be careful out there kids....

      "Sure, if you like being fired for insubordination. Yes, I was actually threatened with that where I work for refusing to do something my then tool of a manager wanted done but which wasn't actually possible."

      I've got a story with a slightly happier ending (for me at least).

      On my first job after graduating I was offered the opportunity of working a weekend with no pay or time in lieu on a hack intended to defy the laws of physics and common sense. The customer had already said that option wouldn't work, I agreed with the customer's assessment, so I refused. I had to refuse quite a few more times until the manager accepted that shouting at me was going nowhere.

      Happily I didn't get fired, but I am pretty sure I would have been fired if I wasn't 50% of the coders who could use a C compiler. Since then I have turned down a number of immoral/dubious/questionable requests, but in each case I've been careful to nip it in the bud as early as possible so that the requester is disappointed rather than angry.

  18. Anonymous Coward

    Profession bodies

    Having in a previous career in accounting had to refuse to do something on more than one occasion, I agree that the importance of professional bodies and their impact on driving ethical behaviour and standards shouldn't be overlooked.

  19. Dan 55 Silver badge

    Nice idea

    But if you are consistently taking longer to produce work than the time allotted because you're doing work which wasn't asked for, you've got a problem.

    You can go into all the whys and wherefores but if they don't want it done the only thing you can do is take it to his boss and get fired for your trouble.

    What's left apart from professional associations, unionising? Good luck with that, organising programmers is like herding cats.

    1. Trevor_Pott Gold badge

      Re: Nice idea

      So..fuck the customer, the population at large and everyone, everywhere, only you and your job matter?

      Sorry, but this one is actually worth fighting for. And it is worth organizing professional associations for. And worth putting time and effort into.

      Or maybe you just want to wait until the price of individual selfishness and cowardice on behalf of developers is measured in bodies. How many people's lives is your job worth? Hmm? How many injuries and maimings does it take before you exit your comfort zone? How many people need to face financial ruination before you speak out?

      Or do you somehow think that, because you're "just following orders" you aren't to blame? That it's only the fault of the higher-ups who pushed back on you over and over to get it done quicker, and you folded like a cheap tent every time?

      Do you feel you bear no responsibility whatsoever for the results of your work?

      1. Charles 9

        Re: Nice idea

        "Or maybe you just want to wait until the price of individual selfishness and cowardice on behalf of developers is measured in bodies."

        About the only way you'll make people care is when you can directly pin security faults and so on to people dying. That's what it took to mandate seatbelts and airbags, recall cars with explosive gas tanks and ground faulty airplanes. Nothing less will do.

      2. Pookietoo

        Re: you're "just following orders"

        Don't mention the ... er ... you know ... thing.

      3. Dan 55 Silver badge

        Re: Nice idea

        I do feel I have professional responsibility for the quality of my work and I am unhappy when it is not as good as it can be, but my higher ups don't, or rarely, bear any responsibility for the overall quality of the project. Costs will overrun, features will be missing, time will be short, security will be an afterthought. Until they do, nothing us serfs do will have any effect.

        It's also very difficult to prove that extra effort has avoided deaths. After all, even though the uConnect thing was bad the auto industry is notorious for weighing fines and insurance payments against redesigning a car. Industry practices like that are why we are ignored and told to get back to the keyboard.

        We can all rant and get angry but we all have to put food on the table and there's more where we come from. Individually we can do nothing apart from say something and be ignored or say a lot and be fired for being a troublemaker. Walking out of job after job becomes unsustainable.

        Why are we not the experts of the work we do in the same way that architects, scientists, doctors, or engineers are? Perhaps that might be the first question worth answering.

        1. Trevor_Pott Gold badge

          Re: Nice idea

          I think I did answer it: because, apparently, IT is filled with people perfectly willing to put their own desires before the lives of others. Just shrug off any responsibility. You're just following orders.

          Nice.

          1. Charles 9

            Re: Nice idea

            If "Following Orders" is the only way to put food on the table, ethics kind of takes second priority.

            1. Trevor_Pott Gold badge

              Re: Nice idea

              If "Following Orders" is the only way to put food on the table, ethics kind of takes second priority.

              That worldview is fucking appalling. Jesus H mother of goddamned donkeyfucking christ, what the hell happened to us that we've forgotten so much, so fast?

              Holy wow. Just wow.

              1. Charles 9

                Re: Nice idea

                "That worldview is fucking appalling."

                It's also the only one THAT ACTUALLY WORKS. Welcome to Reality. Why else has no other beast on Earth tried what we're doing?

                "Jesus H mother of goddamned donkeyfucking christ, what the hell happened to us that we've forgotten so much, so fast?"

                We've come to the realization that, in the final analysis, it's every man for himself. Nice guys finish last, and if you don't pass on to the next generation, you might as well be whizzing in the wind...

                1. Trevor_Pott Gold badge

                  Re: Nice idea

                  @charles 9: plenty of other professions have codes of conduct, ethical standards and we have legislation to enforce this.

                  It's only every man for himself in really shitty parts of the world, mate. Like Somalia. Or the US of NSA. In much of the rest of the world - the good parts of the world - people are raised with a belief in a duty of care to their society.

                  But I've noted your Randian worldview and made the appropriate push of the ignore button. Good bye.

              2. fajensen

                Re: Nice idea

                what the hell happened to us that we've forgotten so much, so fast?

                Neoliberalism and Globalisation, that's what happened - and is still happening!

                In fact, you making the resolution of this problem a Personal Issue, that must be solved by Individual Action & Personal Responsibility ... and not by The State - which actually has the power to Legislate and Enforce professional standards - just shows that Neo-liberalist thinking has been fully internalised and is indeed working as intended: The little fragments of sentient protein can rant & rave all they like against the machine; it's just Brownian motion that will achieve Nothing!

          2. Dan 55 Silver badge

            Re: Nice idea

            Look, I completely understand where you're coming from, but you have to overcome people's basic human drive to provide for themselves and their own above all else.

            The system is stacked against individuals. Would you be prepared to invest time and money to set up the Canadian Association of IT Dudes Sticking it to The Man? There is a high chance of failure and a high chance the system spitting you up and chewing you out to teach the others a lesson. Everyone here knows this, which is why they haven't done it.

            1. Trevor_Pott Gold badge

              Re: Nice idea

              Canada already has a professional association for IT. I am working for increased legal recognition.

      4. Anonymous Coward
        Anonymous Coward

        Re: Nice idea

        You think it is easy to get a job?

        The fellow who posted about not allowing adhesion contracts to disclaim all responsibility hit the nail, though liability law is a bit more obfuscated than that, especially in the US.

        No, if we are working for someone else, they are the ones at fault. They are the ones who need to take responsibility. They are the ones who need to pay. They are the ones who need regulation and laws.

        As far as professional organizations are concerned, they have some real problems, especially in the infosec area.

        o Many of the best hackers don't have the personality to deal with the inevitable cabalization. And there will be cabal. Remember when the infowar guy advocated hiring the autistic?

        o Best practices aren't.

        o The practical tech outruns any theory or best practices, if there could be any.

        o Wide attack modalities. Script kiddies, insiders, states, paranoid geniuses, cooperative actors (like the insiders/hackers stock trading in the news right now), bots, social engineering... we haven't even seen the worst of very patient distributive attacks yet.

        o Unpredictable motivations of attackers.

        o Unpredictable motivations of defenders.

        And that's just off the top of my head. There are others smarter than me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Nice idea

      "But if you are consistently taking longer to produce work than the time allotted because you're doing work which wasn't asked for, you've got a problem."

      Sometimes you need to beat them at their own game. Sure, you don't have to go over schedule or budget - at least no more over schedule and budget than the average project <G>. So you have to learn how to slip in those costs and time. It's feasible, even if not easy. And you may need some allies.

      Also, you may never be rewarded for that - but by your own conscience.

      Anyway, if you design and implement security from the start, it is usually cheaper than trying to retrofit it later - and that's another reason someone prefers to wait and then earn even more money...

      1. Anonymous Coward
        Anonymous Coward

        Re: Nice idea

        "Anyway, if you design and implement security from start, is usually cheaper than trying to retrofit it later - and that's another reason someone prefers to wait and then earn even more money..."

        Nah, usually taking your chances and using your lawyers to pare down the fines and your lobbyists to keep fines from going up is cheaper than doing it right from the start: it's The Cost of Doing Business. Otherwise, they wouldn't be doing it that way due to fiduciary duty.

  20. lucki bstard

    @Trevor - I agree with the principle but the reality is that it will not work. Even a corporation being sued for data loss doesn't really help (the corporation is owned by a holding company that has the money, sue the corporation and you may win, but there is no money to pay out).

    To make the changes would need a general awareness of technology that just doesn't exist and for people to care, and quite frankly they don't.

    Maybe it's signs of big government combined with population density with access to 'big data', I don't know. But I do know that you'll never stop it, and if you work for a company that sees their bottom line affected by it, then you'll be out of that place so quick your head will spin.

    1. Trevor_Pott Gold badge

      I disagree. Legislation to make information security failures the responsibility of the executive layer personally would stop this almost overnight. The other alternative would be legal recognition of professional associations and banning individuals from working in the field who weren't members. Those associations would then boot out anyone who didn't follow ethical guidelines.

      Engineering in civilized countries functions this way. It's time to apply this to development, and IT in general.

      1. Charles 9

        "Engineering in civilized countries functions this way. It's time to apply this to development, and IT in general."

        But in really civilized countries, the executives have the legislature's ear with carrots and sticks, blocking such efforts. What then?

        1. Trevor_Pott Gold badge

          That's not a civilized country. That's a shithole.

          1. Dan 55 Silver badge

            How could you get a bunch of nerds to lobby the government and be taken seriously? It's a tough question.

          2. Charles 9

            A civilized shithole, and the inevitable result of civilization if history is any indication.

            1. Trevor_Pott Gold badge

              We'll have to agree to disagree, Charles 9; I don't consider shitholes particularly civilized. I mean, look at the US of NSA...

              1. Charles 9

                And I disagree on the disagree. It's happening EVERYWHERE; you just don't see enough of it on your side yet, but it HAS happened, it IS happening, and it WILL happen, inevitably, to every civilization you see. Yours just may not be that far along, but it will be soon enough.

                1. Trevor_Pott Gold badge

                  Just because the US of NSA has allowed itself to deteriorate doesn't make it civilized. It's not. It's a shithole. An uncivilized shithole that is losing any shred of decency it may once have had.

                  If my country follows, it too won't be fit to call civilized either. Civilizations work collaboratively for the good of their people. The US of NSA gave that up some time ago. As is very clearly evidenced by the unrepentant - even proud - selfishness of some of the commentards here.

                  I've never been more disappointed in humanity than I am today.

                  1. Charles 9

                    "If my country follows, it too won't be fit to call civilized either."

                    So what happens when ALL the countries fall down the slippery slope? Are you willing to say then that civilization as a whole is a failed experiment against the baser instincts of humanity?

                  2. Hollerith 1

                    Civilisations?

                    Trevor, I don't think history will bear the message that civilisations work collaboratively for the good of their people. Civilisations such as the Assyrians and the Greco-Roman civilisation and the Mayan civilisation were not good places to live in if you were, say, a slave, poor, etc.

                    What I agree with is that sometimes people have to take a stand. The dissidents in Communist Czechoslovakia, the dissidents in Russia and PR of China today, and I would include Snowden and others who deliberately seek ways to expose and therefore (they hope) stop evil.

                    To stand up, at personal cost, to be counted, to say 'the shit stops here' is to be a hero.

                    We in the west have had it good for so long that I doubt we'd recognise a barricade if we saw one.

                    I salute you, Mr Potts.

                    1. Trevor_Pott Gold badge

                      Re: Civilisations?

                      Civilisations such as the Assyrians and the Greco-Roman civilisation and the Mayan civilisation were not good places to live in if you were, say, a slave, poor, etc

                      First off, it's worth noting the difference between "citizen" and "not citizen" in these cultures. Even the poor were treated a heck of a lot better than any non-citizen. And, to be perfectly frank, for a lot of the existence of those cultures non-citizens did okay. Not great, but far - far - better than non-citizens in contemporary cultures.

                      But the cultures you mentioned existed for long periods of time. How people were treated varied. And towards the end of each civilization we see the treatment of people at large degenerating. Slaves are treated more harshly. The poor are treated as non-citizens. Eventually, only the very rich seem to enjoy any rights at all.

                      Empires have fallen because when conquerors came they found an eager fifth column in an oppressed populace. That is where civilizations end. Hence, in my analysis, a culture is no longer "civilized" when the populace becomes so stratified that the majority are oppressed enough to actively work against the culture as a whole.

                      Those who pay history no mind will repeat its most egregious errors.

                      1. Charles 9

                        Re: Civilisations?

                        But did any of those past civilizations have the power we have today, where a chosen few, if the need arose, could easily eradicate a few million people without much in the way of outside assistance? How would the oppressed masses feel if even their combined might were no match for, say, a nuke in their backyard? Even worse, what if these oppressors felt, in the final analysis, if they couldn't win, then MAD would be considered preferable to ceding power (Death Before Dishonor)?

        2. Fatman

          RE: In civilized countries

          <quote>But in really civilized countries, the executives have the legislature's ear with carrots and sticks suitcases of campaign contributions, blocking such efforts. What then?</quote>

          FTFY!!!

          1. Charles 9

            Re: RE: In civilized countries

            "suitcases of campaign contributions" - BZZZT!

            You broke what wasn't broken. That's just the carrot. You forgot the stick of, "Do what we demand or we'll take our business (and our taxes) someplace friendlier to us!" How else do you think oil companies can get such generous tax terms except because 10% of something is better than 100% of nothing?

      2. Anonymous Coward
        Anonymous Coward

        Look at what it took to ban Enron-like ways of doing business... also, other professions started to be regulated only when it became understood that the risks killed people and could be easily avoided - not before. Maybe IoT and smart cities will help us - but someone will surely say "regulations kill innovation!" (wait for Worstall to read your article!) while really thinking "regulations kill easy money!".

        Moreover, "certified professionals" will cost more, and nobody today wants to kill the cheap chicken of the golden eggs. In some ways, IT system and software engineering is still a "labour intensive" industry - you need a lot of hands on the keyboards. You can harvest a lot of money as long as you keep that cost low enough - and maybe off-shore it somewhere, especially where people don't ask questions as long as you pay them, and replacements can be easily found, among a billion or so...

      3. Anonymous Coward
        Anonymous Coward

        I still have to see, for example, a physicians' association boot associates who don't follow ethical standards, unless - maybe - under big public outrage. For example, the whole pharma business is very, very far from following true ethical standards - it's all about making a lot of money and keeping risks under control - even if some people die, and relatives can be kept silent with some of the money.

  21. MissingSecurity

    Hence my username ...

    We seem to spend a lot of time playing a chess game of responsibility in infosec. This is definitely an executive level fight, and if I get there I'll have no issue fighting it, but since I can merely point it out, I play the cover my ass so I can play the "I told you so" card.

    1. Fatman
      Joke

      Re: Hence my username ...

      <quote>I play the cover my ass so I can play the "I told you so" card.</quote>

      I hope that you have used some 25 mm steel plate in that ass covering.

  22. tfoale

    Corporate liability

    While I applaud the sentiment, there will always be someone willing to forget their professional ethics in exchange for dollars. The only way to change the game is to make business leaders personally responsible for the damage caused by their lack of diligence - and making it stick. Then they will be chasing YOU to make sure that their bonuses are safe. Managers making bad decisions that affect security should be exposed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Corporate liability

      But part of the job of management is to deflect responsibility. It's an unwritten, unspoken part of the job description. Otherwise, they would never have taken up the position in the first place. That's why powerful executives have learned to keep legislators on call. When you can keep the ultimate makers of the law under control, there's nothing to stop you.

  23. MarkSitkowski

    It can't happen to us...

    Brilliant article, expressing what I've been saying for years.

    My view is kind of biased, since I'm in the security business but, from what I've seen of the attitude of decision-makers in financial institutions, they have everything in common with the guy who jumped off the top of the Empire State Building. As he passed each floor, people heard him say, "so far, so good..."

    The worst part, however, is that the guy was told by a False Prophet that he would never reach the ground. A couple of years ago, when the FBI was deciding on an authentication system, I wrote to them to warn them against biometrics (the data is digitised, it's just username and password all in one, and you can't change it if it's stolen). The fact that they chose to ignore the warning is purely indicative of stupidity, payola, incompetence or whatever but, now that the FBI, Department of Defense and others actually have had their fingerprint database stolen, how confident do you think they will be in the next snake oil salesman?

    I think the False Prophets are partly to blame for the attitude of management in many industries.

    1. Charles 9

      Re: It can't happen to us...

      "The fact that they chose to ignore the warning is purely indicative of stupidity, payola, incompetence or whatever but, now that the FBI, Department of Defense and others actually have had their fingerprint database stolen, how confident do you think they will be in the next snake oil salesman?"

      Probably just as confident as they were last time. The people making the decisions now probably weren't the ones who made the decision when the fingerprint scanners appeared, have been lulled into complacency, and will willingly make the same mistakes again, banking on persistence paying off before insanity hits.

  24. Henry Wertz 1 Gold badge

    Industry pressure

    I agree with not working on projects I know will be insecure.

    As for regulation, I think different industry standards would solve companies' seemingly lax attitudes to security. If insurance companies began to change the business insurance so the business had to follow secure practices if they expected data loss to be covered... and if the credit card companies actually enforced PCI DSS security... then this kind of thing would happen far less often than it does now.

    1. Trevor_Pott Gold badge

      Re: Industry pressure

      The market has failed to produce solutions thus far. Why do you feel it is rational to cling to a belief this will somehow change? There are very, very few examples in human history of markets self-regulating, especially in a manner good for the population at large.

      There are an unlimited number of examples in which markets have failed to self regulate. Belief that markets will self regulate, in defiance of all historical evidence to the contrary, is faith as irrational as any religion.

      1. Charles 9

        Re: Industry pressure

        Markets can't self-regulate because markets are run by humans...and humans, in spite of popular belief, default to irrational behavior. Essentially, they run on emotions first and logic only when the former doesn't get in the way. It's for this reason that things like lotteries (that play on inherent optimism) can make a killing. It's why you have runs on the bank and panic spikes.

  25. dirkjumpertz

    So sad but true

    And even sadder when

    s/security/environment/g

    is a regex that makes perfect sense.

    I'm a chemical engineer by education; today I work in IT security (governance mainly). Often I tell people that the real problem with IT is that people don't die by their own mistakes. In a chemical plant, if you don't follow procedures, guidelines and standards, you will end up hurt and in the worst case dead. Sitting behind a desk, fiddling with code might be bad for your back, but that's as far as it goes.

    Personal harm is the best motivator for taking the right decisions and doing the right thing.

  26. MS Rocks

    I wonder how many people who commented on this article....

    Use an Android mobile..

    1. Anonymous Coward
      Anonymous Coward

      Re: I wonder how many people who commented on this article....

      And your point is?

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder how many people who commented on this article....

        If you do not get it then I am not going to explain it to you.

        1. Anonymous Coward
          Anonymous Coward

          Re: I wonder how many people who commented on this article....

          Please enlighten me, I'd really like to hear.

          1. Charles 9

            Re: I wonder how many people who commented on this article....

            He's saying Google and Android are part of the problem. IOW, people using Android mobes to comment on invasions of privacy are basically hypocrites.

            1. Anonymous Coward
              Anonymous Coward

              Re: I wonder how many people who commented on this article....

              Correct. Google are the undisputed champion of stealing and selling personal data. And much vitriol has been expressed on this topic in the comments. Yet I suspect that many of the vitriolic comments have been typed on the keyboards of Android powered devices, that the device owners have chosen and paid good money for. Without seeing the irony of the situation.

  27. ecofeco Silver badge

    Yeah...

    Good luck with that.

  28. Michael Wojcik Silver badge

    Your solidarity is not so solid

    I have some long e-mails to write to the owners of various online publications I write for about implementing SSL by default

    Well, now, there's one problem. I don't want TLS everywhere on the web. My security model is not your security model, so why should I support your effort to impose your security model on me?

    When I read the Reg, I don't need or want the extra overhead of TLS. For that matter, when I post comments, I don't need or want it. I don't care if someone goes through the (not trivial) effort of impersonating me here.

    The HTTPS Everywhere fanaticism is only one small corner of IT security, true, but it's symptomatic of the whole. Every armchair security expert has some axe to grind. I don't believe I want an Occupy Computers movement agitating for a lot of ill-considered, poorly-understood security "fixes".

    1. Charles 9

      Re: Your solidarity is not so solid

      "When I read the Reg, I don't need or want the extra overhead of TLS. For that matter, when I post comments, I don't need or want it. I don't care if someone goes through the (not trivial) effort of impersonating me here."

      You'll start caring when someone finagles the identity you get here to steal one of your more significant identities elsewhere. Plus there's the prospect of having malware injected through your in-the-clear transmission by someone along the TCP/IP chain.

  29. Anonymous Coward
    Anonymous Coward

    Ada - the only infrastructure that's reliable & secure by design

    People who fly aeroplanes by-wire can't afford crashes - so they use Ada.

    Why are banks, and major corporations allowed to use any rubbish?

    I'm agreeing, BTW, this is a good article, on an important topic.

    If boards understood the massive risk they face from IT, they'd insist on Ada now, and throw out all the closed-source rubbish.

    1. Charles 9

      Re: Ada - the only infrastructure that's reliable & secure by design

      "If boards understood the massive risk they face from IT, they'd insist on Ada now, and throw out all the closed-source rubbish."

      Thing is, most boards have to answer to the investors, and many investors these days are quite short-sighted.

    2. fajensen

      Re: Ada - the only infrastructure that's reliable & secure by design

      Boards understand that the way to win big in finance is to become a "Too Big To Fail" - TBTF - institution; then you can fuck up as much as you like and taxpayers will bail your business out and pay your bonus on top for all the hardship and stress you just endured.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ada - the only infrastructure that's reliable & secure by design

        "Boards understand that the way to win big in finance is to become a "Too Big To Fail" - TBTF - institution"

        IOW grow so big you can hold a country hostage. I think William Gibson wrote of companies and institutions that big: transnationals who were beholden to no one, large enough to be sovereign entities themselves.

  30. Augur
    Alert

    Trevor, great sentiments, "The only thing necessary for the triumph of evil is that good men do nothing". I wrote the following in response to a Trend Micro security blog by Raimund Genes CTO on buying and selling vulnerabilities, and I think it applies well here. "Very laudable but it is unrealistic to expect the "Chickenhawks" to play ball; the discussion that underlies all of this is Governments (everywhere) weaponising the Internet. Aberrant behaviour as currently displayed by those in power will only be curtailed or "managed" when a good defensive posture as policy has priority over offensive capability, even if this makes the surveillance practised by the "State" a hell of a lot more expensive. The cost to UK PLC of malicious activity via the Internet (UK Government figures) was circa £13 Billion for 2013. A sound economic argument needs to be had. Austerity is an opportunity." And in general answer to your complaint, perhaps the next time you vote, ensure that the party you support gets the message; you may wish to remove references to donkeys though. I am not sure it worked for Lewis Page.

  31. Anonymous Coward
    Anonymous Coward

    Rise up then you can have my role in infosec, I'm sick of it because I've been fighting the above for a far too long solid stint, only you've got to do it for 1/3 the rate in the name of efficiency savings and there have already been voices suggesting that it's offshored instead. What could possibly go wrong with that?

    Nobody in management or finance is listening Trevor, you can rally the troops but we don't control the budget and if you make a noise, you're identified as a cost saving for being a pain in the arse and hurting the bottom line of the business.

    1. Anonymous Coward
      Anonymous Coward

      Have you tried getting the Legal Department on your side and pointing out that your work is "ounce of prevention" stuff? Perhaps the Legal Department can point out that if they think the bottom line takes a hit thanks to IT, then wait until the lawsuits or regulatory fines hit because they DIDN'T listen to IT.

      1. Anonymous Coward
        Anonymous Coward

        That's why any company has any infosec resource at all, to be blunt. Ever get tired of spending more of your time justifying your role than actually doing it?

        1. Anonymous Coward
          Anonymous Coward

          Perhaps some would say that's how life rolls. 10% of your work is the actual getting things done while 90% is convincing the brass above you that it's worth it.
