August 21, 2019

Every day we get news of compromised systems, hacked companies, data breaches, leaks, vulnerabilities and exploits. As I have written before, this kind of news used to be spectacular, newsworthy and share-worthy, but nowadays it is not. It is so common that it would be pointless to even share it. It's the new normal.

Recently, the tax authority of Bulgaria leaked the information of all their citizens: an estimated five million taxpayers, with sensitive, personal and permanent data. While leaked passwords can be changed, sensitive permanent private information held by tax authorities cannot. Once it's leaked, it's leaked, and even if you know that your social security number has been leaked, you still cannot change it. As reported by CNN, "An entire nation was hacked". But despite the fact that, as I just said, this is just normal, there is an interesting observation in the CNN writeup:

"Data breaches used to be spearheaded by highly skilled hackers. But it increasingly doesn't take a sophisticated and carefully planned operation to break into IT systems. Hacking tools and malware that are available on the dark web make it possible for amateur hackers to cause enormous damage."

Hacking these kinds of systems USED to be something that required great expertise and could only be done by these "highly skilled hackers". But no more. Nowadays, even "amateurs" can cause "enormous damage".

This does mean that as our reliance on these digital, computerized systems grows, so does the ease of hacking into them. This is so extremely wrong! It was sort of ok and almost funny in some sense if my online game was discovered to have vulnerabilities and if, in the worst case, someone would be able to steal or kill my character in a game. But now that the systems are apparently becoming MORE vulnerable and hacking them becomes EASIER, at the same time they grow in importance, and now our actual lives depend on them. It's not a character in a game that gets stolen. It's my actual identity. It's not virtual game money, it's the actual money that is supposed to pay for the food and education of my children. It's the money meant to pay for my car loan that simply disappears without any explanation, and nobody has a clue as to what is happening.

It was also reported recently that large western organizations are systematically and continuously attacked at scale through the large IT-outsourcing providers that they contract to maintain and develop their systems and networks. This is no joke. Name a large organization, and we can see which large provider they have outsourced to. And they open full network administrator access to everything for the provider, because otherwise the provider cannot do their job. It is done this way because it is assumed that these large providers are experienced and competent, have mature processes, and are well on top of their game when it comes to information security. While in fact, none of that is at all true. And in the end, companies just open up their networks to incompetent individuals who might mostly (but not always) mean well and may sincerely try to do their best, but are simply and hopelessly unable to match the challenges posed by modern hackers, whether professional or amateur. The fact that the big-name providers mentioned in the article may not be as good as you may have thought might come as a shock to some people.

And just in case you were thinking of this from a legal perspective: When you get hacked, it won't matter how well or badly you have negotiated your contract or SLA with your provider. No matter how much you would end up claiming from the provider in court, you are still hacked. It's priceless.

Obviously such outsourcing arrangements are done in hopes of financial savings. It might look good on some particular balance sheet or strategic plan. But it's a troubling move that spells disaster in the long run.

It's the same financial "efficiency" that leads developers to simply use and reuse unknown code from the internet, without having any idea what is being included in critical systems. See what happened to British Airways. As a result, an overwhelming majority of web-based software in this world has known vulnerabilities. Once when I reported a concrete instance of this to a particular large customer in a code review, the response of their senior developer was literally "well, this is how these things are developed these days".


Of course he was right. This IS how software is developed these days. More often than not, this means sloppy code, written in a rush with low quality, with all focus on just "making it work" instead of "making it work correctly and securely". And the results are evident, posted and available on CNN: "Data breaches used to be spearheaded by highly skilled hackers. But it increasingly doesn't take a sophisticated and carefully planned operation to break into IT systems."

So while this may be how things really are right now, don't you think we should CHANGE the way "these things are developed these days"? For the sake of our own lives and the lives of our children, this stuff should matter. Again, it's no longer a game. It's about our very identities and the funds that we use to buy food for our children.

That "change" does not need to be anything magical or elusive. How we develop software and systems is fully decided by the developers and organizations that are doing this. When we choose to outsource to unreliable providers in desperate hope for cost savings, we make decisions based on corporate values. That we choose to use bad unknown code from the internet simply because it's free is a choice we make based on our values. Which is what it all boils down to.

Some of the values that have a tremendous impact on security in particular include the following: Correct technical architecture. Sensible, logical design. Well-written code. Adherence to good programming standards. Quality of implementation and deployment. Expertise of programmers and other team members. Code reviews and security audits by competent, creative experts, not by following checklists. Less complicated systems and designs. Automation that helps human beings manage complexity and reduce manual labor.

The things we read in the daily news suggest that right now, by and large, as an industry and as a world that is in the process of digitalization, we do NOT seem to value security all that much.

Can this change?
