Ask Slashdot: How Are So Many Security Vulnerabilities Possible?
Posted 2017-11-21
dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough?
This is 10% of the problem
Or are the product manufacturers simply careless or cutting corners in their product designs?
This is 90% of the problem.
And 90% of the 90% are the biggest boys (Score:3)
That can be simply listed as (in the order that I see them):
- Microsoft as an OS vendor (I know I'll get attacks from various ACs that think any criticism of MS is unfair, but they are putting way more energy into sucking users' personal data into their servers than protecting said personal data)
- Large service companies with poor security for customer databases (I just saw Uber had a big hack last year that they've been trying to keep quiet).
Yes, the big issue here is that it's common knowledge consumers by and large refuse to be bothered to get educated, and the bulk of the major software development companies out there don't have leadership ethical enough to be able to resist taking maximum possible advantage of their naivety. Unfortunately this knowledge gap is also being turned against our own government even as our own government participates in using the very same knowledge gap on the general population. It's a huge ugly mess, rea
Or are the product manufacturers simply careless or cutting corners in their product designs?
This is 90% of the problem.
This, so much this. Companies still view security as something that costs too much money to implement properly. It's cheaper to deal with the financial loss of a hack than it is to have decent security policies implemented with properly trained personnel who are responsible for patching security vulnerabilities and testing the network constantly. Security's a constantly changing state of being, but this last statement shouldn't really be news for the crowd who's drawn to reading
Android doesn't have an "update overnight" option like iOS does?
Most of my non-techie friends with iPhones just hit "update overnight" and the update is done by morning; no interruption to their routine.
"How in the 21st century, is this possible..."
-Some Genius on
Hey, pointing out that it's the 21st century actually answers your question.
The technology is super young. We're not even 20% into the 21st century and computers were invented in the 2nd half of the 20th century. And they didn't even have operating systems for a long time.
Just in case the uninitiated might confuse this for a serious statement; to be clear he's completely trolling.
I agree that better programming languages with safety features would make a huge difference, if someone can make one that is easy to understand by average or below-average programmers, who write a lot of the software out there. Rust is quite safe, but has a lot of really weird-ass new concepts that many programmers can't be bothered to try to grok. Go is half-decent, but also a moderately weird and finicky programming language.
Safer web-app templating and db access libraries would also help a lot.
Security costs money? (Score:2, Interesting)
Good security usually means re-architecting whatever legacy garbage fire has been burning off in the corner for the last 12 years, and that costs money. The insecure software is still generating revenue in its current state and there are no consequences for poor software security. #Equifax
Agile development (Score:1, Informative)
Who cares, we have arbitrary deadlines to meet. Ship it broken! We can fix it later.
Also bugs (Score:2)
How are bugs still possible? That's how security holes are still possible too.
A week or two goes by? (Score:2)
Git-r-done (Score:3)
The good news is much like Charlie Rose gets embarrassed off the national stage, hopefully companies that don't take security seriously will be forced into bankruptcy.
Yes. (Score:3)
Yes.
I've been a software security guru for more than ten years, and none of the companies I worked for, whether Fortune 100 or commercial companies shipping commercial software, fixed all the vulnerabilities we found before shipping. (Some set the bar at "high" and some as "critical", but no one halted the presses for "medium".) For all I know, most of the vulnerabilities we found perished on a disbanded team's backlog years ago to the delight of hackers everywhere.
But the bigger problem would be the code that shipped that we never saw, whether it was an intern's "hackathon" project shat onto the web, something that crawled out of a pool of H1Bs, or a third-party app grafted in to fake reporting enough to get past the demo with the big client. I have more horror stories than I can relate involving things like this.
Liability is separated from ownership (Score:3)
We need to share a password (Score:1)
Our software needs password access to our servers.
I know, let's store the password as a variable in our code.
Great, how do we get the latest version of our code?
It's in the company repository.
Alternatively,
We're getting a permissions error.
Just chmod everything to 777. (Yes, I've seen this done. Yes, I know it's a bad idea).
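The two anti-patterns in the exchange above (a credential stored as a literal in committed code, and `chmod 777` as a fix for permission errors) are both cheap to detect and to replace. The following is an added example, not code from the original thread: a small Python scanner that flags credential-looking literals in source and world-writable files, next to a hardened loader that reads the password from the environment or from a mode-0600 file. The regex, the snippets and the file names are constructed for this example, and the scanner is far smaller than a real tool such as gitleaks.

```python
import os
import re
import stat
import tempfile

# Constructed rule: an assignment of a string literal to a credential-looking name.
# Real secret scanners use much larger rule sets; this is enough to show the idea.
SECRET_PATTERN = re.compile(
    r'(?i)(password|passwd|secret|api_key|token)\s*=\s*["\'][^"\']{4,}["\']'
)

# Constructed "before" snippet: the password is a literal committed to the repo.
VULNERABLE_SNIPPET = '''import psycopg2
DB_PASSWORD = "hunter2-prod"   # lives in the company repository
conn = psycopg2.connect(password=DB_PASSWORD)
'''

# Constructed "after" snippet: the literal is gone; the value comes from the environment.
HARDENED_SNIPPET = '''import os
import psycopg2
conn = psycopg2.connect(password=os.environ["DB_PASSWORD"])
'''


def find_hardcoded_secrets(source: str):
    """Return (line_number, line) for each line that assigns a string literal
    to a credential-looking variable name."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SECRET_PATTERN.search(line):
            hits.append((lineno, line.strip()))
    return hits


def world_writable(paths):
    """Return the subset of paths whose mode grants write to 'other',
    which is what `chmod 777` hands out."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def load_db_password(env_var="DB_PASSWORD", secret_file=None):
    """Hardened alternative to a password literal: take the value from the
    environment, or from a file that is readable by its owner only."""
    value = os.environ.get(env_var)
    if value:
        return value
    if secret_file is None:
        raise RuntimeError(f"{env_var} is not set and no secret file was given")
    mode = os.stat(secret_file).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Refuse a secret that group or world can read: a 777 file leaks it.
        raise PermissionError(
            f"{secret_file} must be mode 0600, found {oct(mode & 0o777)}"
        )
    with open(secret_file) as fh:
        return fh.read().strip()


def make_demo_files():
    """Create a 777 config file and a 0600 secret file in a temp directory
    (constructed input) and return their paths as (bad, good)."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "config.ini")
    good = os.path.join(d, "db_password")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("hunter2-prod\n")
    os.chmod(bad, 0o777)   # the "just chmod everything" fix
    os.chmod(good, 0o600)  # owner read/write only
    return bad, good


if __name__ == "__main__":
    print("hardcoded secrets:", find_hardcoded_secrets(VULNERABLE_SNIPPET))
    bad, good = make_demo_files()
    print("world-writable:", world_writable([bad, good]))
    print("password from 0600 file:", load_db_password("EXAMPLE_UNSET_VAR", good))
```

Run it as a pre-commit hook over changed files and the first anti-pattern never reaches the repository; the 0600 check in `load_db_password` makes the second one fail loudly at startup instead of silently handing the password to every local user.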
Do you live in a house or apartment? (Score:3)
How Are So Many Security Vulnerabilities Possible?
Do you live in a house or apartment? Go around and look very closely at every aspect of the structure. As you go, make note of every flaw you find, however tiny, paying special attention to things that could be avenues for entering the dwelling from the outside even if everything is locked up. Now imagine 1,000,000 people all working constantly to find ways through those vulnerabilities without you realizing that is going on. Now imagine everybody in your city has an identical dwelling, so that when one avenue is compromised, they all are.
That is how.
Two reasons (Score:2)
white hat hackers are the best programmers (Score:1)
yes, every time i see something like this.. i go.. hmmmm.. makes one wonder..
if everyone who thought about or wrote a program was a white hat hacker we could have bliss and live happily ever after... or one could really do harm if on the dark side, yet karma is a wonderful training tool, so just wait and see..
for me, i am a white hat...
;-)
my favorite is to redirect sql injection attempts to www.fbi.gov with the attacker IP in the URL and a text string along with to say go get them...
Security is not free or an afterthought (Score:1)
Companies treat security as something that just takes care of itself once you put a password on a site to gain access. Every company with any data has a security risk, but how many companies have a CSO? How many have a senior engineer overseeing security? Everyone follows the big buzzwords like "cloud" and "big data" and has a buzzword bingo "strategy." Not so much when it comes to bolting the doors.
Simple (Score:2)
Nobody cares (Score:2)
Companies do not care about security, because they see no value in it. They rush their own developers to release software, and never ask them to focus on security.
Developers do not care about security. They never face the consequences of their negligence on it.
Consumers do not care about security. They shop for the cheaper or the most hyped product, not for the one that was correctly engineered. How could they know it really was, anyway?
How are so many vulnerabilities possible? (Score:2)
All complex software has bugs. But not all software respects your freedom to run, inspect, share, and modify the software so you can decide how to handle whatever problems arise with the software. You ought to be allowed to fully control the computers you own. Free software (software that respects your software freedom) is a means to grant people that control and treat people ethically with regard to computer software. Nonfree (or proprietary) software denies users the freedoms of free software. Nonfree sof
Simpel (Score:1)
Isn't it just complexity? (Score:1)
Who asks stuff like this? No one who's seen code. (Score:2)
Please, before you post on Slashdot about code vulnerabilities, make sure you have at least programmed a "Hello, World" before. This post reminds me of the time a frustrated boss demanded to know why the game AI I was programming didn't "just use common sense."
More vulnerabilities are happening because there is a *massive* increase in software in consumer products. A bazillion products now have codebases that didn't before - ovens, toys, even my damn Christmas tree. Combine that with professional and social
Unavailable: Principle of least privilege (Score:2)
Almost all security problems boil down to the absolute lack of support for the principle of least privilege [wikipedia.org]. None of the commonly used systems have anything approaching this concept. The crude approximation available is to put each resource in a virtual machine and tightly limit its connections to other virtual machines that need to access it for a specific resource... then watch those like a hawk for traffic spikes etc.
The other thing that could help immensely is to install Data Diodes, which are gateways
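The "crude approximation" described in the comment above, one resource per VM with a tight allowlist of permitted connections and an eye on traffic spikes, is mechanical enough to check from flow records. What follows is an added example, not code from the thread: a Python checker that takes a per-VM allowlist of (peer, port) pairs and a list of flow records, reports every flow the allowlist does not permit, and flags a flow whose byte count is far above the running mean for that same source/destination/port. The policy, the VM names and the flow records are constructed for this example; a real deployment would feed it NetFlow/VPC flow logs instead.

```python
from collections import defaultdict

# Constructed least-privilege policy: each VM may initiate connections only to
# the listed (peer, port) pairs. The database tier initiates nothing at all.
POLICY = {
    "web-vm": {("app-vm", 8443)},
    "app-vm": {("db-vm", 5432)},
    "db-vm": set(),
}

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("web-vm", "app-vm", 8443, 12_000),
    ("app-vm", "db-vm", 5432, 40_000),
    ("app-vm", "db-vm", 5432, 38_000),
    ("app-vm", "db-vm", 5432, 900_000),       # far above the usual volume
    ("web-vm", "db-vm", 5432, 2_000),         # web tier talking straight to the DB
    ("db-vm", "203.0.113.7", 443, 50_000),    # DB tier initiating an outbound flow
]


def policy_violations(flows, policy):
    """Return every flow whose (destination, port) is not in the allowlist of
    its source. A source missing from the policy is allowed nothing."""
    return [
        flow for flow in flows
        if (flow[1], flow[2]) not in policy.get(flow[0], set())
    ]


def traffic_spikes(flows, factor=5.0, min_samples=2):
    """Return flows whose byte count exceeds `factor` times the mean of the
    earlier flows on the same (source, destination, port) tuple. At least
    `min_samples` earlier flows are required before a baseline is trusted."""
    history = defaultdict(list)
    spikes = []
    for src, dst, port, nbytes in flows:
        past = history[(src, dst, port)]
        if len(past) >= min_samples and nbytes > factor * (sum(past) / len(past)):
            spikes.append((src, dst, port, nbytes))
        past.append(nbytes)
    return spikes


def review(flows, policy):
    """Bundle both checks into one report, keyed by finding type."""
    return {
        "policy_violations": policy_violations(flows, policy),
        "traffic_spikes": traffic_spikes(flows),
    }


if __name__ == "__main__":
    for kind, findings in review(FLOWS, POLICY).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

The allowlist is the enforcement half of least privilege (it is what a firewall or security group should already be configured from); the spike check is the "watch those like a hawk" half, catching a permitted path that suddenly carries far more data than it ever has.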
