Log Exploits, Pegasus Methods, and Willful Ignorance
December 21, 2021
Which of the “our hair is on fire” articles should I reference? There’s the “worst security issue ever” approach of the Security Now podcast. Google released an analysis of NSO Group’s Pegasus methods. There’s the happy-discovery story and community-centric notification by an engineer working at a Chinese company. There’s Canada turning off quite a few essential government Web sites. And more. Lots more.
My take is that these post-SolarWinds missteps are going to come faster and more furiously, with or without Microsoft’s magical 1,000 engineers beavering away in lovely Moscow.
Why?
Three reasons, and I know these will not be particularly popular among the thumbtypers, the funders of venture backed cyber security firms, and the open source community. Hey, life is tough.
1. Good Enough
In order to reduce costs and move faster, good enough has become the key business practice of the last decade. Systems are assembled from chunks of code, APIs, and scripts conjured from online sources. As a result, there are, obviously, some egregious issues. The SolarWinds misstep is one example. The hair on fire over Java is another. We had a ringside seat at the Kendara start-up, which was sold to @Home (which may have been AT&T by then), and Java was exciting indeed. Now Java is different? Sorry. It’s good enough. Why not do “better”? It takes effort, money, and time. Foosball and making designer coffee are more important for some.
2. Open Source and the Community
Yeah, the appeal of free software, no proprietary software license agreements, and the ability to make changes which — ha ha ha — coulda woulda shoulda been shared with the community are powerful rocket engines for open source applications. Now everything from Elasticsearch to the latest mobile device is like a clueless elderly person negotiating with a New York real estate wizard. You know who is going to win, right? The community is often a front for a commercial interest, a way for a developer to get a job, or a way for a clever programmer to drive business to a consulting side gig. Who knows who will cobble together enough open source to solve one of the persistent problems of computing? The issue is that the “community” is not homogeneous, and the fruitcake of code is neither subjected to testing for security issues nor reworked to make it just more wonderful. Without an incentive, open source is almost as juicy a bad-actor opportunity as that wonderful Microsoft Exchange “solution.”
3. Kick the Can Down the Road
In my more than 50-year work career, the most frequent answer to a persistent problem has been to find something expedient to ameliorate the problem, then kick the can down the road for subsequent managers, programmers, and summer interns to solve. Whether the issue is the security of home smart devices or the hidden vulnerabilities of a $200,000-per-year piece of smart software infused with Snorkel goodness, just focus on the short term. Those larger issues? Hey, what are those? Just walk away from the dead whales on the beach. Technology and tomorrows will solve the less visible, longer-term problems.
Net Net
What’s the fix for the hair-on-fire crowd? Oh, upgrade to the more secure version. License a smart system like Antigena. Introduce a new cyber threat information service. See how easy it is to operate in a digital world in which the vast majority of people are thrilled with the computing status quo. Life will be more secure and even better in the metaverse too.
Stephen E Arnold, December 20, 2021