Cybersecurity is brokenhttps://crankysec.com/blog/broken/
Cybersecurity is broken
27 March 2024
It is a well-known fact that we dish out a whole lot of shit talk around these parts. And by "we" I mean me, but that's beside the point. Talking smack about 10-ply LinkedIn vCISOs is, quite honestly, pretty easy and kind of satisfying because some 8 out of 10 times they are stupid as fuck and deserve the heckling. The remaining 2 out of 10 are maybe trying to fight the good fight, and do right by their teams. Maybe. Don't you quote me on that figure. Actually, best you don't quote me at all because there are peeps out there saying things that are much more clever. Take this quote(?) from one Bob Metcalfe (tks, snowcrasher!)
"The Stockings Were Hung by the Chimney with Care"
The ARPA Computer Network is susceptible to security violations for at least
the three following reasons:(1) Individual sites, used to physical limitations on machine access, have
not yet taken sufficient precautions toward securing their systems
against unauthorized remote use. For example, many people still use
passwords which are easy to guess: their fist names, their initials,
their host name spelled backwards, a string of characters which are
easy to type in sequence (e.g. ZXCVBNM).(2) The TIP allows access to the ARPANET to a much wider audience than
is thought or intended. TIP phone numbers are posted, like those
scribbled hastily on the walls of phone booths and men's rooms. The
TIP required no user identification before giving service. Thus,
many people, including those who used to spend their time ripping off
Ma Bell, get access to our stockings in a most anonymous way.(3) There is lingering affection for the challenge of breaking
someone's system. This affection lingers despite the fact that
everyone knows that it's easy to break systems, even easier to
crash them.All of this would be quite humorous and cause for raucous eye
winking and elbow nudging, if it weren't for the fact that in
recent weeks at least two major serving hosts were crashed
under suspicious circumstances by people who knew what they
were risking; on yet a third system, the system wheel password
was compromised -- by two high school students in Los Angeles
no less.We suspect that the number of dangerous security violations is
larger than any of us know is growing. You are advised
not to sit "in hope that Saint Nicholas would soon be there".
That's from 1973. The dude who invented Ethernet was worried about what we now call cybersecurity fifty fucking years ago. Several wake-up calls happened since then: phreaking peeps exploding the phones, hacker supergroups testifying in front of the US Senate on the topic of cybersecurity, hacker supergroups releasing super easy to use RATs, a cornucopia of malware, including shit made by nation-states, and ransomware attacks that are only profitable because some people just decided that an inefficient distributed database was worth some money. A lot of those issues were only made possible by people's insistence on using a programming language from half a century ago when better options are available. And that's just the technical side of things.
Take, for example, the Pen Test Partners' research on Peloton's API security. The researchers were able to grab a whole bunch of data that was supposed to be private, disclosed the issue to Peloton who, in turn, basically ghosted the researcher until a TechCrunch reporter got involved. Classic case of "we're not sorry we suck at protecting our customers' data, we're just sorry we got caught." I mean, if you need to get fucking TechCrunch involved to be taken seriously, the situation is hopeless.
Absolutely no amount of gentle pleas disguised as executive orders from the White House urging people to use memory-safe languages will solve the problem. CISA, despite all the phenomenal work they do, can't charge people who mishandle data with negligence; critical infrastructure involved or not. And maybe they should.
You see, cybersecurity is broken because of the lack of consequences. It's really that simple. When literally nothing happens when some stupid service gets popped and loses your data they had no business collecting in the first place, this kind of thing will happen over and over and over again. Why the fuck do you need my home address just so I can copy and paste some GIFs? Because you want to sell this data to data brokers, and you know there will be absolutely no negative consequences if you mishandle this data, fucking over the people who keep your business afloat. So, companies big and small fuck things up and we need to clean up the mess and face the consequences. Sounds about right.
Cybersecurity is even more broken when these companies that face zero consequences look at their payroll and think "Wait a fucking minute! Why the hell are we spending six full dollars a year on cybersecurity when we can, I dunno, do nothing at all for free because cybersecurity incidents will not negatively impact our bottomline whatsoever?" That's why you, my cybersecurity and infosec brethren, are getting laid off. That's why you don't have the tools you need. That's why you don't get the training you should. That's why you're overworked. That's why you're stuck as an underpaid individual contributor doing the work of 5 people for $75k/year while your CISO who makes $500k is on LinkedIn all day writing stupid shit about AI.
Cybersecurity is broken because fixing it benefits no one but the regular, unremarkable, salt of the earth folks. And, according to the powers that be, fuck them folks. Fixing it requires strong data protection laws, but passing laws is just not something the overwhelming majority of legislative bodies in the world do. Passing laws that slightly inconvenience multi-billion dollar corporations while improving the lives of the plebes is even more of a tall order. And that's true for a whole lot of things that have nothing to do with cybersecurity, but this is a blog about cybersecurity, so please bear with me.
That's the answer: data protection laws. You get my data for rEaSoNs, and you fuck it up? You should pay a hefty price that cannot be written off as the cost of doing business. You make data brokers illegal, or, at the very least, way less profitable. You do what the payment card industry has been doing for decades: you tell everyone handling your data that they have to follow a very comprehensive set of data protection rules, lest they get fined or cut off entirely. A group of four credit card companies can do that, so I'm sure mighty governments can, too.
But how do we push things in the right direction? Well, that's one of the many topics we discuss in our Discord server (Hey you guys!). Not only are my fellow Crankies inspiring the shit out of me every day, we have bigger plans than just shitposting and commiserating. Turns out that buying a congressperson lobbying is not that expensive, really. We are working on something that we hope will help lift everyone in this industry up. As I once wrote on that very Discord: "When we abstain from using our collective power of influence, we lose by default." Or "you miss 100% of the shots you don't take" or whatever the fuck Gretzky said. We're about 700-strong and planning on doing great things. Come join us because the movement cannot be stopped.
Previous: Pigeons As Far As The Eye Can See