Welcome to LinuxQuestions.org, a friendly and active Linux Community.
In the Enterprise, aside from the computer enterprise, security is often an afterthought. "First to market," "sales," and "gross receipts" take precedence over security.
My father was a banker and he was a good and honest man. Today he would be ashamed to admit that he was in any way associated with the financial industry.
I casually noticed the word "opensource" in my FoxNews app story.
Then I websearched: opensource equifax
Sad. Even before I saw that word, my exaggerating imagination was saying:
Quote:
Proof that anything stored in any computer, is exposed to ALL!!!
Finally, the "nail in the coffin" / "end of the road" / "death knell"
for InternetComputing, privacy/security at least!!!
And that is a very recent notion. Although it's repeated as revealed truth these days, it dates from the 1970s and became popular in the 1980s and is a creation of the Chicago School of Economists, who unfortunately were not around when Mrs. O'Leary's cow did her thing or perhaps we would have all been saved a lot of trouble . . . .
Historically, the first responsibility of management has been to the sustainability and well-being of the business, not to the quick buck.
Today's New York Times had an article about victims of identity theft, including one poor schmo whose identity has been stolen multiple times.
In cases like these, I openly suspect that they will prove to be inside jobs.
Right now, in the State of Georgia (USA), you have to have a license to install low-voltage wiring around a rich man's yard. But you need no professional license at all to be a computer programmer. Furthermore, companies are quite happy to "import" non-immigrant workers from anywhere that labor is cheap, and/or to "export" their entire data-centers there, as part of "the Happy Little Cloud.™" No one stops to ask questions: "we're saving money, aren't we?"
Someone, who doesn't get paid much and who doesn't give a damn about Equifax because (s)he knows that the feelings are mutual, figures out how to make a lot of money while doing a lot of damage. Sweet Revenge. Companies are marveling at the breach – "how did those pesky Russian (of course ...) Hackers do this?" But of course what they're really doing is deflecting blame and attention away from their own questionable labor practices.
With absolutely no justification for doing so, they happily trust any employee contractor with the keys to their entire kingdom.
When companies and governments finally get tired of losing billions of dollars with no satisfactory explanation, government regulation will come to the data-processing industry. Just as it already did to low-voltage wiring, plumbing, air conditioning, electricity, civil engineering . . .
Last edited by sundialsvcs; 09-13-2017 at 11:52 AM.
Not only website bloatware, but difficult to maintain/update:
Quote:
Fixing those applications means getting the source code, updating the build scripts to change the Struts dependency to the latest version (2.3.32 or 2.5.10.1), and then rebuilding the application. For currently-developed code, that may be easy, but for a three year old app that hasn't been touched in a while? That's a little hairier. You might have to dig out older JDK versions to get it to build, find an old copy of an old internal JAR that's somehow gone missing, all the usual problems that happen when you try to rebuild an old application. That's assuming, of course, that you have the source code and build scripts, and that alone is far from guaranteed. I bet that there will be developers who find that the version in source control for some reason doesn't quite match the version that's deployed, or that they have no source at all, or that it doesn't build for whatever reason.
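As an added example (not from this thread, nor from any project it mentions), a small script that does the first step of the job the quoted paragraph describes: it finds struts2-core dependencies in a Maven pom.xml, resolves a `${property}` version if the build uses one, and flags anything older than the fixed releases named above (2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line). The pom.xml it scans is a constructed sample.

```python
"""Flag Apache Struts 2 dependencies in a Maven pom.xml that predate the
fixed releases (2.3.32 / 2.5.10.1). Sample input is constructed."""
import xml.etree.ElementTree as ET

# Fixed versions per release line, as named in the quoted text.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
NS = "{http://maven.apache.org/POM/4.0.0}"

def parse_version(v):
    """'2.3.20' -> (2, 3, 20); a '-SNAPSHOT'-style suffix is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())

def is_vulnerable(version):
    """True if a struts2-core version is older than the fix for its line.
    Lines older than 2.3 have no fix listed here and are treated as unpatched;
    lines newer than 2.5 are assumed to postdate the fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return v < (2, 3) if fixed is None else v < fixed

def struts_findings(pom_xml):
    """Return [(artifactId, resolved version, vulnerable?)] for struts2-core."""
    root = ET.fromstring(pom_xml)
    # <properties> often carries the version as ${struts.version}.
    props = {p.tag.replace(NS, ""): (p.text or "").strip()
             for p in root.findall(f"{NS}properties/*")}
    findings = []
    for dep in root.iter(f"{NS}dependency"):
        if dep.findtext(f"{NS}artifactId") != "struts2-core":
            continue
        ver = (dep.findtext(f"{NS}version") or "").strip()
        if ver.startswith("${") and ver.endswith("}"):
            ver = props.get(ver[2:-1], ver)   # resolve the property reference
        findings.append(("struts2-core", ver, is_vulnerable(ver)))
    return findings

# Constructed sample: a three-year-old style pom pinning Struts via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.20</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for art, ver, bad in struts_findings(SAMPLE_POM):
        print(f"{art} {ver}: {'UPDATE NEEDED' if bad else 'ok'}")
```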
The problem for me is, "it's a lon-n-n-ng way between 'a flaw in Apache Struts' and a total compromise of millions of accounts."
Successful compromise of any large data system, I would argue, is nearly impossible to mount "from the outside," with absolutely no knowledge of the systems that you are penetrating. I think that you have to have thorough knowledge of them ... inside knowledge of them.
Thus far, we have paid no attention to who we actually hired, nor to where our data centers were located. If labor is cheap and electrical power is cheaper, "we're there!" But it seems that we have an increasing number of billion-dollar breaches that we "simply can't explain," and most importantly, no one seems to be accountable.
Maybe we need to pass a law that says that any employee who works on a financial data system used in the United States must be a United States Citizen who holds such-and-such grade of a license issued by the Federal Department of Information Security, has cleared so-many background checks, and has appropriate training certified by the US-FDIS.
After all, we have been doing very similar things for many decades with regard to every other form of professional engineering ... except software engineering.
If you did that with software engineers and packages your software industry would collapse, and most of your financial industries would go into meltdown.
Quote:
If you did that with software engineers and packages your software industry would collapse, and most of your financial industries would go into meltdown.
Personally, I don't think so. Every roadway is built according to designs bearing the official red stamp of a civil engineer. Every aspect of a building is designed by licensed architects and constructed by licensed professionals. But in this case I am also speaking of internal processes, and the [present lack of ...] accountability therefor. "Knowledge Is Power."
"Who could have done this?" Why, he might be back in Bangladesh by now, his two-year visa time being up. And you'll never be able to go over there and find him. I think that we need to have legal regulation of many things which, in the first heady twenty-odd years of all this wunnerful Internet stuff, has been utterly "loosey goosey." These billion-dollar breaches are not taking place from half-a-planet away. They're not exploiting our software: they're exploiting our [lack of] human process.
Last edited by sundialsvcs; 09-21-2017 at 01:20 PM.