Underperforming Security Vendors
I know, I try to give it to you gently, but someone has to ask. Chris Skinner described it as 'massive' and he was understating it. The latest 'revelation' - a decade-long security hole in the very fabric of the internet - really does mean that almost everyone has been running around with not only see-through undies, but see-through trousers on. Figuratively.
Where were RSA and Verisign and all the security vendors on this one? Asleep at the wheel. They still are. All those guys busy 'making the internet safe' - it's time to change your resumes to include a significant period (~10 years) as 'asleep at the wheel'.
Despite my early attempts to bait them into some dialogue, all we saw was a token foray into blogging. The big quiet was probably because they had already been told about this, or about one of the plethora of other issues soon to surface, and the PR people said to keep a low profile so it didn't come back to bite them.
- 'VeriSign operates the largest domain name registry in the world, managing over 50 million digital identities in over 350 languages. As the authoritative directory provider for all .com, .net, .cc, and .tv domain names, VeriSign processes over 15 billion interactions each day using our proprietary global infrastructure.' -
I'd say their experience in missing the obvious is unmatched.
Do you actually need to know anything about the Domain Name System to be the authoritative Domain Name directory provider?
Did this 'giant flaw' provide any opportunity to neutralise RSA's products?
Could antivirus software be misdirected to conveniently download updates from the hacker's site? Of course we don't really expect an answer on that one.
I'm just amazed at how gullible some are when it comes to snake oil (oh hang on - that's right - it's only their customers' and shareholders' money).
Of course, if we all just keep quiet, all those security flaws on bank sites and the giant collection of multiple security flaws that is called the internet itself will just magically disappear.
Homer Simpson could do a better job. If at least one of the kids who 'discover' these gaping flaws didn't blab about it on their chat sites, the 'security vendors' would never be any the wiser. I don't mean Dan Kaminsky - he's hardly a kid, but he's also not the first to know of this particular flaw.
I say again - the only reason you haven't been robbed yet (or had your information stolen) is because no-one has bothered, or you just aren't aware of it yet.
If anyone thinks that the internet will all suddenly be fixed with this 'patch', think again; there are still plenty of bank sites that are full of holes.
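What the post calls 'the patch' (the coordinated July 2008 resolver fix) was source-port randomization: instead of having to guess only the 16-bit DNS transaction ID, a spoofer now also has to guess the resolver's source port. That widens the guess space; it does not remove the race. The model below, an added illustration and not code from the original post, puts numbers on that. The figures it uses (100 forged replies landing per race, a full 16 bits of port entropy, independent races) are assumptions chosen to show the shape of the problem, not measurements.

```python
"""Back-of-the-envelope model of a Kaminsky-style DNS cache poisoning race.

Added illustration, not code from the original post. The parameters are
assumptions used to show why source-port randomization (the 2008 'patch')
raises the attacker's cost without closing the door.
"""
from math import ceil, log

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field


def guess_space(txid_bits: int = TXID_BITS, port_bits: int = 0) -> int:
    """Number of (TXID, source port) pairs a forged reply must match.

    port_bits=0 models a resolver that sends every query from one fixed port
    (the pre-patch situation); port_bits=16 approximates full source-port
    randomization. Real resolvers randomize over somewhat fewer ports, so
    treat 16 as an upper bound (assumption).
    """
    return 1 << (txid_bits + port_bits)


def race_success(forged_per_race: int, txid_bits: int = TXID_BITS,
                 port_bits: int = 0) -> float:
    """Probability of winning a single race.

    One race = one query for a never-before-seen name under the victim zone,
    during which the attacker fires `forged_per_race` replies, each carrying a
    distinct guess, before the legitimate answer lands. If the attacker can
    cover the whole space inside the window, the race is certain.
    """
    return min(1.0, forged_per_race / guess_space(txid_bits, port_bits))


def poison_probability(forged_per_race: int, races: int,
                       txid_bits: int = TXID_BITS, port_bits: int = 0) -> float:
    """Probability of at least one win in `races` independent races.

    Kaminsky's observation was that losing a race costs nothing: the attacker
    just asks for another random subdomain and starts again, so the TTL of a
    cached legitimate answer no longer throttles the attempt rate.
    """
    p = race_success(forged_per_race, txid_bits, port_bits)
    return 1.0 - (1.0 - p) ** races


def races_needed(forged_per_race: int, target: float = 0.5,
                 txid_bits: int = TXID_BITS, port_bits: int = 0) -> int:
    """Smallest number of races that reaches `target` overall success probability."""
    p = race_success(forged_per_race, txid_bits, port_bits)
    if p >= 1.0:
        return 1
    # Solve 1 - (1 - p)^r >= target for r.
    return ceil(log(1.0 - target) / log(1.0 - p))


if __name__ == "__main__":
    forged = 100  # forged replies the attacker lands per race (assumption)
    for label, port_bits in (("fixed source port", 0),
                             ("randomized source port", 16)):
        print(f"{label}: guess space = {guess_space(port_bits=port_bits)}, "
              f"races for 50% success = {races_needed(forged, port_bits=port_bits)}")
```

With a fixed source port and 100 forged replies per race, a coin-flip chance of poisoning needs only a few hundred races, which is seconds of work; with 16 bits of port entropy the same attacker needs tens of millions of races. That is a real improvement, but it is a bigger haystack rather than a locked door: more bandwidth, a narrower randomization range, or a NAT that rewrites source ports back to a predictable sequence all shrink the number again. Only an authenticated answer (DNSSEC, or verifying what you fetched rather than where you fetched it from) takes the guessing game off the table.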
If the internet were a bicycle tyre it would be the size of a tractor tyre because of all the 'security' patches, and Microsoft is a great example of patchwork bloated beyond recognition. It's an interesting Catch-22, but if it wasn't for the internet Microsoft would be out of business, because they wouldn't be able to deliver enough patches to keep their product from falling over. Just how much traffic do their 'updates' generate? Add the security vendor patches and all the spam, botnets and other stuff that still gets through, and probably half the world's computer power is diverted in a failed attempt to cover shoddy security methodology.
All those security products only stopped the people who didn't even want to break into your systems.
There's no chance that anyone has been using these long-standing flaws to 'update' your bank's operating system, is there? No-one's been milking you quietly for all these years? (Not counting the 'security vendors'.)
Will the fraudsters pull the big score now that this particular door to the vault is closing? Will they choose to 'go out in style' like the person responsible for one of the big Olympic ticket scams?
Previously this was unlikely - it's better to just steal a couple of eggs each day, and the farmer's wife would never know, rather than make it obvious and clean them all out - unless of course she's spotted the hole in the henhouse you use to get in (DNS in this case). Perhaps the farmer's wife could do a better job of protecting those golden eggs.
That's all you'd need. Better get those IT guys on some more overtime. Remember, it's not exactly their fault, and even the 'experts' didn't spot it. And hey, banks are getting better, aren't they? I must admit I haven't accidentally been sent any bank spreadsheets lately with a request to 'clean it up a bit' prior to takeover negotiations by another bank. (Yes - it has happened!)
Wakey wakey. I believe the show is not over yet. It's just time for a 'spin' break.
It'll probably be something like 'We knew about it and just had to bring forward our fix a bit sooner'.