Outside the Box: Don’t be surprised about another Equifax-type breach in 2018

People are rightly infuriated as criminals have already started using stolen data from the Equifax breach to apply for credit cards and file false insurance claims. But developers like me know that there are a lot of weak spots in the modern internet, and in some ways it’s surprising these kinds of catastrophic breaches don’t happen more often.

Imagine that the internet is a massive, complicated quilt, hand-stitched together by craftspeople from around the world, whose varied and intricate colorful designs are laid out in a dizzying composition.

Looking at the finished front side of such a project, it looks polished and neat. You would not begin to see the varying strengths of fabric, the thousands of tiny stitches and the missed ones, or the knots and rough edges on the back that are holding things together. Nor would you know how widely the skill of the people who worked on it varies, or where the weak spots are.

Internet’s flaws

In many ways this is the modern internet, where intense labor and focus by developers, paid and unpaid, have created the amazing “it just works” experience. But we developers behind the scenes, stitching together all of the code, understand the complexity and, yes, even mistakes and flaws that are inevitable.

The economy relies on the internet to function: for banking, for communications, for the transportation networks that deliver everything from our food to our Christmas presents. It is alarming how patchy things actually are underneath, and more alarming still that no one is really in charge when a vulnerability turns up.

We are infuriated by the Equifax breach, and the explanation of how it happened should offer little reassurance. Equifax said attackers exploited a vulnerability in open-source Apache software (the Apache Struts web framework) running in one of its systems.

The Apache Software Foundation had issued a patch for the flaw two months earlier. Falling that far behind on updates was clearly sloppy, but it is hardly unusual. In fact, many companies do not even have a complete inventory of the open-source components they run, so they cannot tell which patches apply to them.
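The check that was missing here is a dependency inventory matched against an advisory's affected version ranges. The following is an added example, not Equifax's or Apache's code. The flaw the paragraph refers to is the Struts S2-045 advisory, CVE-2017-5638 (not named on the page), whose affected ranges are 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1; the inventory entries are constructed. Versions are compared numerically, because a plain string comparison puts the fixed 2.5.10.1 "inside" the affected range.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration: match a component inventory against an advisory's
 * inclusive affected-version ranges.  Not the code of any real tool. */

#define MAX_PARTS 4

struct range { const char *first; const char *last; };  /* inclusive bounds */

/* Parse "a.b.c.d" into numeric parts; missing parts are 0, and any
 * non-numeric qualifier (e.g. "-SNAPSHOT") is ignored. */
static void parse_version(const char *v, int parts[MAX_PARTS]) {
    for (int i = 0; i < MAX_PARTS; i++) parts[i] = 0;
    for (int i = 0; i < MAX_PARTS && *v != '\0'; i++) {
        char *end;
        parts[i] = (int)strtol(v, &end, 10);
        v = (*end == '.') ? end + 1 : end;
    }
}

/* Numeric comparison: "2.5.10.1" > "2.5.10", unlike strcmp. */
int version_cmp(const char *a, const char *b) {
    int pa[MAX_PARTS], pb[MAX_PARTS];
    parse_version(a, pa);
    parse_version(b, pb);
    for (int i = 0; i < MAX_PARTS; i++)
        if (pa[i] != pb[i]) return pa[i] < pb[i] ? -1 : 1;
    return 0;
}

int in_ranges(const char *version, const struct range *ranges, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (version_cmp(version, ranges[i].first) >= 0 &&
            version_cmp(version, ranges[i].last) <= 0)
            return 1;
    return 0;
}

/* Affected versions listed in the S2-045 advisory (CVE-2017-5638). */
static const struct range struts_s2_045[] = {
    { "2.3.5", "2.3.31" },
    { "2.5",   "2.5.10" },
};

int struts_affected(const char *version) {
    return in_ranges(version, struts_s2_045,
                     sizeof struts_s2_045 / sizeof struts_s2_045[0]);
}

/* Constructed inventory (hypothetical entries).  Prints each affected
 * component and returns how many were flagged. */
int audit_inventory(void) {
    static const struct { const char *name; const char *version; } inventory[] = {
        { "org.apache.struts:struts2-core",   "2.3.31" },   /* unpatched   */
        { "org.apache.struts:struts2-core",   "2.5.10.1" }, /* fixed build */
        { "org.apache.commons:commons-lang3", "3.5" },      /* unrelated   */
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        if (strstr(inventory[i].name, "struts2-core") != NULL &&
            struts_affected(inventory[i].version)) {
            printf("AFFECTED: %s %s\n", inventory[i].name, inventory[i].version);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    printf("%d affected component(s) in the inventory\n", audit_inventory());
    return 0;
}
```

The same range check works for any advisory once the inventory exists; the hard part in practice is producing that inventory, which is exactly what the paragraph says most companies lack.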

Heartbleed bug

And vulnerabilities can be left open for years, giving hackers opportunities to do their worst.

Take, for instance, the Heartbleed bug of 2014.

If you aren’t a technical person, you may remember it, vaguely, as that time a couple of years ago where there was some hoopla in the news about online security. Maybe you changed your Yahoo password.

For software developers like me, the Heartbleed bug was nothing short of alarming. The flaw was in OpenSSL, the software that implements the encryption meant to protect network traffic from eavesdropping, and it did the opposite: a missing length check in its TLS heartbeat extension let anyone ask a server to send back up to 64 kilobytes of its memory, which could hold private keys, passwords and session data. It left hundreds of thousands of servers exposed, perhaps half a million different sites and applications, including Yahoo, Google, Dropbox and Facebook, as well as online banking.
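What that missing check looked like, as an added illustration that is not OpenSSL's code: a heartbeat record carries a declared payload length, and the vulnerable server copied that many bytes out of the received record without confirming the record was that long. The memory layout, the secret string and the function names below are constructed; the record format and the fix (the bounds check added in OpenSSL 1.0.1g) follow the real ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed flaw (CVE-2014-0160); not OpenSSL's
 * code.  A TLS heartbeat record on the wire is:
 *   1 byte type | 2-byte big-endian payload length | payload | 16 bytes padding
 * The server echoes the payload.  OpenSSL 1.0.1 through 1.0.1f trusted the
 * declared length and memcpy'd that many bytes from the received record, so a
 * request that claimed a large payload but carried a short one got back
 * whatever sat after the record in server memory. */

#define HB_HDR 3        /* type + 2-byte length */
#define HB_PADDING 16

/* Constructed stand-in for a slice of server memory: the received record at
 * the front, a secret (keys, cookies, passwords on real servers) right after. */
static uint8_t conn_mem[512];
static const char *SECRET = "session-cookie=0123456789abcdef";

/* Write a heartbeat request carrying `payload` but advertising `declared`
 * payload bytes; returns the record's true length on the wire (0 on error). */
size_t build_request(uint8_t *buf, size_t buflen, uint16_t declared, const char *payload) {
    size_t plen = strlen(payload);
    size_t rec_len = HB_HDR + plen + HB_PADDING;
    if (rec_len > buflen) return 0;
    buf[0] = 1;                          /* heartbeat_request */
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HB_HDR, payload, plen);
    memset(buf + HB_HDR + plen, 0, HB_PADDING);
    return rec_len;
}

static uint16_t declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: copies `declared` bytes without checking that the
 * record actually contained them (rec_len is ignored, as the bug did). */
size_t handle_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t outlen) {
    (void)rec_len;
    uint16_t payload = declared_len(rec);
    if (payload > outlen) return 0;
    memcpy(out, rec + HB_HDR, payload);  /* over-read past the record */
    return payload;
}

/* Fixed handler: the 1.0.1g check, silently dropping records whose declared
 * payload does not fit in what was received. */
size_t handle_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t outlen) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    uint16_t payload = declared_len(rec);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return 0;
    if (payload > outlen) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: 2-byte payload, 400 bytes claimed.  Returns 1 if the
 * vulnerable handler leaked SECRET and the fixed handler refused the record. */
int leak_demo(void) {
    uint8_t reply[512];
    memset(conn_mem, 0, sizeof conn_mem);
    size_t rec_len = build_request(conn_mem, sizeof conn_mem, 400, "hi");
    memcpy(conn_mem + rec_len, SECRET, strlen(SECRET));

    size_t n = handle_vulnerable(conn_mem, rec_len, reply, sizeof reply);
    int leaked = n > rec_len && contains(reply, n, SECRET);
    size_t m = handle_fixed(conn_mem, rec_len, reply, sizeof reply);
    return leaked && m == 0;
}

/* Honest request: declared length matches the payload, so the fixed handler
 * echoes it.  Returns the fixed handler's reply length. */
size_t honest_demo(void) {
    uint8_t rec[64], reply[64];
    size_t rec_len = build_request(rec, sizeof rec, 5, "hello");
    return handle_fixed(rec, rec_len, reply, sizeof reply);
}

int main(void) {
    printf("vulnerable handler leaked the secret, fixed one refused: %s\n",
           leak_demo() ? "yes" : "no");
    printf("honest request echoed %zu bytes\n", honest_demo());
    return 0;
}
```

Nothing in the attack is malformed enough to trip a parser or leave a trace in logs: the request is a valid heartbeat with an optimistic length field, which is why the bug went unnoticed for two years and why the fix is a single comparison.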

Among the known consequences: 4.5 million patient records were stolen from a U.S. hospital chain, and about 900 Canadians’ social insurance numbers were taken from the Canada Revenue Agency’s website. The bug was deemed “catastrophic.”

And yet many servers today, more than three years later, still carry the vulnerability, leaving whole caches of personal data exposed. If it were a quilt, it would be as if a whole section had needed to be ripped out and restitched, and even then the job was done imperfectly. It is still weak.

Life in the cloud

As cybercrime becomes pervasive and increasingly sophisticated, everything we hold dear is a target: our elections, our retirement savings, our photos of our children, all stored in the cloud. Think of what you would grab if your house were on fire; much of it now exists in the cloud.

So those of us who are on the back end, stitching away, we often feel a sense of dread. For instance, did you know that much of the software that underpins the entire cloud ecosystem is written by developers who are essentially volunteers? And that the open-source software that underpins 70% of corporate America is vastly underfunded?

The Heartbleed bug, for instance, came from a missing bounds check in code submitted in 2011 to a core developer on the team that maintained OpenSSL at the time. The team consisted of only one full-time developer and three other part-timers.

Underfunded software development

Many of us are less surprised that a bug got through than that it doesn’t happen more often. Despite calls for better funding for such business-critical software development, not much has changed since Heartbleed. The most successful open-source initiatives have corporate sponsors or an umbrella foundation (such as the Apache and Linux foundations). Yet we still have a lot of very deeply underfunded open-source projects creating a lot of the underpinnings of the enterprise cloud. That impairs the long-term maintenance of applications, documentation and developer support.

For any of us building businesses on the cloud, this is something we need to watch. To what extent is the larger tech world responsible for maintaining a healthy and secure cloud ecosystem? I would say: to the extent that your business depends on it.

Lucas Geiger is the CEO of Wireline, which is seeking to raise an open source development fund to help sustain projects through a distribution of funds to the community. Be on the lookout for an application process.

© 2018 Stock Investors News. All rights reserved.