Outside the Box: Don’t be surprised about another Equifax-type breach in 2018

People are rightly infuriated as criminals have already started using stolen data from the Equifax breach to apply for credit cards and file false insurance claims. But developers like me know that there are a lot of weak spots in the modern internet, and in some ways it’s surprising these kinds of catastrophic breaches don’t happen more often.

Imagine that the internet is a massive, complicated quilt, hand-stitched together by craftspeople from around the world, a dizzying composition of varied, intricate, colorful designs.

Looking at the finished front side of such a project, it looks polished and neat. You would not see the varying strengths of the fabrics, the tiny stitches and the missed ones, or the knots and rough edges on the back that hold it all together. Nor would you know how widely the skills of the people who worked on it differed, or where the weak spots are.

Internet’s flaws

In many ways this is the modern internet, where intense labor and focus by developers, paid and unpaid, have created the amazing "it just works" experience. But we developers behind the scenes, stitching all of the code together, understand the complexity and, yes, the mistakes and flaws that are inevitable.

The economy relies on the internet to function: for banking, for communications, for the transportation networks that deliver everything from our food to our Christmas presents. It's alarming how patchy things can actually be in the cloud, and more alarming still to understand that no one is really in charge when a vulnerability turns up.

We're infuriated by the Equifax breach, and we should take little reassurance from the explanation of how it happened. Equifax said attackers exploited a vulnerability in Apache Struts, the open-source web framework the company was using in one of its systems.

The Apache Software Foundation had issued a patch for the flaw two months earlier. It was clearly sloppy that Equifax fell behind on keeping its software up to date, but it's hardly unusual. In fact, many companies don't even have a complete inventory of the open-source components they are running, and you cannot patch what you don't know you have.

Heartbleed bug

And vulnerabilities can be left open for years, giving attackers plenty of time to do their worst.

Take, for instance, the Heartbleed bug of 2014.

If you aren't a technical person, you may remember it, vaguely, as that time a few years ago when there was some hoopla in the news about online security. Maybe you changed your Yahoo password.

For software developers like me, the Heartbleed bug was nothing short of alarming. The security flaw in OpenSSL, the library that is meant to safeguard connections from eavesdropping, did the opposite: it let anyone read fragments of a server's memory, leaving thousands of servers vulnerable and compromising perhaps half a million different sites and applications, including Yahoo, Google, Dropbox and Facebook, as well as online banking.

Among the known consequences: 4.5 million health-care records were compromised, and 900 Canadians' social insurance numbers were stolen. It was deemed "catastrophic."

And yet, years later, many servers today still carry the vulnerability, leaving whole caches of personal data exposed. If it were a quilt, it would be as if a whole section had to be ripped out and restitched, and even then the job was done imperfectly. It's still weak.

Life in the cloud

As cybercrime becomes pervasive and increasingly sophisticated, everything we hold dear is an attack target: our elections, our retirement savings, our photos of our children, all stored in the cloud. Think of the things you would grab if your house were on fire: much of that now exists in the cloud.

So those of us who are on the back end, stitching away, often feel a sense of dread. For instance, did you know that much of the software underpinning the cloud ecosystem is written by developers who are essentially volunteers, and that the open-source software relied on by 70% of corporate America is vastly underfunded?

The Heartbleed bug was introduced by an error in code submitted in 2011 to a core developer on the team that maintained OpenSSL at the time. That team consisted of one full-time developer and three part-timers.
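The error behind Heartbleed was a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: the server echoed back as many bytes as the peer's length field claimed, without checking that that many bytes had actually arrived, so the reply carried whatever happened to sit next to the request in memory. What follows is an added, simplified reconstruction written for this page, not OpenSSL's code; the record layout is trimmed down, and the simulated memory array, the fake session key and the "lying" 60-byte request are all constructed for the demonstration so that it runs safely in one process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified TLS heartbeat record (after RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The payload_length field is chosen by the peer, which is exactly the problem. */
#define HB_HEADER   3
#define HB_PADDING  16

/* Simulated process memory (constructed for this example): the received record
 * sits at the front and whatever follows stands in for adjacent heap data, here a
 * made-up session key. Keeping everything in one array keeps the demo memory-safe. */
#define MEM_SIZE 256
static unsigned char g_memory[MEM_SIZE];
static const char SECRET[] = "SECRET-SESSION-KEY-0123";   /* constructed, not a real key */

/* Writes a heartbeat request into g_memory. declared_len is the length the sender
 * claims; actual_len is how many payload bytes are really sent. Returns the real
 * on-the-wire record length. */
size_t build_record(uint16_t declared_len, const unsigned char *payload, size_t actual_len)
{
    memset(g_memory, 0, MEM_SIZE);
    g_memory[0] = 1;                                    /* heartbeat_request */
    g_memory[1] = (unsigned char)(declared_len >> 8);
    g_memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(&g_memory[HB_HEADER], payload, actual_len);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    memcpy(&g_memory[record_len], SECRET, sizeof SECRET); /* "neighbouring" heap data */
    return record_len;
}

/* Vulnerable handler: echoes payload_len bytes back, trusting the field in the
 * message and never comparing it with the size of the record actually received. */
long heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                          unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len > MEM_SIZE ||
        HB_HEADER + (size_t)payload_len + HB_PADDING > out_cap)
        return -1;                                      /* simulation guard only, not part of the real bug */
    out[0] = 2;                                         /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[HB_HEADER], &rec[HB_HEADER], payload_len); /* reads past the real payload */
    memset(&out[HB_HEADER + payload_len], 0, HB_PADDING);
    return (long)(HB_HEADER + payload_len + HB_PADDING);
}

/* Fixed handler: the declared length must fit inside the record that arrived,
 * together with the header and minimum padding; otherwise the message is dropped. */
long heartbeat_fixed(const unsigned char *rec, size_t record_len,
                     unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING)
        return -1;                                      /* cannot even hold an empty payload */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > record_len)
        return -1;                                      /* the missing bounds check */
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > out_cap)
        return -1;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[HB_HEADER], &rec[HB_HEADER], payload_len);
    memset(&out[HB_HEADER + payload_len], 0, HB_PADDING);
    return (long)(HB_HEADER + payload_len + HB_PADDING);
}

/* Returns 1 if the constructed secret appears anywhere in a response buffer. */
int response_leaks_secret(const unsigned char *out, long len)
{
    size_t slen = strlen(SECRET);
    if (len < 0 || (size_t)len < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)len; i++)
        if (memcmp(&out[i], SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[MEM_SIZE];
    /* Honest request: 4-byte payload, declared length 4. Both handlers answer it. */
    size_t rl = build_record(4, (const unsigned char *)"ping", 4);
    printf("fixed, honest request:     %ld bytes\n", heartbeat_fixed(g_memory, rl, out, sizeof out));
    /* Lying request: the same 4 bytes, but a declared length of 60. */
    rl = build_record(60, (const unsigned char *)"ping", 4);
    long n = heartbeat_vulnerable(g_memory, rl, out, sizeof out);
    printf("vulnerable, lying request: %ld bytes, secret leaked: %s\n", n,
           response_leaks_secret(out, n) ? "yes" : "no");
    printf("fixed, lying request:      %ld (dropped)\n", heartbeat_fixed(g_memory, rl, out, sizeof out));
    return 0;
}
```

The whole difference between the two handlers is one comparison of the peer-supplied length against the length of the record that actually arrived; in the real library a 64 KB upper bound on the field meant each request could pull up to that much adjacent memory, and nothing stopped a client from asking again and again.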

Underfunded software development

Many of us are less surprised that a bug got through than that it doesn't happen more often. Despite calls for better funding for such business-critical software development, not much has changed since Heartbleed. The most successful open-source initiatives have corporate sponsors or an umbrella foundation (such as the Apache and Linux foundations). Yet we still have a lot of deeply underfunded open-source projects creating much of the underpinnings of the enterprise cloud. That impairs the long-term maintenance of applications, documentation and developer support.

For any of us building businesses on the cloud, this is something we need to watch. To what extent is the larger tech world responsible for maintaining a healthy and secure cloud ecosystem? I would say: to the extent that your business depends on it.

Lucas Geiger is the CEO of Wireline, which is seeking to raise an open source development fund to help sustain projects through a distribution of funds to the community. Be on the lookout for an application process.

© 2018 Stock Investors News. All rights reserved.