Outside the Box: Don’t be surprised about another Equifax-type breach in 2018

People are rightly infuriated as criminals have already started using stolen data from the Equifax breach to apply for credit cards and file false insurance claims. But developers like me know that there are a lot of weak spots in the modern internet, and in some ways it’s surprising these kinds of catastrophic breaches don’t happen more often.

Imagine that the internet is a massive, complicated quilt, hand-stitched together by craftspeople from around the world, creating variety and intricacy of colorful designs laid out in a dizzying composition.

Looking at the finished, front side of such a project, it looks polished and neat. You might not even begin to understand the varying strengths of fabric, all of the tiny stitches, and the missed stitches, as well as the knots and rough edges on the back side that are holding things together. You would not know much about the wide differentiation in the capabilities of the various individuals working on it, and the weak spots.

Internet’s flaws

In many ways this is the modern internet, where intense labor and focus by developers, paid and unpaid, have created the amazing “it just works” experience. But we developers behind the scenes, stitching together all of the code, understand the complexity and, yes, even mistakes and flaws that are inevitable.

The economy relies on the internet to function — for banking, for communications, for transportation networks that deliver everything from our food to our Christmas presents. It’s alarming how patchy things can actually be in the cloud. And even more so, to understand that no one is really in charge when there’s a vulnerability.

We’re infuriated by the Equifax breach, and we should probably feel little reassured by the explanation of how it happened. Equifax said hackers exploited a vulnerability in the open-source Apache software the company was using in one of its systems.

The Apache Foundation had issued a patch for the flaw two months earlier. It was clearly sloppy that Equifax fell behind on keeping its software up to date. But it’s hardly unusual. In fact, many companies are not fully aware of all of the software components they are using from the open-source community.

Heartbleed bug

And vulnerabilities can be left open for years, giving hackers opportunities to do their worst.

Take, for instance, the Heartbleed bug of 2014.

If you aren’t a technical person, you may remember it, vaguely, as that time a couple of years ago where there was some hoopla in the news about online security. Maybe you changed your Yahoo password.

For software developers like me, the Heartbleed bug was nothing short of alarming. The security flaw in the OpenSSL software, which is meant to safeguard computer networks from eavesdropping, actually did the opposite: It left thousands of servers vulnerable, compromising perhaps half a million different sites and applications such as Yahoo, Google, Dropbox and Facebook, as well as online banking.

Among the known hacks: 4.5 million health-care records were compromised, 900 Canadians’ social insurance numbers were stolen. It was deemed “catastrophic.”

And yet many servers today — two years later! — still carry the vulnerability, leaving whole caches of personal data exposed. If it were a quilt, it would be as if a whole section needed to be ripped out and restitched, and even then it was done imperfectly. It’s still weak.

Life in the cloud

As cybercrime becomes pervasive and increasingly sophisticated, everything we hold dear is an attack target: our elections, our retirement savings, our photos of our children — all stored in the cloud. Think about anything you’d want to secure if your house were on fire: much of it now exists in the cloud.

So those of us on the back end, stitching away, often feel a sense of dread. For instance, did you know that much of the software that underpins the entire cloud ecosystem is written by developers who are essentially volunteers? And that the open-source software that underpins 70% of corporate America is vastly underfunded?

The Heartbleed bug, for instance, was created by an error in some code submitted in 2011 to a core developer on the team that maintained OpenSSL at the time. The team was made up of only one full-time developer and three other part-timers.

Underfunded software development

Many of us are less surprised that a bug had gotten through than that it doesn’t happen more often. Despite calls for better funding for such business-critical software development, not much has changed since Heartbleed. The most successful open-source initiatives have corporate sponsors or an umbrella foundation (such as the Apache and Linux foundations). Yet we still have a lot of very deeply underfunded open-source projects creating a lot of the underpinnings of the enterprise cloud. That impairs the long-term maintenance of applications, documentation and developer support.

For any of us building businesses on the cloud, this is something we need to watch. To what extent is the larger tech world responsible for maintaining a healthy and secure cloud ecosystem? I would say: to the extent that your business depends on it.

Lucas Geiger is the CEO of Wireline, which is seeking to raise an open source development fund to help sustain projects through a distribution of funds to the community. Be on the lookout for an application process.
