I was the responsible IT manager, over all devs, admins, ops and security.
Reviewed all contracts and implementations, upon taking over the job.
Discovered some seriously bad stuff.
Developed plan to *quietly*, discreetly, repair over short time period.
"Rebury the bodies"
Turned out the responsible party was the CEO's favorite, "baby shark".
Got cardboard boxed. Out day after board presentation.
So it goes.
All of those devs, techs and security people who moan about the lack of management support?
How many of you have ever supported or somehow defended *any* manager who tried to help you, to do the right thing?
Speaking personally, I would guess
Maybe you have all been luckier.
You are, of course, entirely correct.
I will present my apology, in person, to Zeus, upon my next visit.
Thank you! Seriously! I was so upset about the stupidity of this, that I overlooked the perfect word to describe them!
Just when you think that you have grown beyond caring, these guys manage to poke beneath the shield and hit the "AAAAAARRRGGGHH" button !!
I am sorry for taking this seriously, but after the Bank Bailouts, the corruption, the incompetency, the cover-ups and the sheer fuck-wittery of the past
years, they attack OPEN SOURCE BROWSERS !!
What more can one expect from politicians that:
- kowtowed to the EU on the Maastricht Treaty re-Vote, (It puts the lotion in the basket, and votes again and again until the answer is YES)
- sold 3 generations of their own people out, in the form of a bank bailout for *private* non-system critical banks,
- have no concept of Justice whether social, civil or criminal
- have no concept of public probity, of duty or what to be a servant of the people actually means
- assume in blind arrogance that their own short-sighted, small-town, bigoted, religion-ridden, never questioned views are "NORMALITY"
and those of everyone else, are simply illegal.
In short. Olympic level Assholes.
Winking and smiling and smirking, crapping out their "hokey/folksy" catchphrases, with constant shit eating grins.
Concepts such as free speech, right to privacy, equal treatment before the law, due process,
women's rights (especially reproductive rights),
out of hand, by these troglodytes.
For example, the implicit assumption that *all pornography* is simply illegal!
The US and Britain have blanket surveilled every Irish citizen for generations, and this cringing *lackey*
assumes that *law enforcement* was the purpose.
Call me harsh, but I interpret the failure of elected representatives to protect
in the face of blatant intrusions, as more than incompetence, more than failure.
It is treachery.
Following the usual, endless cycle, whenever social unrest threatens, the Haves in Ireland
push the Have-nots to emigrate. Since, conveniently, the non-resident cannot vote, there
was, is and will never be any pressure on the ruling elite to change any of their policies.
And nothing changes.
I dream of another Ireland.
A country where an informed electorate hold their elected leaders to account, demand the
definition and enforcement of just laws which protect individual and public rights.
A truly Free Ireland.
Until then, I apologise to the world that we are represented by these fools and that
you have to listen to their blather.
Precisely. Dissent, in any shape or form, is *not* tolerated.
And you know it
I really thought the same thing, but found out that
life doesn't always turn out how you think.
I excelled and prospered, for 20 years. From dev to Senior,
to team lead, Architect, Dept lead, division leader and CTO.
Including SW dev, IT ops and heavy, heavy doses of security.
And it is really like your life-gem has expired.
"You're really great, but we just don't hire anybody over 40,
and certainly no techs over 35
There is not even anyone to argue with, just flat rejection.
So I wish you luck with your career. Hope it works out for you.
You should treasure the fact that you work in an org. where people care enough to even try!
If you are smart, cynical and cunning, (strongly recommended for security professionals!),
you can channel this into a benefit for you, your group and the whole company.
If you "Deputize" the eager-beavers, then it gives you a lot more eyes and ears.
Yes, sadly, you will have the annoying "I Just Read
the involvement is in reality, an illusion, you still get more back than you invest.
With, of course, the concept of responsibility, focus, and "handover"
"Thank you for bringing this to our attention, you are, indeed, so-cool,
and now we can take it further, leaving you to get on with the things the
company actually pays you for
The best example I've ever seen of this, is the Starling speech to the
troopers in the Silence of the Lambs.
A small barrier to entry, to keep out the assholes, is also advised.
A monthly, unpaid, evening meeting for the "security" associates,
with some feedback, news, updates and a doughnut, keeps things
In the end, as Corporate Security, you can either act like an occupying army,
or a police force that operates with the support of your users.
Treat your users like shit, and they will notice, and they will not have your back.
Of course, this is no guarantee that if you treat them well, they won't
stab you in the back anyway, but
that you will get to see the worst that people have to offer,
The really cynical would point out that if you really were an occupying army,
then you should be smart enough to build up your "cadre" of supporters,
without visible points-of-protest, and for "counter-intel" usage
Actually Man-in-the-Middle transparent proxies, which intercept
and monitor SSL/TLS traffic, are now standard in most corps.
You don't get a browser alert since the corporate "fake" CA
is pre-installed as trusted in your browsers by the corp's IT.
So, yes, basically
Oh! And using Cisco "policy based routing", or WCCP2 or
other networking mojo, you cannot decide to skip the proxy,
from your client.
just be matched versus the destination port, so your genius
attempts to ssh to your external server running on tcp/443,
will not only be blocked, you will be flagged and tagged.
Solution? Just use your own equipment with either built
in 3/4G connections, or just tether across your personal
Caesar and Rome
So, since 2010 the percentage of developers 40+ is shrinking?
And worldwide converging on 35?
Which means, unless there is a "Carousel" scenario, that
developers are both being fired, then not rehired, after 35 years old.
Which agrees with what I have been seeing for the past 2 years.
Is it clear to software people that they have a 10 to 15 year "shelf-life",
with the associated limited earning potential?
I thought the experiment goal was: To see into how many tins they can fit a whale
Ahh! Fun followup!
VW *have* an encrypted 1024-bit ECU solution in place,
but this looks aimed at the chipper/modders.
We all look forward to reading the details when the academics
publish or, should it leak
This is getting old, since how many times has this been repeated in the past years?
If you notify, so that good companies can analyse, patch and protect customers,
then you risk that "bad" companies will play "sly" and just sue you to stop the
information, rather than fix the problem. Or even better, fit you up for an attempted
extortion defense or shift the blame onto the reporter, using spin.
Most modern companies deny the existence of *any* responsibility to their customers,
employees or communities (natural, governmental or academic).
So why the expectation of different behaviour when it comes to security?
Actually, these issues are pretty useful when it comes to deciding on which
products to purchase, since you get to see the real ugly shapes behind the PR
VW have pioneered the use of reduced, only 2-year warranties, at least in Europe,
without lowering the price of their cars. Support is not a priority factor for them.
Security has obviously been a low priority issue that they have decided *not* to
"waste" money on.
If the issue is really as reported, that given access (either physical or via some wifi "probe"),
to the controller unit (CAN?) for the ECUs, since VW did not add encryption, authentication
or serious security, an intruder can control a lot of things in the car, even while it is
Which means that VW would:
1. Need not only updated software to fix the controller, they would probably need some
hardened hardware, probably including some TPM/tamperproof elements.
2. Need new supplier handling, development, testing, support and dealer support mechanisms.
3. Have to build a "PKI"-type infrastructure for their dealers, including identification/registration
key distribution and other key handling nightmares.
4. To avoid the potential liability issues, they might also need some additional components to
provide "black box" audit mechanisms, similar to flight recorders. Again with crypto,
tamper-proofing and crash resistance.
Which is all EXPENSIVE. And OBVIOUS. And offers dealer chain lockin and other
non-competitive medium+ term advantages.
So, apparently faced with an entirely foreseeable issue, VW chose the cheap option, and
now it has blown up in their faces. So they have to fix this, then do it right anyway.
And, depressingly predictably, what was the response?
Did they play the quality card, roll with it and try to convert it into a "branding"
op, while actually addressing the issue?
They sent in the lawyers.
Stifle discussion, threaten academics and try to kick the problem away under the table.
I would also bet that they are right now lobbying for new "responsible reporting" laws,
at German and EU levels.
Appearance, not substance.
Well, I won't be buying a VW, Audi, Skoda, Seat anytime soon.
To generalise, unless a company has contracted you to analyse and report on their products,
then what obligation or benefit do you have to report anything to them?
If you contact them to report an issue, companies have tried to frame you for extortion in order
to suppress the security vulnerability. "No comment on judicial process"
Publish and be damned, though the Heavens Fall.
He was 59 years old, and loved by many."
Good point. Perhaps a summary of Iain's work and philosophy
would be of assistance to those who haven't tripped across them, but I am really too
shocked and depressed by the news to compose one.
I'm sitting here with a brand new copy of Stonemouth, lying unread on the table,
freshly delivered, but instead of reading it, I'm just staring out at the snow falling
and remembering all the other books, where I was when I read them, and the
people I was once with.