[ale] Freelance web-devs make in-secure sites

DJ-Pfulio DJPfulio at jdpfu.com
Thu Jun 8 08:27:35 EDT 2017


Perhaps IoT devices need this too?

Bruce Schneier's blog ...
https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html
"Last year, on October 21, your digital video recorder — or at least a
DVR like yours — knocked Twitter off the internet. Someone used your
DVR, along with millions of insecure webcams, routers, and other
connected devices, to launch an attack that started a chain reaction,
resulting in Twitter, Reddit, Netflix, and many sites going off the
internet. You probably didn't realize that your DVR had that kind of
power. But it does."


A few years ago, during a national election in a smaller country, the
entire country was taken offline using internet attacks.

IoT (or Internet-of-Shit) devices have amplified this power.


On 06/08/2017 08:09 AM, Jim Kinney wrote:
> Hah!
> 
> Sad but true.
> 
> Certain aspects of programming should be required to be
> run/directed/managed by licensed professional engineers. Finance,
> utilities, and medical are the top three for me that scream for real
> professional programming. We don't let precocious high schoolers build
> bridges just because they were really good with lego blocks. Engineering
> of physical things protects itself with professional standards.
> Engineering of virtual things needs to do the same.
> 
> On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com> wrote:
> 
>     For $250 they got about what they paid for.
> 
>     On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <DJPfulio at jdpfu.com> wrote:
> 
>         Of the 17 commissioned projects by Tripwire (a security firm), 10
>         websites were completed and purchased.
> 
>         The researchers found that every website had critical security
>         failures.
>         Read more here:
> 
>         https://www.helpnetsecurity.com/2017/06/08/website-security/
> 
>         * Unauthorized users allowed (all) - Check
>         * Allowed hackers to upload a PHP webshell (all) - Check
>         * Allowed auth bypass via SQL injection (several) - Check
>         * Allowed content modification via SQL injection (half) - Check
> 
>         Short, but interesting read.
