[ale] Freelance web-devs make insecure sites

Jim Kinney jim.kinney at gmail.com
Thu Jun 8 08:45:54 EDT 2017


The merest hint of "set and forget" devices left live online forever scares
the poo out of me. Colossally stupid idea. Add the "use of this device
releases the manufacturer of all liability" license crap and it starts
looking like a smokers convention at a fireworks factory.

There's a responsibility level that software production just hasn't
accepted yet. Sometimes 'release early, release often' is really translated
to 'break early, break often, release anyway'.



On Jun 8, 2017 8:31 AM, "DJ-Pfulio" <DJPfulio at jdpfu.com> wrote:

> Perhaps IoT devices need this too?
>
> Bruce Schneier's blog ...
> https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html
> "Last year, on October 21, your digital video recorder — or at least a
> DVR like yours — knocked Twitter off the internet. Someone used your
> DVR, along with millions of insecure webcams, routers, and other
> connected devices, to launch an attack that started a chain reaction,
> resulting in Twitter, Reddit, Netflix, and many sites going off the
> internet. You probably didn't realize that your DVR had that kind of
> power. But it does."
>
>
> A few years ago during a national election in a smaller country, the
> entire country was taken off line using internet attacks.
>
> IoT (or Internet of Shit-devices) have amplified this power.
>
>
> On 06/08/2017 08:09 AM, Jim Kinney wrote:
> > Hah!
> >
> > Sad but true.
> >
> > Certain aspects of programming should be required to be
> > run/directed/managed by licensed professional engineers. Finance,
> > utilities, and medical are the top three for me that scream for real
> > professional programming. We don't let precocious high schoolers build
> > bridges just because they were really good with lego blocks. Engineering
> > of physical things protects itself with professional standards.
> > Engineering of virtual things needs to do the same.
> >
> > On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com> wrote:
> >
> >     For $250 they got about what they paid for.
> >
> >     On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <DJPfulio at jdpfu.com> wrote:
> >
> >         Of the 17 commissioned projects by Tripwire (a security firm), 10
> >         websites were completed and purchased.
> >
> >         The researchers found that every website had critical security
> >         failures.
> >         Read more here:
> >
> >         https://www.helpnetsecurity.com/2017/06/08/website-security/
> >
> >         * Unauthorized users allowed (all) - Check
> >         * Allowed hackers to upload a PHP webshell (all) - Check
> >         * Allowed auth bypass via SQL injection (several) - Check
> >         * Allowed content modification via SQL injection (half) - Check
> >
> >         Short, but interesting read.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>