CrankySec

We don't learn

The other day on our Discord, I linked to the Chicago Electrical Code to maybe make some obvious point about the need for standards and the enforcement of said standards. I don't remember, so don't quote me. The subject kind of ballooned from there, and it got me reading things like the NERC CIP, the fucking National Highway Institute's Design and Construction of Driven Pile Foundations - Volume I (thanks, Grady), shit from ASTM International (née American Society for Testing and Materials), the IEEE, ANSI, ISO, NIST, the European Committee for Standardization, BSI, and things of that nature. I really like standards.

Then, after this amazing marathon of "people writing shit down today so the next dude doesn't have to learn how to do quotidian things the hard way tomorrow", I stumbled upon an article titled "OpenAI hit by two big security issues this week" that got me thinking about how fucking horrible these bIg tEcH programmers are. It's easy for me to sit here and type some shit like a Monday morning code reviewer, but, bro... This is an (allegedly) 80 billion dollar company. A company that's in the news every fucking day. A company that (allegedly) can attract and pay for the best of the best. The only thing I can surmise here is that what they consider to be the best is shit, and they should never, ever, ever call themselves engineers. Engineering has fucking standards. One search would solve this issue. As we've learned, writing shit down today so the next dude doesn't have to learn how to do quotidian things the hard way tomorrow. You gotta read what's been written, though.

What happens when the people who write software YOLO-style like this end up working for, I don't know, a company that makes airplanes? Or pacemakers. Or nuclear reactors. Or anything that will cause a lot of people to have a bad day if it goes wrong? Do people who write software for critical infrastructure, medical devices, and other things that can kill you if you don't take proper care avoid contact with people from FAAAANFGOAS companies, lest they become infected with the "mOvE fAsT aNd BrEaK tHiNgS" virus and start breaking things that should not break? In other words, you should only break things that don't matter.

And that's what it boils down to: your data don't matter. If it did, the protection of your data would be mandated and enforced by now. And it isn't, as demonstrated by the many pieces of mail I receive every other week informing me that my data was stolen from a company I didn't even know existed. Not only is your personal data not protected, it is being actively bought and sold for a profit. You know Experian, Equifax, and TransUnion. Ever heard of Radaris? Or Inforver? Acxiom? Exactly. The fact that Equifax is still in business tells you everything you need to know about this. The fact that these companies even exist is all the proof you need that the people who should be looking out for you don't give a shit about your data. And don't give me that "if you're not doing anything wrong..." bullshit. Privacy is fundamental in a functioning society. Allowing our data to be collected, sold, and exploited is a choice that was made on your behalf.

So, how come fuck-ups like these keep happening even though the solutions to the overwhelming majority of cybersecurity problems have been available for a while now? Because your data don't matter. Because almost nothing happens when Equifax fucks up. Or Microsoft. Or Meta. We, as a society, through our representatives, decided that these companies should be allowed to fuck up with very little consequence. If any. In fact, they should be allowed to do whatever the fuck they want, including burning the planet to fuel some stupid autocomplete that even diehard capitalists think might be useless.

Once upon a time, I worked for a company that cyber insurers wouldn't touch with a 10-foot pole. They found the industry in general to be too risky, and the company in particular to be too "immature" for the insurers' risk appetite. What if we, as a society, through our representatives, decided that companies like that should not be allowed to operate without cyber insurance? You know, like we do with other shit. I can't drive a car out of the dealership without insurance. If a business is uninsurable, it shouldn't be a business. And, while we're at it, throw some provisions in there to make sure the customers, who are always getting fucked, get paid, too.

If your house bursts into flames, or someone is electrocuted to death because you didn't follow section 404.2 of the National Electrical Code, the insurance company can very well refuse to cover the damages. The same should happen to companies that didn't follow, I dunno, pick one of the several cybersecurity standards available. Shit, pick the SCF and don't worry about having too many choices! Mandating cyber insurance and enforcing adherence to cybersecurity standards would solve a lot of the issues we have today because those issues are mainly due to dumbassery. Encrypt sensitive data. Use MFA. Sanitize user input. Write shit in a memory-safe language. Do these things properly and 95% of your cybersecurity problems will be handled. But, no. Because these companies are more worried about people's ability to write binary tree algorithms on a whiteboard than their ability to write readable, coherent, secure code.
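Since "sanitize user input" is on that list, here is what the long-solved version of that problem looks like in practice. This is an added example, not code from the post or from any company it mentions: the same login check built two ways against an in-memory SQLite database with constructed sample rows, first by pasting user input into the SQL text, then with parameterized queries. The table, the accounts and the attacker payload are all made up for the demo.

```python
"""Added illustration (not from the original post): "sanitize user input"
as the difference between building SQL by string formatting and using
parameterized queries. Runs offline against an in-memory SQLite database
with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts.

    Passwords are stored as plaintext only to keep the injection demo
    short; real code stores a salted hash, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user-controlled strings become part of the SQL grammar."""
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the data out of the query grammar, so the
    payload is compared as a literal string and simply fails to match."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed attacker input: turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both versions with the payload and with a genuine password."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_bypassed": login_safe(conn, "alice", PAYLOAD),
        "safe_real_login": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The point is not the payload, which has been public since the late nineties, but that the fix is one placeholder character and a tuple. Nothing in the hardened version is new, exotic, or expensive; it is the boring, written-down way of doing the quotidian thing.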

It's time shit like this changes. Not only have we been dealing with the same problems since fucking forever, we keep inventing new "solutions" to problems that were solved long ago. We keep the Shirky Principle alive. Join us. Let's figure out a way out of this mess because we need to start making use of the things we've learned the hard way. You can also hire me so I can say this shit to your face.