Thank you.
All we ever hear, is the "party line" regarding these issues.
I needed to know that it is not over.
Cheers.
I am curious.
Do people in America really support this?
Are you aware of the path you are on?
Are you really ignorant of where this leads to?
Are you all in agreement?
Then you have never worked for a modern commercial, technical company!
+ *All* benefits go to management, so their incentive is low cost, rapid delivery.
+ Any and all negatives, are laid on the heads of the technical staff, so again
the incentive for management is low cost, rapid delivery.
+ While the technical staff, sometimes, have a different opinion, by definition
nobody cares, since they are "non management". Monkeys make noise? They get the hose.
If by a miracle, the techs manage to actually do competent "Design, construct, test, ship" loops,
then they will be head-count reduced, since there is "fat" there. Wash, repeat.
The reality is that a trained chimp with Google, and either Office or some open source components
and 2 weeks worth of web-design, can duct tape together a minimal version that can fulfill at
least *some* of the customer's requirements. Even if only the color!
Obviously it will be crud, with low performance, no security and completely unmaintainable.
But this becomes the baseline cost!
What are customers willing to pay, over that cost, for the additional quality?
Guess what! NOTHING.
To pay the bonii, investors and the marketing costs, what are most modern tech companies willing
to pay, as a premium, for their employees, to exceed that baseline?
Guess again. Little or nothing.
This is not 1985. Software guys should be aware that electricians, plumbers and car mechanics have
better prospects, more pay and get paid overtime.
The only thing worse, is QA.
I know what happens now ... Vampires, end of world, bad acting, dead dogs and lots of dodgy special effect monsters.
And Emma Thompson. So not all bad ...
Ah! But the Jocks uphold the system!
Those who support, always get special treatment, the only sin being to challenge established "Truths".
So, if the Jocks beat on the weak, the marginal, the dissenters, then they will be either ignored
or discreetly applauded and supported.
And by Jocks, I mean Police, LEO, Spooks, and the various pillars of society.
I really wish that I was wrong.
I wish that things were not, what they have become.
Precisely!
Were you not listening, reading or watching for the past decade?
What did you not understand?
This. Is. Corporatism! (Not Sparta! 8-))
An under-educated class, born to be in debt, endlessly conditioned to obey, bred under pain of punishment, to Serve.
In this model, Authority is there to Rule, not to Adjudicate, so any attempt, no matter how trivial, to resist, to dissent, or,
as in this case, to provide any alternative to the Authority defined and controlled processes, will *always* be harshly punished.
As subversive.
Appeals for protection justify further exploitation, since the weak deserve to be hurt, and the system serves only the strong.
Might is Right, and don't bleed on the floor.
The only element missing is religion: "If Jaysus loved you, you wouldn't be picked on".
This school has a board.
This municipality has elected officials.
The Majority of the people in this area voted for this.
Your neighbours, colleagues and fellow-parents?
They want this.
This is what modern Western society has become.
I am a respected employee and colleague, and by collaborating we will build
interesting products, to be proud of. By working hard and learning more, I
will be promoted and paid more. Ultimately, I will reach retirement age and
spend an enjoyable time with my family, in retirement, perhaps even as
a non-executive director, until I die, of old age, surrounded by my loving
family, in my own bed.
As. If.
Have fun with that ...
Mobilkom Austria?
I was the responsible IT manager, over all devs, admins, ops and security.
Reviewed all contracts and implementations, upon taking over the job.
Discovered some seriously, bad stuff.
Developed plan to *quietly*, discreetly, repair over short time period.
"Rebury the bodies"
Turned out the responsible party was the CEO's favorite, "baby shark".
Got cardboard boxed. Out day after board presentation.
So it goes.
Interesting point:
All of those devs, techs and security people who moan about the lack of management support?
How many of you have ever supported or somehow defended *any* manager who tried to help you, to do the right thing?
Speaking personally, I would guess ... None of you. "Not my problem" attitude, up and down.
Maybe you have all been luckier.
You are, of course, entirely correct.
I will present my apology, in person, to Zeus, upon my next visit.
Thank you! Seriously! I was so upset about the stupidity of this, that I overlooked the perfect word to describe them!
Gobshites!
Just when you think that you have grown beyond caring, these guys manage to poke beneath the shield and hit the "AAAAAARRRGGGHH" button!!
I am sorry for taking this seriously, but after the Bank Bailouts, the corruption, the incompetency, the cover-ups and the sheer fuck-wittery of the past
years, they attack OPEN SOURCE BROWSERS !!
What more can one expect from politicians that:
- kowtowed to the EU on the Maastricht Treaty re-Vote, (It puts the lotion in the basket, and votes again and again until the answer is YES)
- sold 3 generations of their own people out, in the form of a bank bailout for *private* non-system critical banks,
- have no concept of Justice whether social, civil or criminal
- have no concept of public probity, of duty or what to be a servant of the people actually means
- assume in blind arrogance that their own short-sighted, small-town, bigoted, religion-ridden, never questioned views are "NORMALITY"
and those of everyone else, are simply illegal.
In short. Olympic level Assholes.
Winking and smiling and smirking, crapping out their "hokesy/folksy" catchphrases, with constant shit eating grins.
Concepts such as free speech, right to privacy, equal treatment before the law, due process,
women's rights (especially reproductive rights), ... are considered amusing or just dismissed,
out of hand, by these troglodytes.
For example, the implicit assumption that *all pornography* is simply illegal!
The US and Britain have blanket surveilled every Irish citizen for generations, and this cringing *lackey*
assumes that *law enforcement* was the purpose.
Call me harsh, but I interpret the failure of elected representatives to protect the rights of their citizens,
in the face of blatant intrusions, as more than incompetence, more than failure.
It is treachery.
Following the usual, endless cycle, whenever social unrest threatens, the Haves in Ireland
push the Have-nots to emigrate. Since, conveniently, the non-resident cannot vote, there
was, is and will never be any pressure on the ruling elite to change any of their policies ... the opposition is simply disenfranchised.
And nothing changes.
I dream of another Ireland.
A country where an informed electorate hold their elected leaders to account, demand the
definition and enforcement of just laws which protect individual and public rights.
A truly Free Ireland.
Until then, I apologise to the world that we are represented by these fools and that
you have to listen to their blather.
Precisely. Dissent, in any shape or form, is *not* tolerated.
And you know it ...
Xest,
I really thought the same thing, but found out that
life doesn't always turn out how you think.
I excelled and prospered, for 20 years. From dev to Senior,
to team lead, Architect, Dept lead, division leader and CTO.
Including sw dev, it ops and heavy, heavy doses of security.
And then ... 40.
And it is really like your life-gem has expired.
"You're really great, but we just don't hire anybody over 40,
and certainly no techs over 35 ...".
There is not even anyone to argue with, just flat rejection.
So I wish you luck with your career. Hope it works out for you.
You should treasure the fact that you work in an org. where people care enough to even try!
If you are smart, cynical and cunning, (strongly recommended for security professionals!),
you can channel this into a benefit for you, your group and the whole company.
If you "Deputize" the eager-beavers, then it gives you a lot more eyes and ears.
Yes, sadly, you will have the annoying "I Just Read ...." know-it-alls, but even if
the involvement is in reality, an illusion, you still get more back than you invest.
With, of course, the concept of responsibility, focus, and "handover" ...
"Thank you for bringing this to our attention, you are, indeed, so-cool,
and now we can take it further, leaving you to get on with the things the
company actually pays you for ..."
The best example I've ever seen of this, is the Starling speech to the
troopers in the Silence of the Lambs.
A small barrier to entry, to keep out the assholes, is also advised.
A monthly, unpaid, evening meeting for the "security" associates,
with some feedback, news, updates and a doughnut, keeps things
running well.
In the end, as Corporate Security, you can either act like an occupying army,
or a police force that operates with the support of your users.
Treat your users like shit, and they will notice, and they will not have your back.
Of course, this is no guarantee that if you treat them well, they won't
stab you in the back anyway, but ... as a security person, you already know
that you will get to see the worst that people have to offer, ... anyway.
The really cynical would point out that if you really were, an occupying army,
then you should be smart enough to build up your "cadre" of supporters,
without visible points-of-protest, and for "counter-intel" usage ...
Actually Man-in-the-Middle transparent proxies, which intercept
and monitor SSL/TLS traffic, are now standard in most corps.
You don't get a browser alert since the corporate "fake" CA
is pre-installed as trusted in your browsers by the corp's IT.
So, yes, basically ... there *is* no encryption and they look
at everything.
Oh! And using Cisco "policy based routing", or WCCP2 or
other networking mojo, you cannot decide to skip the proxy,
from your client.
And ... using Deep Packet Inspection, the protocol will not
just be matched versus the destination port, so your genius
attempts to ssh to your external server running on tcp/443,
will not only be blocked, you will be flagged and tagged.
Solution? Just use your own equipment with either built
in 3/4G connections, or just tether across your personal
phone.
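The DPI point above (the protocol is identified from the payload, not from the destination port) as an added example, not the commenter's code: the check a DPI engine or IDS runs over a flow's first bytes, flagging a flow whose content does not match what the port is supposed to carry. The port policy table, the SSH banner and the minimal ClientHello builder are constructed here for illustration.

```python
"""Port-agnostic protocol identification, the check a DPI engine applies to a
flow's first payload bytes instead of trusting the destination port.
Added illustration; sample payloads below are constructed, not captured."""
import struct

# What an administrator expects to see on each port (constructed policy table).
PORT_EXPECTATION = {22: "ssh", 443: "tls"}


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start a TLS record of type handshake (0x16), legacy
    version 3.x, carrying a ClientHello (handshake type 0x01)."""
    if len(payload) < 6:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x04:
        return False
    return payload[5] == 0x01


def extract_sni(payload: bytes):
    """Walk a ClientHello and return its server_name (SNI), or None.
    Layout: record header(5) handshake header(4) version(2) random(32)
    session_id(1+n) cipher_suites(2+n) compression(1+n) extensions(2+n)."""
    if not looks_like_tls_client_hello(payload):
        return None
    try:
        p = 5 + 4 + 2 + 32                                  # at session_id length
        p += 1 + payload[p]                                 # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                                 # compression_methods
        if p + 2 > len(payload):
            return None                                     # no extensions block
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0x0000:                             # server_name extension
                q = p + 2                                   # skip server_name_list length
                name_type = payload[q]
                name_len = struct.unpack("!H", payload[q + 1:q + 3])[0]
                if name_type == 0:                          # host_name
                    return payload[q + 3:q + 3 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None                                         # truncated or malformed hello
    return None


def classify(payload: bytes, dst_port: int) -> dict:
    """Identify the protocol from content and say whether it matches the port."""
    if payload.startswith(b"SSH-"):
        proto = "ssh"                       # SSH identification string (RFC 4253)
    elif looks_like_tls_client_hello(payload):
        proto = "tls"
    else:
        proto = "unknown"
    expected = PORT_EXPECTATION.get(dst_port)
    return {
        "protocol": proto,
        "sni": extract_sni(payload) if proto == "tls" else None,
        "port_mismatch": expected is not None and proto != expected,
    }


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello with one cipher suite
    and an SNI extension, enough to exercise the parser above."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                                 # version, random
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # null compression
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Two constructed flows, both to tcp/443: a real TLS hello and an SSH banner.
    for port, payload in [(443, build_client_hello("intranet.example")),
                          (443, b"SSH-2.0-OpenSSH_8.9\r\n")]:
        print(port, classify(payload, port))
```

The second flow is the case the comment describes: an SSH banner on tcp/443 is classified as ssh and reported as a port mismatch, whatever port it was sent to.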
Caesar and Rome ...
Hmm.
So, since 2010 the percentage of developers 40+ is shrinking?
And worldwide converging on 35?
Which means, unless there is a "Carousel" scenario, that
developers are both being fired, then not rehired, after 35 years old.
Which agrees with what I have been seeing for the past 2 years.
Is it clear to software people that they have a 10 to 15 year "shelf-life",
with the associated limited earning potential?
I thought the experiment goal was: To see, into how many tins, they can fit a whale ...
Ahh! Fun followup!
VW *have* an encrypted 1024-bit ECU solution in place,
but this looks aimed at the chipper/modders.
We all look forward to reading the details when the academics
publish or, should it leak ...
This is getting old, since how many times has this been repeated in the past years?
If you notify, so that good companies can analyse, patch and protect customers,
then you risk that "bad" companies will play "sly" and just sue you to stop the
information, rather than fix the problem. Or even better, fit you up for an attempted
extortion defense or shift the blame onto the reporter, using spin.
Most modern companies deny the existence of *any* responsibility to their customers,
employees or communities (natural, governmental or academic).
So why the expectation of different behaviour when it comes to security?
Actually, these issues are pretty useful when it comes to deciding on which
products to purchase, since you get to see the real ugly shapes behind the PR
masks.
VW have pioneered the use of reduced, only 2-year warranties, at least in Europe,
without lowering the price of their cars. Support is not a priority factor for them.
Security has obviously been a low priority issue that they have decided *not* to
"waste" money on.
If, the issue is really as reported, that given access (either physical or via some wifi "probe"),
to the controller unit (CAN?) for the ECUs, since VW did not add encryption, authentication
or serious security, an intruder can control a lot of things in the car, even while it is
in motion.
Which means that VW would:
1. Need not only updated software to fix the controller, they would probably need some
hardened hardware, probably including some TPM/tamperproof elements.
2. Need new supplier handling, development, testing, support and dealer support mechanisms.
3. Have to build a "PKI"-type infrastructure for their dealers, including identification/registration
key distribution and other key handling nightmares.
4. To avoid the potential liability issues, they might also need some additional components to
provide "black box" audit mechanisms, similar to flight recorders. Again with crypto,
tamper-proofing and crash resistance.
Which is all EXPENSIVE. And OBVIOUS. And offers dealer chain lockin and other
non-competitive medium+ term advantages.
So, apparently faced with an entirely foreseeable issue, VW chose the cheap option, and
now it has blown up in their faces. So they have to fix this, then do it right anyway.
And depressingly predictable, what was the response?
Did they play the quality card, roll with it and try to convert it into a "branding"
op, while actually addressing the issue?
Nahh!
They sent in the lawyers.
Stifle discussion, threaten academics and try to kick the problem away under the table.
I would also bet that they are right now lobbying for new "responsible reporting" laws,
at German and EU levels.
Schein nicht sein.
Well, I won't be buying a VW, Audi, Skoda, Seat anytime soon.
To generalise, unless a company has contracted you to analyse and report on their products,
then what obligation or benefit do you have to report anything to them?
If you contact them to report an issue, companies have tried to frame you for extortion in order
to suppress the security vulnerability. "No comment on judicial process" ...
Publish and be damned, though the Heavens Fall.
Good point. Perhaps a summary of Iain's work and philosophy
would be of assistance to those who haven't tripped across them, but I am really too
shocked and depressed by the news to compose one.
I'm sitting here with a brand new copy of Stonemouth, lying unread on the table,
freshly delivered, but instead of reading it, I'm just staring out at the snow falling
and remembering all the other books, where I was when I read them, and the
people I was once with.
Someone made the interesting point that:
1. In Austria, the same copyright law that applies to creative content, Art, applies to software.
2. But collected "tax" revenues are distributed only to "Artists", via an Artists' Rights representation group. ... SO ... should enough software people form a club to represent them,
they could, legally, petition for income from the collected revenue ...
The reaction of the artists to this, is predictably, "What those techies do is not creative ..."
Artists. Hypocrites. Mostly.
Sadly, I was that CIO ... twice. Small companies, but still true.
CIO is just First Technical Idiot in the eyes of the "Wise Guy" CEO. ...
I have no answers ...
While a lot of Michael Moorcock's work is pretty high fantasy, the setting
and characters in the "Warhound and the World's Pain" are outstanding.
An anti-knight on the grail quest, set during the Thirty Years war, with a lot
of philosophical musing on the nature of choice, humanity and reality.
While the first of a (retconned) trilogy, it is better read in isolation.
I have long dreamed of seeing this as a film or even a good game,
but sadly it seems to be out of print.
Should you find a copy, enjoy.
Ummm. Overflow? Flipping sign bit?