Linux / Unix / Java vulnerability responsible for the Equifax hack.

Anonymous Remailer (austria)

Sep 16, 2017, 7:25:47 AM9/16/17

https://www.wired.com/story/equifax-breach-no-excuse/

Apache Struts 2 is an open-source web application framework for
developing Java EE web applications

Neil

Sep 16, 2017, 9:39:10 AM9/16/17
It's my understanding that system administrators failed to apply an
existing update that removed the vulnerability exploited by hackers. Bad
management is not the fault of the OS.

--
best regards,

Neil

Wolf K

Sep 16, 2017, 9:49:57 AM9/16/17
Maintaining large systems is expensive. Equifax must increase
"shareholder value". That means minimising costs. That means putting off
maintenance. Deferred maintenance is a habit you can get away with when
it's brick and mortar, but not when it's digital. Old habits die hard.


--
Wolf K
kirkwood40.blogspot.com
"Wanted. Schrödinger’s Cat. Dead and Alive."

Neil

Sep 16, 2017, 1:38:48 PM9/16/17
On 9/16/2017 9:49 AM, Wolf K wrote:
> On 2017-09-16 09:39, Neil wrote:
>> On 9/16/2017 7:25 AM, Anonymous Remailer (austria) wrote:
>>> https://www.wired.com/story/equifax-breach-no-excuse/
>>>
>>> Apache Struts 2 is an open-source web application framework for
>>> developing Java EE web applications
>>>
>> It's my understanding that system administrators failed to apply an
>> existing update that removed the vulnerability exploited by hackers.
>> Bad management is not the fault of the OS.
>
> Maintaining large systems is expensive. Equifax must increase
> "shareholder value". That means minimising costs. That means putting off
> maintenance. Deferred maintenance is a habit you can get away with when
> it's brick and mortar, but not when it's digital. Old habits die hard.
>
There is always a cost to doing business, and it's the responsibility of
management to know and handle those costs. If the maintenance issues in
a brick and mortar facility would close your doors they'd be dealt with,
and this situation is really no different. Incompetent decisions were
made and heads are rolling, although I can imagine that they are the
heads of scapegoats.

--
best regards,

Neil

Chris Ahlstrom

Sep 16, 2017, 2:43:23 PM9/16/17
Neil wrote this copyrighted missive and expects royalties:

> On 9/16/2017 9:49 AM, Wolf K wrote:
>> On 2017-09-16 09:39, Neil wrote:
>>> On 9/16/2017 7:25 AM, Anonymous Remailer (austria) wrote:

Another trolling anonymous coward. Who'd a thunk it?

>>>> https://www.wired.com/story/equifax-breach-no-excuse/
>>>>
>>>> Apache Struts 2 is an open-source web application framework for
>>>> developing Java EE web applications
>>>>
>>> It's my understanding that system administrators failed to apply an
>>> existing update that removed the vulnerability exploited by hackers.
>>> Bad management is not the fault of the OS.
>>
>> Maintaining large systems is expensive. Equifax must increase
>> "shareholder value". That means minimising costs. That means putting off
>> maintenance. Deferred maintenance is a habit you can get away with when
>> it's brick and mortar, but not when it's digital. Old habits die hard.
>>
> There is always a cost to doing business, and it's the responsibility of
> management to know and handle those costs. If the maintenance issues in
> a brick and mortar facility would close your doors they'd be dealt with,
> and this situation is really no different. Incompetent decisions were
> made and heads are rolling, although I can imagine that they are the
> heads of scapegoats.

All the maintenance involved here is a cursory test of the update, and then
deploying it.

Even with Java in the mix.


--
Expect the worst, it's the least you can do.
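Deploying the update is the smaller half of the job; knowing where the old framework is still sitting is the other. The inventory check below is an added example, not code from this thread or from the Apache Struts project. It takes jar paths of the kind a `find` across a fleet of servers produces, reads the struts2-core version out of each file name, and reports anything below a minimum version the caller supplies. The sample paths and the minimum version used here are constructed for illustration; the real threshold is whatever the vendor advisory for the update in question names.

```python
"""Inventory struts2-core jars and flag those below a minimum version.

Added example for this thread; not code from the thread or from Apache
Struts. Directory layout, sample paths and the minimum version are all
assumptions made for the demo.
"""
import re
from pathlib import Path, PurePosixPath

# A version is digits separated by dots. Anything else (snapshots, vendor
# rebuilds with a suffix) is reported as "unknown" rather than guessed at.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(v):
    """'2.3.32' -> (2, 3, 32); tuples then compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def version_at_least(found, minimum):
    """True when found >= minimum, padding the shorter tuple with zeros
    so that '2.5' and '2.5.0' are treated as equal."""
    a, b = parse_version(found), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def classify_jars(paths, minimum):
    """Sort jar paths into patched / unpatched / unknown by file name.

    paths:   iterable of path strings (e.g. lines from
             `find / -name 'struts2-core-*.jar'` on each host)
    minimum: lowest version considered patched (from the vendor advisory)
    """
    report = {"patched": {}, "unpatched": {}, "unknown": []}
    for p in paths:
        m = JAR_RE.match(PurePosixPath(p).name)
        if not m:
            report["unknown"].append(p)
        elif version_at_least(m.group(1), minimum):
            report["patched"][p] = m.group(1)
        else:
            report["unpatched"][p] = m.group(1)
    return report


def scan_filesystem(roots, minimum):
    """Walk real directories (exploded WARs, shared lib dirs) and classify.
    Packed .war files are assumed to have been unpacked first (assumption)."""
    found = [str(p) for root in roots
             for p in Path(root).rglob("struts2-core-*.jar")]
    return classify_jars(found, minimum)


# Constructed sample inventory standing in for `find` output across a fleet.
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.20.jar",
    "/srv/jboss/deployments/claims.war/WEB-INF/lib/struts2-core-2.5.jar",
    "/home/build/cache/struts2-core-2.5.10-SNAPSHOT.jar",
]

# Illustrative threshold for the demo only; substitute the version the
# vendor advisory names for the update being rolled out.
MINIMUM_PATCHED = "2.3.32"

if __name__ == "__main__":
    r = classify_jars(SAMPLE_INVENTORY, MINIMUM_PATCHED)
    for path, ver in sorted(r["unpatched"].items()):
        print(f"UNPATCHED {ver:<10} {path}")
    for path in r["unknown"]:
        print(f"UNKNOWN   {'?':<10} {path}")
    print(f"{len(r['patched'])} patched, {len(r['unpatched'])} unpatched, "
          f"{len(r['unknown'])} unknown")
```

Two details matter in practice: versions are compared as integer tuples, because a string comparison would rank "2.3.9" above "2.3.32", and any jar whose name does not parse cleanly is listed rather than silently treated as patched, since a stray snapshot or vendor rebuild in a build cache is exactly the copy that gets redeployed later.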

Neil

Sep 16, 2017, 3:47:38 PM9/16/17
True, as far as the OS is concerned. However, if you've ever had an
update screw with your apps, you know that the story could easily be
bigger than just deploying the update. The costs could be significant,
both in time and money. BTDT, and it's one reason that I dumped MySQL a
few years ago.

--
best regards,

Neil

Chris Ahlstrom

Sep 17, 2017, 7:16:41 AM9/17/17
Java updates regularly "screwed" Jira, causing a small amount of downtime
in restarting Jira.

> The costs could be significant,
> both in time and money. BTDT, and it's one reason that I dumped MySQL a
> few years ago.

Interesting anecdote.

--
Q: What do you call the scratches that you get when a female
sheep bites you?
A: Ewe nicks.

Mayayana

Sep 17, 2017, 8:51:51 AM9/17/17
"Neil" <ne...@myplaceofwork.com> wrote

| > Apache Struts 2 is an open-source web application framework for
| > developing Java EE web applications
| >
| It's my understanding that system administrators failed to apply an
| existing update that removed the vulnerability exploited by hackers. Bad
| management is not the fault of the OS.
|

Not just bad management. Bad overall design.
These hacks, aside from on-site devices that
have been tampered with, are generally caused
by a single, unforgivable flaw: Computers containing
sensitive data that are also connected to the
Internet.

Many people will say that's unavoidable. It's
obviously not. But there may be costs to not taking
such risks, like needing to hire more clerks. So what's
the solution? Either people get fined and go to jail,
or we come up with an entirely new system for
security. But we're headed toward more unnecessary
automation, so it doesn't look promising.


Neil

Sep 17, 2017, 3:22:34 PM9/17/17
I don't think that using humans to process the information would be more
secure than computers. Think Wikileaks and those who feel it's their
option to compromise large volumes of data. As I mentioned in another
post, heads are rolling, but I wouldn't be at all surprised to find that
those are the heads of scapegoats rather than the people who actually
decided whether or not to apply the patch, since tech managers are
typically middle-management, at best.

--
best regards,

Neil

Jerry Stuckle

Sep 17, 2017, 4:21:47 PM9/17/17
Very true. I've seen fixes cause more problems than they solved more
than once. Just because the fix works in one environment doesn't mean
it won't cause problems in another one.

Proper testing includes installing the fix on a duplicate system and
performing extensive testing. This is especially true where security is
concerned; a fix may close one hole but open three more.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Mayayana

Sep 17, 2017, 8:12:39 PM9/17/17
"Neil" <ne...@myplaceofwork.com> wrote

| >I don't think that using humans to process the information would be more
| secure than computers.

The point was that humans will be necessary if
things are not automated from start to finish.
Otherwise, it can't be made safe. I once read
that CIA employees each have 2 computers. One
connected to the internal network and one
connected to the Internet. That's the kind of
thing I'm talking about. But that also means that
the operation can't be entirely automated, so
more people are needed.

The problem is that companies want to automate
*everything*.

I ordered windows last week from
Home Depot. I can't find a clerk over the phone
who knows what's going on, yet I was being
robo-spammed every 2 days to tell me to log in
for "important updates" to my order. There were
no updates. Meanwhile, when the order was ready,
neither a human nor a bot called to tell me! That's
a great example of neglecting humans while trying
to automate the system.

Example: One of the big breaches (Lowes? HD?
I don't remember offhand) was a result of someone
getting in through a contractor account login. The
sensitive records should not be on the same system.
Or, the whole system should have limited access, so
that contractors have to call in to place an order.
It's likely to be more expensive but otherwise there's
no security. Pretending that the problem can be
solved by alert IT people is denying the problem.


Nomen Nescio

Sep 18, 2017, 2:26:09 AM9/18/17
In article <opn31k$tof$1...@dont-email.me>
"Mayayana" <maya...@invalid.nospam> wrote:
>
> "Neil" <ne...@myplaceofwork.com> wrote
>
> | >I don't think that using humans to process the information would be more
> | secure than computers.
>
> The point was that humans will be necessary if
> things are not automated from start to finish.

Doesn't have anything to do with automation. It has everything
to do with cheap off-shore shitbags used by IBM, Hewlett
Packard, Dell and others.

These bastards are stealing the fucking information they are
supposed to be maintaining and safeguarding. Where do you think
all those phone calls come from on your landlines?

> Otherwise, it can't be made safe. I once read
> that CIA employees each have 2 computers. One
> connected to the internal network and one
> connected to the Internet. That's the kind of
> thing I'm talking about. But that also means that
> the operation can't be entirely automated, so
> more people are needed.

Automate intelligence gathering? Puh-leaze.

> The problem is that companies want to automate
> *everything*.

The problem is incompetent architects and security officers.

> I ordered windows last week from
> Home Depot. I can't find a clerk over the phone
> who knows what's going on, yet I was being
> robo-spammed every 2 days to tell me to log in
> for "important updates" to my order. There were
> no updates. Meanwhile, when the order was ready,
> neither a human nor a bot called to tell me! That's
> a great example of neglecting humans while trying
> to automate the system.

Again, an example of incompetent architects bending to sales
suggestions.

No doubt you'll be getting emails because of your interest in
windows in the near future. That's the mindless stupidity of
sales spam.

> Example: One of the big breaches (Lowes? HD?
> I don't remember offhand) was a result of someone
> getting in through a contractor account login. The
> sensitive records should not be on the same system.

Again, an architect issue.

When you hire shitbags from India, Brazil, Mexico, Argentina,
Philippines, and others, you get what you pay for.

Did you hear that IBM?

> Or, the whole system should have limited access, so
> that contractors have to call in to place an order.

That's a stupid suggestion. Design network, application, and
contractor access properly, this kind of crap will not happen.

Out-sourcing your IT work to a foreign country creates a huge
liability hole and security risk. I personally hope this puts
Equifax in bankruptcy and out of business.

> It's likely to be more expensive but otherwise there's
> no security. Pretending that the problem can be
> solved by alert IT people is denying the problem.

Hiring competent architects is where you start. You don't put
some ditz with a music degree in charge of IT security.

Some basic best practice network design concepts would have
prevented this from happening.

Again, you get what you pay for.

Cheap is liability.

Mayayana

Sep 18, 2017, 8:09:00 AM9/18/17
"Nomen Nescio" <nob...@dizum.com> wrote

| > Or, the whole system should have limited access, so
| > that contractors have to call in to place an order.
|
| That's a stupid suggestion. Design network, application, and
| contractor access properly, this kind of crap will not happen.
|

Then how do you suppose it's been happening,
ubiquitously, for over 20 years? Are all "tech
architects" incompetent? How is it that there's
no online security when there's javascript? Is
that because all software developers are incompetent
or because executable code in webpages can't
be made safe? Is there a difference?

You raise relevant issues: incompetence, lack
of oversight with subcontractors and dishonesty.
But you're falling for the same old logic: "If we
just get good IT people and fix the bugs then
we can live like the Jetsons."
It's never going to work. If automation continues
on track it won't be long before your whole life
can be stolen by a kid living in Peru or Mongolia,
and it could be nearly impossible to remedy. Who
will you go to with common sense and your wife's
testimonial of your authenticity if there are only
machines to talk to and the machine data is
corrupted?
"Press 1 to submit digital proof that you are
Nomen Nescio. Press 2 to hang up. Press 3 if you
are prepared to confess to impersonating the
individual Nomen Nescio."



Anonymous

Sep 18, 2017, 4:46:57 PM9/18/17
In article <fe2b4348726175e4...@dizum.com>
"Worst Case"@dizum.com wrote:
>
> On Mon, 18 Sep 2017 08:08:16 -0400, "Mayayana"
> <maya...@invalid.nospam> wrote:
>
> > You raise relevant issues: incompetence, lack of oversight with
> > subcontractors and dishonesty. But you're falling for the same old
> > logic: "If we just get good IT people and fix the bugs then we can
> > live like the Jetsons."
>
> Well, the mega corporations go about lamenting the lack of IT
> expertise in the (worldwide) labor market. ARE YOU SAYING they are
> just as satisfied with the credentials of their IT staff as their IT
> staff is satisfied with what they're being paid?

Dishonestly snipped groups restored.

They lament the lack of cheap IT expertise because it impacts
their bonuses.

Quality comes with a price.

That cheap off-shore IBM provided IT was sure worth the $150
billion in lawsuit liability, wasn't it?

Fritz Wuehler

Sep 18, 2017, 10:03:40 PM9/18/17
In article <opod0p$9nh$1...@dont-email.me>
"Mayayana" <maya...@invalid.nospam> wrote:
>
> "Nomen Nescio" <nob...@dizum.com> wrote
>
> | > Or, the whole system should have limited access, so
> | > that contractors have to call in to place an order.
> |
> | That's a stupid suggestion. Design network, application, and
> | contractor access properly, this kind of crap will not happen.
> |
>
> Then how do you suppose it's been happening,
> ubiquitously, for over 20 years? Are all "tech
> architects" incompetent? How is it that there's
> no online security when there's javascript?

You asked the magic question.

Mayayana

Sep 18, 2017, 10:34:08 PM9/18/17
"Fritz Wuehler" <fr...@spamexpire-201709.rodent.frell.theremailer.net> wrote

| You asked the magic question.
|
| "How is it that there's no online security when there's
| javascript?"
|

But no one wants to know. Everyone on both
ends of the wire wants any and all business to
transact seamlessly, with a slick, responsive UI.
We're way beyond the original idea of the Internet.
Most commercial pages are now software programs
written in javascript, created dynamically from
script files loaded from a dozen or more sources.
