this post was submitted on 21 Sep 2024
71 points (97.3% liked)

Cybersecurity

5652 readers
90 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued.

"The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference.

Easterly also implored the audience to stop "glamorizing" crime gangs with fancy poetic names. How about "Scrawny Nuisance" or "Evil Ferret," Easterly suggested.

Even calling security holes "software vulnerabilities" is too lenient, she added. This phrase "really diffuses responsibility. We should call them 'product defects,'" Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, "why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors."

all 7 comments
sorted by: hot top controversial new old
[–] [email protected] 21 points 1 month ago

Software suppliers who ship buggy, insecure code

So... all of them?

[–] [email protected] 13 points 1 month ago (2 children)

That seems like a myopic view. Service misconfiguration is not always a vendor's fault, and demanding software vendors to patch their products is not going to fix OSS vulnerabilities. In fact, we've seen examples this year of increased pressure to fix "issues" leading to developers unwittingly accepting malicious commits.

Mind you, I'm not contesting that some vendors produce dogshit products (looking at you, CrowdStrike), but calling all vendors villains is a bit of a stretch.

[–] [email protected] 5 points 1 month ago

In addition, a lot of cybercrime involves social engineering as part of the attack vector. You can't roll out a security patch for Karen from HR.

[–] [email protected] 4 points 1 month ago

I'm not sure I fully agree with you, partly because she's not talking about OSS alone. Let's look at a recent but important example.

Yubikeys manufactured before firmware version 5.7 (before May 2024), are vulnerable to a specific type of attack that is not novel, due to a faulty IC via its code. It's something that should have been caught during QA. Who is to blame?

Yubikey didn't make the faulty IC, so obviously the IC maker should bear at least a good chunk of it, but I think it's Yubikey's responsibility to verify their work, especially since they're the ones making the ultimate promise of cryptographic suitability that businesses and governments rely upon.

I don't know if it's right to call companies like this "villains," but I think "lazy or lax" might be appropriate. Additionally, I like the idea of calling cybercrime groups funny names.

[–] [email protected] 2 points 1 month ago (1 children)

i’m sorry ya’ll, i’m working on it with my therapist.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Lol he just pointed the gun at the NSA for forcing everyone to ship backdoors