THIS is why we cannot have nice things.

Another morning. Another interaction with a third party. Their domain name contains some high-value trigger words for me. Let me just pick one: Security.

Now imagine you lived in my alternate universe, where a great deal of overthinking goes into making sure the metaphorical wolf is kept, as far as budget and resources allow, on the other side of the door.

Then you find out they are using the ACTUAL passwords Password1234! and Security1234!.

When this is brought to light and the response is something like “do you not protect against brute forcing?” … words and rational calm thought start to fail me.

The continued assumption that privacy and security happen by some outlandish, mystical, ethereal and generally magical process is far too commonplace. Treating it as always someone else's responsibility leaves us with relatively secure environments whose rather obvious, well-lit front door is left wide, wide open.

I can only imagine that they use the same passwords elsewhere also.

As such I find myself willing there to be such a thing as karma.

We all need to do our part. Sometimes our part is tough, complicated, in depth. Sometimes our part is a password: one that, on a naive entropy calculation, would take the best part of 3 million years to brute-force, but that a list of likely passwords and a few mangling rules will go through in seconds.
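The gap between those two numbers is the whole point, so here is an added example (my own code, not from the original post) that puts it side by side. It scores a password first with the usual character-class entropy model, then runs it through a constructed stand-in for a leaked-password wordlist plus hashcat-style capitalisation and suffix rules. The wordlist, the suffix list and the assumed guess rate of 10 billion hashes per second are all invented for illustration.

```python
import math

# Constructed stand-in for a real leaked-password wordlist (assumption: a real
# list has millions of entries, but these five are enough to make the point).
BASE_WORDS = ["password", "security", "welcome", "admin", "letmein"]

# Constructed mangling suffixes, in the order an attacker would try them.
SUFFIXES = ["", "1", "123", "1234", "2024", "!", "1!", "123!", "1234!"]


def naive_entropy_bits(password: str) -> float:
    """Character-class entropy: length * log2(size of the classes present)."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII symbols
    return len(password) * math.log2(charset)


def naive_crack_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time in years: half the keyspace at the assumed rate."""
    keyspace = 2 ** naive_entropy_bits(password)
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def mangle(word: str):
    """Yield the word as-is, Capitalised and UPPER, each with every suffix."""
    for form in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield form + suffix


def candidates():
    """The attacker's guess order: wordlist order, rules applied per word."""
    for word in BASE_WORDS:
        yield from mangle(word)


def guesses_until_found(password: str):
    """Return the 1-based guess number at which the rule attack hits, or None."""
    for n, candidate in enumerate(candidates(), 1):
        if candidate == password:
            return n
    return None


def compare(password: str, guesses_per_second: float = 1e10) -> dict:
    """Both views of the same password in one place."""
    n = guesses_until_found(password)
    return {
        "entropy_bits": round(naive_entropy_bits(password), 1),
        "brute_force_years": naive_crack_years(password, guesses_per_second),
        "rule_attack_guesses": n,
        # at the assumed rate, any hit from this list lands in the first microsecond
        "rule_attack_seconds": None if n is None else n / guesses_per_second,
    }


if __name__ == "__main__":
    for pw in ("Password1234!", "Security1234!", "correct-horse-battery"):
        print(pw, compare(pw))
```

For Password1234! the class model claims 85 bits and tens of millions of years of brute force; the rule attack finds it on guess 18 (second word form, ninth suffix). Security1234! falls on guess 45. A password that is not built from a dictionary word plus a predictable suffix does not appear in this candidate stream at all, which is the property worth having.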

Meanwhile, engineers message each other about such things… and make dark, dark jokes about their lifestyle choices, and about veering over the white lines on the way home.

Don’t be that person. Love your invisible engineer.


Oh, and another box fresh Monday Morning example of hurt in my world:

“I have not updated this code in many years, and it has stopped working today.”

(╯°□°)╯︵ ┻━┻

While I am in the mood for “letting it out” – this is another classic of our time. These, again, are actual words used by a developer.

Server firmware, control-panel code, operating systems, the services that deliver content, the versions of the languages that code runs on: they are updated. Checks for updates run at least daily, and the updates are applied automatically.

Sometimes things get a little tougher, and human beings are involved. We have to gently nudge square shapes into round holes to ensure that things at least keep up with the curve. Much stress. Much best endeavour. Often out of hours, to minimise impact.

This shifting sand keeps moving to fix things, to evolve, to adapt to threats that are very real and very threatening.

So let’s assume you have not left the door open, banging in the wind with a password123 affair. However, no, this time you have not updated your code in a while. In fact, this is a specific period – MANY years – as if this is a badge of pride.

“But I wrote this in PHP version 4?” – we feel your pain. An OS going EOL trumps the few lines of code you would have to edit. Sometimes you have to just get in there and do it. Yes, we also understand the lack of time, and that this usually happens when your hand is forced rather than in advance. I get that.

“I have not updated my version of WordPress because I didn’t want it to break” – you are now relying on obscurity rather than on any conscious effort, hoping you have dropped off the ass end of any obvious vulnerability scanner’s list.

The list is long and distinguished. But genuinely, to trot out a phrase that has been such a painful lie in the media: we are all in this together. This is real. We do what we can… and you, you updated your code “many years ago”. Another screaming hole, indefensible by your engineer, in an otherwise alright job of keeping a wolf |<———>| door distance.

Again, as engineers exchange dark, DARK memes with each other… trying and failing is a sacred thing. Be that person. Don’t be the “many years” guy (or gal) – life is too short.

