[ale] Not scanned! Re: Freelance web-devs make in-secure sites

Jim Kinney jim.kinney at gmail.com
Thu Jun 8 09:30:13 EDT 2017


+1

Now how do we get the tech industry to embrace it? They have $$$$$ and can
lobby against this so they must instead be redirected to support this. Then
they use the $$$$$ they steal from us (profits) to lobby to curtail bad
corp behavior. Then we get laws.

On Jun 8, 2017 9:14 AM, "DJ-Pfulio" <djpfulio at jdpfu.com> wrote:

> Which is why - and I can't believe I'm saying this - we need national laws
> (cough, cough, cough) to mandate support periods (5-10 yrs?) and mandatory
> patching at least quarterly for all connected devices if more than 200 are
> sold.
>
> "connected" means **any** networking capability.
>
> The penalties need to be >> corporation ending << for failure to comply
> and tied to the management team, so they cannot be serial failures selling
> the same basic thing and going out of business every few years.
>
> Plus, this will prevent companies from adding networking, unless there is a
> really good reason, due to the patching required - looking at many TVs.
>
> I'm tired of Google thinking a $300-$1500 device has a 3 yr life.
> _Supported-until at-least_ dates on packaging, mandatory. If a company is
> sold, those support dates MUST be carried forward. Sorta a poison pill to
> prevent that old loophole.
>
> I'm tired of router companies putting out crap $20-$250 routers and NEVER
> making any patches available. Yes, many of those $250 routers are crap.
>
>
> On 06/08/2017 08:45 AM, Jim Kinney wrote:
> > The merest hint of "set and forget" devices left live online forever
> > scares the poo out of me. Colossally stupid idea. Add the "use of this
> > device releases the manufacturer of all liability" license crap and it
> > starts looking like a smokers convention at a fireworks factory.
> >
> > There's a responsibility level that software production just hasn't
> > accepted yet. Sometimes 'release early, release often' is really
> > translated to 'break early, break often, release anyway'.
> >
> >
> >
> > On Jun 8, 2017 8:31 AM, "DJ-Pfulio" <DJPfulio at jdpfu.com> wrote:
> >
> >     Perhaps IoT devices need this too?
> >
> >     Bruce Schneier's blog ...
> >     https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html
> >
> >     "Last year, on October 21, your digital video recorder — or at least
> >     a DVR like yours — knocked Twitter off the internet. Someone used your
> >     DVR, along with millions of insecure webcams, routers, and other
> >     connected devices, to launch an attack that started a chain reaction,
> >     resulting in Twitter, Reddit, Netflix, and many sites going off the
> >     internet. You probably didn't realize that your DVR had that kind of
> >     power. But it does."
> >
> >
> >     A few years ago during a national election in a smaller country, the
> >     entire country was taken offline using internet attacks.
> >
> >     IoT (or Internet of Shit-devices) have amplified this power.
> >
> >
> >     On 06/08/2017 08:09 AM, Jim Kinney wrote:
> >     > Hah!
> >     >
> >     > Sad but true.
> >     >
> >     > Certain aspects of programming should be required to be
> >     > run/directed/managed by licensed professional engineers. Finance,
> >     > utilities, and medical are the top three for me that scream for
> >     > real professional programming. We don't let precocious high
> >     > schoolers build bridges just because they were really good with
> >     > lego blocks. Engineering of physical things protects itself with
> >     > professional standards. Engineering of virtual things needs to do
> >     > the same.
> >     >
> >     > On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com>
> >     > wrote:
> >     >
> >     >     For $250 they got about what they paid for.
> >     >
> >     >     On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <DJPfulio at jdpfu.com>
> >     >     wrote:
> >     >
> >     >         Of the 17 commissioned projects by Tripwire (a security
> >     >         firm), 10 websites were completed and purchased.
> >     >
> >     >         The researchers found that every website had critical
> >     >         security failures.
> >     >         Read more here:
> >     >
> >     >         https://www.helpnetsecurity.com/2017/06/08/website-security/
> >     >
> >     >         * Unauthorized users allowed (all) - Check
> >     >         * Allowed hackers to upload a PHP webshell (all) - Check
> >     >         * Allowed auth bypass via SQL injection (several) - Check
> >     >         * Allowed content modification via SQL injection (half) - Check
> >     >
> >     >         Short, but interesting read.
> >
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
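The findings list quoted from DJ-Pfulio's original message names two failure classes that are worth seeing in code: authentication bypass via SQL injection and unrestricted upload of a PHP webshell. The block below is an added example, not code from this thread or from the Tripwire study; it shows each as a vulnerable handler beside a hardened one, on a constructed in-memory SQLite database with a made-up `admin` account. The plaintext `legacy_users` table, the `accept_upload` allow-list and the sample filenames are assumptions for illustration, not anything the study reported.

```python
"""Added example (not from the thread): two of the Tripwire failure classes,
SQL-injection auth bypass and unrestricted PHP upload, each shown as a
vulnerable handler beside a hardened one. Constructed sample data only."""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional


def _hash(password: str, salt: str) -> str:
    # PBKDF2 from the standard library keeps this dependency-free; a dedicated
    # password hasher is the usual production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed sample database: a plaintext 'legacy' table for the
    vulnerable handler and a salted-hash table for the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES ('admin', 'correct horse')")
    salt = secrets.token_hex(8)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", salt, _hash("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before': user input is spliced into the SQL text, so a quote character
    in either field rewrites the WHERE clause. Kept only to show the failure."""
    sql = (f"SELECT 1 FROM legacy_users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'After': the query shape is fixed, the username travels as a bound
    parameter, and the password is checked in constant time against a salted hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_hash(password, salt), pw_hash)


# Allow-list of upload types (an assumption for the example), keyed by
# extension, with the file signature each must begin with. No script
# extension is in the list, so 'shell.php' or 'shell.png.php' never matches.
ALLOWED_UPLOADS = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable upload, or None.
    The extension alone is not trusted: the bytes must carry the signature of
    the claimed type, and the stored name is never the client's, so a script
    can not be planted under a name the web server would execute."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    signature = ALLOWED_UPLOADS.get(ext)
    if signature is None or not data.startswith(signature):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # classic tautology probe, used here only to show the contrast
    print("vulnerable login, real creds:", login_vulnerable(db, "admin", "correct horse"))
    print("vulnerable login, probe:     ", login_vulnerable(db, probe, "x"))
    print("hardened login, real creds:  ", login_hardened(db, "admin", "correct horse"))
    print("hardened login, probe:       ", login_hardened(db, probe, "x"))
    print("upload shell.php:            ", accept_upload("shell.php", b"<?php echo 1;"))
    print("upload photo.png:            ", accept_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
```

Run the file directly to see the two outcomes side by side. The hardened login treats the whole username as data, so a quote inside it is looked up literally and finds no row, and the upload check rejects a PHP file whatever extension its name carries, because the bytes do not start with a known image signature.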