
Hackers abused zeroday that had been in My Book Live HDDs since 2011 – Computer – News


Western Digital says the attackers behind the malicious software on My Book Live and My Book Live Duo drives, which caused many users to lose their data when the devices were connected to the internet, exploited a zero-day vulnerability rather than a bug known since 2018.

It’s starting to get a bit of a hobby, but it’s wrong to put all the blame on this bug. That bug is the latest in a series of things that went wrong before it got to that point, that’s a list as long as my arm.

Mistakes are made everywhere and disabling authentication is something programmers do regularly. So that just seems like human error of the kind you would expect to be made.
That is why you should always have your code checked by another programmer.
That doesn’t seem to be done here.

Before you bother a person with your work, let the computer check it first; there are plenty of tools to help you with that.
That doesn’t seem to have been done either.

Because errors are so common, it is now best practice to have automatic tests to check important functionality.
That doesn’t seem to have been done either.

We’ve been explaining for years that a simple password isn’t enough; you need MFA.
Not done.

Then the users/owners. Apparently they hang such a thing directly on the internet without further shielding it with, for example, a firewall. Users trust the manufacturer, but that trust is unjustified.

Then you can ask yourself whether I am not setting too high standards for a 10-year-old device without support. Well no, those devices should no longer be in use and certainly not directly connected to the internet.

The lack of support is also a problem. The hardware is clearly still working fine. These devices were (certainly) sold until 2015. You don’t have to be a genius to predict that they would still be in use today. Then I find it irresponsible of the manufacturer to stop the support. Especially for a system that is made to be connected directly to the internet.

That each device needs its own custom software is also part of the problem. This makes you completely dependent on the manufacturer. In general, it is not possible to install your own OS/applications on these types of systems. They are supplied as a total solution.
I should add that this device is the exception, because you can put another OS on it (OpenWrt), but that is so unusual that most people do not know it is even a possibility.

I can go on like this for a while. We need to stop making the programmer the sole scapegoat when a small mistake leaves an entire system open.

To be clear: I put the blame mainly on the manufacturer, who has to sell products that are suitable for the target group, and that includes the fact that that target group is not independent. Now it often feels a bit like we are selling heavy weapons to small children and then being surprised that major accidents happen.
But the government is not taking its responsibility either. Because security is invisible until something goes wrong, “good” companies can’t really invest in this because they then become too expensive compared to the cowboys who do nothing about safety.

[Comment edited by CAPSLOCK2000 on 30 June 2021 11:56]
