1 Comment

  1. Ted Clayton

    As I’ve mentioned elsewhere, we can tell a lot more about how a vehicle is really made, and especially what kind of people are behind the product, by looking at the aftermath of the typical fender-bender or other accident/incident, than we can by looking at it on the showroom floor and letting the sales staff ‘inform’ us.

    Mollum’s response to this server-related security issue follows the usual, nominally wholesome & responsible track. Unfortunately, this popular track is designed & operated to be long on generalities & abstractions, short on actionable information & facts, and leaves the customer-base with what boils down to ‘trust us’, in making their forward-going decisions.

    Mollum’s partly-good, but importantly/critically non-usable (i.e., “useless”) communications are very typical of those who run servers for any of a wide range of public services/businesses.

    Real details & facts are lacking. Specifically, e.g. in this case, what was this third-party software, which Mollum says was the key to the exploit? Is there, or is there not, any indication or clue, whether the breach is actually ‘explained’ by the use/presence of said third-party product? Can we, or can we not, tell one way or the other?

    Entities who run servers in public contexts – all such servers, at all levels & for all purposes – very typically take on the full-blown cloak & dagger aura of the NSA (of Edward Snowden fame), or the CIA or FBI (but without the armed interdiction aspect) intelligence agencies, when it comes to what is & isn’t actually going on with their server environment … upon which the rest of us end up being more than a bit inordinately dependent, and about which we are kept too ignorant.

    In most ordinary server-contexts, this Top Secret affectation is “unwarranted” *, and our general security would be improved, with a more Open attitude that provides more “real” information to everyone. In fact, under well-known & celebrated Open Source principles, we would fully expect that fewer of these kinds of breaches would happen in the first place, if more details about server-installations were accessible to more eyeballs.

    In plain language, unless you are actually the NSA, NSA-grade security-attitude is not only misplaced — it’s counterproductive, in pragmatic practice.

    (* All real security systems are multi-tiered. Top Secret, Secret, Confidential, etc. Professional security is never one-size-fits-all … but you wouldn’t guess that, looking at the attitudes under which everyday, run-of-the-mill servers are managed. This inappropriate deployment of ‘attitude’ does not improve security. On the contrary.)

