"Cloud-based tools are a fantastic way for an organisation of any size to reduce the cost and admin of all kinds of internal and external software platforms,"
Is this a story? Or a promo?
A London-based developer claims he was accidentally given the keys to US broadcaster NBC Universal’s websites – thanks to a username mix up on GitHub. Glenn Shoosmith was an early adopter of Github, and thus bagged the short-and-sweet user ID Glenn in July 2008. Repositories can be public and viewable by all, or private and …
"Cloud-based tools are a fantastic way ...to reduce the cost and admin..."
Note the use of the adjective "fantastic." In this case, I would go with the following definition:
Imaginary or groundless in not being based on reality; foolish or irrational
It would seem that the maxim "you get what you pay for" applies.
"... some poor project or IT guy just sent all of the keys to NBC’s servers to the wrong guy in one mistyped username"
Err, no. Those keys should never have been uploaded, unencrypted, in the first place, even if you know who all your GitHub users are; the mistake is a LOT bigger than mistyping a username.
I second that comment! What in God's Green EARTH were they thinking to put the AWS Access secrets and keys on Git Hub in the FIRST PLACE?!?! Make some local Github server local in your environment and keep them there. If someone else needs those keys then your not using AWS right. Set up some IAM credentials, make a few secondary keys that you can throw away, something other than storing and accessing your primary keys outside of your network domain.
What in God's Green EARTH were they thinking to put the AWS Access secrets and keys on Git Hub in the FIRST PLACE?!?!
"Mwahahahaha!!! Mwahaha! CURSED! YOU ARE ALL CURSED!! I SAY!!!"
We see a crooked finger resolutly ress "enter" to confirm "git push" under the otherworldy green glare of a phosporescent glass TTY.
An immense thunderbolt rents the night, illuminating the baleful scene. The subsequent thunder blows the control room to smithereens.
Actually, It's more like lending your car to the wrong person. Except that, for some reason, you keep the swipe card and alarm code for your corporate office in the centre console.
Yes, you really should have double checked about the car, but what the hell are you doing storing the card and codes in there?
"As a vendor of cloud software-as-a-service, I’m obviously a big fan and supporter of correctly managed cloud services but, like any tool, cutting costs and reducing security creates risk."
Bingo.SaaS....so like err not giving the keys to the kingdom out to the rest of the world by simply clicking on someones name?
"Programmers must assume the worse and properly design around a threat model"
The worse? Think your cloud syntax may be slightly wrong there
NBC Universal is part of #46 on the Fortune 500 which pulled in 6.2 Billion dollars in profit last year, so why in the holy hell are they using some 3rd party service to store their most sensitive pieces of data. A company that size must have at least 1 internal document management system like SharePoint. Anything internal at all would be so much safer than any 3rd party service, at the very least you;d be able to have a definitive list of whoever has access.
Simple. It's cheap and easy.
The programmer didn't have to call IT and ask them to setup a special location for this type of info. If they had, it likely would have taken between 2 weeks and 2 years to get it pushed through.
I'm sure IT would have found a hundred reasons why it just couldn't be done with a few clicks. You know, like saying that they'd have to setup a new "secure" server for it (and therefore it needs to be budgeted for), because they wouldn't want an accident to occur where the wrong person got access. They'd also need to make sure it was part of the backup strategy - likely necessitating additional software licenses for the backup program. Also, they'd have to perform PEN testing on it and add it to the list of servers they have to monitor for problems...
There's a long list here of things any IT admin would likely bring up just to make sure that they don't have to do any more work.
My favorite real world example that I personally witnessed was seeing a developer be hired a week after a new head of IT was brought in. This developer was issued a new computer that he couldn't even START his development tools on because those required local admin access and the new head of IT refused to grant it. That developer sat in his cube for 6 months before the head of IT was fired. Then he had to wait another month while a new one was hired and got settled in before the absurdity was fixed. Idiocy in action.
> 20 years of unceasing regulation resulting in serial failures across the board (It keeps raining Federal Register; 1772 pages this week.)
> Believing that regulation brings the goods except for bureaucrats
It's like the Cargo Cult of the Bureaucratic Witch Doctors. The hoi polloi wants to believe, the regulated ones are going crazy, the potlatch goods comes to the ceremony leaders.
Biting the hand that feeds IT © 1998–2021