If it's not on your network ...
Then it's not your data.
Yesterday, a security screw-up with the Spiceworks application was noticed, and reported a little earlier by our good selves. Anyone with a Facebook or LinkedIn account could log in to Spiceworks installs running the latest version and it would create an administrative account for them. This is not OK, not at all. Many …
If you don't have your own physical backup of your data, where do you go when a section of the cloud gets fried? I still get regular loss of broadband, so I lose backup to the off-site servers, but at least I know where that data is physically and can recover later.
Where do you store your money, under your pillow?
I store some of it in my pocket, some is in the bank, and some is invested in stocks and shares.
However, that's not the point, as there are known checks and balances you can put in place to mitigate the losses, such as not walking down dark alleyways, keeping less money in the bank than the government will cover you for if the bank fails, and not gambling on the stock market more than you are prepared to lose.
Where do you store your data, and who's covering you when the data centre closes?
• What is the necessity of integrating any given application with services hosted on the internet?
Generally very little, but a lot of the things in Spiceworks (e.g. checking warranties etc.) don't work well if they can't use the net.
This is a huge security screw-up by Spiceworks, which should have zero impact for paranoid users of it, which to be fair is going to be the majority of its user base. I mean, who puts total trust in any software package being 100% secure? A few years reading daily horror stories of disasters on El Reg from top-tier suppliers should have put paid to that for even the newest IT bods, let alone the older paranoid cynics amongst us.
At the end of the day though, unless your firewall rules read:-
ALLOW INCOMING TRAFFIC FROM *.external to *.internal
ALLOW OUTGOING TRAFFIC FROM *.internal to *.external
Then you already looked into what the program wanted to send, decided this was OK and then set rules to allow the program to do it.
• What must be best practices regarding this sort of implementation, both at a code level and at a systems administration level?
Maybe it's just me having deep trust issues, but I consider that the outside of my network is an extremely hostile environment that will be hacked mercilessly from the second it's discovered by one of the port scans my firewall shows being run against my network on a near 24/7 basis. On that basis, I assume that *nothing* should be directly available on the internet, apart from port 25 (which on my network gets a huge number of people connecting and running directory scans for email addresses I accept, to which they then send spam. This keeps the honeypot on my anti-spam system busy collecting IPs, which are then used against the spammers.)
As far as these applications are available, then I'd say:-
Available on LAN: Yes.
Available on VPN: If business requirement.
Available on WLAN: I don't have one because we don't have a business requirement for it, but if I did then I'd say "if business requirement, and if adequately secured from public access".
Available on WAN: Hell no.
• How comfortable are any of us, really, with "hybrid cloud" applications such as Spiceworks?
Reasonably. I like Spiceworks, but I don't trust it security-wise. Then again, I don't trust anything security-wise enough to leave it open to the WAN. Excepting the firewall, which only accepts SSL VPN logins from things with the right security certificate and connection details, the right user & pass and authentication via 2FA.
Even if the security flaw didn't exist, why would unrelated third-party logins ever be allowed for admin access?? Particularly this kind of admin access???
There is so much Fail in just the _concept_ of what Spiceworks implemented.
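The pattern the post objects to, and the fix, as an added example that is not part of the thread or of Spiceworks' code: a federated (Facebook/LinkedIn-style) login callback that auto-provisions administrators, beside one that only authenticates identities a local administrator has already linked to a local account. The `App` and `LocalUser` types, the assertion dict and all names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LocalUser:
    username: str
    role: str  # decided locally; never copied from the identity provider

@dataclass
class App:
    users: dict = field(default_factory=dict)
    # (issuer, subject) -> local username; only a local admin adds entries
    linked_identities: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

def insecure_callback(app: App, assertion: dict) -> LocalUser:
    """The flaw described in the thread: the first login from any verified
    third-party identity silently creates a local account, and it is an admin."""
    key = (assertion["issuer"], assertion["subject"])
    if key not in app.linked_identities:
        user = LocalUser(username=assertion["email"], role="admin")
        app.users[user.username] = user
        app.linked_identities[key] = user.username
    return app.users[app.linked_identities[key]]

def hardened_callback(app: App, assertion: dict) -> Optional[LocalUser]:
    """Federated login only authenticates; it never provisions.  The identity
    must already be linked to a local account by an administrator, and the
    role is whatever that account has locally.  Unlinked identities are
    rejected and logged so the attempt can be detected."""
    key = (assertion["issuer"], assertion["subject"])
    username = app.linked_identities.get(key)
    if username is None or username not in app.users:
        app.audit_log.append(f"rejected federated login for unlinked identity {key}")
        return None
    return app.users[username]

def demo():
    # Constructed identity assertions, as the IdP would return them after login.
    stranger = {"issuer": "https://idp.example", "subject": "123", "email": "stranger@example.com"}
    alice = {"issuer": "https://idp.example", "subject": "456", "email": "alice@example.com"}
    weak = App()
    stranger_is_admin = insecure_callback(weak, stranger).role == "admin"
    strong = App()
    strong.users["alice"] = LocalUser("alice", "admin")
    strong.linked_identities[(alice["issuer"], alice["subject"])] = "alice"
    stranger_result = hardened_callback(strong, stranger)  # None, and logged
    alice_role = hardened_callback(strong, alice).role      # "admin"
    return stranger_is_admin, stranger_result, alice_role, len(strong.audit_log)
```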
My opinion of Spiceworks has been quite high, however, as I have reflected on this debacle I realise the greater part of this is the community of knowledgeable, helpful members.
The issue at hand, however, is so grievous that it should be triggering a very serious discussion amongst developers and systems administrators alike about the entire concept of social sign-on.
OK, here's how I think the discussion should go:
"Why don't we entrust the ability to access everything we control to a third party, such as FaceBook?"
"What?! Are you stupid or just plain nuts? No!"
"Look, I know that on the face of it, it might not sound like a good..."
"DIE!"
"No! Argh! no.. please stop..." gurgle
And we should never have to have this discussion again.
Note: I don't advocate violence of this nature, but this situation makes me think about it... out loud... Perhaps we could throw some canned vegetables at the situation?
Hmm. I do find the Roman solution to this sort of problem attractive. Once upon a time they had a serious problem with structures (bridges etc.) collapsing when the supports used in their construction were removed.
They made the architects stand under the bits they were removing the supports from. There was a brief adjustment period, followed by construction being performed to such a standard that two thousand years later many of the buildings and bridges are still standing.
You can't argue with the results! (I'm not sure how you could apply this to IT Development though)
After the news article went up and the original thread filled with a few other upset folks, yes. The real issue, however, is that this wasn't broadcast immediately via e-mail. LastPass suffers a breach and I know about it via e-mail before it's made known to the press.
In the case of the Spiceworks breach, I was informed, then went to bed, woke up, had breakfast, coffee and then wrote the article. And there still was no e-mail from Spiceworks by this point!
I did not jump down Spiceworks' throat on this immediately. I'm sure my editors would have preferred it, but I had been up for 32 consecutive hours and couldn't write a thing without at least 8 hours sleep.
Spiceworks had been given time to do the right thing and to come up with a proper response. They failed. Miserably.
That Spiceworks chose to be a little more transparent after the issue was published and then broadcast over every social media channel available is closing the barn door after the horse frelled off, nothing more.