Fancy a career exposing cloud data leaks? Great news, companies are still largely clueless Anyone hoping to halt the flood of data leaks stemming from cloud services got bad news this week when Palo Alto's Unit 42 found little sign companies were improving their security practices. The networking giant's security branch examined cloud servers hosted on AWS, Azure, and Google Cloud Platform to see how publicly-facing …
I disagree with that statement.
I believe cloud admins have learned quite a lot recently.
First and foremost would be that cloud admins and the companies they worked for have learned that it is not neccessary to spend too much time or money securing their data when all they really need to do is put a few pennies away to flog free credit monitoring to their victims for the upcoming breach.
This post has been deleted by its author
So true. I guess you have met the development managers in our department. "Admins? I do not need no stinking admins or DBAs! Just gust give us the Cloud and our teams will do miracles" - That is what our development managers have been singing for the last couple of years.
Companies trying to escape the consultancy overheads involved with "on-prem" think they can escape these costs by going "cloud". I suspect this is why cloud is in vogue at present.
I have seen this countless times with email: companies moving from a local email server to using a cloud-based one. It seems that cloud providers give no consultancy on issues such as "you might like to amend your SPF record if you want your emails to continue to be received."
Speaking of SPF I recently opened a support ticket with Western Digital as their online storefront was sending emails for order confirmation and shipping confirmations as "from" support@wdc.com. The problem was the SPF record for wdc.com did not include the IP addresses for their online store (hosted by someone named digital river), so in my case at least my personal mail server enforces SPF lookups and rejected the email. After doing some checks I discovered exactly what the issue was and contacted them. I temporarily disabled the SPF checks on my mail server so the shipping confirmation came through at least (mail server rejected order confirmation with a 550 error code so it was gone for good). They didn't seem to understand my message, even though I specifically asked them to forward the details to their email or web admins.
Support's response consisted of "
Thank you for contacting Western Digital Customer Service and Support. My name is Ashley.
If you have any further questions, please reply to this email and we will be happy to assist you further."
(and no communications after)
This was about a month ago, and their SPF record is still not updated. Address that tried to send the mail to me originally was 208.82.174.245 (mta0301.digitalriver.com -- probably one of many servers they have for sending email). SPF record for wdc.com does not have any entries with the text 208, or digitalriver. I suppose it's possible they changed their "From" address to fix the issue(doubt it) but no way to test that myself without ordering something else.
This problem has been there for at least a year I think as I never got order confirmation last year for an order though I didn't care enough to look into it at the time.
Um, just a thought : how come those protocols are available on The Cloud (TM) at all ?
Or did they create The Cloud (TM) by including every protocol that has been created in the past twenty-five years, regardless of whether or not it was secure ?
the latter-day re-creation of old "computer central", the evil big brother that motivated the whole "personal computer revolution" in the first place. We've gone full-circle and the mass of computer users are now (voluntarily) back in the clutches of those, the escape from whom, caused so much energy be expended.
Yes, all the usual corporate issues are in play here. There's incompetent management, more or less the default setting for the English-speaking world (well, I dunno about the Commonwealth, but British and US management, at any level you care to choose, is almost universally shyte: any half decent bunch of Germans leaves them looking like ignorant children—or in the case of the US, shouty ignorant children). You have people in charge with political vices rather than domain expertise, who haven't the first clue what 'leadership' really is. Beancounters being allowed to contaminate the management pool, making things even worse. The number of cowboy 'consultants' who think they know IT or can code because they once wrote an Excel macro. The incredible variation in skills among IT people generally, from top-notch to laughable-but-still-mysteriously-employed.
IT is something that ought to be treated and executed a lot like serious engineering, perhaps even aeronautical engineering. Evidence-led, fact-based, rationally and logically planned and executed, with reliability, safety and security simply baked in to everyone's daily thought processes.
But for some reason a great deal of IT actually resembles the sloppy, superficial buzzword-swamps of sales and marketing. In many companies IT has never grown up and is redolent of the 'colouring-in' departments that coders and engineers justifiably scorn. Those 'colouring-in' departments are all about words, twisted, exaggerated, often simply lies, where nothing has solid meaning. IT, on the other hand, is fundamentally math. Whether it's Boolean algebra in the code, stats in the analytical stuff, set theory in the databases, quaternions in graphics engines, tensors in modelling ... all of it ultimately comes down to hard numbers. The difference could hardly be greater. Why?
I don't know—perhaps because the industry is too young, and never grew the virtues of certification and peer approval? It is strikingly absurd that you cannot shoe a horse in the UK without having passed stern and strenuous training and exams—it's a bloody tough job that I always observe with some fascination and awe—but you can call yourself a 'consultant', read up on buzz phrases, memorise some rubbish MBA jargon, print a few business cards and start doing damage among FTSE500 IT services next afternoon. (As a magnet for lazy, gormless amateurs, IT isn't far from politics.)
The whole privacy and security thing needs specialists and their managers to have an engineering and mathematically literate mindset, but what they too often have is just ... sloppy. Until IT grows up—and as you can tell I really believe it has not, yet—things will not get radically better.
Quite so, Milton,.... we couldn't have said it better ourselves. And while the cool cats and smart dudes are AWOL and/or MIA, RATs will play with immunity and impunity opening up new cans of worms and stealthily infecting/invisibly and intangibly breaching any targeted state and non-state servers of particular and peculiar interest and high value.
It is a perfectly natural progression for humanity in IT ....... and yet behold all of the shenanigans and expensive and expansive vain efforts to deny the advances which are made and causing such ructions.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
