Coding error in forgotten API blamed for massive data breach

The data breach at Australian telco Optus, which saw over nine million customers' personal information exposed, has been blamed on a coding error that broke API access controls, and was left in place for years. A Wednesday court filing [PDF] includes an account of the incident penned by Australia's Communications and Media …
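As an added example, not Optus's code and not drawn from the court filing, the sketch below shows the two controls the summary above points at: an API route whose access check was never written (or was miscoded) should fail closed rather than open, and a route inventory should flag such endpoints so they are not left in place for years. The policy names, endpoints and customer records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy names. "public" must be declared explicitly; a route
# with no declared policy is treated as forbidden, never as open.
PUBLIC = "public"
CUSTOMER = "customer"   # caller must be the customer whose record is requested
STAFF = "staff"         # internal staff only


@dataclass(frozen=True)
class Request:
    resource: str                    # which endpoint, e.g. "customer_profile"
    customer_id: str                 # whose record is being asked for
    principal: Optional[str] = None  # authenticated subject, None if anonymous
    roles: frozenset = frozenset()


@dataclass
class Route:
    handler: Callable[[Request], dict]
    policy: Optional[str]            # None means nobody ever wrote one
    sensitive: bool                  # True if the handler returns personal data


class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, Route] = {}

    def register(self, resource: str, handler: Callable[[Request], dict],
                 policy: Optional[str] = None, sensitive: bool = False) -> None:
        self._routes[resource] = Route(handler, policy, sensitive)

    @staticmethod
    def authorize(route: Route, req: Request) -> bool:
        if route.policy == PUBLIC:
            return True
        if route.policy == CUSTOMER:
            return req.principal is not None and req.principal == req.customer_id
        if route.policy == STAFF:
            return req.principal is not None and "staff" in req.roles
        return False  # missing or unknown policy: fail closed

    def handle(self, req: Request) -> Tuple[int, dict]:
        route = self._routes.get(req.resource)
        if route is None:
            return 404, {}
        if not self.authorize(route, req):
            return 403, {}  # same response whatever the reason, no hints
        return 200, route.handler(req)

    def audit(self) -> List[str]:
        """Inventory check: routes with no policy, or serving personal data to
        anonymous callers. Run in CI so a forgotten endpoint shows up early."""
        return sorted(name for name, r in self._routes.items()
                      if r.policy is None or (r.sensitive and r.policy == PUBLIC))


def build_demo_router() -> Router:
    # Constructed sample endpoints; the record store is a dict for illustration.
    records = {"c1": {"name": "A. Customer", "dob": "1980-01-01"}}

    def profile(req: Request) -> dict:
        return records.get(req.customer_id, {})

    r = Router()
    r.register("health", lambda req: {"ok": True}, policy=PUBLIC)
    r.register("customer_profile", profile, policy=CUSTOMER, sensitive=True)
    # The "forgotten" endpoint: handler still wired up, policy never declared.
    r.register("customer_export", profile, sensitive=True)
    # The miscoded endpoint: personal data explicitly marked public.
    r.register("legacy_lookup", profile, policy=PUBLIC, sensitive=True)
    return r


if __name__ == "__main__":
    router = build_demo_router()
    print("anonymous export:", router.handle(Request("customer_export", "c1")))
    print("owner profile:", router.handle(Request("customer_profile", "c1", principal="c1")))
    print("audit findings:", router.audit())
```

The deny-by-default branch is what turns a forgotten check into a 403 instead of a data leak; the audit is what turns the miscoded public endpoint into a finding instead of a years-long exposure. Neither depends on the hostname being hard to guess.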

  1. Version 1.0 Silver badge
    Facepalm

    Did AI update the software?

    Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves. - Alan Kay

    But I see AI as simply repeating the error methods that we all created originally when Alan wrote that.

    1. Korev Silver badge
      Coat

      Re: Did AI update the software?

      > But I see AI as simply repeating the error methods

      Well Optus Prime is a transformer

    2. Brave Coward

      Re: Did AI update the software?

      Sorry for putting on my pedantic hat, but the current trend in history research tends to indicate that the workers who built the Egyptian pyramids were not slaves after all.

      OK, it has nothing to do with the topic, I reckon.

    3. Kevin McMurtrie Silver badge

      Re: Did AI update the software?

      I'd describe it as more of an onion. Each layer fixes some of the bugs and limitations in the previous inner layers but adds new bugs and limitations of its own. It grows new layers until it reaches a mass where it can no longer survive and a new onion forks off. Slicing into it only makes you cry but it has a nice aroma over a fire.

    4. Xor007

      Re: Did AI update the software?

      Even more pedantic: predictable structural integrity in a building comes from the judicious use of gravity and precision geometry, which the ancient Egyptians got right. That allowed their pyramids to stand for millennia.

      1. John Brown (no body) Silver badge

        Re: Did AI update the software?

        Yeah, I raised an eyebrow at that too. Alan Kay may not have an interest in history or be up to date with the latest evidence that it was most likely paid workers, not slaves, who built the pyramids, but you don't have to be an engineer or architect to realise that structures that have stood for millennia must have at least a smidgeon of structural integrity. It was a poor and ill-informed analogy.

  2. Anonymous Coward

    Optus always denied everything, including that they even leaked anything.

  3. Mike 137 Silver badge

    "api.optus.com.au"

    Coding error apart (we can all make mistakes), to call a public facing service "api" anything is the height of idiocy as it invites attack. Nevertheless, one does wonder why the public facing service wasn't pen tested before going live. As indeed one wonders why practically nobody does.

    1. wangi

      Re: "api.optus.com.au"

      Nonsense, it's generally absolutely fine to call a public facing API server api, and it helps to do so. Giving it some cryptic hostname might feel more secure, but it just ends up sowing confusion. After all, it is presumably public facing for a reason: there will be client-side JS (or applications) with knowledge of the cryptic hostname, therefore trivial to gain knowledge of it via them.

      Of course there's no point having the API public facing if it's either a) no longer used; or b) only used internally by the backend or other public facing servers...

  4. sitta_europea Silver badge

    Rule one in the security playbook:

    Make an inventory.

    1. ecofeco Silver badge

      Rule two: don't fire or underpay your good techs.

  5. sedregj Bronze badge
    Coffee/keyboard

    quantum of penalties

    Is this a new Reg Standard: "quantum of penalties"?

    1. TimMaher Silver badge
      Holmes

      Re: quantum of penalties

      Nope. It’s a James Bond film.

    2. yetanotheraoc Silver badge

      Re: quantum of penalties

      It's an old Reg Standard: find the quote that makes the quotee sound ridiculous.

    3. Bebu
      Windows

      Re: quantum of penalties

      Is this a new Reg Standard: "quantum of penalties"?

      I think it's a piece of legal Latin. Quantus/quanta/quantum is a Latin adjective for "how large or how great."

      Just another way of saying how much we are up for.

      Although I would have imagined "quanta of penalties" to agree in number.

      1. F. Frederick Skitty Silver badge

        Re: quantum of penalties

        Given that this is an Aussie firm, shouldn't that be a Qantas of penalties?
