'It's common for freelancers to farm out work to cheap coders'

Plus: 'I'm supposed to release an enterprise platform on Azure?'

Beginner's guide to SSL certificates

Quotw This was the week when Mobile World Congress was going on in Barcelona, but although the products were fun, the chat was better at RSA's conference. In the opening keynote, exec chair Art Coviello lambasted industry people for going on and on about a "Cyber Pearl Harbour" and frightening the ordinary folk of the world with their shock and awe tactics:

I absolutely hate the term 'Cyber Pearl Harbor'. I just think it's a poor metaphor to describe the state we are really in. What do I do differently once I've heard it? And I've been hearing it for ten years now.

To trigger a physically destructive event solely from the internet might not be impossible, but it is still, as of today, highly unlikely.

Unfortunately, Michael Chertoff, Bush's Secretary of Homeland Security, misunderstood Coviello's angst and just swapped out "Pearl Harbour" for "9/11". He said:

[Serious threats to cyberspace are] on a par with what this country tragically experienced on 9/11.

But since he was using his speech to try to get IT workers into jobs with the government instead of lucrative private-sector careers, perhaps the hyperbole was necessary.

Also at RSA, a Reg hack bumped into Bryan Sartin, director of investigative response on Verizon's RISK team, who mentioned that the story of the guy outsourcing his IT job to a firm in China, so that he could spend all day on Reddit, was by no means an isolated incident. Sartin explained:

When the story went out we got a bunch of phone calls with companies asking, 'Are you talking about our situation?'

It turns out this seems to be something of a trend and lots of people are doing it. It's especially common with contract workers and freelancers who sign up for jobs and then farm out that work in parts of the world where coders are cheap.

And of course, letting unauthorised outsourced workers in through the back door by giving up employee username and passwords can easily open up companies to hacks:

Our data shows that in 74 per cent of network intrusions, the initial access point is a remote worker's link. In these specific cases there doesn’t have seen to be a problem, but if the hacker's purpose is espionage rather than profit then they're going to keep a low profile.

This was also the week that Microsoft's cloud service Windows Azure crashed globally for 12 hours because Redmond had made the really schoolboy error of not updating a security certificate. One user fumed:

This is unacceptable, I'm supposed to release an enterprise app on this platform?

In security news, self-styled Anonymous intelligence agency Par:AnoIA leaked what it claimed was data lifted from insecure systems at a Bank of America contractor that showed the banking behemoth was trying to run tabs on hactivists. The group said in a statement:

We were amused by the fact that there are actually paid analysts sitting somewhere reading the vast amount garbage that scrolls by in large public channels like #anonops and #voxanon. Even more amusing is the keyword list that was found, containing trigger words like 'jihad' or 'homosexual'.

Meanwhile, that crack team of hackers from China's People's Liberation Army, codenamed advanced persistent threat one (APT1), isn't actually all it's cracked up to be. Security experts are saying that the group, also known as Comment Crew, is more prolific than particularly skilled. Jaime Blasco, labs director at security tools firm AlienVault, said:

APT1 is one of the less sophisticated groups. They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the time they don't use zero-days exploits to gain access.

While Joe Stewart, director of malware research at Dell SecureWorks CTU added:

The Comment Crew are, in general, not terribly sophisticated. But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled.

And other experts, such as cybercrime researcher Dancho Danchev, worry that all this focus on China hackers is dangerous:

Now that everyone's obsessed with China, the Russian underground can continue 'milking' its favourite cash cow, the US. Anything launched by eastern European cyber-criminals can be described as an APT these days. It's just that go after the dollar, not the intellectual propery.

Because Linux kernel chief Linus Torvalds hasn't gone off on one recently, here's a rant he had this week at Red Hat employee David Howells over the X.509 public key management standard.

Howells suggested that the code should be accepted into the kernel so that Red Hat could "embed an X.509 certificate containing the key in a section called '.keylist' in an EFI PE binary and then get the binary signed by Microsoft”. This arrangement would be more elegant than the way the Linux kernel signs certificates today, he reckoned. Torvalds did not:

Quite frankly, I doubt that anybody will ever care, plus getting me to care about some vendor that ships external binary-only modules is going to be hard as hell.

Plus quite frankly, signing random kernel vendor modules (indirectly) with a MS key is f*cking stupid to begin with.

In other words, I really don't see why we should bend over backwards, when there really is no reason to. It's adding stupid code to the kernel only to encourage stupidities in other people.

Seriously, if somebody wants to make a binary module for Fedora 18 or whatever, they should go to Red Hat and ask whether RH is willing to sign their key. And the whole "no, we only think it makes sense to trust MS keys" argument is so f*cking stupid that if somebody really brings that up, I can only throw my hands up and say "whatever".

In other words, none of this makes me think that we should do stupid things just to perpetuate the stupidity. And I don't believe in the argument to begin with.

And that wasn't even the bit where he was going on about Red Hat deep-throating Microsoft. ®

Security for virtualized datacentres

More from The Register

next story
Boffins who stare at goats: I do believe they’re SHRINKING
Alpine chamois being squashed by global warming
Space exploration is just so lame. NEW APPS are mankind's future
We feel obliged to point out the headline statement is total, utter cobblers
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
FedEx helps deliver THOUSANDS of spam messages DIRECT to its Blighty customers
Don't worry Wilson, I'll do all the paddling. You just hang on
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
STONER SHEEP get the MUNCHIES after feasting on £4k worth of cannabis plants
Baaaaaa! Fanny's Farm's woolly flock is high, maaaaaan
Adorkable overshare of words like photobomb in this year's dictionaries
And hipsters are finally defined as self-loathing. Sort of
Not a loyal follower of @BritishMonarchy? You missed The QUEEN*'s first Tweet
Her Maj opens 'Information Age' at the Science Museum
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.