
Dell announces security breach - frdmn
https://www.zdnet.com/article/dell-announces-security-breach/
======
donaltroddyn
If software development was a true profession, then I firmly believe that many
developers would be struck off for extreme negligence or incompetence.

I’ve found and reported serious security vulnerabilities to many companies
that I’ve worked with, and become very disillusioned with some of the
responses. Companies that operate in fields which materially affect people's
lives (such as healthcare, finance and telecoms) will deploy software that is
so badly designed that there is often no need to break any technical aspect to
get access to private and sensitive data.

Yet, when I report a breach, the same people who deployed software with broken
(or sometimes no) authorisation models, access control, etc, are suddenly
competent enough to investigate their own failure. Invariably, they always
have perfect logging and reporting that could not possibly have been evaded
and which proves that no breach occurred or data was exfiltrated before the
vulnerability was reported.

If another professional, say an engineer, lawyer, or doctor, had demonstrated
the incompetence or negligence in their field that I’ve seen some software
developers display (sometimes wilfully - “It’s a feature”), they would never
be allowed to work again. Software is now so important that I believe that
some of the developers and technical leaders that I have dealt with in
resolving security vulnerabilities should never again be allowed to work with
software that interacts with personal or sensitive data (or, more generally,
with software that could affect human life, safety, or privacy).

~~~
wil421
The stack is too large, complicated, and abstracted to put the blame on a
single engineer.

Vulnerability in struts? Go after the open source engineers.

CPU vulnerability? Go after the engineers at AMD and Intel.

Bad firmware? Go after the network engineer who set up the box.

In a time when even the highest people in companies are basically untouchable,
for example Lehman Bros, and you want to start going after the engineers?

~~~
3pt14159
I keep harping on it, but civil or nuclear engineers have a world of practice
we could draw on in software. We just don't.

> Buildings are too complicated!

> Fabrication problem in struts? Go after the strut manufacturers.

> Badly documented connection in column with resulting bracing failure and
> buckling? Go after the column connection manufacturers.

> Bad soil conditions led to improper concrete pile hardening? Go after the
> geotechnical engineers or concrete placers.

And so on. We have building codes with pre-set ways of doing things for a
reason. You can go outside of them if you want to, but you take on way more
cost. Not just bonding, but design, testing, etc. We also have, _gasp_,
government inspectors. Say it ain't so! But every single domicile or place of
work has had them give the thing a look over, but we can't even get them for a
company as important as Equifax.

The Economist is right about one thing: Data is the new oil. We're the new
oilmen. And if you want to understand how they slept at night sweeping global
warming under the rug look no further than our own corporations that are
resisting regulation at every turn.

Always on microphones in almost every home. Televisions that spy on us.
Cameras everywhere with facial recognition. Companies that track our phones
while we walk around. Hospitals that lose bulk patient records or keep Windows
unpatched because "airgaps" then WannaCry hits. Children with anxiety and
suicide rates that have skyrocketed. Babies parented by YouTube which for
years lacked any oversight on content. Completely unregulated cyberarms market
with American companies selling iPhone vulns to corrupt, illiberal states that
torture journalists.

Hackable cars. Hackable powerplants. Hackable electrical grids. Hackable
telephone towers. Hackable satellites. Hackable tanks. Hackable aircraft
carriers.

This cannot stand.

~~~
wil421
I agree we should hold companies accountable for every one of your
hackables. Broader and faster moving regulation is probably needed in the US
around basic software and networking security.

I absolutely disagree with the OP about holding individual software engineers
responsible and even banning them from ever working in software engineering
again. Engineers take orders from management and executives. Even with the
loudest protest possible they are often shut down by higher ups. Sometimes the
noisy engineers are replaced by more docile yes types or shunned.

~~~
3pt14159
I was a structural engineer (EIT) once. I pushed back against a manager that
wanted to do something that I knew for certain would degrade the structural
capacity that the design engineer had planned for. He could have fired me but
it would have made the news if he did because the public has trust in the
individual engineers that design our buildings and civil works.

We need the same for software. It doesn't mean mistakes never happen. Mistakes
happen even with the best of intentions by the smartest people. We don't
blindly strip engineers of their livelihood. Only when an engineer has shown
gross incompetence or carelessness or repeated poor judgement does that
happen.

------
Already__Taken
Dell's been an open book for years.

One piece of spam I've got on a brand new email account was ~1 day after
ordering a brand new XPS. It was a fake tracking code email about my Dell
order with correct details like laptop, account name, price. I contacted Dell
and only managed to find out my order wasn't even in the post yet. They
weren't interested in anything.

And I also never got any more than that specific 1 piece of spam.

~~~
lostgame
Out of curiosity, how did you/did you confirm it was a fake?

~~~
Already__Taken
The tracking number was a zipfile I have to run a program to get.

I messaged Dell to confirm who they ship with, who said it's not in the post
yet. Once another tracking number came in a week or so later, it was from Dell,
since it had more branding, did actually contain just a number, and did work on
the shipping company's website.

------
abo2t
It's insane that companies are allowed to say "yes there was a security hole,
but no we don't have logs, therefore nothing was stolen, so stop asking."

Their refusal to give the number of exposed accounts makes it seem like it's
pretty bad.

------
tyingq
Dell redirected the vulnerability press release link to a Christmas Deals
page. Heh.

~~~
lostgame
Oh. Wow. That's just awful.

------
ndrake
From
[https://www.dell.com/customerupdate](https://www.dell.com/customerupdate)

What is a “hashed password”? Hashing is a cryptographic security mechanism,
similar to encryption, that scrambles customers’ passwords into an unreadable
format. Dell ‘hashes’ all Dell.com customer account passwords prior to storing
them in our database using a hashing algorithm that has been tested and
validated by an expert third-party firm. This security measure limits the risk
of customers’ passwords being revealed if a hashed version of their password
were to ever be taken.

~~~
xoa
Bleh. Maybe it's too much to hope for a company like that to give any
specifics but that's pretty empty by itself. I mean, great, they didn't use
plain text(!), but "MD5 with no salt" would fit that blurb just fine too. I
really hope Dell was properly using an adaptive hash, but usually when
companies do a good job there they want to tout it because it does in some
small way show they care somewhat despite the breach. Even if it should be the
norm saying "we used bcrypt with 65k+ rounds" or whatever is legitimately
reasonable to put in there.

~~~
tialaramex
It seems like they could add a parenthetic which is more specific to help
those of us who actually understand the question gauge for others who ask.

As it stands if my mother asked whether this means her password is protected,
my answer realistically is "No". Her passwords are not great (it is, after
all, not a great sign that I'm saying "her passwords" meaning I know what they
are) but they're not in the Pwned Passwords list for example, still a
reasonable brute force of MD5 would get most of them. Whereas if they said
they had even a crummy salted and pessimised hash, say PHK-MD5-crypt, I'd feel
comfortable saying that "Yes", nobody is going to break her password. Which
isn't to say nobody could in theory, just that salt means they'd need to
target her and pessimisation means it'd cost money, and so why her?

I guess the reason not to is that it invites Monday Morning Quarterbacks. "Oh,
why did they use PBKDF2 with this many rounds? Why not Bcrypt? Why not
Argon2?" and so on.
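To make the distinction the two comments above are arguing about concrete (an unsalted fast hash like MD5, which would "fit that blurb just fine", versus a salted adaptive hash), here is an added Python example that is not from the thread and not Dell's code. The usernames, passwords and guess list are constructed, and the PBKDF2 round count is an assumed value.

```python
import hashlib
import hmac
import os

# Constructed sample "user database" with the kind of weak passwords the
# comments above worry about (assumed values, not from any real breach).
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}
# Constructed guess list standing in for a real-world wordlist.
GUESSES = ["123456", "password1", "letmein", "qwerty"]

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune per deployment


def md5_unsalted(pw: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2_salted(pw: str, salt: bytes) -> bytes:
    """The better scheme: per-user random salt plus a slow, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def build_unsalted_db() -> dict:
    return {u: md5_unsalted(p) for u, p in USERS.items()}


def build_salted_db() -> dict:
    db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # fresh salt per user, stored beside the digest
        db[u] = (salt, pbkdf2_salted(p, salt))
    return db


def shared_duplicates(hashes: dict) -> set:
    """Unsalted digests reveal which users share a password before any guessing."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return {h for h, n in counts.items() if n > 1}


def unsalted_exposure(hashes: dict, guesses: list) -> dict:
    """Without salt, one table of guess digests covers every user in a leak at once."""
    table = {md5_unsalted(g): g for g in guesses}
    return {u: table[h] for u, h in hashes.items() if h in table}


def verify_salted(stored: dict, user: str, attempt: str) -> bool:
    """With a per-user salt every check costs a full PBKDF2 run for that user alone."""
    salt, digest = stored[user]
    return hmac.compare_digest(pbkdf2_salted(attempt, salt), digest)
```

The salted database shows no duplicate digests even though alice and carol share a password, which is exactly the property that turns a leak into per-user, pay-per-guess work instead of one lookup for everybody.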

