Told you so. TechReckoning Dispatch v3n17
Hi friends,
There was a lot of “I told you so” going around this week. I hope you enjoyed your Internet snow day Friday as waves of DDoS brought down the DNS provider Dyn across the US. The culprit? Compromised IoT devices like DVRs and webcams. The finger was pointed at Chinese company Hangzhou Xiongmai, who has recalled the devices. (They had firmware-coded passwords.) Yeah, that’s going to fix things. Reports are also circulating that you can buy your own IoT bonnet software for the low price of $7500. The Mirai malware was ID’d as the culprit. Let’s let Leslie Carhart direct us further down the rabbit hole:
A few things to make you smarter though: 1. It wasn’t just Xiongmai devices. Even if it was this time, tomorrow it could be your TV or router. We really are in Boy and his Dog, The Road, Hobbesian Bellum omnium contra omnes territory now. .
2. Dyn was evidently using BIND, which is kind of like running your shipping business on go-karts.
3. That map with the red blotches that you saw everywhere labeled Level 3 did not, in fact, have anything to do with activity on the Level 3 backbone. (This is a great article from Glenn Fleishman that also explains concepts like DNS to civilians.)
Glenn’s a great writer and he’s also got a great article that lists ways that device makers could do to stop this from happening again.
Blaming users for not changing a device’s password is like blaming a car driver for not performing an oil change when first buying a car, or for not swapping out a defective air bag when they learn of a recall. The IoT device maker needs to be responsible for setting strong defaults and guiding a user through setup. And many of the problems that lead to devices being hijacked have to do with a poorly configured operating system or even debugging processes left in place that even a sophisticated user would be unable to change — only a firmware update from a manufacturer could close those holes.
Look, this stuff is hard, even for an enterprise appliance provider charging tens of thousands of dollars. They have trouble thinking of themselves as providing a service, not a product. I can imagine that device makers only are now dimly aware of the hell they have unleashed on the earth. As Bruce Schneier, the Chuck Norris of Security, says, the market can’t fix this because neither the buyer nor the seller cares. Heck, even Verizon and AT&T can’t reliably update their phones, and they’re already sold as a service.
What’s kind of crazy is we saw this coming in a and of slow-motion apocalypse — my files are full of this stuff collected over the last few years. Saying “I told you so” on Twitter doesn’t help much. I have no doubt a combination of technical and legal and cultural fixes will solve these problem, but until then, yikes. (Reason for my optimism: email spam is no longer a major problem. From the point of view of 15 years ago, that’s amazing.)
In case you’re a security admin and you think that one way we’re going to solve this is to keep bugging users about passwords and other borderline cruel harassment. ‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests reported at the mudder-fuggin NIST, so please pay attention.
“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
The multidisciplinary team learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.
True confession: I always just changed the last digit for my new password, and I don’t understand why a user would ever do anything else. And I think the password to my router might be written down somewhere, but I’ll likely just factory reset it if I need to change anything. Nobody needs another password, ever.
Security stuff takes a long time to bake. It’s 2016, and Microsoft is just launching Shielded VMs (virtual TPMs), and vSphere 6.5 finally has encrypted VMs (with VMotion!) and secure boot. As VMware’s Mike Foley notes:
Our focus on security is manageability. If security is not easy to implement and manage then the benefit it may bring is offset. Security in a virtual infrastructure must be able to be done “at scale”. Managing 100’s or 1000’s of security “snowflakes” is something no IT manager wants to do. She/He doesn’t have the resources to do that. The key to security at scale is automation and in these new features you’ll see plenty of that.
Speaking of services and updates, Microsoft now has full awareness that Windows is a service; not sure the IT admins or the consulting channel partners have yet though. Keeping Up With Microsoft in the “Rapid Release’ Era by Barb Levisay at Redmond Channel Partner.
“It’s a relatively new role for us and that person’s job is to stay up to speed on what’s going on with the services. I think if you don’t have a person dedicated to it, it’s easy to fall behind pretty quickly,” says Wilson. “If you think about all the ways that information gets published now about changes and new functions added to the Microsoft cloud services — it’s all on the Internet.
Hey, have you heard about Docker? Of course you have, but if you want to move past “container is the new VM”, Stephen Foskett has a new post looking at the bigger picture and what it means to IT Ops. This is also my Big Thought of the moment. What’s the Deal with Containers?
Because containers specify an environment in which to run an application, they are truly transformative in practice. As mentioned, a developer can be sure that her application will run in exactly the environment she specifies … Because of this ease of use aspect, IT is beginning to embrace container technology, and especially Docker. Typically, IT operations folks are a little nervous about new technologies, and this is especially true of developer-focused tech. But once they try Docker, a light goes on!
Let’s lighten it up as we take it home. Many Mighty Amigas Still in Use 25 Years Later by David Cassel at The New Stack. I was never an Amiga person but I always kind of wished I was.
From the mailbox. I’ll paraphrase Chris Evans, who points out that (1) VMW on AWS is only good for legacy apps; greenfield apps should be cloud-native and don’t need vSphere or the new features on AWS; and (2) How can the economics work if VMW can’t price it lower than on-prem VMW, and AWS can always underprice both VMW scenarios? I’m not being paid by VMW to be an apologist, so I don’t feel compelled to answer, but I’ve got some thoughts. (1) Kit Colbert, the baby face killa of VMware, rebutted on Twitter with a plea to acknowledge just exactly where we are with regards to cloud migration (i.e., not very far; lots of legacy $) and if you look at Photon Platform you see Kit’s vision for cloud-native apps — still manageable by VMware. And (2) I got nuthin — it’s up to VMW to feed the channel and not to screw up pricing.
Also from the mailbox, Andrew Miller points out that both VMW and AWS are making (opposite) bets on how long it will take the cloud-native shift to happen. He later expanded his note to me into a full blog post. Worth reading.
Hey, I was on the Datanauts Podcast 056: The Changing World Of Skills, Silos & Clouds. Thanks Ethan and Chris for having me on! We talked about the career-y things I always talk about. Since you’re never going to be sure if you’re learning The Right Thing, just keep learning the stuff that seems the most fun to you. Welcome to all new Datanauts listeners! Don’t hesitate to drop me a line and say hi.
Listen to Geek Whisperers #123: Bizdev developer evangelism and the Hidden Genius Project with Kurt Collins. What if you could be a developer evangelist and work on company alliances? Give it a listen. We also talk bout Kurt’s work with the Hidden Genius Project, a program that mentors black male youth in technology creation, entrepreneurship, and leadership skills.
I’ll be headed up to CloudNativeCon November 8–9 in Seattle. Please come be my Kubernetes friend if you’re there too.
In memory of Charles Nelson Troyer, 2004–2016. He was a good cat.
If you like this newsletter, forward it to someone you think needs more vegetables in their diet. For more groovy links, check out TechReckoning on Twitter, Facebook, or LinkedIn. Photo credits: me, JC Green, animated by Butthug. Originally published at techreckoning.com.
