Worried about security in the cloud? Fret over this instead: Last month, a hacker surfaced who claimed he can sell access to more than a dozen government, military and university websites — all cracked easily because of bad programming.
Stories by Frank Hayes
Internet Explorer may be losing favour among most users, but in big companies, it is still doing fine — especially IE6. Why? "We have to use IE6," a contractor at one telco told me recently. "We have all these web applications that won't run on a browser that isn't broken." And that means big trouble — doesn't it?
Quick – how many iPads are in your users' hands right now? You don't know? Of course not. Your IT shop is not supporting the iPad. You probably can't even figure out what an iPad is good for.
Fed up with swine flu fearmongers? Feeling suspicious that the people whose bird-flu pandemic predictions didn't pan out are now trying for a second bite at the apple? You should be. Yes, the current swine flu outbreak is a real health problem. In some places, it's also a real economic problem.
Fifty cents. That's how much US businesses could save by shutting down individual PCs at night and on weekends, according to a study released last month by the Alliance to Save Energy. Of course, that's not how the report headlined it. The alliance's number was US$2.8 billion per year.
Can you hear it? Amid the deafening silence that was the Conficker nonevent of April Fools' Day, you should be able to detect an echo from the past. It started as a quiet murmur, but over time, it will build to a crescendo that could make Conficker the most dangerous malware IT has ever seen.
What do we do about all these PCs, now that their users have been laid off?
Last week, I saw a plug-and-play web camera. OK, you've seen things called that before, but this was different. It works like this: You plug a gateway device into a network. You switch on the battery-powered camera. You push one button. Now you have a palm-sized device beaming live images onto your network.
Forget Facebook. Well, OK, you can't forget Facebook's recent terms-of-use fiasco — it's been all over the media. First, Facebook claimed it owns everything its users post — forever. Then, after bloggers raised a mighty stink about that, Facebook reversed course.
Terry Childs is in the news again. Remember Childs, that lone-wolf network administrator who worked for the city of San Francisco? In July 2008, he was arrested for refusing to tell his bosses the passwords to the city's high-speed network. He's been in jail ever since because he hasn't made his US$5 million bail.
Microsoft cuts 5,000 jobs. That's big news. Not just because the layoffs will cut one in 20 of Microsoft's 91,000 employees. Not only because it signals just how hard Microsoft has been hurt by the failure of Vista and by shifts in the way big customers license and use software. Not even because of the grim sign it represents for the rest of the IT industry.
Please tell me this isn't happening in 2009: Last week, an 18-year-old student reportedly used a password-guessing program to get into the account of a Twitter employee. From there, the teen cracker hijacked the accounts of President-elect Barack Obama, Britney Spears, Fox News and 30 other Twitter users.
A password-guessing program? That is so 1983.
According to Wired blogger Kim Zetter, who tracked down the cracker calling himself "GMZ" and interviewed him via email, the crack was a marvel of old-school simplicity. GMZ noticed that one Twitter user named "Crystal" was following a lot of Twitter feeds. GMZ went to the Twitter log-in page, typed in Crystal's name, pointed his homebrew guessing program at the password field, and went to bed.
When he checked the next morning, he discovered the correct password was happiness — and he was in.
He also discovered that Crystal wasn't just a Twitter user. She was a support employee, and her account had access to an administrative tool that could reset the password for any Twitter user. GMZ says he didn't access any other accounts himself — but he did give access to fellow hackers.
Twitter regained control only after several hours.
Scary, isn't it? Not that Obama and Fox News had phony messages sent out on their Twitter feeds — that turned out to be prankster-level stuff. What's scary is that systems administrators ignored so much basic password security on a system with millions of users.
You don't let your employees pick easily guessable passwords like happiness. You don't allow anyone to keep trying to log in for hours after repeated password failures. And you don't use the same log-in interface for powerful employee accounts that you use for ordinary customers. You just don't.
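To make the three controls concrete, here is an added example, not code from the column or from Twitter: a toy login service that can be run in "sloppy" mode (no password policy, no lockout, one login path for everyone) or in hardened mode (common-password denylist, lockout after five failures, staff accounts usable only through a separate staff portal), plus the kind of online guessing loop GMZ ran against it. The account names, wordlist, thresholds and the pbkdf2 parameters are all assumptions chosen for the demo.

```python
"""Added example: online password guessing against a sloppy vs. a hardened login service."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed wordlist for the demo; a real guessing tool carries millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "happiness", "sunshine"]

# Constructed denylist: passwords the hardened policy refuses when they are set.
DENYLIST = set(WORDLIST)

PBKDF2_ROUNDS = 20_000  # assumption; use a larger, tuned value in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen database is also costly to guess against."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    is_staff: bool = False
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Toy login service. hardened=True applies the column's three controls;
    hardened=False reproduces the behaviour the guessing program exploited."""

    def __init__(self, hardened: bool = True, max_failures: int = 5, lockout_seconds: int = 900):
        self.hardened = hardened
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str, is_staff: bool = False) -> None:
        # Control 1: refuse guessable passwords at set time, not after the breach.
        if self.hardened and (len(password) < 12 or password.lower() in DENYLIST):
            raise ValueError("password rejected: too short or on the common-password list")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), is_staff)

    def login(self, username: str, password: str, now: float, staff_portal: bool = False) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injected so the demo is deterministic."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if self.hardened:
            # Control 3: staff accounts never authenticate through the public login page.
            if acct.is_staff and not staff_portal:
                return "denied"
            # Control 2: refuse further attempts while the account is locked out.
            if now < acct.locked_until:
                return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.hardened and acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "denied"


def guess(auth: Authenticator, username: str, wordlist, staff_portal: bool = False):
    """The attacker's loop: one request per candidate, one simulated second apart.
    Returns (password_found, requests_sent, last_result)."""
    sent = 0
    for candidate in wordlist:
        sent += 1
        result = auth.login(username, candidate, now=float(sent), staff_portal=staff_portal)
        if result == "ok":
            return candidate, sent, result
        if result == "locked":
            return None, sent, result
    return None, sent, "denied"


def run_demo() -> dict:
    results = {}
    # Sloppy service: weak staff password accepted, no lockout, one login page for all.
    sloppy = Authenticator(hardened=False)
    sloppy.register("crystal", "happiness", is_staff=True)
    results["sloppy"] = guess(sloppy, "crystal", WORDLIST)

    hardened = Authenticator(hardened=True)
    try:
        hardened.register("crystal", "happiness", is_staff=True)
        results["policy_rejected"] = False
    except ValueError:
        results["policy_rejected"] = True
    hardened.register("crystal", "correct horse battery staple", is_staff=True)
    # Public login page: staff credentials are simply never accepted there.
    results["hardened_public"] = guess(hardened, "crystal", WORDLIST)
    # Staff portal: guessing stalls at the lockout long before the wordlist runs out.
    results["hardened_portal"] = guess(hardened, "crystal", WORDLIST, staff_portal=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

In sloppy mode the loop finds "happiness" on its sixth request and is in; in hardened mode the same password cannot even be set, the public page never accepts a staff login, and the staff portal locks the account after five failures so the seventh word is never tried. The lockout is a trade-off: while locked, the rightful user is also refused, which is why real services pair it with a per-source rate limit, alerting, and a reset path that does not itself run through the same guessable interface.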
The idea that sysadmins could be so sloppy that they'd get hit by this kind of '80s-era hack is mind-boggling — right?
Hold that thought.
Now consider this: We're entering the second full year of a recession. When it comes to staffing, we've cut the fat, we've cut the muscle, and we're starting to saw away at bone. That means in even the best of corporate IT shops, we're starting to cut corners.
There's always too much to do in IT. It's all about choosing priorities. Operations — keeping everything running — is always at the top of the list. Support — helping out individual users with problems — is usually next. These two things have big constituencies on the business side because, if they fail, things will happen and business people will notice. And then they'll howl.
But security doesn't have a big constituency. If we cut corners on security, no one may notice, because nothing bad may happen right away.
No one on the business side will howl until something does happen. And it's likely to be something very, very bad.
We don't know how Twitter, a start-up with 31 employees, got sloppy with password security. But it's not hard to imagine how it could happen in a big corporate IT shop. A little too much corner-cutting in the face of way too much work is all it would take.
That means we need to be vigilant even on simple security — even when there's no demand for it from the business side. We have to keep passwords hard to guess, lock out repeated log-in attempts and keep powerful IT accounts especially secure.
Because it is 2009, brutal economy and all. But if we slip up on something as simple as password security, it could feel like 1983 all over again.
One of this year's Computerworld US Premier 100 honorees, Sheldon X Wang of eHealth, quotes an old Chinese proverb: "If you put three shoemakers together, they are going to be smarter than the prime minister".
Finally, there's a silver lining in the ever-darker economic cloud: For once, corporate IT people are facing a gadget season in which we can honestly tell users, "I'm sorry, but we can't support use of your new gadget. This year, we simply can't afford it."
Your IT shop is about to be forced into a technology refresh. You don't have a choice. You can't stop it. You can't put it off until the economy gets better. You can't scale it back. You don't even get to decide what products your users will move to.