Yahoo Passwords Hacked
Over the past few months there have been several breaches of security on major websites, for example LinkedIn and Match.com. However, within the past week a bigger name was hit: Yahoo! Now it wasn’t Yahoo! Mail or anything like that. Apparently it was their Contributor Network, which they bought in 2010.
What makes this case worse is two-fold. First, the attackers used a SQL injection attack. For those not in the know, this attack has been around for quite a long time, and a lot of modern web frameworks help prevent against it. Even the ones that don’t have automatic prevention have methods and approaches (parameterized queries, for one) that can eliminate the attack.
Secondly, the passwords weren’t hashed. That means if your password was “password” it would show up in the database as “password”, whereas if it had been hashed it might have looked something like: lakjsdf09123;akdsf091cna0013asd–129asd84wqqr71
Essentially, once the attackers used an old-but-true method to get to the database, they instantly saw 400,000 passwords in the same way that you see this blog.
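As an added example (not code from the original post, and not Yahoo’s code), here is the shape of a user store that closes both holes the article names: lookups that bind user input as parameters so it can never alter the SQL text, and a salted PBKDF2 hash stored in place of the plaintext password. The table schema, the work factor and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory table standing in for a site's user store (assumed schema).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: this digest is what gets stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is discarded."""
    salt = os.urandom(16)
    # Parameterized query: the driver binds the values, so input can never change the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def verify(username: str, password: str) -> bool:
    """Login check. 'Send me my current password' is impossible by design: only comparison works."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))  # constant-time compare


def stored_value(username: str) -> bytes:
    """What someone who dumps the table sees for this user: a digest, not 'password'."""
    return db.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


def lookup_safe(username: str):
    """Bound parameter: a quote in the username is just data, so o'brien is simply not found."""
    return db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()


def lookup_unsafe(username: str):
    """The anti-pattern from the article: the username is spliced into the statement text, so a
    quote in the input changes the SQL itself (SQLite rejects the broken syntax and raises)."""
    return db.execute(f"SELECT username FROM users WHERE username = '{username}'").fetchone()
```

With this layout a table dump yields salts and digests, and the "resend my password" request from the business side cannot be satisfied even by a willing developer, which is the point.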
That’s bad. Really bad.
But there’s a bigger problem.
The bigger problem is that developers act like passive-aggressive adolescents. Over and over again, I saw this comment on different sites:
“I guess the CIO didn’t really care about security.”
Is it the CIO’s responsibility to make sure the data is secure? Sure. But it’s not JUST the CIO’s responsibility. Whoever created the database table to store passwords in is at fault. Whoever wrote the code to access the table is at fault. Whoever wrote the code that allowed SQL to be injected into the website is at fault. It could be those are 3 separate people, it could be they’re all the same person, but at a minimum each of those 3 roles had a chance to stop this.
I can almost imagine the situation, because I’ve been in it before. The developers perhaps suggested they should hash the passwords, and someone from the business side said “No, I need to be able to resend the password if it’s lost. I don’t want to reset it, just send me my current password.”
There was probably some slight arguing back-and-forth before the developers capitulated and created plain text passwords. But this is where developers need to grow up!
You’re Not A Professional
Becoming a professional engineer is not an easy task. To start with you have to take an 8-hour test called the Fundamentals of Engineering. The first 4 hours are over fundamental engineering questions — math, chemistry, physics, as well as some specific engineering questions. The next four hours are over your specific field. Think you know about electrical engineering? Get ready to answer not only communication theory but power grid questions, circuitry, etc.
If you pass that, you then need to work for several years underneath someone who is a professional engineer. Then after that, you get to take another 8-hour test over specific topics in your field.
If I remember right, something like 40-50% of people who take the FE fail. It’s a big deal: without passing the FE you often can’t get a job as a civil or mechanical engineer, because nobody wants to hire someone who isn’t working towards a PE.
Then once you get your PE, the real responsibility comes into play. You are now able to sign your name to drawings and designs, placing your professional reputation on that design. Or, as one friend was told when he became an architect, “Congratulations, you can now be sued!”
So what happens if someone from business comes to a civil engineer and says “The material you’re using to build this bridge is too heavy and ugly. Use something lighter that’s more appealing to the eyes.” If that engineer values his professional reputation, and wants to avoid harm to the people traveling over the bridge, he won’t capitulate.
That’s not a problem too often in the engineering world, because engineers are treated as professionals.
Software developers are not treated this way.
Who is to blame?
I don’t lay the blame on managers or executives for not treating developers as professionals; I lay it completely at the feet of developers. You are the reason our field is not treated as a profession.
Go back to the password situation. How many times have you been in, or heard this conversation:
Business Owner: I need to be able to do X, Y and Z (perhaps it’s get the password in my email.)
Developer: If you do that you risk opening up a security hole.
Business: I don’t care, just do it.
Then as the developer walks away, he mutters under his breath “You’ll be sorry for this. It’s going to come back and bite you.”
That’s exactly how adolescents act. Instead of taking a stand for what you know is right, you relent and throw away all your integrity. You’ve reduced yourself from a developer to a code monkey that just pushes the buttons someone higher up than you tells you to push.
You’re the puppet.
They’re the puppet master.
If you’re a developer, writing code is simultaneously an important part of your job and the last thing you should worry about. You are there to solve problems and provide solutions. You’re not a dictation machine. You were hired to think. And if the place you are at doesn’t want you to think, then you would be 100 times better off to leave that job.
Don’t sit back and become passive, and just let whatever bad decisions are made come to fruition, the whole time saying “This is going to blow up.”
Be an adult. Take a stand. It’s your name that gets attached to the committed code. Somewhere in the code base, we could see who made the Yahoo passwords plain text, and I guarantee it was a developer, not a business professional!