I have blogged for many years that cloud computing was a train wreck waiting for a plane crash to hit it so it could roll down the hill into a daycare center at lunch time. Too many worthless MBA diploma mills cranking out even more worthless management who can only chant buzz phrases like “quick win” and “cut costs.” Not one of them actually knows how to run and build a business. They are all too busy trying to fill out their Outlook calendar leaving only a random 15 minute slice open each day for the next two months.
There is no way anything developed using AGILE methodology can ever truly be secure. When you develop software looking 6 inches in front of your shoes without a real plan you end up with trash. Nobody can tell you it is trash because you never did the 4 Holy Documents up front so their is no architectural documentation proving your project was a failure.
Combine low skilled MBAs chanting “cut costs” with AGILE software to create cloud services and you create the biggest juicy target in the world for hackers. Are you willing to believe Cloudhopper was the first? I’m not. They just managed to do enough stupid stuff and get caught. I also gotta believe that the Trump trade war with China had something to do with this becoming public knowledge.
Were the MBAs really gullible enough to believe they could “cut costs” by selling off all their infrastructure, canning everyone who knew anything about it and turning everything over to a cloud service? Do they really believe if Cloud-Service-A is breached causing massive identity theft that their corporation who signed a contract with Cloud-Service-A won’t ultimately be held liable? Not one of those worthless MBA diploma mills had their students read about Slick Willie Sutton?
I rob banks because that’s where the money is.
Hackers target clouds because that’s where the data is.
Do the math. It is roughly the same amount of effort to breach one well designed corporate data system as it is to breach a cloud. They are all running the same near free operating systems on pretty much the same x86 based servers and their teams all read the same security manuals on-line. What does a hacker get when they breach one corporate data center? Quite possibly just email. While it is true the email server might have some research or technical specification documents attached to the messages, odds of it having a complete documentation set for an unreleased medical device or some hush hush weapons tech still on the drawing board are small. When you fully breach a cloud service, you get everything for all of their customers. What are you going to target? The crime and potential prison time are basically the same so, aren’t you going to look for a haul which will still leave you Jamie Dimon rich after you get out of prison?
Let’s pick on GE for a moment. Their stock is near worthless now and they are a good example of a mega corporation. GE isn’t just one company. It’s lots of companies bought over many years and never fully integrated. I have no insider knowledge, but, given the worthless management GE has had over the past decade or more, and the fact they are able to sell units off rather easily, I would be stunned to learn they have a centralized IT service. Each company did their own thing before they were bought and, most likely, continued to do their own thing after being bought. If you are a hacker and want unlreleased-product-X which is still in the design phase, you have to figure out which company within GE is actually designing the product. Then you have to find out where their data center is on the Internet and begin the drudge work of hacking your way in.
Centralized data systems are a lot of work. Done correctly they are quite secure. Those IBM mainframes and DEC midrange systems kids like to make fun of today were, in many cases, built before the Internet. There are rings and layers of both security and systems connecting these things to the Internet. Many, some might say most, have no direct connection to the Internet. You have to breach N services before you can issue a request to get some small piece of data from them. Selling off a division which is integrated into such a system requires staff years of effort migrating applications and data sets onto a mirror system. It’s not like selling off a division with its own IT infrastructure. For them you sign a few contracts, they turn off data feeds (if any) to your systems and presto, all done.
Cookie-cutter MBAs always wanting a “quick win” leapt onto the cloud. They sold off all of the infrastructure, fired everyone who used to run it and whenever they wanted to sell off a division, they signed a few contracts, some passwords and IP addresses were changed and presto, deal done. They never really thought about security. They never really thought about the liability. Today’s hackers aren’t there to trash your computer for the fun of it. They are there to steal your most precious information and sell it on the black market. Many corporations around the world will pay top dollar for the source code behind your driverless car, surgical robot or any other tech product you have in the pipeline.
While this case may be getting the press right now, it is a long way from the only such instance. The list of companies willing to buy their ill-gotten goods is long. One might even be a company you currently work for. Once you sign a nondisclosure agreement and they let you see some source code, if it doesn’t have a comment in there saying something like email@example.com you don’t know where it came from. They tell you they had a third party develop the initial cut of the software but are now bringing the development in-house and you continue coding.
Today, it is nothing to walk into a “small” shop of less than a dozen developers, find out they’ve had a high turn over rate and learn the code base is now millions of lines long. You will never read all of that code. You may never see the file which has a comment stating firstname.lastname@example.org. If you do, are you going to buy the story that they bought some code from GE? Are you even going to ask where it came from?
Seriously? Be honest. How many of you cut and paste code from the Internet leaving out the copyright notice? The majority of you will probably just delete the comment from email@example.com along with any copyright notice and continue coding.