The impending doom of regulatory incompetence
The road to hell is paved with government departments.
Do you ever find yourself staring at a news story muttering "fuck" to yourself?
In the last few weeks Australia has had two massive data leaks. The most prominent of these involved our second largest telecom company, Optus, wherein the PII of approximately 40% of the population was taken.
Let's hear what the CEO of Optus, Kelly Bayer Rosmarin, has to say about the issue:
[It was] ...a sophisticated attack. And we will not be releasing further details at this stage.
I choose the word "leak" deliberately above; this wasn't some high level phishing attack, nor were executives' children held to ransom unless root was granted, nor was corporate espionage worthy of a Steven Seagal movie conducted. This wasn't a problem with a legacy SOAP handler allowing an RCE, nor was it an SQL injection attack. Nope, what happened is that a production API with read access to customer master data allowed unauthenticated access. Raw, unauthenticated access to customers' identity documents, such as passports, and Medicare details: anyone who could reach the endpoint could read the records, no credentials required.
I can think of no more fitting picture:
Kelly Bayer Rosmarin has obviously committed criminal and civil violations by misleading shareholders. Further, her sheer incompetence is exhibited by the lack of a sacrificial lamb; the sole reason the CISO role exists. Putting this to the side for a moment though, anyone that has been in this industry long enough probably has a less knee-jerk reaction than the normies and the mainstream media. Whilst this is a shit thing to happen, we all appreciate that something like the following happened:
- someone derped on their Terraform deployment and mistakenly opened a port on an internal microservice to the world
- someone accidentally commented out a security annotation in Spring for testing purposes and forgot to put it back in
- someone in a suit was trying to close a deal. They had a programmer create a demo service and were warned it was for DEMO DATA. Suit human had it pushed to prod, ignoring the advice and not telling the ops team, to earn their sweet dollarydoos in commission.
These are fumbles. No self respecting technology team allows this to happen knowingly or willingly. It's stupid and derpy and some people will bite a bullet for it. The downstream effects of this, however, will be profound.
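To make the second fumble concrete, here is an added example (mine, not code from the post, from Optus, or from any real telco) in Go's standard library. The customer records, the `/customers/{id}` route, the `requireBearer` wrapper and the `example-api-token` value are all constructed for illustration. The point is the shape of the failure: the handler that reads customer master data has no auth logic of its own, so the only thing between an anonymous caller and the PII is whether someone remembered to wrap the route. `probe` is the regression check a team would run in CI so that "commented out for testing" turns into a red build rather than a front-page story.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Customer is one row of "customer master data". The records below are
// constructed sample data for this example, not real customer data.
type Customer struct {
	ID       string `json:"id"`
	Name     string `json:"name"`
	Passport string `json:"passport"`
	Medicare string `json:"medicare"`
}

var customers = map[string]Customer{
	"1001": {ID: "1001", Name: "Alice Example", Passport: "PA0000001", Medicare: "2000 00000 1"},
	"1002": {ID: "1002", Name: "Bob Example", Passport: "PA0000002", Medicare: "2000 00000 2"},
}

// customerHandler serves GET /customers/{id}. It deliberately contains no
// auth logic of its own: like a Spring controller relying on a security
// annotation, it is only as safe as the wrapper mounted in front of it.
func customerHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/customers/")
	c, ok := customers[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(c)
}

// requireBearer is the auth layer. It rejects any request whose Authorization
// header does not carry exactly the expected bearer token, comparing in
// constant time so the check itself does not leak the token byte by byte.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// unprotectedRouter is the fumble: the auth wrapper was dropped "for testing"
// and the raw handler is mounted directly on the route.
func unprotectedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/customers/", customerHandler) // no requireBearer here
	return mux
}

// protectedRouter is the intended wiring: everything under /customers/
// passes through requireBearer before it can reach the handler.
func protectedRouter(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/customers/", requireBearer(token, http.HandlerFunc(customerHandler)))
	return mux
}

// probe issues one in-process GET against a router and reports the status
// code and whether the body exposed a passport field. Run it against every
// router in CI: an anonymous request must never come back 200 carrying PII.
func probe(h http.Handler, path, token string) (status int, leaked bool) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), `"passport"`)
}

func main() {
	// Placeholder token for the example; a real service loads it from a secret store.
	const token = "example-api-token"
	s, leaked := probe(unprotectedRouter(), "/customers/1001", "")
	fmt.Printf("unprotected: anonymous GET -> %d, PII leaked: %v\n", s, leaked)
	s, leaked = probe(protectedRouter(token), "/customers/1001", "")
	fmt.Printf("protected:   anonymous GET -> %d, PII leaked: %v\n", s, leaked)
}
```

The useful part is not the middleware, which any framework provides, but the anonymous-request probe: it encodes the invariant "no credentials, no customer data" independently of how the routes happen to be wired, so removing the wrapper anywhere fails the build instead of silently shipping.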
Our industry has enjoyed a spring of productivity because we are free. We can build what we want, how we want, when we want. And because of our freedom, society and humanity have benefitted immensely. As we've come to rely on these benefits more and more, mistakes like this occasionally happen. However, like the dog that bites the hand that feeds it, the incompetent who can never produce, who only consume the products, will want a piece of this pie. In a vain attempt to make their names mean anything, regulations and licences will be suggested and eventually imposed. And this will be the death of our industry.
Regulations are always ineffective, led by government departments full of the dregs. Australia has very strict building regulations, and yet by the latest estimates 95% of buildings constructed in New South Wales in the last 15 years are defective. Ninety-five fucking percent! This is despite the army of consultants, contractors and auditors that inspect and approve these broken down domiciles, all at the behest of a bloated and useless bureaucracy.
Now imagine the same thing happening to our industry. We will get a set of approved languages and runtimes. We will have eXpErT cOnSulTanTs telling us that C# is a compiled language and therefore is safe, whilst totally ignoring the CLR JIT-compiling IL bytecode underneath the hood. We can encode our security directly into the type system in Haskell, but these hIgHly TeChNiCaL SenIoR auditors will say a language with no mutable variables is esoteric and experimental and isn't suitable for production use. The same clueless morons that exist only because of government rules will swoop in like nasty ass crows and ruin this fantastic industry of ours.
I instead propose an alternative. Most of the Optus PII only existed because of government rules requiring these companies to collect this data. It's absurd that an organisation is required to collect this information for the government, secure this information for the government and control this information for the government, with no benefit for the organisation. And if they make a mistake with that data, to be held liable for it... by the government. To put some meat on these bones: is it really appropriate that a company holds a copy of my passport so I can get a phone number?
What I propose is that we as an industry push back against doing the government's dirty work for them. Businesses should be able to transact with whoever wants to pay them. The business shouldn't be required to collect, nor the consumer to divulge, their entire persona up to the last time they took a shit. This way, when data issues can and do happen, there is nothing to take.
Let's make the reward smaller rather than the wall thicker. It's cheaper and more effective this way. And I'll never need to swear when reading the news again.
git gud.