I’ve seen Optus “computer security” in action. I use quotes for a reason.
There was a court-enforced order requiring them to apply security updates to their production systems. That was in response to a previous breach.
You see, until a judge made them do it… they weren’t patching anything. They would just build systems and walk away. For some software systems they had every major and minor version deployed, like a museum of software history.
They had operating system versions in production that were in my university text books… in the late 1990s.
Their interpretation of the court order was to update only production systems. Non-production on the same network was not to be touched.
And by “update” they meant simply running the system update tool, which does precisely nothing on software that has passed its end-of-extended-support before some of the IT staff on the payroll were born.
They also fired their entire IT staff recently and replaced them with a low-cost Indian outsourcer.
Most of the above is a matter of public record. I wish I could tell you all about things that are still under NDA.
You can tell how broken their tech is when you try to use the website. Half the pages just fail to load. I don't mean time out, I mean they think they are finished loading but most of the page is missing.
Don’t confuse the failings of their consumer-facing systems with the madness behind that facade.
The equivalent of what I was describing in terms of a web experience would be having to use a dialup modem to sign up for an account via Netscape Navigator 4. With a login secured using SSL… version 1.0.
I wish I was exaggerating, but their systems literally date back to that era and have comparable limitations in terms of supported network protocols.
Hahaha holy shit is GSMIS still running? In all its TUI glory?
When I left, the mobile division had its customers split between three different systems: GSMIS, Focus and Arbor. The poor customer service reps would have no idea which one any given user was in when the phone rang. The only way to figure it out was to ask the person for their phone number, then type that number into each backend and see which one returned a result.
Telstra's got something similar going on with their management systems - three platforms and two incomplete migrations in progress for seemingly the last eternity.
I tried to sign up for Optus in around 2007? They had this contract system you agreed to over the phone. I spent ages saying “yes” in different ways because it couldn’t pick up my kiwi accent. Eventually I managed to agree and got the worst internet experience ever. Moved to TPG after the contract finished.
from the twitter link
..."The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to log in. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use.
The API endpoint was api[dot]http://optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data."
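The failure the quoted tweet describes is the classic pairing of a missing authentication check with a missing ownership check: a customer-lookup endpoint that anyone on the internet can call, keyed by a predictable identifier, so a scraper can simply walk the id space. The block below is an added illustration written for this page, not code from Optus or from the tweet's author, and it does not reproduce the real API (whose shape is not public). It models the two handler styles as plain Python functions with a constructed three-record dataset: `get_customer_open` is the unauthenticated version, `get_customer_authed` requires a bearer token and refuses any record the token's owner does not hold, and `enumerate_ids` shows what an id-walking scraper gets from each. Names, ids and the token scheme are all assumptions.

```python
"""Unauthenticated customer lookup beside a hardened version (added example).

Nothing here is taken from the Optus API; the records, ids and token
scheme are constructed for illustration.
"""
import secrets

# Constructed sample records; ids and phone numbers are made up.
CUSTOMERS = {
    1001: {"name": "Customer A", "phone": "0400 000 001"},
    1002: {"name": "Customer B", "phone": "0400 000 002"},
    1003: {"name": "Customer C", "phone": "0400 000 003"},
}

# Opaque session token -> customer id it was issued to (hypothetical store).
SESSIONS = {}


def get_customer_open(request):
    """Vulnerable handler: no authentication, no ownership check.

    Whoever can reach the endpoint can read any record by guessing its id.
    """
    record = CUSTOMERS.get(request.get("customer_id"))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def issue_token(customer_id):
    """Hypothetical login step: mint a random token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_customer_authed(request):
    """Hardened handler: authenticate, then authorise against the requested id."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    owner = SESSIONS.get(auth[len("Bearer "):])
    if owner is None:
        return 401, {"error": "invalid token"}
    cid = request.get("customer_id")
    # Compare ownership before touching the data store, so a caller cannot
    # use 403-vs-404 differences to learn which ids exist.
    if cid != owner:
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(cid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def enumerate_ids(handler, headers, id_range):
    """What a scraper does: walk the id space and keep every 200 response."""
    found = {}
    for cid in id_range:
        status, body = handler({"headers": headers, "customer_id": cid})
        if status == 200:
            found[cid] = body
    return found


if __name__ == "__main__":
    leaked = enumerate_ids(get_customer_open, {}, range(1000, 1010))
    print("open endpoint leaked", len(leaked), "records")  # 3

    token = issue_token(1002)
    own = enumerate_ids(get_customer_authed,
                        {"Authorization": "Bearer " + token},
                        range(1000, 1010))
    print("authenticated endpoint returned", len(own), "record")  # 1
```

The point of `enumerate_ids` is that the scraper needs no cleverness against the open handler: sequential ids and a 200/404 split are enough to pull every record. Against the hardened handler the same loop yields only the caller's own record, and the 403 is returned without consulting the store so the loop cannot even confirm which ids are real.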