MOVEit body count closes in on 400 orgs, 20M+ individuals (theregister.com)
68 points by Bender on July 23, 2023 | hide | past | favorite | 45 comments


Side note: The use of the term “body count” here is a bit cringey. It’s either insensitive to human suffering or bro click bait.

Do others agree or am I being hyperbolic?


It's safe to say that headlines and headline writers (usually editors) are some of the biggest contributors to the culture wars and all-up dishonesty in modern discourse.

If you think about it, it was inevitable when incentives became more aligned with quick 'hot takes' and volume over signal/noise ratio.

The darkpattern of our times.


Especially since many (most?) don’t even bother reading past the headline.


...and strangely, even quality sites like HN take the given headline instead of the lede. Some subreddits have a way to indicate 'misleading headline' – could be a great feature across all consolidators/curatorial social media.


The mods here do sometimes change sufficiently misleading headlines, but that takes time and getting their attention.


Which is good, but it almost feels like it should be a UX convention at this point. Of course, that'll be abused as well. Remember eTrust badges? :'D


I read "body count 400+ orgs" and thought that so many companies had been put out of business, didn't notice the individuals part too. Not knowing what MOVEit is, I assumed it was some kind of boycott. Kind of surprised that it meant that 400 organizations and possibly 20 million customers data exposed. Definitely bad wording for the headline.

Of course, it's the Register, they try to be clever with every headline.


Body count has different connotations depending on context, but in the sense of "compromised information about a person" I have never come across this usage previously.


I can’t see how anyone is harmed by this usage. Seems more hyperbolic to me, or rather obsessive compulsive, which I say as someone who has struggled with OCD in the past. The impulse to constantly monitor and revise the minutiae of language for the slightest whiff of offense seems unhealthy to me, but maybe that’s just because of my predispositions.


Seems unclear.

Did the victims die?


It's metaphorical. When you hear someone wears their heart on their sleeve, do you also believe they're in mortal danger?


I read it as another derivation of victims with an emphasis on the human impact. I am just guessing but they probably used that wording as so many sites are hacked every week we probably don't associate it with the human suffering in terms of financial, job losses and data leakage leading to more financial losses it can cause especially when so many businesses are exposed by a significant vulnerability. I don't know if Jessica [1] has an account here but their email is listed.

[1] - https://www.theregister.com/Author/Jessica-Lyons-Hardcastle


I was definitely less able to comprehend the title, because it implied a very different context than the actual subject matter.

It would have been much more readable to write "victim count".


Agreed 100% .. The only "body count" we should be getting up in arms about:

https://psr.org/wp-content/uploads/2018/05/body-count.pdf


Agree, but it's The Register, they've always had a pretty unique and mostly humorous writing style. Not too dissimilar to The Economist, but leaning slightly more into the humor.


It's a riff on British tabloid headlines, which will squeeze a pun, tortured analogy or a breathless overstatement into literally everything. The original clickbait before there were clicks involved.


It’s not the clearest title, but it’s taken directly from the original source who seem to assume the reader has been following their reporting on it and know what it means.


Are you carefully analyzing a title from the El Reg?

Would you say it's "problematic"? :)

Funny and "cringey" titles are a staple of the Register since the beginning.


Not hyperbolic, the title is very charged and I had to reread the opening paragraph multiple times to make sure I wasn’t missing who died.


The Register has always had very click bait titles. It’s like The Sun but for tech.


Hyperbolic


I agree.


Imagine that some LLM starts to communicate body counts due to these types of writings.


Louisiana's ENTIRE DMV records were compromised. Basically the entire state.

Every single aspect of a person's confidential info.

Everything from SSN to eye and hair color.


> The May 31 bug – a SQL injection vulnerability – was the first. Progress patched this one, tracked as CVE-2023-34362, the next day. A second bug, CVE-2023-35036, came to light on June 9, and was also patched the next day.

> Progress disclosed a third hole, CVE-2023-35708, on June 15.

> Finally (we hope), three additional vulnerabilities – CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933 – were spotted and fixed on July 5.

It seems like fixes came out the same day or the day after the problems were discovered. Yet an estimated 23% of customers are still vulnerable to the recent CVEs.

It seems to me that there's more going on than just shitty security practices by Progress Software, as reported on by this article. The fixes are out, the problems are known, and the fixes are available.


SQL injection is super trivial to prevent, right? How are we still falling for this? Is there any compliance audit regime that would catch this (presumably DoE has some pretty strict compliance protocols?), or is all compliance stuff just security theater?


>SQL injection is super trivial to prevent, right? How are we still falling for this?

Because the bug is super trivial to fix, it's also super trivial to do. Not to mention, the human mind is naturally inclined to not care about trivial stuff, which leads to careless mistakes at many levels and thus Bobby Tables dropped out of school.


In most environments, it’s more effort to interpolate values into queries than to use parameters.


Not only more effort, but also the only way in certain cases as not everything supports parameterization. The IN operator for example is one where we fall back to string interpolation, though not directly with user values.


Huh, no?

It's very easy to do it incorrectly.

It's at best equal... unless there is some SQL driver/client somewhere that disallows hardcoded strings everywhere (that would actually really help).


Don't pass interpolated strings to the SQL driver? It seems super easy to do `exec("select * from table where column1=?")` instead of `exec(sprintf("select * from table where column1='%s'", user_data))`. If someone is doing the latter and they're super junior, it's a teachable moment. If they're not super junior I'm wondering what else they're sloppy about and if they need handholding (or worse).
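An added example, not code from the thread or from Progress Software, that shows the distinction the two comments above draw: the `sprintf`-style interpolation versus a bound `?` parameter, plus the IN-operator case where the placeholder list is generated by code while the values are still bound. It uses Python's standard `sqlite3` module and a constructed in-memory `users` table; the table, rows and function names are assumptions made for the illustration only.

```python
import sqlite3

# Constructed sample data for this example only; not real data from any breach.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    # executemany binds each tuple as parameters; no interpolation here either.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The anti-pattern: the caller's string is pasted into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row. Kept deliberately broken to show the failure mode.
    """
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter binding: the SQL text is fixed, the value travels separately.

    The driver never parses the bound value as SQL, so the same payload simply
    matches no user named  ' OR '1'='1  and returns an empty list.
    """
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_in_safe(conn, names):
    """IN lists cannot take a single bound parameter for a variable-length set.

    The usual answer is to generate one ? per value in code (so only the count of
    placeholders depends on the input) and still bind every value. Empty input is
    handled up front because  IN ()  is a syntax error in most engines.
    """
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT id, name, email FROM users WHERE name IN ({placeholders})"
    return conn.execute(sql, tuple(names)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # all three rows
    print("parameterized:", lookup_safe(db, payload))      # []
    print("IN list:", lookup_in_safe(db, ["alice", payload]))  # only alice
```

The point of `lookup_in_safe` is the one the earlier comment about the IN operator makes: the string that is built by code contains only placeholders, never caller-supplied values, so it is still safe even though it is assembled at runtime.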


Basically all these file transfer solutions are crap, from a quality and security perspective.

Procurement works by ticking off features of a list, possibly comparing prices. Quality and security are hard to quantify, and often cannot really assessed by the purchase managers themselves, so they don't play a major role in purchasing decisions.

Thus, vendors aren't really incentivized to make robust, reliable and secure software, they are incentivized to sell their software.


You could say that about most of the OWASP Top 10. If the discourse is any way to judge, most web developers are more invested in constantly re-litigating JavaScript framework wars than learning the extremely trivial design patterns that would resolve most of their security issues. Speaking as a penetration tester, the things devs will let go to prod while managing the information of millions of customers is enough to make you lose hope in the concept of digital infrastructure.


Unfortunately with security exploits, you're looking for the weakest link in a chain of X million people. All you need is one careless dev/analyst and you get compromised


That makes sense, but the aerospace industry seems to be able to solve for sloppy devs. Why can’t we secure our national infrastructure similarly? (To be clear, I don’t think we need aerospace-grade correctness for every piece of DoE software, but surely we can solve for low hanging fruit like “SQL injection attacks”)


That aside, a WAF would have stopped this.


Over and over, so much middleware software is abandoned due to the high level of customization and expense to replace it. Everyone knows old databases still being kept around, a spaghetti mix of highly configured software packages/vendors nobody wants to touch or pay to get replaced.

And the high expense of contractors to customize and migrate, keeps the legacy tech debt around.

But that is also what keeps an entire industry making money, and many legacy mom/pop shops employed for decades.


The thing that's missing from the article is that they did no security advisory announcement for the July 5th release (they have a mailing list), and instead hid it in a service pack. Overall just terrible behaviour around security.


Aren't monocultures great? Remember back 20 years ago, when a dumb VBScript macro virus like Melissa or ILOVEYOU could spread across the entire ecosystem in a couple of days?


Remember back a few weeks ago, when a single compromised Microsoft key allowed anyone to read everyone's mails?


or "Code Red" melting down the whole net for a day and a half with propagation traffic


> Despite being one of the compromised companies, the TJX spokesperson added: "We do not believe there was any unauthorized access to any customer or associate personal information on TJX's systems or any material impact to TJX."

I love how legislators have upped the ante for (big) businesses to survive, to the point some will appear to perjure themselves in public as the lesser evil. https://gdpr-info.eu/issues/fines-penalties/#:~:text=For%20e....

However, are legislators trying to kill the golden goose? Has the money printing exercise called quantitative easing given them an unfounded level of hubris for their central bank purchased national debt?


I'm not saying this is how it happened, but this is why they may be able to say that. When working with similarly sized companies, I am required to encrypt the files (PGP zip) and transmit over a secure encrypted channel (SFTP). Normally, those companies will use a feature of Moveit to automatically do the PGP encryption/decryption.

However, TJX could have written their security policy such that their Moveit server was not allowed to use that feature, so they used a different piece of software to do the encrypt/decrypt outside of Moveit. Thus, hacking the TJX server would only get a bunch of unencrypted reports and encrypted files with personal info in them. Again, I'm not saying this was what actually happened.


Seems we've finally entered the era people were expecting in late 2020 - i.e. that Russian and US diplomatic ties being vaporized would lead into open mass exploitation of vulnerable US infra


The Cl0p group have been doing mass exploitation of MFT products globally for quite a while, MOVEit is just their latest one.

