Poor Coding Should Be a Felony
It's been about 18 months since I wrote this little post on horrible website password security. Unfortunately, I see that very little has changed, as evidenced by Universal Music's recent security breach that exposed their users' real names, email addresses, and passwords. Similar reports seem to surface every day now, such as late last week at the Washington Post and FBI contractor IRC Federal, though it's unclear if the latter two were as wildly irresponsible as Universal Music.
You might think that a company the size of Universal Music that has plenty of resources would be able to follow the simplest form of security and at least hash its passwords before storing them. You would be incorrect. And if you were unfortunate enough to have registered an account with Universal Music in the past, your information is now spread around for anyone to see and use. For the large number of users that re-use passwords from site to site, their login credentials to any number of other resources is now public information -- and they may not even know it.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]
Also, I expect to see a bunch of highly targeted phishing attempts appearing quite soon -- after all, they can send you an email, use your real name, and (most important) reference a password that you've knowingly used. Forge the headers and include a link to a bogus site that appears legit, and I'll bet they'd get a boatload of information from unwitting users. Frankly, I wouldn't consider that to be their fault at all. It's Universal Music's fault, top to bottom.
At this point, a brief PR hit is the only thing a company of any size really has to worry about when this sort of thing happens. Sony has been hit with wave after wave of security breaches that have directly affected a huge number of its customers, but with no apparent consequences. Millions of its users have had their account information released into the wild, and some of that number will begin finding fraudulent transactions in their name -- or any of a variety of possible illegal uses of their information. There's nothing they can really do to prevent it, and I'm certain that a significant portion of them may not even know they were exposed.
Just like Sony and all the others, Universal Music just has to say "oops" and issue a brief press release noting, "Hey, you might want to change your passwords on other sites now. Oh, and carefully inspect each email you get since someone may hit you with a phishing scam." Then hope it all dies down in a day or two.
I think it's high time that this level of technical absurdity be punishable by law. The company and employees directly responsible for constructing code so poorly that it stores plain-text passwords of millions of users and can apparently be compromised at will should, at the very least, be fined a vast amount, with some portion of that money going to each possibly affected user and the rest used to assist in addressing identity theft problems that will inevitably appear following a breach. If I had my way, there would also be mandatory loss of employment and possible jail time involved for those whose unspeakably poor decisions led to this event. Simply being on the receiving end of a server or network hack isn't what I'm talking about -- it's designing a system that stores such sensitive information so poorly that should be thought of as criminally negligent behavior.
Let's reframe this a bit. Suppose that a developer sneaks a function into a Web portal that snoops a user's name, email address, and plain-text password during the registration process and then stores this information somewhere. Suppose that the portal itself is designed well enough that the password is hashed before being stored, but this little function call also stores it in plain text. Suppose that the site is cracked and the plain-text database downloaded and paraded around the Internet. Odds are that the developer who snuck that function into the site would not only be fired, but he or she would probably be arrested for corporate sabotage or similar crimes and face fines and jail time.
The only difference between this hypothetical situation and what actually happened with Universal Music and a host of other sites is that instead of having a bad actor slip code into a solid design, these developers actually designed their code to function this way. They did it on purpose. That should actually be considered a far worse crime than the developer who snuck in the function. Incompetence is no defense, doubly so in this case.
But I highly doubt we'll see anything of the sort, and definitely not soon. If Anonymous and the various other hacktivist groups continue on their path of exploiting horribly implemented code, all we'll get are more regretful press releases and the occasional person who might fall on their sword and quit. It's not enough. It's not nearly enough.
I say throw the book at the ones who allow these breaches to happen. Maybe then they'll realize exactly how critical these design decisions really are. Maybe then they'll understand that they can't play fast and loose with other people's data without consequences.
But right now, they can -- and that's the real crime.
This story, "It's time to make poor coding a felony," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.