Lazy, stupid and incompetent?
Say Yes.
I’m glad I waited a week to write about the Optus ‘hack’. Enough time has passed since the catastrophic data breach to be confident that it wasn’t a sophisticated hack by an advanced persistent threat actor, as Optus would have us believe. It was just a cock-up.
The telco’s desperate spokes holes have been winking and nudging like champions to suggest that Putinxinping terror state agents conspired with computerphone-powered violence gangs to pull off the world’s greatest hacker heist. Fair enough. It’s a lot less inculpatory and prejudicial to your profit margins après the inevitable class action lawsuit than admitting that you sort of, you know, er, left half the adult population of the country sitting naked on the internet.
We are all Paris Hilton now, and Optus just dropped our sex video.
They’re still not saying exactly what happened—and never will while the current board and CEO are legally liable for serving up this clusterfuckturducken—but that doesn’t mean we don’t already know.
Optus exposed an API to the open web without authentication or authorisation requirements.
Well, when two computer programs love each other very much…
No, wait, they don’t even have to like each other. But when they do have to communicate, the API (or ‘application programming interface’ to use the correct nerd words) is how they do it.
Suppose you’re a program running on the big ol’ Optus TRS-80, and you are full to pussies’ bow with delicious creamy personal data for, say, nine million customers. In that case, you should probably be a little careful about dropping your pants and inviting billions of internet randos to have a look.
But that’s pretty much what they did, it seems.
The company hasn’t confirmed this and won’t until someone is hauled into a witness box and placed under oath, but ten bucks and about ten million stolen passport and Medicare numbers say they left an API online at a publicly accessible internet address. Say, something like…
http://www.optus.com.au/allyourcreditcardnumbersarebelongtonorthkoreanow
And they forgot to add even a simple password. So you could roll up, give the API a tickle, and it would start spraying data in your face.
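To make the ‘how’ concrete, here is an added example (mine, not Optus’s code or anything from the original post): a toy customer lookup in the shape described above, next to a version that checks who is asking, limits each session to its own record, returns only the fields the caller needs, and purges records past their retention window. Every name, token, record and retention figure in it is constructed for illustration.

```python
"""Added example, not Optus's code: an unauthenticated lookup beside a hardened one.
All records, tokens and the retention period below are constructed values."""
from datetime import date, timedelta
from typing import Optional

# Constructed sample records. In the failure the post describes, every one of
# these, passport number included, would be served to anyone who asked for its id.
CUSTOMERS = {
    1001: {"name": "A. Example", "passport": "PA0000001", "plan": "Mobile 50GB",
           "last_active": date(2015, 3, 1)},   # churned years ago, never deleted
    1002: {"name": "B. Example", "passport": "PA0000002", "plan": "NBN 100",
           "last_active": date(2022, 9, 1)},
}
# Constructed session store: bearer token -> customer id the token was issued to.
SESSIONS = {"tok-b-secret": 1002}
RETENTION = timedelta(days=2 * 365)   # illustrative policy only, not a legal figure
PUBLIC_FIELDS = ("name", "plan")      # the fields an account page actually needs

class Denied(Exception):
    """Raised for any request the hardened handler refuses."""

def lookup_open(customer_id: int) -> dict:
    """The anti-pattern: no identity check, every field, any id you care to guess."""
    return dict(CUSTOMERS[customer_id])

def lookup_hardened(customer_id: int, token: Optional[str], today: date) -> dict:
    """Authenticate the caller, authorise against the object, then minimise output."""
    owner = SESSIONS.get(token)           # authentication: is this a live session?
    if owner is None:
        raise Denied("no valid session")
    if owner != customer_id:              # object-level authorisation: own record only
        raise Denied("session may only read its own record")
    record = CUSTOMERS.get(customer_id)
    if record is None or today - record["last_active"] > RETENTION:
        raise Denied("record absent or past retention")   # backstop if purge lagged
    return {k: record[k] for k in PUBLIC_FIELDS}          # passport never leaves here

def purge_expired(today: date) -> list:
    """Retention: delete churned records instead of hoarding them 'for any purpose'."""
    stale = [cid for cid, r in CUSTOMERS.items() if today - r["last_active"] > RETENTION]
    for cid in stale:
        del CUSTOMERS[cid]
    return stale
```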
That’s the how.
But what about the why?
Why did the company hold on to some data for years after the customers who provided it had churned away to other providers?
Why was that data not encrypted?
Why was it stored in one giant toy box of digital goodies instead of being broken up and scattered across multiple silos?
And the big one. Why was the API exposed in the first place?
Optus says that it retained data for six years because it was required to by law. And that sounds legit if you know anything about the Orwellian twitch reflex of Australian lawmakers. But it’s also bullshit.
As Dr Brendan Walker-Munro, a Senior Research Fellow at The University of Queensland, writes, the issue here is that our data retention laws impose no limit on how long a company can keep your data.
The commonwealth’s Privacy Act says only that information must be destroyed “where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity”.
My italics there.
Because boiled down to its essence, that legalistic douchewaffle says that companies like Optus can hold on to stuff that companies like Optus, er, really like ‘for any purpose.’
If Optus wants to hold your data captive for, say, marketing purposes, even after you’ve escaped to Telstra or Vodafone, it can. Because ‘purposes’.
But why was none of this stuff encrypted?
Let’s just call that… incompetence.
And why did they store everything together in one giant cybercrime honeypot?
I’m gonna go with laziness and maybe stupidity. It just feels a lot truthier than a super-heist by criminal masterminds with gigantic, throbbing thinky-brains.
It’s also a great trifecta. Reminds me of the famous line from Animal House: fat, drunk and stupid is no way to go through life, son.
Nor is lazy, stupid and incompetent.
After 20+ years in IT, I can tell you that this API excuse stinks to high heaven. Like you, I've got so many whys to ask them. This wasn't sophisticated at all, but it was incompetent as shit. I'm betting anything that the engineers were warning the management about it for years, but "there was no budget". As always happens in IT, nothing ever changes without a disaster...
I was one of the 40% of Aussies pantsed by this nincompoopery. I have joined both class actions, because fuck them.
I would like to expand on Birmo's point about personal data - why aren't we all banding together and saying enough is enough as far as all this free data we give out? It is not a free public good, nor should it ever be. Every company that harvests your data PROFITS FROM IT, either through their own activities or by on-selling it to companies that take your data from multiple sources and build scarily accurate profiles of your behaviour patterns around everything from what you buy to how you vote. An Australian company called Quantium led the world in this and on-sold it all across the planet.
The data is ours, we own it, if they want it they should have to pay for it, and not through token gestures like the 0.5-1% discounts you get on most "loyalty" cards (which are just data mining schemes, btw). How much is your personal data worth? We should all ask ourselves this question and act accordingly.