Shellshock should come as a timely reminder to every person who is connected directly or indirectly to a device that is accessible from the public internet. And that footprint will most likely cover almost every living person in the world today, though most of us won’t have the faintest idea how it affects all of us.
But, the point of this post is not to educate you about the vulnerability. The point of this post is that even I can’t, at this time, say with any degree of certainty that I have a good handle on the attack surface of the problem on the servers that I run. I have been dealing with servers for close to 15-years now and used to run my own stack for a long time, but I no longer do that.
Keeping even a single public-facing server secure these days is not a simple job. It is not good enough to be even somewhat well-versed in security issues anymore. Security is a full-time job and if you are not a specialist, you are exposing your business and your users to risk that you don’t have any idea of.
Incidents like the story of Codespaces serve as a frightful introduction to how badly all of this can go wrong. Even so, I don’t see much improvement in the approach most companies take towards the issue of security, trying to cut corners by not involving specialists for the job.
Every couple of weeks, I am asked to help out a start-up or a big company who has some problem or the other in their infrastructure. A good number of these cases, it is a given that the security is either lax or non-existent. A recent case involved a start-up that had zero instrumentation in place other than the high-level overview that the AWS reporting interface provides.
The great thing about the cloud revolution is that it has made access to quality infrastructure and the cost of that access easy and ridiculously cheap. I can spin up a server, on a public IP with 16GB RAM, in a minute. Which also means that an idiot like me can get root on a fairly powerful machine without having enough knowledge or ability to properly secure it.
That ease, increasingly, is becoming a huge problem.
While it is true that everyone has to start learning somewhere before they get really good at anything, the fact is that this growing universe of servers that are not properly secured now represents a nice pool for the numerous number of bad actors who thrive on these things. As a result, I gave up managing servers on my own a while ago (the incredibly complex iptables rules on a well-secured sever quickly demonstrated how out of my depth I was on the topic) and don’t recommend self-managed services to clients either.
Even so, in most cases, clients wind up going the AWS route, trying to handle the serves on their own without having a good enough team in place to secure them or they try to cut corners in the worst possible manner and go for the cheapest deal out there. In either case, a couple of months down the line they are hit with performance or security issues that they can’t fathom. And in the worst case scenario, their servers are broken into and they have no idea that they have been compromised.
By the time the realization happens that something is wrong, reputations (in the case of data theft) are destroyed or the ability to grow the business is curtailed due to infrastructure issues. In trying to save the market salary of one good IT professional, organizations wind up giving up many times that number in terms of lost revenue.
If you are a decision maker in any organization, I urge you to get in place some professional help sooner than later. This is a problem that will only grow as more and more devices become accessible from the internet. Don’t wait for that big break in before scampering around to fix the problem.
Category: Uncategorized
Is this the best we can do?
This is a post that has been in the works for a while, even though I have not been able to find a way to frame it in a manner that is to my liking. It does not cover the usual tech/early stage/digital topics that I prefer to write about here. In a sense, it actually does cover all of them, but it goes a little bit further than that.
The time since June this year has really been quite an intense one, mostly thanks to a complete switch to focusing only on executing plans made over the past year. Somewhere in that time period I stopped logging into Twitter (I don’t have Facebook/G+ accounts other than ones I keep for work) to intensify the effort to get more done as I’m really prone to getting distracted easily. The idea also was to hit a few targets before I allowed myself to be active on Twitter. Some of those targets have been met, while others have not (that’s a post for later) and even though I have started lurking on-and-off on Twitter these days, something about the state of affairs in this very (digitally) social age bothers me.
The question that keeps coming back to me is: “Is this the best we can do?”
If you look at the history of mankind, this very moment that you are reading these words is the most enabled entire societies have been able to do good. A vast chunk of humanity carry in their pockets more computing power than what was available to an individual, irrespective of the money, even as recently as 50-years-ago. We have access to information, at practically zero cost, on our fingertips, the creation and access for which tens and thousands have fought and died for in earlier times. We can connect and communicate with others, sitting half way across the globe, at the speed of light, while 50-years-ago, two-way-communication was still a marvel of technology that was accessible to a handful of people.
All of this should have made better people of us. We should have be more open, considerate and warmer towards our fellow beings. Yet, for how all of this should have enabled us, we only seem to have grown a stronger sense of entitlement. As people, we communicate more (actively and passively); yet, we are more isolated from each other than ever before. All this technology should enable governments to serve who they truly serve — the people — a lot better; yet, the same technology is being used to shackle people than to free them.
This, I must stress, is not a holier-than-thou exposition on my part. In the past months I have had fleeting episodes where I could set aside my own limitations, prejudices and conditioning to reflect on the life that I have lived and the values that I have lived by and it is not a pretty picture. I have often reveled in being sarcastic, dismissive and not doing even 1/10th of what I could really do. I am as much part of the problem as anyone else is and my disappointment is with myself as much as it is with anyone else.
We think of legacies as what we leave behind at a particular point in time. We are wrong in thinking that. Our legacy is what we create over a lifetime of individual moments. If we are not living the best lives we can live and be the best that we can be through most of our lives, chances are that our legacies are not what we would ideally have liked it to be. We also leave the fate of our legacies to circumstances, bosses, political leadership and and a million other factors, while the truth is that we are the only people who really control it, while anything else is just an excuse to shy away from doing what you say that needs to be done.
What is also lost in all the noise is that most of my generation is slowly progressing towards middle age. We are the age group that will determine where things go from here. Most of us are no longer twenty-year-old youngsters who really don’t wield much influence. A lot of us are in places and positions of influence and if we truly desire a world that is better, we should use that influence in a better manner than just sit on the sidelines lamenting how wrong things are.
And it need not even be about going out there and starting a revolution. It is about stepping up, taking the responsibility towards your immediate environment. Be nicer to people, be more helpful. Help others succeed while you chart your own course for success. Be less negative and snarky. You have far more with you than what most others have and to get more you need to first learn to give more; not just that what can be touched, but also that cannot be touched.
At least, that is what I feel. That it is not enough to just want better things for myself, but also for the world around me and back it up with action. A first small step towards that for me is stop being negative, cranky and being proud of being an ass. In the end, for me, it is about using these great tools I have been provided with, in a better manner. Yes, the world usually uses these same tools in a negative manner, but I can choose to use the same things in a different way and that’s my first step small step.
India – Thinking Outside The Box
I’m writing this short post over a GPRS connection (yes, you read that right) in a quiet orchard, straddled by mountains on three sides. I am quite fond of taking breaks like these regularly. It helps me stop, reflect and interact with a part of the world that I don’t often interact with.
Yet, such interactions are vital if we are to understand India and the massive opportunity she has to offer. We speak often of our massive mobile opportunity, how 3G has had better penetration than EDGE, smart v/s feature, data APRU and all. But at the ground level, all these assumption fail. As product people we need to understand the reasons behind this failure.
India has always been, at best, an abstraction. Technology adds another complicated layer on top of this. Take the case of mobile. BSNL supossedly has the most widespread 3G network. Yet, even in towns that have 3G on BSNL the coverage is less than spectacular. I’m sitting now, barely 40 kilometers away from a main district center in Himachal Pradesh, with clear line of sight to at least 4 cellphone towers, yet the best I get is EDGE and BSNL is carrying data over GPRS.
When we build products, especially for mobile, how do we factor all of this? Yes, it is awesome to have an iPad app for our products, but I have not seen a tablet for at least 3-days now. How do we take into account data availability that ranges from nothing to 4G within the same country? Do we even think about that?
Obviously, it is possible to build healty businesses that tap into the current base of smartphones and tablets, but if you are looking to tap into the billion-plus-people opportunity you have to get out of the cities and travel and learn how people are using various technologies.
The bubbles that we live in within the cities lead us often into cycles of validation that are based on our immediate peers in the industry. The world outside of it is a different ball game. Step out, understand the real problems faced by people outside our immediate circles, then the billion-plus opportunity will open up us.