This blog is normally written in ‘first person plural’ (i.e. “we”) to reflect the multiple inputs that influence the entries. Today, however, you are getting me, Sean Scorvo, M.D., in all my inglorious ‘first person-ness.’ Why the break in tradition, you ask? “Current events.”
When I was practicing in the E.R., I took care of several “bullet vs. foot” injuries (PS: bullets tend to win). I heard all kinds of excuses, but the unifying theme was stupidity. As CEO of MiddleGate, I’ve been privy to a new kind of “bullet vs. foot” injury, but the unifying theme hasn’t changed.
Three years ago I had the pleasure of meeting Ed Stull. A year ago, we brought Ed in as our CTO. I’ve learned many things from Ed, but cryptography and network security top the list. I don’t profess to be an expert in the arena, but I’ve learned enough to recognize that what we are doing in the field is not only top notch, but cutting edge. I’ve also come to recognize that events like Adobe’s recently announced mega-breach (150 million usernames and passwords), and the carelessness exposed in their cryptography/encryption system as a result are the equivalent of the 2AM ambulance call of a GSW (gun shot wound) to the foot (insert ER staff eye-roll here).
Here is where the analogy diverges. The 2AM GSW to the foot affected only said Darwinian weed-out candidate, and was a self-limited event (the “victim” did not have a tendency to pull the trigger twice). Breach events exposing an underlying lack of attention to sound cryptography/encryption, on the other hand, affect millions and are not self-limited events. Once the breach occurs, the poorly encrypted usernames, passwords, financial data, demographic data, etc., etc., are used to infiltrate networks and other systems. In other words, the damage perpetuates and extends.
This is not “new” news. That a breach occurred is not surprising…it is to be expected. That makes the fact that the data contained in the Adobe environment was not adequately secured all the more troubling. Unfortunately, this is unlikely to be a wake-up call for Chief Security Officers everywhere…if it were, the 2012 LinkedIn breach, wherein an antiquated HASHING algorithm (SHA-1…a soon-to-be-retired system) was used without “salting”, or the 2011 Sony PlayStation breach, wherein credit card numbers were encrypted but personal data was not, would have elicited a data security sea change. In other words, had everyone already learned the lessons of their peers, the Adobe breach may still have happened, but the encryption would have been robust enough that nothing could have been gained by the hackers. Alas, that was not the case.
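The LinkedIn lesson named above (a fast, unsalted hash) is easy to see in code. The Python below is an added illustration for this post; it is not MiddleGate’s code nor code from any of the companies named. The user table is constructed sample data, and the audit function, the PBKDF2 iteration count and the function names are choices made for the example, not anything taken from the breaches themselves. It shows why an unsalted scheme leaks structure (two users with the same password get the same digest, which an auditor can count in a password store) and what a per-user salt plus a slow key-derivation function changes.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample credential table (not real data). Two users chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "a different long passphrase",
}

# Iteration count for PBKDF2-HMAC-SHA256; chosen for the example, tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 digest per password.

    Equal passwords always map to equal digests, so a single precomputed
    table covers every user at once and duplicate passwords are visible.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, str]:
    """The stronger scheme: a fresh random salt per user and a slow KDF.

    Returns (salt, hex digest). Pass an existing salt to recompute a stored record.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def verify_pbkdf2(password: str, salt: bytes, expected_hex: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, expected_hex)


def build_unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    """Hash every password the LinkedIn way: username -> SHA-1 hex."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Hash every password with its own salt: username -> (salt, PBKDF2 hex)."""
    return {user: salted_pbkdf2(pw) for user, pw in users.items()}


def count_users_sharing_digest(table: Dict[str, str]) -> int:
    """Audit check for a password store: how many users share a digest with someone else.

    In a properly salted store this is zero even when passwords repeat; any
    positive count is a strong sign that no per-user salt is in use.
    """
    by_digest: Dict[str, list] = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return sum(len(users) for users in by_digest.values() if len(users) > 1)


if __name__ == "__main__":
    weak = build_unsalted_table(SAMPLE_USERS)
    print("unsalted SHA-1: users sharing a digest =", count_users_sharing_digest(weak))

    strong = build_salted_table(SAMPLE_USERS)
    digests_only = {user: rec[1] for user, rec in strong.items()}
    print("salted PBKDF2: users sharing a digest =", count_users_sharing_digest(digests_only))

    salt, stored = strong["alice@example.com"]
    print("login with right password:", verify_pbkdf2(SAMPLE_USERS["alice@example.com"], salt, stored))
    print("login with wrong password:", verify_pbkdf2("not her password", salt, stored))
```

The audit function is the practical takeaway for a defender: run it over your own hashed-credential store and a non-zero result means identical passwords are producing identical records, which is exactly the property an unsalted scheme has and a salted one does not.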
In the end, I am happy Ed is on our team. I am happy we are well ahead of this issue. I am happy we will not shoot ourselves (or more importantly, our customers) in the proverbial foot. I am, however, unhappy in the realization that I naively thought I’d seen my last GSW to the foot back in 2007…I’m just seeing them in a different form now.