At this point I think we’re more surprised when folks actually end up doing the right thing as opposed to the behaviour seen from the software vendor here. As long as some baseline of security standards and practices are not enforced by regulation, organisations primarily incentivised by money are just going to continue on doing things like this with little to no repercussion. I suppose that’s nothing new though, it’ll probably take something catastrophic for regulators to get around to it—and even then there’s no guarantee.
What’s crazy is that security isn’t even incentivized by money in extreme cases. Breaches happen to companies who you think would be massively impacted, but nope. Okta was breached in 2023 and their customers were breached because of it, but their stock is up since then. That is… insane. This indicates that no one cares about security, to the extent that companies get breached due to a vendor getting breached and that vendor sees no financial impact.
I feel like users are perhaps fatigued to the extent that it feels pointless or idk. At least some of it is that security plays almost no role for software engineers other than being perceived as a useless pursuit that adds friction.
Our engineering minds are often blind to the non-technical “fixes” that stabilize these systems.
Consider credit card fraud. The absurdly low entropy of the standardized payment card Primary Account Number has led to a massive private bureaucracy that issues data handling regulations and regularly audits all organizations that handle these numbers. The expense is considerable. And yet, fraud is a regular occurrence, written off as a cost of doing business. If you as a consumer experience a fraudulent charge, you just contact your card issuer: they reverse the charge and issue you a new number. We don’t even perceive the friction because we have little basis for comparison: it’s always been this way.
I’m certain that the shitshow that the big telco equipment providers ship isn’t any better. Some stuff that I’m NDA’d would make anyone sane just close their computer and hit the nearest pub.
I’ve worked with FreeSWITCH in the past and can confirm it’s a bit of a shit show. We kept running into a problem where its sqlite database kept getting corrupted, presumably because threads kept stomping on each other’s file descriptors. Our solution: simply delete the sqlite database in a cron job. The database wasn’t important apparently, or maybe it was used as a cache or something? I don’t recall.
The reason we used FreeSWITCH: legend had it that Asterisk was a total shit show. So it must be even worse… Eldritch horrors, alright!
This is kind of “defensive C programming practices 101” level.
I guess, but the code was written in the year 2000. It’s not an excuse to not have reviewed this code and modified it to use snprintf, but the snark about a >25 year old line of code in a dependency’s dependency sucks.
Nice work by Soatok again.
Never mind, I guess? 4.4BSD in 1992 had snprintf… reading the xmlrpc-c source and shaking my head the whole time so people know I disagree with it…