Don’t be doomed to repeat the past

Years ago, I couldn’t think of a better question to ask Hewlett Packard’s then open source and Linux chief technologist Bdale Garbee than what actually drove him towards open source.

Unfazed, Garbee provided an answer that made total sense: the group he was working with in the 90s needed to use some printers that the manufacturer had stopped supporting, so there were no operating system drivers.

Rather than give up and buy new ones, Garbee and Co wrote drivers for the printers and open-sourced them so others could use them and improve the code if needed.

Fast forward to 2015, and I’ve got a new 24-port gigabit Ethernet switch. Well, it’s actually second-hand but not that ancient, 2010-2011 vintage with firmware from that timeframe.

This is a device for business networks and as it’s a managed switch, I thought it prudent to check the settings and turn off unneeded features.

The switch has lots of advanced network monitoring, security and configuration features as you’d expect from a device that’s meant to be internet-facing. All are accessed via a web server on the switch using plain old unencrypted HTTP and nothing else.

That is if you can access the server in the first place. Whoever coded the settings pages on the switch managed to make them incompatible with all current browsers, which is no mean feat but it meant the only configuration change possible was to press the reset button.

Long story short, a virtual machine running Windows Vista and Internet Explorer 7 gave access to the switch settings pages, but there’s not much you can do to make the device compatible with security demands of 2015. This fellow isn’t going anywhere near today’s hostile internet.

Being (almost) locked out of a device because it requires now-obsolete web browsers for management is a striking example of bad decisions taken in the past coming back to bite you in the future.

The recent panics over the FREAK and LogJam vulnerabilities are cases in point: it became obvious early on after the United States government declared in the 90s that only weak cryptography could be exported that it was a bad idea.

So bad, in fact, that the decision to do so is coming back to haunt us in 2015. The upside however is that the flawed thinking that led to FREAK and LogJam can be fixed (and repeated in Australia’s recent defence export control laws that make it a crime punishable by prison to ship strong encryption).

Once the bad decisions are baked into hardware and firmware, it becomes much more challenging to fix them.

Scrapping almost new devices and replacing them with others you hope won’t be obsolete and insecure within six months is one way to deal with it, but it’s unlikely to be effective as vendors don’t think ahead and provide a way to fix what’s wrong.

If hardware doesn’t follow open standards and you can’t load open firmware of your choice on it, scratch it off the organisation’s procurement list and look elsewhere.

That may sound harsh, but if at some point the choice is a “forklift upgrade” or a software/firmware patch to fix a gaping security hole, especially across multiple devices, I know which option I’d pick.