BA systems down globally


Gareth79

7,670 posts

246 months

Wednesday 12th September 2018
The Selfish Gene said:
That's before we even get into entire governments doing it to destabilise other economies.

Frankly - the UK has been caught napping in many respects.
A crossover with the Salisbury thread - I was amused by the suggestion that GCHQ etc. could go after Russian government, utility and banking systems to cause disruption. Do they really want to start a "cyber war" with them, REALLY??

The Selfish Gene

5,505 posts

210 months

Wednesday 12th September 2018
Gareth79 said:
The Selfish Gene said:
That's before we even get into entire governments doing it to destabilise other economies.

Frankly - the UK has been caught napping in many respects.
A crossover with the Salisbury thread - I was amused by the suggestion that GCHQ etc. could go after Russian government, utility and banking systems to cause disruption. Do they really want to start a "cyber war" with them, REALLY??
Technically we are already in a cyber war with them, but it's a bit one sided.

the issue isn't so much the hacking (although that is a problem)

It's more the entire buildings set up with IT people creating fake profiles across FB, Insta, Twitter etc. and trying to sway public opinion.

It worked getting Trump in (although that was pushing on an open door somewhat in the US).

Nearly worked with Corbyn - but well, even the British aren't that gullible.

Getting some customers bank details, email details frankly is low priority.

Bringing down Gatwick, or BA, or NHS is a bit more of a high profile problem.

deckster

9,630 posts

255 months

Wednesday 12th September 2018
captain_cynic said:
If it doesn't make sense to you, that would be your issue.

I've worked with banking, finance and insurance. Nothing goes into production without being checked and triple checked. Any slightly ambiguous sources of code to be used with payment information is discarded. Unless they know exactly what the code does, it's not implemented.

The problem with this approach is it's not cheap. You need talented people who can write their own code rather than copy/pasting from Stack Overflow.
roflroflroflrofl

Get over yourself. I work in banking, finance, insurance, healthcare, comms, media, public sector and more. They're all as bad as each other and nobody, but nobody, audits their code in an exhaustive manner as it's just not possible. Tracing every execution path for every possible set of inputs is quite literally impossible for anything more complex than { printf("Hello World"); }

And the thought that any system, anywhere, has ever gone live without using a third party library is simply laughable. I would further suggest that using well-known, supported, open-source libraries is an excellent and very secure way to implement things. Certainly better than getting Bob the Intern to write something from scratch.

roachcoach

3,975 posts

155 months

Wednesday 12th September 2018
Andy Zarse said:
What I find most shocking is BA holding credit card and CCV numbers in non-encrypted form. I’d expect my local taxi firm to encrypt, let alone a huge international airline.
You'd be surprised how encryption works in the regulatory sense compared to the "common expectation" sense. You will probably find they were compliant and 'encrypted' to the level required in the regulations.

CzechItOut

2,154 posts

191 months

Wednesday 12th September 2018
rxe said:
IT systems are very different. I’ve been in the business for er, several decades, and I’ve not once seen two implementations that were the same, even when they were using the same underlying software. Even when companies decide to use an external service (one of the premises behind cloud), they will use it in subtly different ways. A “lesson learned” in one place may not be relevant to others. Software suppliers (either closed or open source) do update their code all the time to fix problems - but that may open up new issues in something that someone has built.
Implementations are different, but processes are similar. Almost all large sites have some kind of front-end content management tool. If this tool was used to update a JavaScript file (we don't know how the file was changed), then there is a clear lesson for anyone using a content management system, regardless of technology or implementation. Don't put dynamic client side files in your CMS.

The Selfish Gene

5,505 posts

210 months

Wednesday 12th September 2018
deckster said:
captain_cynic said:
If it doesn't make sense to you, that would be your issue.

I've worked with banking, finance and insurance. Nothing goes into production without being checked and triple checked. Any slightly ambiguous sources of code to be used with payment information is discarded. Unless they know exactly what the code does, it's not implemented.

The problem with this approach is it's not cheap. You need talented people who can write their own code rather than copy/pasting from Stack Overflow.
roflroflroflrofl

Get over yourself. I work in banking, finance, insurance, healthcare, comms, media, public sector and more. They're all as bad as each other and nobody, but nobody, audits their code in an exhaustive manner as it's just not possible. Tracing every execution path for every possible set of inputs is quite literally impossible for anything more complex than { printf("Hello World"); }

And the thought that any system, anywhere, has ever gone live without using a third party library is simply laughable. I would further suggest that using well-known, supported, open-source libraries is an excellent and very secure way to implement things. Certainly better than getting Bob the Intern to write something from scratch.
In fairness captain_cynic - I'm not sure what you worked on, and what your role was, but seriously that's a very rosy view of an industry that in my experience (granted only 25 years) isn't how it works.

We always always always release with issues and security flaws. The trick is the risk assessment to make sure they are the least bad of all the issues we found or designed in across the cost, time, quality triangle. We should at least know what they are. Nothing is ever defect free.

My industries are defence, banking, insurance, telecoms, TV, Media, electricity/gas etc

rxe

6,700 posts

103 months

Wednesday 12th September 2018
deckster said:
roflroflroflrofl

Get over yourself. I work in banking, finance, insurance, healthcare, comms, media, public sector and more. They're all as bad as each other and nobody, but nobody, audits their code in an exhaustive manner as it's just not possible. Tracing every execution path for every possible set of inputs is quite literally impossible for anything more complex than { printf("Hello World"); }

And the thought that any system, anywhere, has ever gone live without using a third party library is simply laughable. I would further suggest that using well-known, supported, open-source libraries is an excellent and very secure way to implement things. Certainly better than getting Bob the Intern to write something from scratch.
Indeed, it would be nice to see people actually do bloody unit testing....

And where do you stop? Do you roll your own processors? Intel have found some huge cock-ups in the last year. Encryption libraries? Unless you have the best team on earth, and all the time you need, I guarantee anything you write will be worse than whatever libraries people pull down from SourceForge on a daily basis.

Actually having precise control of all your environments would be a good start. A key question is “how long does it take you to get from a bunch of VMs to a working environment”? You’d be surprised how many organisations answer “months”.

The Selfish Gene

5,505 posts

210 months

Wednesday 12th September 2018
We take it left enough to penetration test actual discs - remove them from racks and stress them

and right enough to do a full PVT post go-live

also everything in between.

Puggit

48,440 posts

248 months

Friday 21st September 2018
IT systems are struggling again...

BlackLabel

13,251 posts

123 months

Wednesday 7th August 2019
Another day, another BA IT problem.

"British Airways IT glitch causes chaos for holidaymakers"

https://www.theguardian.com/business/2019/aug/07/b...

Vaud

50,509 posts

155 months

Wednesday 7th August 2019
BlackLabel said:
Another day, another BA IT problem.

"British Airways IT glitch causes chaos for holidaymakers"

https://www.theguardian.com/business/2019/aug/07/b...
It's like many banks.

Staggering complexity of legacy systems on top of legacy systems across a spectrum of integrated companies.

Every airline would say to their board that IT and data is critical to their existence and future.

Every board will block a £2-4bn, 3-5 year fundamental replatforming - those CEOs that are brave enough to tackle the core issue.