jvanderbot · 4 years ago
"A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data."

Sure, blame the consultants with their "booming industry". I'm sure T-Mobile spent adequate amounts of money on securing their data, hired all the best people, and it was all the security people's fault for not doing it properly.

secuthro22 · 4 years ago
I don't doubt that T-Mobile could have done more, but it's also frustrating to see this trope that spending more money on security is some type of silver bullet. It's not.

I've been in security for over a decade. I currently work at a FAANG with nearly unlimited security budget. Previously I worked at another major tech company with nearly unlimited security budget. Before that I was a consultant and consulted at companies with huge security budgets. All of them, including my FAANG, struggle to have anything more than security that can only be described as "patchwork".

The truth is that nobody actually knows how to do security. Software devs are awful at it (the amount of FAANG engineers I know that don't even understand what encryption is, or think that hashing passwords is unimportant, would blow your mind), management is awful at prioritizing it or even knowing what to do in the first place, and every security professional in the industry is effectively just winging it based on what someone else in the industry promoted as "best practice" (and is probably outdated by now).

Sure, prolonged investment in security might help make things better, but that's not an overnight solution, and it might not be a solution at all given that the attackers are investing heavily in their methods, too. We have to do more than just acting like increasing the security department's budget is going to fix all of our problems. I guarantee it won't.

Alex3917 · 4 years ago
> Software devs are awful at it (the amount of FAANG engineers I know that don't even understand what encryption is, or think that hashing passwords is unimportant, would blow your mind)

But that's not because there aren't also lots of devs who understand security, it's because FAANG companies have purposely chosen to prioritize hiring based on leet code ability above hiring based on security knowledge.

edit: This is why software developers would benefit from a union or licensing process, because currently devs who don't understand security are artificially lowering developer salaries by externalizing risk onto users.

thechao · 4 years ago
I don’t do anything security related — I’m a lowly bare metal programmer — but I’m still mystified as to how user passwords are securely kept on disk? The only thing I could think of was to encrypt a user’s password with their password…

jjav · 4 years ago
> I don't doubt that T-Mobile could have done more, but it's also frustrating to see this trope that spending more money on security is some type of silver bullet. It's not.

So true. A problem is that "spending money on security" is so nearly always a synonym for increasing the infosec budget under the CISO. Which is useful, yes, but only a partial solution. A bigger ROI would be to spend it on developers who are experts in security and building a culture that cares. But even in enterprise security companies (most of my career), product security is so often seen as a checklist that infosec will take care of, not a core engineering competency.

yibg · 4 years ago
A big budget doesn't guarantee good security, but a low budget pretty much guarantees poor security.
hyperbovine · 4 years ago
This makes no sense at all---you're implying that the bad guys somehow have a monopoly on innovation and effectiveness, when in reality, there is just more upside for them to steal sensitive info than there is downside for companies to protect it. If T-Mobile's latest data breach led to them getting fined, say, $5 billion, I promise you it would be the last.
disintegore · 4 years ago
I'm sure it's both. As in, much of what they did spend likely went to snake oil salesmen. I've met lots of security consultants who did not have backgrounds in math or compsci.
woodruffw · 4 years ago
> I've met lots of security consultants who did not have backgrounds in math or compsci.

My experience both working at and with higher end consultancies is that there is no correlation whatsoever between those degrees and any particular consultant’s competency. Some of the best people I’ve worked alongside have been college dropouts and Religion majors.

secuthro22 · 4 years ago
One of the biggest problems in the security industry is a misconception that security and computer science are the same. They aren't at all.

If you're doing low level design of crypto algorithms, you need to know math. If you're doing appsec reviews or pentests, then a background in software development might help (but is not required).

But there is an entire world of security roles out there that are essential to implementing security that have nothing to do with math or compsci. The security industry right now has a huge problem with gatekeeping, where they think you can't even begin to think about security unless you're already a top-tier principal engineer, and it's led to a huge drought of talent in security roles across the board.

Closi · 4 years ago
> I'm sure it's both. As in, much of what they did spend likely went to snake oil salesmen. I've met lots of security consultants who did not have backgrounds in math or compsci.

I'm going to bet that they did have qualified engineers, because I like to assume the best in people, but I also assume that those engineers may not have been able to make the changes they want to.

In my experience in big companies, corporate bureaucracy and a complete unwillingness to change processes or systems is usually a bigger hindrance to security than the skill level of consultants/engineers.

NortySpock · 4 years ago
What do you consider a background in compsci? A few years in the industry?

Because my degree is in Management Information Systems (MIS), but I've done troubleshooting on both performance problems of the O(n^5) variety and problems of the "not covered in the requirements document" variety... Not sure what else I need to understand, say, memory bounds-checking problems or firewall/ACL configuration problems.

EDIT: expanded acronym

eli · 4 years ago
I don't see the connection between a background in math or computer science and exposing unprotected internal network devices to the internet.
Aperocky · 4 years ago
Probably memorized a checklist and passed a multiple-choice test or two to become certified.

BrandonMarc · 4 years ago
"A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data."

Exactly. Heaven forbid we blame the corporations whose lax security led to the stolen data in the first place. That would make advertisers unhappy.

x0x0 · 4 years ago
I had to manually change the urls in their site to opt-out of some data sharing a couple months ago.

Something like that getting shipped to prod... yeah, you have the D team building tech at tmobile. So we should collectively be shocked if their codebase isn't a leaky sieve.

coldcode · 4 years ago
Everyone's security is awful, as the penalty for failure is less than the expense required to make it secure. Until the former becomes higher the latter will guarantee insecurity rules.
f38zf5vdt · 4 years ago
Everyone always talks about making penalties more severe for data leaks. I have to wonder what the consequences of that would be. Bankrupting your competitor might become as easy as paying a few bitcoins to a foreign mercenary.

I think better security and encryption protocols need to be developed that mitigate the severity of a single leak. Without more compartmentalization of data and more control put into the hands of users, leaks of these massive, un-encrypted databases appear inevitable.

wyldfire · 4 years ago
> Bankrupting your competitor might become as easy as paying a few bitcoins to a foreign mercenary.

This would result in insurance policies to guarantee against that outcome. Those policies in turn would introduce both costs and practices across industries that would improve the security of all the insured (and indirectly, their customers).

Unlike hiring a Rainmaker to look nice for the C-suite, imposing these costs would make sure that there's effective mitigations. Just like safety matters for your car, it would start to matter for your software.

spyder · 4 years ago
Does the basic security scanning the hacker was doing cost hundreds of millions for big companies? Because that's the fines some big companies are getting:

https://www.csoonline.com/article/3410278/the-biggest-data-b...

or at least tens of millions in the EU thanks to GDPR:

https://www.enforcementtracker.com/

We understand it's nothing compared to their profits but is it nothing compared to the cost of basic security?

ldoughty · 4 years ago
Equifax agreed to pay 600 million, but still saw profits up 20% for the year... Sure they could have made 600 million MORE in profit, but that's still just 15% of their profits for the year.. sure they'll spend a few million in the area they need to shore up one time and wait for the next incident... It's just good for business... Invest enough to keep these incidents down to one every 5 years, pay fine, repeat.
BrandonMarc · 4 years ago
Scanning is pretty inexpensive. Maintaining a complex system that passes the scans? That's something different altogether.

If I take a clunker to a mechanic, how much will it cost me to hear everything that needs fixing? About $150. But actually performing the fixes? One order of magnitude greater - and that's if I'm very, very lucky!

post_break · 4 years ago
Been a T-Mobile customer for ages. SIM swaps are too easy. 2-factor is a joke. This is like the 3rd time my data has been lifted. But I stay with them, why? Because I have 3 free lines, unlimited everything, for $32 a month. They have crazy phone trade-in deals from time to time, T-Mobile Tuesday usually nets me 15c off per gallon at Shell. Am I happy that they keep getting hacked? Absolutely not, but I'm happy pretty much any phone with a SIM card works, my bill is low, and I have 5G pretty much everywhere.
nullify88 · 4 years ago
So what you are saying is that the overall cost of doing business with T-Mobile (both monetary and your personal data being public) justifies the convenience?
murgindrag · 4 years ago
It's not so much the convenience as the problems other carriers bring. T-Mobile has no security, and lousy coverage, and is technically incompetent, but they're fairly honest and customer-friendly.

I could tell a horror story from Verizon about a multi-thousand-dollar roaming bill from someone I knew, from Google about being completely locked out of a phone number forever from another person, and lots of others.

Pick your liability.

On the whole, I found the risk of data theft from T-Mobile to be the lesser of the evils.

dv_dt · 4 years ago
When it’s really not clear if other options are any more secure then one might as well optimize for the visible features of convenience.
okprod · 4 years ago
Convenience is a significant reason why people use Facebook, Zoom, Gmail, etc., despite possible issues from nonfree software.
steviedotboston · 4 years ago
how on earth do you have 3 lines with unlimited data for 32 a month?
twic · 4 years ago
Easy, just hack into their database and add them.
post_break · 4 years ago
I have 8 lines in total, three of them free, plus a free unlimited tablet plan.

jbuzbee · 4 years ago
I have 6 lines, "unlimited" with T-Mobile for around $130 used by various family members. Can't find a better deal than that.
siva7 · 4 years ago
This is crazy, what you pay in America; in Europe the cheapest unlimited T-Mobile plan goes for 90€.
missedthecue · 4 years ago
I pay about $25 a month for unlimited everything with T Mobile.
xyst · 4 years ago
legacy plans
throwaway223252 · 4 years ago
not quite as good a deal, but you can get $15/month with mint mobile, which sits on top of t-mobile's network. supposedly low priority but i've never had a problem in the past twelve months: http://fbuy.me/siAKU
Jaepa · 4 years ago
To clarify this is the fifth data breach in 4 years for T-Mobile.

1 in 2018, 1 in 2019, 2 in 2020.

bogomipz · 4 years ago
You forgot the 2015 breach where T-Mobile customers' SSNs were stolen. This was the one that T-Mobile blamed on Experian, and Experian said they were only holding the customer SSNs at T-Mobile's request. See:

https://money.cnn.com/2015/10/01/technology/tmobile-experian...

jbluepolarbear · 4 years ago
Similar for me, I have 4 lines (2 I’m using) unlimited everything, no data caps for $100 a month. I looked at other options and there’s nothing close that compares.
r00fus · 4 years ago
Grandfathered "simple choice" plan with 10 lines for $160. I have upgraded to 5G phones with no problems. Not unlimited, but I never use up the data anyway.

I really hope TMO takes security seriously going forward.

datameta · 4 years ago
What I don't understand is why the hacker (whose full name is used in the article - alias?) is being public about this? Shit security or not, they made a clear cut black hat move purely for money. Or I suppose the other factor is fame/infamy. Pretty sure there are at least a few pissed off hackers among those 50M people who would want to track this person down digitally and pull something as retaliation.
toomuchtodo · 4 years ago
I'm going out on a limb, but based on signal from the article and actions the person has taken, I don't think they're mentally well.
CSSer · 4 years ago
I was about to comment this. He says he went public to raise awareness about allegedly being illegally detained in a "fake mental hospital". Obviously anything is possible, but that sounds a lot like he could've been legally detained and doesn't really understand the law i.e. he could've been a danger to himself or others.

His other bombastic comments to press and relatives also make him sound insecure and immature. Obviously he had to be somewhat adept and dedicated to gain access, but he didn't discover any incredible exploit here. He also takes credit for discovering a well known zero-day but admits he had nothing to do with the code for the exploit. To me that supports the idea that he hangs out in black hat circles because he wants to be one of the 'cool kids', put in the time and got lucky. I imagine the press love that because a lot of the public doesn't really know the difference.

hpoe · 4 years ago
From the article

"John Binns, a 21-year-old American who moved to Turkey a few years ago"

I'm assuming it is the Turkey thing, probably counting on that to be a significant barrier. Yes they have extradition but I've also heard that Turkish authorities are quite amenable to bribes as well.

JumpCrisscross · 4 years ago
> Yes they have extradition but I've also heard that Turkish authorities are quite amenable to bribes as well

Turkey is also a NATO member. If T-Mobile can get the U.S. government to plead their case, that could generate serious impetus for action from the top.

Also, if you're in a country whose officials take bribes, advertising that you're (a) vulnerable and (b) potentially in possession of cash is dangerous.

short_sells_poo · 4 years ago
> I've also heard that Turkish authorities are quite amenable to bribes as well.

If the dude is banking on this, the major issue is that the Turkish authorities may be quite amenable to bribes from anyone indeed. Subsequently, my wager is that both TMobile and many among the 50M whose details were stolen have far deeper pockets than hacker exhibit A.

In other words, the dude must be absolutely certain that government corruption can only go well for him. In the US, he'd "only" go to prison if the system wants to make an example out of him. In a place where anyone can be bribed to do anything, the sky is the limit.

vmception · 4 years ago
Yeah, I had read that too and concluded he is an idiot, and also shame on the reporter for enabling this idiocy.

But also props to the reporter for likely winning the FBI's bounty.

jdofaz · 4 years ago
I don't know if this is still the case, but in the past when I changed a line to a different SIM on T-Mobile an alert about the SIM change was texted to me, on the new SIM. :/

It didn't inspire much confidence in me regarding their security practices

streptomycin · 4 years ago
Once there was a billing snafu and they cut off my line, with no notice given. I was freaking out a bit cause I thought it might be a SIM swap attack or something. After figuring it out and getting reconnected, I realized that actually they had told me about it. Via a text message. To the phone number they disconnected. After they disconnected it.
dleslie · 4 years ago
Data is a liability. It's hoarded because it's also a gold mine, and the risk to those hoarding it is minimal even if it's stolen.

The risk for hoarding data needs to be made comparable to the harm that theft would cause to the individuals affected by it; or hoarding data needs to be strictly regulated.

sneak · 4 years ago
It would be nice to be able to open these accounts without providing PII, so that it would be harder to attack specific users, and breaches would not be so damaging to customers.

This US trend of requiring government-issued ID for even routine transactions (like phone service) that aren’t ID-related is insane and dangerous.

beepboop43 · 4 years ago
Anyone know of a provider that doesn't mandate storing this info? I understand they want to know your credit to open an account so need your pii to get credit info, but does any cell provider not store it after that? I tried to get tmobile to delete mine and they won't so I'm open to switching to any post-paid service that does.
tbihl · 4 years ago
Not post-paid.

If you want privacy, you need to be more serious than that. Mint mobile prepaid (no personal info) on a device you bought outright in cash. Obviously, no one should know that phone number; you should do all interactions through your publicly known VOIP number that's forwarded. That phone shouldn't be turned on any time you're near home; that should be done with a separate home iPad or the like. And no traffic should ever happen outside of a VPN...