Why Are Technology Companies Sometimes Led By Stupid People
June 08, 2012
LinkedIn, whose customers are mostly technology type people, managed to lose millions of user passwords this week by storing them as plain unsalted hashes in a database.
I find it hard to imagine that someone there didn't point out how stupid this was to their leadership; yet clearly that leadership failed to exercise an iota of common sense and pay attention. I am sure that all of them made tons of money when they went public, envied by their former co-workers, admired by the local car dealers, but now to be remembered as the doofuses who failed user security 101.
The internet is a wonderful place to find meaningful discussions on how to do almost anything; advice on how to secure user passwords properly has to be as common as porn. Maybe they looked at the latter and ignored the former. Perhaps they preferred comparing their new Ferraris and Porsches. Real people can get hurt when their password is stolen and cracked: security is not something to do when you are bored.
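To make the LinkedIn mistake concrete, here is an added example (not from the original post) contrasting an unsalted SHA-1 store with a per-user-salted, slow-KDF store. The user accounts, wordlist and iteration count are constructed for illustration; nothing here reflects LinkedIn's actual data or code.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a password,
# and a tiny "common passwords" list standing in for a cracking wordlist.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted_sha1(password: str) -> str:
    """The weak scheme: one plain SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_unsalted(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}

def duplicate_hash_groups(store: dict) -> int:
    """Count stored values shared by more than one user. Without a salt,
    identical passwords hash identically, so the store itself reveals them."""
    counts = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)

def recover_with_table(store: dict, wordlist: list) -> dict:
    """Why unsalted is fatal: SHA-1(word) is computed once per word and the
    same table is reused against every account in the dump."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[d] for user, d in store.items() if d in table}

def store_salted(users: dict, salt_source=os.urandom) -> dict:
    """The fixed scheme: a random 16-byte salt per user plus a slow KDF,
    so no precomputed table applies and equal passwords look different."""
    records = {}
    for user, pw in users.items():
        salt = salt_source(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        records[user] = (salt, dk)
    return records

def verify_salted(record: tuple, password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("unsalted shared-hash groups:", duplicate_hash_groups(weak))
    print("unsalted recovered by one table:", recover_with_table(weak, WORDLIST))
    print("salted shared-hash groups:", duplicate_hash_groups(store_salted(USERS)))
```

Running it shows the unsalted store giving up both shared-password accounts to a single four-entry table, while the salted store yields no duplicates and forces a fresh slow computation per user per guess.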
You would think with so many companies embarrassed in the news by security mishaps that people would take this more seriously but for whatever reason it never registers.
As I've mentioned before, I once worked for a firm that kept all the production server and database passwords in a single text file in the code repository because the chief architect didn't like to have to remember a new one when he "fixed" the system. I pointed it out to the CTO, who remarked that he trusted the employees, so it wasn't an issue. It's funny because the systems had no audit trail on logging in either, so there was no way they could ever know if someone walked off with all the juicy customer data. None of it was encrypted either. Morons.
I bet that more people are hacked, attacked and cracked than actually admit it or even notice it. You can forgive the local hardware store that tries to manage their few computers and network themselves, but a public company with tons of money and access to a massive database of smart people that didn't even bother to hire a single security expert or audit firm is inexcusable.
Do you think anyone will resign or return their huge stock benefits as a public apology? Not likely.
Unless you want to be forever a poster child for stupidity, please take security seriously and listen to those little voices who nag you about how poor security is at your company.
Security is like an NFL offensive lineman: it's best when no one mentions your name.