Software and sue.
When the White House introduced its National Cybersecurity Strategy in March, the administration included a provision suggesting that because software developers have avoided liability for their product’s lack of security, a reassessment of the field is overdue.
Avoiding vulnerabilities altogether rather than narrowly defining which ones make you liable to legal action strikes Jack Danahy of NuHarbor Security as a good goal. Danahy told IT Brew that, in his view, due diligence has fallen by the wayside in part because of the lack of accountability for developers that limited liability has provided them.
“We try to define having a vulnerability as the thing that makes you liable, as opposed to trying not to have a vulnerability,” the product and engineering VP said.
Using regulatory action to push software providers to take better care of their products can be effective. GitHub CSO Mike Hanley told IT Brew at RSA 2023 that “the optimistic case is hopefully that by shifting some of those incentives and the burdens back on the software producers, that will get us to better outcomes.”
“Today, we know that if there’s a software vulnerability or a defect, it’s not just that it rolls downhill,” he continued. “It rolls all the way downhill until it has clobbered the end consumer who has no recourse, no options, no compensation—that’s the cost of them participating in that ecosystem.”
Read more here.—EH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
We expect web experts to build and deploy magic. That’s a lot of pressure, and they deserve the right tools to make that magic happen.
IONOS is a web professional’s toolbox and a treasure chest all in one. They have a comprehensive range of hosting products, servers, and cloud solutions. Like their WordPress hosting, it’s got integrated caching, daily backups, and customizable updates.
Then there’s the Deploy Now membership, which gives you fast, streamlined hosting for git-based sites and apps. And did we mention their free Partner Program, which lets web pros tap into lead generation, single sign-on access, and product trials?
Last but not least, there’s the green factor. IONOS has proprietary data centers in North America and Europe that run on 100% renewable electricity. Web projects renewable energy.
Tap into the trove of IONOS tools. Get started for free.
Storage manufacturer Western Digital has acknowledged that a major breach earlier this year, which took out consumer cloud services for over a week, resulted in the loss of its customers’ data to unauthorized parties.
In a May 5 press release, Western Digital said hackers stole a database associated with online retail sales. The company identified the breach on March 26 and initially disclosed their response on April 2. The company wrote that it had worked with “outside forensic experts” over the course of its investigation.
“This information included customer names, billing and shipping addresses, email addresses, and telephone numbers,” the press release stated. “In addition, the database contained, in encrypted format, hashed and salted passwords and partial credit card numbers.”
“We will communicate directly with impacted customers,” the company added.
The release additionally acknowledged reports that “other alleged Western Digital information has been made public,” likely referring to a TechCrunch article that reported that the alleged attackers demonstrated their ability to falsify Western Digital’s code-signing certificate, and provided evidence they had obtained 10 terabytes of data. Parts of the haul seen by TechCrunch included executives’ personal data, corporate files and emails, and information from SAP Backoffice, an e-commerce management platform.
TechCrunch had reported the hackers were demanding a “minimum 8 figures” ransom, an exorbitant amount by cybercrime standards.
It’s not clear how many customers were affected, although one Western Digital client shared a copy of a notification email with TechCrunch. Ransomware group Alphv (aka BlackCat) has taken credit for the incident, Hacker News reported, and has issued threats and taunts alongside various screenshots intended to demonstrate the breadth of their access.
Charlie Smalling, a PR rep for Western Digital, declined to comment beyond the May 5 press release.
Keep reading here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
Learning to trust—to feel safe with friends, dentists, a neighbor’s dog, that big coffee machine with all the buttons—can be difficult. Learning to not trust takes time, too, especially for IT teams who want to implement none of it.
An IT Brew reader asked: What’s the most important first step for a company on a journey to deploy a zero trust architecture?
Organizations building zero trust architectures need to do so one step at a time, and prepare to keep stepping. After all, it’s not the destination:
“It’s a journey for different organizations who will start with different types of maturity, start at different levels, but the journey will never end,” said Ismael Valenzuela, VP of threat research and intelligence at BlackBerry and a SANS Institute instructor.
The Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance saying just that: “The path to zero trust is an incremental process that may take years to implement.”
But some IT pros haven’t yet set out from The Shire.
What is zero trust? The consultancy Forrester defines zero trust as an “information security model that denies access to applications and data by default.” The philosophy calls for continuous, contextual, and risk-based verification.
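To make the Forrester definition concrete, here is an added example (not code from IT Brew, Forrester, or CISA) of a default-deny access decision that is re-evaluated on every request using identity, device posture, and a risk score. The request fields, the per-action thresholds, and the sample requests are all constructed for illustration; a real deployment would source them from an identity provider, an endpoint agent, and a risk engine.

```python
"""Default-deny, context-aware access decision (added illustration).

Assumption: the request fields, thresholds, and policy rules below are
hypothetical; they stand in for data a real policy engine would pull from
an identity provider, a device-management agent, and a risk engine.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessRequest:
    user: str
    identity_verified: bool   # strong authentication completed this session
    mfa_age_minutes: int      # minutes since the last MFA challenge
    device_managed: bool      # device enrolled in device management
    device_patched: bool      # OS and agent at the required patch level
    risk_score: int           # 0 (benign) .. 100 (hostile), from a risk engine
    resource: str
    action: str               # "read" or "write"; anything else is denied


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Constructed thresholds: writes demand fresher MFA and a lower risk score.
MAX_MFA_AGE_MINUTES: Dict[str, int] = {"read": 480, "write": 60}
MAX_RISK_SCORE: Dict[str, int] = {"read": 60, "write": 30}


def evaluate(req: AccessRequest) -> Decision:
    """Every check must pass; any unknown action or failed check means deny.

    The function is called per request, not once per session, which is the
    'continuous' part of the model: a risk score that rises mid-session
    denies the next request even though earlier ones succeeded.
    """
    mfa_limit = MAX_MFA_AGE_MINUTES.get(req.action)
    risk_limit = MAX_RISK_SCORE.get(req.action)
    if mfa_limit is None or risk_limit is None:
        return Decision(False, [f"unknown action {req.action!r}: default deny"])

    reasons: List[str] = []
    if not req.identity_verified:
        reasons.append("identity not verified")
    if req.mfa_age_minutes > mfa_limit:
        reasons.append(f"MFA older than {mfa_limit} min for {req.action}")
    if not req.device_managed:
        reasons.append("device not managed")
    if not req.device_patched:
        reasons.append("device not at required patch level")
    if req.risk_score > risk_limit:
        reasons.append(f"risk score {req.risk_score} exceeds {risk_limit}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests exercising the main outcomes.
SAMPLE_REQUESTS = {
    "healthy_read": AccessRequest("alice", True, 30, True, True, 10, "hr-db", "read"),
    "stale_mfa_write": AccessRequest("alice", True, 120, True, True, 10, "hr-db", "write"),
    "unmanaged_device": AccessRequest("bob", True, 5, False, True, 10, "hr-db", "read"),
    "risky_session": AccessRequest("carol", True, 5, True, True, 75, "hr-db", "read"),
    "unknown_action": AccessRequest("dave", True, 5, True, True, 0, "hr-db", "delete"),
}


def run_samples() -> Dict[str, Decision]:
    """Evaluate every constructed request and return the decisions by name."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:18s} {verdict}  {'; '.join(decision.reasons)}")
```

The design point is that the allow branch is never reached unless every check passes, and an action the policy does not recognise is denied before any check runs, so adding a new resource or action is a deliberate policy change rather than an accidental grant.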
A February 2023 Forrester survey found that 88% of CIOs and CTOs said their leadership was committed to a zero trust security strategy.
Keep reading here.—BH
Today’s top IT reads.
Stat: 500%. That’s the growth in the last 30 days of podcast episodes that talk about AI, according to Spotify’s CEO. (Insider)
Quote: “When faced with a system that presents itself as a listening, eager interlocutor that’s hearing us and responding to us…we seem to fall into a kind of trance [and] engage in some kind of wish fulfillment: thinking that they’re human, and there’s someone there listening to us.”—Researcher Meredith Whittaker on the risks of interacting with AI owned by large corporations (Fast Company)
Read: Microsoft’s training videos are a hit. (Maybe security awareness also needs high drama and flawed characters?) (the Wall Street Journal)
Kiss bugs goodbye: Get complete QA coverage for your web apps in just 4 months. With QA Wolf, you have access to unlimited parallel test runs + round-the-clock test maintenance to stop bugs from reaching production.*
*This is sponsored advertising content.
- Cybersecurity company Dragos revealed that a hacker impersonated a new employee and began the initial steps of onboarding.
- Google has a new cybersecurity certificate.
- An ex-Ubiquiti Networks employee was sentenced to prison for stealing tens of gigabytes of confidential data. The engineer claimed his efforts were at first an “unsanctioned security drill.”
- Five inventions from India’s first generative AI hackathon, including text-to-pixel-art animation.