So, I am pretty much a citizen who normally doesn't wish to right wrongs. I normally don't like to play the knight on his high horse throwing out a vibrant «you failed the Internet». Yet I did.
In the previous «fun» episodes of my life, I have been a coder, then a mover.
I like moving, but being paid 5€/hr overall in quite insecure conditions spoils the fun. I would do it for 15€/hr without regret. And for the same reasons I learned to respect the movers' know-how, I finally came to value my own knowledge in coding and learning. So, recently, after a serious crisis about what we do in the IT industry, I came back to apply once again to «decent jobs».
Well, I tried.
When you are jobless, companies and administrations seem to think you are the scumbag of the internet and that your time is free.
Websites are at best broken, unusable/inaccessible and most of the time insecure. And so this is the story of my small victory against the evil forces of «not caring» (this is not in my backyard, you non-paying customers).
When the new Information Technologies result in loss of time and security
Almost all the websites I am talking about are made with all the latest kikoo lol UX and so-called innovation. People seem to learn new tricks, yet they still do not learn the old ones.
Every day I apply to «IT» positions, I spend between 1 and 3 hours' worth of work:
- creating custom credentials
- validating my email
- filling in my resume for the nth time with a custom square wheel
- rewriting a new motivation letter trying to pretend I love this company, expert in UX/IT, while it makes me do a walk of shame through its pitiful, poorly coded web pages.
- then, 5 minutes later, receiving a letter telling me I am rejected without any justification.
I am using a government-funded website (pole-emploi.fr). It redirects us most of the time either to third-party proxies or to company websites.
Most of the time I say nothing. I am not a philanthropic billionaire with time to waste on protecting banks in my free time.
I am just a broke worker; I want a job collecting the data of poor customers to process them through big data and neural networks. I am guilty of normally, knowingly putting my knowledge at the service of the bad guys.
The day you grow a conscience something is wrong
But, 4 days ago, on my 4th application of the day, something weird happened: I made a typo and needed to recover my password.
Then two things happened that pissed me off:
- the mail giving me my password back did not come from the website it was supposedly sent by, but from a different domain. And Google was probably whitewashing it in the name of «let's give confidence in commerce when people use our tools».
- my password was returned to me AS IS; let's say it may not be clear-text storage, but it is too close (symmetric ciphering with a secret) for my comfort;
- there were NO contacts available on the website to report problems.
Non-sysadmins and non-web-devs do not see the trouble. In fact most web devs and sysadmins don't see the trouble with clear-text passwords.
Let's state it clearly: it has been a clear taboo in the world of web development since 1996, for very good reasons. If the database gets hacked, ALL passwords get stolen, and since users often reuse passwords and logins, it puts users in jeopardy if a breach occurs.
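To make the point concrete, here is an added example (mine, not code from the portal or from Orange) of what a «forgot password» flow looks like when passwords are stored as salted one-way hashes: the server cannot mail the password back, because it no longer has it, so recovery has to go through a single-use reset token. Iteration count and salt size are values I chose for the example, not taken from any real system.

```python
import hashlib
import hmac
import os
import secrets

# Chosen for this example; a real deployment picks its own parameters.
ITERATIONS = 600_000

def store_password(password):
    """Derive a salted PBKDF2-HMAC-SHA256 hash. The password itself is never kept,
    so a database dump yields hashes to crack, not passwords to reuse."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_password(record, candidate):
    """Recompute the derivation with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def recover_password(record):
    """What the recovery mail can contain with this storage: nothing.
    Contrast with the portal in the post, which mailed the password back as is."""
    return None

def issue_reset_token(record):
    """Proper recovery: mail a random single-use token; store only its hash,
    so the token itself is not exposed if the database leaks."""
    token = secrets.token_urlsafe(32)
    record["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def redeem_reset_token(record, token, new_password):
    """Consume the token (single use) and replace the stored hash."""
    expected = record.get("reset_token_hash")
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False
    del record["reset_token_hash"]
    record.update(store_password(new_password))
    return True
```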
The day after you grow a conscience and need to move on
Well, I went on my local-language Python and BSD chans and talked with «professionals». They told me to move on, because, you know, today it is common practice; focus on finding a job and don't get that sensitive, especially since you are security-aware but not specialized in security.
And you know what? When there is such a level of not caring, why care?
The day after the day you did not care.
Well, guess what, you have to fill in another application. And here we go again.
And then you notice it is a «very successful» company outsourcing portal for job applications.
One of the reasons I was utterly pissed was that the job description explicitly stated attention to security details, and it was for THE BIGGEST PROVIDER OF BUSINESS SOLUTIONS for IT in Europe. Not to name it: Orange Business Service.
You know what, when I do job interviews, people grill me on small details that I find irrelevant to security. For me security is: make it simple, stupid and manageable, with strong attention to details like: having fucking contact information to report security holes, and having fucking humans on 24/7 awareness in CERT teams (Computer Emergency Response Teams) in case there is a fucking security hole.
So, I saw red.
I first tried to find a security contact on OBS websites. None.
There was a commercial contact. I used it.
They called me back expecting to make money, and discarded my alert.
I used the mail in the whois of the main domain. No answer.
I used the phone number. No one at this number.
No fucking contact on the websites.
So I saw red hot chili pepper red, jalapeño red to be exact.
Since my Twitter is @obnoxiousJul I decided to be ... jul
I shamed @orange, which then redirected me to @orangejobs. And I asked them:
Dear @orangejobs_fr, is it normal for an IT specialist like OBS to store clear-text passwords in the database of its application site? — jul (@ObnoxiousJul) August 16, 2016
Actually there was an answer, and it was bittersweet, relieving:
@ObnoxiousJul the NRS portal is going to be definitively shut down. Please use this site instead: https://t.co/6dOe38wsQr. In the meantime, we'll look into it. Thanks — orange jobs fr (@orangejobs_fr) August 17, 2016
Why I am still seeing 1000 Scoville red
First, the dig axfr on the provider I will not name still lists 600 websites for job applications. Most are off, but still.
As an unemployed person, being tracked with marketing tools already pisses me off.
But more than that, it exposes me to insecure practices, and that pisses me off.
This «application portal provider» provides for major French companies pretending to care about security:
- airport-related business;
- energy business;
- IT business;
- consulting in security business;
- BANKS!
Seriously, the whole profession is suffering a long, slow, steady shift of concern. Not about using stronger algorithms or better practices, but about the basics of security, which is TO CARE.
And you see, what concerns me too is that some e-commerce websites I use for buying spare parts for my bike as a near hobo (like "@Retto KYA") are doing the same: clear-text passwords and an autistic IT team.
I have also been talking to Pôle emploi about the fact that they are exposing the jobless; they discarded my concerns. So I tried the «service public» site; they seemed not to understand.
The problem is not technical anymore: it is human.
Actual IT is like experiencing a fire on a plane, and when you activate the alarm the steward and the passengers come coughing through the middle of the smoke saying there is no problem.
And that is a problem. I still see a huge problem in the current pedantic IT culture, and if the crisis does not come from finance, it will come from the loss of trust of users who will stop using insecure web technologies.
IT enthusiasts, it is time to wake up and stop snoring while the boat is sinking.