SPAM, FUD and Rogue Web Services
Jun. 28, 2006 04:30 PM
Most dodgy e-mails are fairly easy to spot, and represent the cost of doing business in a world where human greed combines with technology and gullible users.
First one today from "Visa services", who insisted I enter my credit card details and password on their web site to avoid irreversible instant deactivation of my account. Only problem is I don't have a Visa card, and their URL had a Zambian IP address, so I quickly deleted it.

Next suspect in-box entry was claiming to be from a lawyer for a rich deceased ex-president who needs my help moving millions of pounds to Europe; its title was "Can you be trusted?". This type of scam is the well-documented 419 variant of the centuries-old Spanish Prisoner con, and is the subject of the extremely funny book "Tuesdays with Mantu: My Adventures with a Nigerian Con Artist".
My final interesting e-mail was titled "Beware rogue web services". My understanding of web services is that they’re a very solid and simple technology that allows programs to communicate over a reliable and ubiquitous protocol, HTTP, transporting messages as XML. The description of the message format is contained in a WSDL document, and the idea is that when designed well you get a de-coupling of end points, giving a nicely balanced, peer-to-peer, heterogeneous sharing of services.
Wanting to broaden my knowledge and learn what rogue web services are, I followed the URL in the “danger, ignore this at your peril” in-box entry. According to the referenced article, they’re a silent killer that means people are going to jail and companies are going out of business.
I don’t want either of these, so I read on: “rogue services are Web services that get lost in the IT system and cause problems because IT managers don’t know they are there and don’t know who might be using them”. OK, so someone somewhere has realized that web services are basically a way for one program to call another, and because that other program might be outside your organization there’s the possibility that, if you didn’t know this, it might be bad. Hmm, I suppose if you extrapolate this to a very frightening and extreme scenario there’s a chance that in your SOAP message you might send an organization you don’t trust a ton of sensitive corporate data. This is the gist of the article, which informs us that “next thing you know, company executives are on the witness stand explaining why an unknown Web service was capturing credit card data that was then accessed by a hacker”.
Being completely level headed and objective, this is total and utter tosh. I see no way it could occur. Web services are a way of describing how you do program-to-program calls over HTTP using XML as the message. If developers are stupid enough to pass all of your credit card data in the message, what’s to stop them just e-mailing it to a Nigerian fraudster, or printing it off in hard copy and leaving it on a bus? This is covered in the article, which tells me to “think of a laptop with personal customer information left in a taxi, only now it’s left in a Web service accessible from the Internet. Just as serious”.
Tosh++. It’s just not possible. Hackers and briefcase thieves cannot break into your system and steal stuff through a web service.
The more one reads the article the more one suspects it’s brazen FUD. However, to back up its argument, it talks about the fact that various experts agree “applications built by outside consultants, or even well-meaning programmers on the company payroll, can become rogue web services”.
Encore du tosh. I fail to see how this is possible, or why they couldn’t do it today if they were so inclined, dishonest or stupid. Security is first and foremost about people and process.
After reading the piece several times I became suspicious of the fact that one of the heavily quoted experts works for a company which markets a tool that, incredibly fortunately for the now terrified reader, includes a discovery tool for finding rogue web services. This expert apparently demonstrates the tool at a number of customer sites and finds “IT managers are shocked at the number of rogue services hidden in their system”. He goes on to quote: “What we’ve seen is that a lot of people really have no view of what they really have in production, in terms of services or their applications”. No surprises there that IT managers don’t know what’s going on in their systems, and the expert’s tool is of course going to solve everything with one silver bullet check.
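What a WSDL actually describes, and what a "discovery" check for undocumented services amounts to, is easier to see in code. The following is an added example, not code from the original post or from the tool the quoted expert sells. It parses a constructed WSDL 1.1 document (the service, hostnames and operation names are made up for illustration), lists every SOAP endpoint the document advertises together with the operations reachable through it, and then flags any endpoint whose host is absent from an inventory allow-list or that advertises a cleartext HTTP transport. The allow-list is the piece the article never mentions: a discovery tool can only tell you something is "rogue" if you already know what is supposed to be there.

```python
"""Enumerate the SOAP endpoints a WSDL 1.1 document advertises and flag the
ones that fall outside a known inventory.  Added example, not code from the
original post; the WSDL and hostnames below are constructed for illustration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample: one service bound to two ports.  The second port points at
# a host outside the company's own domain, over cleartext HTTP.
SAMPLE_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<definitions name="OrderService" targetNamespace="http://example.com/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.com/orders">
  <message name="PlaceOrderRequest"><part name="cardNumber" type="xsd:string"/></message>
  <message name="PlaceOrderResponse"><part name="orderId" type="xsd:string"/></message>
  <portType name="OrderPortType">
    <operation name="PlaceOrder">
      <input message="tns:PlaceOrderRequest"/><output message="tns:PlaceOrderResponse"/>
    </operation>
    <operation name="GetOrderStatus">
      <input message="tns:PlaceOrderRequest"/><output message="tns:PlaceOrderResponse"/>
    </operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="PlaceOrder"><soap:operation soapAction="urn:PlaceOrder"/></operation>
    <operation name="GetOrderStatus"><soap:operation soapAction="urn:GetOrderStatus"/></operation>
  </binding>
  <service name="OrderService">
    <port name="Internal" binding="tns:OrderBinding">
      <soap:address location="https://orders.example.com/soap"/>
    </port>
    <port name="Partner" binding="tns:OrderBinding">
      <soap:address location="http://billing.example-partner.net/soap"/>
    </port>
  </service>
</definitions>
"""


def _local(qname):
    """Strip the namespace prefix from a QName such as 'tns:OrderBinding'."""
    return qname.split(":", 1)[-1] if qname else qname


def parse_wsdl(text):
    """Return one dict per <port>: service, port, binding, location, operations.

    Only the document is inspected; nothing on the network is contacted.  A WSDL
    fetched from a live host is untrusted input: parse it with defusedxml in
    production rather than plain ElementTree."""
    root = ET.fromstring(text)
    w = "{%s}" % WSDL_NS
    # portType name -> operation names
    port_types = {
        pt.get("name"): [op.get("name") for op in pt.findall(w + "operation")]
        for pt in root.findall(w + "portType")
    }
    # binding name -> portType name
    bindings = {b.get("name"): _local(b.get("type")) for b in root.findall(w + "binding")}
    endpoints = []
    for svc in root.findall(w + "service"):
        for port in svc.findall(w + "port"):
            addr = port.find("{%s}address" % SOAP_NS)
            binding = _local(port.get("binding"))
            endpoints.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "binding": binding,
                "location": addr.get("location") if addr is not None else None,
                "operations": port_types.get(bindings.get(binding), []),
            })
    return endpoints


def flag_unexpected(endpoints, allowed_hosts):
    """Return (port, location, reasons) for endpoints that are not in the
    allowed-host inventory or that advertise a cleartext transport."""
    findings = []
    for ep in endpoints:
        url = urlparse(ep["location"] or "")
        reasons = []
        if url.hostname not in allowed_hosts:
            reasons.append("host not in inventory")
        if url.scheme != "https":
            reasons.append("cleartext transport")
        if reasons:
            findings.append((ep["port"], ep["location"], reasons))
    return findings


if __name__ == "__main__":
    eps = parse_wsdl(SAMPLE_WSDL)
    for ep in eps:
        print(ep["service"], ep["port"], ep["location"], ep["operations"])
    for port, loc, why in flag_unexpected(eps, {"orders.example.com"}):
        print("FLAG", port, loc, "; ".join(why))
```

Run against the sample, the Internal port passes and the Partner port is flagged twice: its host is not in the inventory and its address is plain HTTP. Note that the check says nothing about what the operations do with the card number in PlaceOrderRequest; that is the people-and-process question, and no parser answers it.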
It’s sort of clever to draw unrealistic, hyperbolic analogies to things like viruses and hackers that IT managers are already frightened of. When the nervous manager takes his kids to the movies, they have to sit through shows where geeky nerds break into government agencies and world banks with seemingly ridiculous ease. This scares them.
The fact that it all occurs on a laptop with fantastic wireless connection speeds, in a train tunnel, under a ton of bedrock, topped with 200 feet of ocean, while the hero is being chased by a helicopter that is flying in the aforementioned tunnel behind the train with no adverse aerodynamic effects, doesn’t detract from the fact that they’re worried about hackers. Maybe after the movie a smart kid in the front row is going home to do some copycat cyber theft and steal their end-of-year bonus using one of those rogue web services that one of those incompetent, but well-meaning, programmers on the company payroll installed last week without management approval.
Wikipedia describes “snake oil salesman” as “the practice of selling dubious remedies for real (or imagined) ailments”.
It also defines “hoax” with “an attempt to trick an audience into believing that something false is real”.
The word “scaremonger” is explained as one who gives a “largely inaccurate statement of information that is written to steer the readers to the writer's point of view. Usually well-written, and using industry standard terms and figures, the reader is moderately or greatly frightened by the potential outcome of the event”.
The only problem is, I don't think the piece on rogue web services is well written and it doesn't have any figures.
About Joe Winchester: Joe Winchester, JDJ's Desktop Technologies Editor, is a software developer working on development tools for IBM in Hursley, UK.