• GreenEngineering3475@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    1
    ·
    edit-2
    3 months ago

    From the article:

    In an email, a GivEnergy representative reinforced Castellucci’s assessment, writing:

    In this case, the problematic encryption approach was picked up via a 3rd party library many years ago, when we were a tiny startup company with only 2, fairly junior software developers & limited experience. Their assumption at the time was that because this encryption was available within the library, it was safe to use. This approach was passed through the intervening years and this part of the codebase was not changed significantly since implementation (so hadn't passed through the review of the more experienced team we now have in place).
    
    • sugar_in_your_tea
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      3 months ago

      So, it sounds like they don’t have regular security audits, because that’s something that would absolutely get flagged by any halfway competent sec team.

      • WhatAmLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        No need for audits. It’s only critical infrastructure embedded into tens of thousands of homes, lol.