This manufacturer of heavy equipment uses encryption for exchanging sensitive data with its partners as well as within the company, reports a pilot fish on the scene -- and everything is built on the SHA-1 algorithm.
Which eventually turns out to be a problem, because the 20-year-old algorithm is no longer considered secure. "At a meeting with a vendor, we started to talk about SHA-1 and using it," fish says. "The vendor rep was quiet for a moment, then said they were using SHA-2, and listed the reasons.
"Our team said we were using SHA-1 and needed to use it due to a timing issue. The vendor rep said they don't revert back to a less secure option, especially for encryption."
But fish's team argues that switching to SHA-2 won't be trivial for the manufacturer, and even though the project won't be going live until well down the road, upgrading everything from SHA-1 just isn't practical in the time available.
In the end, the vendor rep finally accepts the requirement, even though it doesn't make sense -- after all, what's the point of using insecure encryption to protect sensitive information?
Two days later there's another project meeting, and this time one of the attendees is from the corporate IT department. With a little time in the meeting to spare, someone mentions to the corporate-IT guy that the team successfully pushed the vendor to support the corporate-wide SHA-1 standard,
"He was silent for 45 seconds," says fish. "Then he asked why we were going to do this. Before anyone could answer, he said the company was nearly done switching to SHA-2, and he could not even get the SHA-1 certificates anymore.
"We were all quiet until someone spoke up and said that we were going to use SHA-2 for the project.
"Cue the crickets."
Sharky's standard is true tales of IT life. Send me your story at firstname.lastname@example.org. You'll score a sharp Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.
Get your daily dose of out-takes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter.