Slashdot Mirror


User: Murdoch5

Murdoch5's activity in the archive.

Stories: 0 · Comments: 2,207

Comments · 2,207

  1. Location, Wifi, BlueTooth, NFC and all other wireless protocols should be off, unless you have a reason to have them on! You should also always use VPN / TOR proxies on your phone to mask its location. This is a common problem and people need to wake up.

  2. Re:Learn for it! on 36 Indicted in Global Cybercrime Ring That Stole $530M (go.com) · Score: 1

    I can't speak for the general public, but I always disable "flash" or "tap" on my cards. If I don't have to enter a passcode to use my card, then I shouldn't be using it.

  3. Re:Learn for it! on 36 Indicted in Global Cybercrime Ring That Stole $530M (go.com) · Score: 1

    Fair enough and I totally agree. It's not just on the CSO, it's also on the CTO and I've seen FAR too many massively unqualified CTOs, who I wouldn't let watch a VTech kids' notebook.

  4. They're different only in the skill set required.

  5. I'm going to take your reply out of order:

    Nobody is deploying key fobs or encryption keys to their customers by default and even if it did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The chance of IT driving such change is zero.

    Wrong! I run two companies, which make IoT enhanced products, every one of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure. If we need to look into something, such as a product failure, the customer has to go into the software and send us a version of the key that is a one time hash. Once we have that, we gain access to the key and read the log files. Once we're done, the key is automatically regenerated and once again we're locked out. You can't say, "Nobody is deploying key fobs or encryption keys", when responsible companies are.

    I'm not the only person doing this, you can find many companies that will, for instance look at ProtonMail, they have the same approach and there are several electronic lab book tools that function the same way, among others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same, "This is how a responsible company handles security, if you want to use insecure devices, go ahead, but I'll never sell you one."

    The account MUST be available in a form accessible to the provider in order to provide and manage service. It can't as a practical matter be encrypted and accessible to nobody but the end customer. This is not a reasonable position to have. It's a complete nonstarter.

    I answered this above, but this is very doable and reasonable. There is no reason I have to access one of my customers' accounts, without their consent. If there is an issue they need resolved or something they would like looked into, they have to provide us access, much in the same way as the device access I explained above. This system would be great for mobile carriers, as they have no reason to go into my account, unless I allow it.

    I agree from what is known about the T-Mobile case if the customer went out of their way to setup a security procedure to authenticate themselves and T-Mobile failed to live up to their end they should be on the hook for something.

    I don't want to say you're lying, but it sounds like you don't agree at all to this point. The measures I'm explaining are to make sure that the person who can access the account, does access the account. If the customer doesn't want someone in their account, then it should be so, but currently, as far as I'm aware, no North American carrier allows anything close to this level of reasonable protection.

    - EVERYONE is no longer entering passwords into ad hoc web forms
    - Give up insecure authentication protocols (e.g. CHAP/Kerberos).
    - No longer rely entirely on automated procedures based on feedback from insecure protocols (e.g. DNS and HTTP) to establish trust relationships (PKI)
    - When banks and ecommerce sites stop filling their pages with faux padlock gifs and meaningless assertions of security.
    - When anyone in the world can't put whatever the hell they please in the FROM line of an email with an executable payload and the recipient has no clue.

    There are points that need to be driven home to the average person, they're good points to make, and people in the technology field should be driving them home.

    - You really shouldn't be using passwords, unless it's as a first factor method of authentication, and even then, use something like a YubiKey.
    - Excellent point on insecure authentication protocols, they should be actively discontinued and even blocked.
    - A good firewall should block all HTTP requests and as people move onto Secu

  6. Re:Learn for it! on 36 Indicted in Global Cybercrime Ring That Stole $530M (go.com) · Score: 1

    Punishing those who exploit the holes doesn't solve the problem.

  7. Learn for it! on 36 Indicted in Global Cybercrime Ring That Stole $530M (go.com) · Score: 4, Interesting

    This should show everyone how much security and validation is lacking in almost every aspect of our lives. The best thing to do is to learn from what happened and evolve systems that can deal with the real threats. When security lags behind, you get scenarios such as this!

  8. In any other job, you have to carry the qualifications of that job. If I'm a software developer, I have to know and understand the languages which I work with, in great detail, if I don't, then I'm really just a script kiddie, taking code off Stack Overflow. Why would or should the taxi industry be any different?

  9. CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

    Which is a major issue, under no circumstance should a carrier be able to see into a person's account, without the person in question providing security keys or turning off account level encryption.

    If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

    I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology. The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

    What does encryption and 2FA have to do with T-Mobile's role in any of this? Sounds to me like you're confused about the underlying issue.

    If you give someone an account and nothing stops a customer service rep from getting into that account, or resetting access to that account, that would be a major security violation. Accounts should always be stored in such a way as to prevent anyone but the user of that account from gaining access, or changing access details; 2FA and encryption help to stop this problem through validation of the account holder.

  10. It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

    However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

    This entire problem seems to be a classic and disturbing case of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

  11. General Skill on What Are Today's Most Difficult IT Hires? (cio.com) · Score: 1

    The biggest problem in IT is finding people who are actually qualified to work in real IT environments.

    The majority of the people I've worked with have either grossly overestimated their skill levels or flat out made them up. I've lost count of how many times I've had someone try and hold their years in IT or title over me and claim that proves their skill levels, then they've failed to login to a server via SSH (which really happened from TWO CTOs).

    The problem, I find, is qualification and finding people with real skill.

  12. Re:You're not nearly cynical enough on Ex-Google Employee's Memo Says Executives Shut Down Pro-Diversity Discussions (gizmodo.com) · Score: 1

    +1 for SWJism! That's great :)

    If they want to be treated like everyone else in the workplace and the workplace is pro sexual harassment, then they have to deal with it, period. I'm not going to act differently or talk differently because a woman walks in, she can adapt and react, not force change. My current development team actually is 1/3 female, 1/3 Middle Eastern and 1/3 white and we all perform at our peaks with no need to change how we work or act. We often make sexist jokes back and forth, women against men, white against Middle Eastern, voting jokes, penis jokes, terrorist jokes, etc., no one has a problem with it and we're all friends.

  13. The problem with these pro-diversity talks is that we're hiring people because they're diverse, rather than if they're skilled and the right fit. If you see a development team who is all white and male, you have SJWs crying discrimination, when in fact, in 99.999% of cases, you have qualified people, the right people working together. People shouldn't be hired because they're diverse, they should be hired because they're the right fit.

  14. The fact they can't break the encryption is proof that it's effective and a good idea. If I want people to see my traffic and data, I'll let them see it, otherwise, forget it.

  15. If calling yourself an Engineer is a free speech right, then I'm every cool, qualified title on earth.

  16. As a web developer, this really isn't an issue, always use HTTPS even internally. The only way you'd really be locked out is if you didn't follow smart practices.

  17. Who wouldn't take cash with them when they expect to shop on massively busy/overcrowded events? If you didn't take cash, you have nothing to complain about, learn from this and move on.

  18. Breakthrough security method on How a Wi-Fi Pineapple Can Steal Your Data (And How To Protect Yourself From It) (vice.com) · Score: 2

    How about not connecting to WiFi hotspots? With mobile data being plentiful, you simply don't need to hook up to WiFi hotspots, which completely removes the need to forget them :)

  19. Seriously? on Flat Earther Plans To Launch Homemade Manned Rocket (apnews.com) · Score: 1

    This is the result of a failing education system that doesn't put enough stress on science and mathematics.

  20. I work in high-security IT, it's my job to make sure that no one and nothing can track or read anything my team does. I understand more than most people the need for privacy.

  21. Yes, once a device has no privacy or when you have a public statement that the company behind the device doesn't give a rat's ass about security, the device becomes worth almost nothing.

  22. You'll try to help police get into a protected phone? He should be fired for making that statement.

  23. No Excuse! on Heathrow Airport Security Files Found on USB Stick In The Street (bbc.co.uk) · Score: 3, Informative

    Why wasn't the USB key in question a high security, hardware encrypted device? There is no reason to not have a military FIPS 140-2, AES encrypted USB key that can self wipe and self destruct, with full location tracking and remote kill switch.

    There is no excuse for files of this importance to be left on a "normal" key. Whoever provided the key and whoever takes care of the systems the files were copied off of should face criminal charges.

  24. Don't kill them, implement 2FA+ on Why Are We Still Using Passwords? (securityledger.com) · Score: 1

    There is nothing wrong with passwords as a first line of authorization, but if it's all you're using then you really deserve to be hacked. In 2017 it's no longer acceptable to have a single factor of authentication to a system, especially with the prevalence of TOTP and hardware keys, such as YubiKey.

    When trying to secure servers, if you don't have 2FA+ enabled, then you should be fired and blacklisted!

  25. You route the cables into the computer and use motherboard mounted ports that can't be accessed without disassembling the case. I've used this method countless times for servers and endpoints that weren't in proximity to me, as the first round of security. As a second round, test the latency of the keyboard or mouse and if you find strange readings, shut off the ports and go investigate, even a very good hardware keylogger will leave a latency in the signal.
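One way to implement the latency check described in that last comment (the in-line hardware keylogger adding a measurable delay to every event), as an added example that is not part of the original comment or any Slashdot code. The timing samples, the robust-median comparison and the threshold values are constructed assumptions for illustration.

```python
"""Flag an input device whose event latency has drifted from its baseline.

Added example: compare a recorded baseline of per-event round-trip
latencies (milliseconds) against fresh readings and report a drift large
enough to warrant physically inspecting the port. All numbers below are
constructed, not measurements.
"""
from statistics import median


def mad(samples, center):
    """Median absolute deviation: a spread estimate robust to a few outliers."""
    return median(abs(x - center) for x in samples)


def latency_drift(baseline_ms, current_ms, k=3.0, min_shift_ms=2.0):
    """Return (flagged, shift_ms).

    The device is flagged when the median of the current samples exceeds
    the baseline median by more than k robust sigmas (1.4826 * MAD) AND by
    at least min_shift_ms, so ordinary jitter on a handful of events does
    not trip the check. Both thresholds are assumed values.
    """
    base_med = median(baseline_ms)
    cur_med = median(current_ms)
    sigma = 1.4826 * mad(baseline_ms, base_med) or 0.1  # guard a zero MAD
    shift = cur_med - base_med
    flagged = shift > max(k * sigma, min_shift_ms)
    return flagged, shift


# Constructed baseline: keyboard on an internal header, ~8 ms per event.
BASELINE = [7.9, 8.1, 8.0, 8.3, 7.8, 8.2, 8.0, 8.1, 7.9, 8.2]
# Constructed readings after an unexplained change: ~14 ms per event.
SUSPECT = [14.1, 13.8, 14.3, 14.0, 13.9, 14.2, 14.4, 13.7]
# Constructed readings with normal jitter and no real shift.
NORMAL = [8.0, 8.4, 7.7, 8.2, 8.1, 7.9, 8.3, 8.0]

if __name__ == "__main__":
    for name, samples in (("suspect", SUSPECT), ("normal", NORMAL)):
        flagged, shift = latency_drift(BASELINE, samples)
        print(f"{name}: shift={shift:+.1f} ms flagged={flagged}")
```

A flag here is only a prompt to go look at the port, as the comment says; real latency numbers would come from the OS input stack or a timing script, not from this file.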