Linking to someone's blog to generate ad revenue happens too often around here.
Seriously, do editors even read the story and figure out that the real story is one link beyond?
Companies falter ... I see your Nortel, I raise you Wang Labs (snicker), Commodore, 3DFX, RCA, etc ...
Well, not automotive but Canada has Bombardier.
He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.
Fair enough. Out of courtesy one should inform the "victim"; but he's not obligated. Not ethical and also not illegal.
There was no evidence that the addresses were disseminated - gives the guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.
Agree 100%. This is where he/they stepped over the line; you grab 10, or even 100 addresses and you've proved your point. +100k? The only argument is if they were incompetent and just didn't know the scope of what they were going to retrieve with an automated script.
100 e-mails: okay, so you turned the handle and you opened the front door. You saw that they get Victoria's Secret because the magazine was sitting in the front hall. 100k+ e-mails: you stepped into the foyer or even took a few steps down the hall and looked around.
I would equate this with trespassing. Not break and enter. I think the attorney needs to prove that they were planning to (or did) use the information collection for nefarious actions. For the above analogy, you opened the door, you walked down the hall ... and did you call your buddy to drive up with a van so you can load up the Plasma TV from the living room, or did you start unplugging it already?
Agree 100%.
Damn; you're right.
I get it that it would take a whole lot of processing power to deal with the slew of private keys, but beyond that, encryption in this case looks gimmicky for the user. Only good if someone hacks into the FS remotely, steals a backup tape, or finds a discarded drive from their SAN.
Yeah, this is really nothing special. Maybe we should build our own?
Their terms of service did say that your data is inaccessible without your password, but this is nothing more than permissions rather than per-account encryption.
Or it could be that a personal encryption key is stored in their user profile database. So all data is still uniquely encrypted per user, but access to the key is available to the admins (and as you indicated limited by process/permissions).
I would hope that every person's data is not encrypted with the same key. If that's the case, then they may as well close shop now.
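The two designs being argued over in the comments above, as an added illustration that is not part of the thread and does not describe any real provider's implementation: in the first, a per-user data key sits in the profile database in the clear, so access to the data is only as strong as the permissions guarding that row; in the second, the same per-user key is stored wrapped under a key derived from the user's password, so someone holding the database row and the stored file still cannot decrypt. The file cipher here is a toy HMAC-SHA256 keystream chosen so the block runs with the standard library alone; the function names, the sample password and the message are constructed.

```python
"""Constructed demo: 'permissions only' vs 'password-wrapped per-user key'.
Nothing here describes a real provider's design."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustrative only;
    a real system would use AES-GCM from a vetted library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def kek_from_password(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's password; only someone who
    knows the password can recompute it from the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=KEY_LEN)


# Design A: the per-user data key is stored in the profile DB in the clear.
def enroll_design_a():
    data_key = secrets.token_bytes(KEY_LEN)
    return {"data_key": data_key}, data_key


# Design B: the per-user data key is stored only wrapped under the password KEK.
# XOR with a fresh KEK used once for one key is a one-time pad; it carries no
# integrity protection, so a real wrap would use AES-KW or AES-GCM instead.
def enroll_design_b(password: str):
    data_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    kek = kek_from_password(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
    return {"salt": salt, "wrapped_key": wrapped}, data_key


def unwrap_design_b(record, password: str) -> bytes:
    kek = kek_from_password(password, record["salt"])
    return bytes(a ^ b for a, b in zip(record["wrapped_key"], kek))


def admin_reads(record, blob):
    """What someone holding only the profile DB row and the stored file can
    recover without the user's password."""
    if "data_key" in record:          # Design A: the key is right there
        return decrypt(record["data_key"], blob)
    return None                       # Design B: nothing to decrypt with


def demo(password="correct horse", message=b"quarterly numbers"):
    rec_a, key_a = enroll_design_a()
    rec_b, key_b = enroll_design_b(password)
    blob_a = encrypt(key_a, message)
    blob_b = encrypt(key_b, message)
    return {
        # the legitimate user path works in both designs ...
        "user_reads_ok": decrypt(key_a, blob_a) == message
        and decrypt(unwrap_design_b(rec_b, password), blob_b) == message,
        # ... but only design A lets the database holder read the file
        "design_a_admin_readable": admin_reads(rec_a, blob_a) == message,
        "design_b_admin_readable": admin_reads(rec_b, blob_b) == message,
        "design_b_wrong_password_reads": decrypt(unwrap_design_b(rec_b, "wrong"), blob_b) == message,
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the thread circles around falls out of design B directly: because the provider never holds the unwrapped key, it also cannot reset a forgotten password without losing the user's data, which is exactly why a provider might choose design A and rely on process and permissions instead.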
Chances are they enabled a function to impersonate any user in order to validate that it was working properly without having to know someone's pwd. Problem obviously is that they kept the original config. Deployment team, testers or devs probably share the problem equally. Most likely someone forgot to document all the steps including re-enabling the authentication piece.
Easy to criticize from the other side, but obviously change management and solid SDLC practices are not in place. I know that they're pretty much a start-up and their end-goal is a juicy IPO. They need to consider that they're a target for all the security hacks and other "cloud" providers.
All they need is to get one sensible person to review and validate the releases. They can keep their internal cowboy style, just as it hits or affects prod, then someone needs to sign it with blood.
I'm sure they will learn from this. Their rep has suffered major damage (again).
This is stupid on so many levels. What's next? Religions and cults? Political parties? Hobbies?
Man, who will be the registration authority? How will domains be impacted when/if companies are prohibited from doing business in some location?
I had a 3G iPhone with Rogers in Canada. Contract term was up and the phone is mine. Can I just plop in a VirginMobile SIM and change providers? Nope. Rogers will charge $50 for unlocking *MY* iPhone.
Had to jailbreak it and unlock it with ultrasnow. I am on a prepaid plan for a lot less than what Rogers offered. Don't need the latest and greatest phone model. Comes in handy when I go to the US and use a prepaid plan down there.
If I ever buy another phone I will only buy unlocked.
Seconded. In healthcare and in Ontario, we need to make sure we have at least a copy of our data in our province.
It relates to Privacy because one of the main "selling" points of Bitcoin is anonymity.
Yes, this has as much to do with Privacy as me taking the license plates off my car so that I don't have to pay the tolls. Pardon the car analogy ...
They could have put on the Borg Gates icon on there since perhaps the Bitcoin software was running off a Windows computer?
Last week it was about an imaginary bust of a Bitcoiner "miner" who may be using too much electricity, making law enforcement potentially believe that it was a grow-op.
Today it's a story about a virtual currency that is barely used anywhere being used for online drug trading. Not Bitcoin specifically. Paypal most likely ...
Honestly. Having a video "story" is bad enough. Having the story linked to Bitcoin on a vague premise is pretty bad.
Let's create a Bitcoin /. filter, so I can exclude these stories from my profile. Not sure how this relates to "Privacy". I'm thinking that there is a group of Bitcoin proponents working hard to get any publicity.
Privacy legislation in parts of Canada is such that because of the PATRIOT Act we cannot store or process certain types of data in the States. There are workarounds, but the hassle of appeasing privacy officers and the various boards just eliminates the US as a viable option. We now look more to the EU ...
Just so you know, since it is clear that the US is losing business because of this.
Some manufacturers have key combinations to erase the device. Sometimes the manuals actually list the steps required.
Not affiliated, but these guys have a db of the commands:
http://www.recellular.com/recycling/data_eraser/default.asp
Cost & Complexity:
- certificates aren't free
- certificates need to be properly managed
- encryption requires computational power
- you would be surprised how many things break when you move around http:// to https:// in URLs. There's a lot of amateurs implementing things.
- an SSL cert is usually married to a dedicated IP address; this makes it cost- or technically prohibitive for web hosting companies. IPv6 won't be around for a while.
and more importantly
- SSL is not necessary all the time!!!!
I would have a hard time recommending to anyone to run their whole site in SSL. Get the logins or most forms in SSL, but the rest would be overkill.
August 29th, 1997. At that point we lost all communication with Skynet.
What would you have recommended in regards to a higher performance RAID config? Just curious ...
Perhaps someone more knowledgeable can enlighten me ...
If I take my BB over to the UAE, I guess when I start roaming on their local service, all my BES communication will go through the local UAE RIM gateways, correct? The same gateways that the UAE will have some major visibility into. So that means that something that is private in the US/Canada will forgo that confidentiality once I'm within their borders?
Hate to reply to my own post; but I want to correct myself. NK and SK were occupied by the Soviets and Allies respectively (see http://en.wikipedia.org/wiki/Korea#Division_of_Korea). The big difference is that the NK people (backed by the Soviets) attempted to invade SK. So again, the big difference between Korea and Germany was the active state of war between the two separated countries.
Apples and oranges, wrt Germany and Korea. In Korea, two disparate ideologies created a civil war that split the country apart (regardless of the USSR/China and NATO powers mingling). With Germany you had the country split in two by the four occupying powers. The ideology the East Germans were subjected to (and well, the West Germans too from the Americans, let's be honest) came from an external power: the Soviets.
The German people (especially in the West) wanted to re-unite. I'm not too sure if the North and South Koreans really welcome each other.
As well, the West and East Germans never were in a state of war similar to what the Koreas have. Yes, there was the cold war (I grew up listening to the air siren tests on a regular basis since I grew up 100km from the West/East border), but West Germans could visit East Germany, and to some extent the other way around (even though people tended to not want to come back).
Personally I'm not sure how the two Koreas would unite. It seems to me, they are too far apart.
That's exactly what I thought when I saw it. I'm changing my systems at home, or trying to figure out how to set this at the router level.
Give it some time, and Rogers will probably block it due to security reasons.
Scan your databases for FQDNs of issued certs with the null string. Then revoke them.
Then go after the people who requested them and ask for an explanation.
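The scan-then-revoke procedure in the comment above, worked through as an added example that is not from the original post or any CA's tooling: it walks a list of issued-certificate records, flags every subject CN or SAN entry that carries an embedded NUL byte or is otherwise not a well-formed hostname, and groups the findings by serial number together with the requester so the operator knows what to revoke and whom to ask. For each NUL finding it also records the name a client comparing C strings would see (everything before the NUL), which is the mismatch that makes such a certificate dangerous. The `IssuedCert` records, serials and requester addresses are constructed for the demo.

```python
"""Constructed example: audit a CA's issued-certificate records for hostnames
containing an embedded NUL byte. All records below are made up."""
import re
from dataclasses import dataclass, field

# RFC 1123-style hostname, optionally with a single leading wildcard label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


@dataclass
class IssuedCert:
    serial: str
    subject_cn: str
    sans: list = field(default_factory=list)
    requester: str = ""


def names_of(cert: IssuedCert) -> list:
    """Every name the certificate asserts: subject CN plus all SAN entries."""
    return [cert.subject_cn] + list(cert.sans)


def audit_name(name: str):
    """Return a finding for one name, or None if it looks clean."""
    if "\x00" in name:
        # A client that treats the name as a C string stops at the NUL and
        # compares only this prefix, so the issued name and the name a
        # browser would accept are not the same thing.
        seen = name.split("\x00", 1)[0]
        return {"name": name, "reason": "embedded NUL", "appears_as": seen}
    if not HOSTNAME_RE.match(name):
        return {"name": name, "reason": "not a valid hostname", "appears_as": name}
    return None


def audit(certs) -> dict:
    """Map serial -> {requester, names} for every cert with at least one bad name.
    Serials in the result are the revocation list; requesters are who to contact."""
    findings = {}
    for cert in certs:
        bad = [f for f in (audit_name(n) for n in names_of(cert)) if f is not None]
        if bad:
            findings[cert.serial] = {"requester": cert.requester, "names": bad}
    return findings


SAMPLE_CERTS = [  # constructed records, not real issuance data
    IssuedCert("01", "www.example.com", ["example.com"], "ops@example.com"),
    IssuedCert("02", "www.example.com\x00evil.example.net", [], "someone@evil.example.net"),
    IssuedCert("03", "mail.example.org", ["mail.example.org", "smtp.example.org\x00x.test"], "it@example.org"),
    IssuedCert("04", "*.example.net", [], "ops@example.net"),
    IssuedCert("05", "bad host.example.com", [], "dev@example.com"),
]


if __name__ == "__main__":
    for serial, info in sorted(audit(SAMPLE_CERTS).items()):
        print(f"REVOKE serial {serial} (requested by {info['requester']}):")
        for f in info["names"]:
            print(f"  {f['name']!r}: {f['reason']}; a C-string client sees {f['appears_as']!r}")
```

Running the scan directly against the CA database rather than against exported PEM files matters here: some tooling will silently truncate the name at the NUL when it renders the certificate, so a report that looks clean may simply have hidden the problem.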
Sorry, I read it and I just have a couple of questions.
a) was Accolade forced to recall all their cartridges?
b) there's a lot about fair use and Sega preventing competitors. How do Nintendo, MS and Sony deal with their licensing right now? How can they be forced to only go through the console manufacturers to have the necessary keys to play on the device?
The "sweat of the brow" argument for recouping R&D costs didn't seem to hold water in appeal court.
A couple of entries I found don't really expand on what the consequences were for the market in general:
http://en.wikipedia.org/wiki/Sega#Sega_versus_Accolade
Here it states that Accolade won the appeal but yet reached a deal with Sega, http://en.wikipedia.org/wiki/Accolade_(company)