Sounds to me like someone needs to make a new delicacy consisting of zebra mussels. Much like the nutria and feral hogs down here in the South, coyotes are just plain fun to hunt. When an invasive species starts to take over a region, you make it a culinary delicacy that people will pay a crapload for, all the while having an open season. Problem solved. :P
So says the crack dealer to the addict. Geez.
That's their CxO overhead.
Your subject really would have worked better if you had worded it differently. Insane would be just crazy, abnormal, random behavior which could manifest harm to oneself or others. This actually does kind of make sense, but I am not sure it totally covers all of their intent.
I propose modifying the term to insidious. That actually conveys the full intent of their actions. Any other term would imply that they did not intentionally want an outcome any different from what they obtained.
Has it started already? First it was the power plant, then the 40th floor of the Empire State Building, and later it was a Manhattan woman's 27th-floor window. I am just wondering if these are practice runs and just a precursor to what will really happen when Skynet finally has had enough of our pesky human existence.
What do you mean wait? Consider it already done.
PEBKAC (Problem Exists Between Keyboard and Chair)
Mitigation is always the prudent path. I have lost count of the times I have been countered in a design meeting, when asking what security approach we would use, only to be told "features" outweigh "security". I hope that most companies actually did create a tested, repeatable, and current disaster recovery plan, because I think they may need it in the near future.
That is just because you have become accustomed to the taste of your local water source. I have had people say the same thing when they first moved into the area where I live. At first they say "Oh god, this water tastes strange", or sometimes even worse. Yet, when compared nationwide, this area always ranks in the top 10 for best taste. Why? Because with water (flavorless on its own) it all has to do with the minerals that are ADDED to it during the filtration/transport process (which varies), unless it is coming directly from a well (my case) with no filtration.
So about that job, I don't need one. I have everything I need.
I cannot say this about other countries, but in the US, if you purchase bottled water for ANYTHING other than an emergency backup to existing water supplies, you deserve EVERYTHING that comes with it. The actual cost is around a 2000x markup. But I think a Tusser quote pretty much sums it up: "A foole and his money be soone at debate: which after with sorow repents him too late."
Further down, though, there is the clarification that the search has to be "reasonable", which the NC Supreme Court did not address. Hence they vacated the judgment and sent it back to the lower court to address whether attaching a GPS tracker for LIFE, not just some arbitrary time frame as in this instance, is to be considered reasonable.
I could see this decision being reversed if the NC court system demonstrates that it is reasonable, as this plaintiff was a repeat offender for the same crime, so this actually could be considered reasonable.
I believe you definitely pointed out the crux of the issue. It isn't the fact that it cannot be used in a court of law without a warrant, it is the fact that they are using it all the time. IMO, this is pretty much akin to any other monitoring device implemented by the legal system AFTER a conviction.
Uh, so the CSO personally configured the system with a default username/password of admin/admin? I was talking at that level. She is just the one who has been held accountable, not the one who actually did the deed. And with the way most BIG companies operate nowadays, I would find it hard to show that the actual deed WAS done by an internal employee.
Just the most critical information that affects pretty much ALL working-class individuals in the US. It does not take a rocket scientist to realize that if the information taken is the primary basis for any other information they may have, then that other information, even though it was not taken, will be devalued to the point of insignificance. Since the underlying base information has now been compromised, any other data derived from it has been made much less valuable, almost to the point of worthless.
So, in hoping that the company survives this debacle, one would have to look at whether they diversified their company so as not to rely solely on this base information. In other words, does their information include anything where their "product" (e.g. the consumers that were compromised) still holds any value?
BTW, if you actually look at their corporate mission statement, one of the values they purported to achieve was Integrity. I'd definitely say that, in this case, they failed big on that one.
Powering the World with Knowledge
Yea, they sure did! They just gave away all the personal information for pretty much all working-class Americans.
Now that is a great motto for a company that actually adhered to their mission statement.
But the data may already be public? Soooo, that is kinda defeating the purpose.
What gave you the impression that outside contractors were not the initial cause of this?
Yup, the return on a class action suit is a pittance for the people affected compared to what the law firm that's handling it will get. Our $70 one-year credit monitoring service compared to the millions that the law firm will get.
Yea, so when your IT folks raise concerns about security..... DON'T IGNORE THEM!
It has been lost to the era of "Ooooo, shiny" mentality.
I have seen just as bad with the security Q/A which they implemented later.
Steps:
1. Reset Password
2. Enter Security Question (blank, one was not previously set)
3. Enter Security Answer (blank, also not previously set)
4. Returns failed reset (as they do not allow a blank security Q/A)
That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house, but at least your existence will be safe and you won't be mailed body parts of family members.
Your life is still f_%ked either way. It's just that one MAY be recoverable.
Out of curiosity, why do banks collect relatives' information on all their loan documents? Habit?
It probably could. The method you are depicting could also be used by intercepting the SMS message from the reset of your password as well as the one used as a transaction confirmation method. Once they reset your password, make a transaction, and okay it, all while still intercepting your SMS, voilà. All unbeknownst to you, they have drained your account. Are there other safeguards in place to ensure that this does not happen? I do not know at this point, but that is a good question to ask.
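The chain described in the comment above (intercept the reset SMS, set a new password, start a transfer, intercept the confirmation SMS, approve it) and the blank security Q/A reset steps quoted earlier on this page, modelled as an added example. This is not code from the original page or from any bank it discusses: the bank, the account names, the phone numbers, the "sms_log" that stands in for an intercepted carrier channel, and the TOTP seed are all constructed for illustration. The HOTP/TOTP routines follow RFC 4226 and RFC 6238; the example's own assumption is that the hardened account confirms transfers with a code computed on an enrolled device rather than one delivered over SMS.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock. The secret stays on
    the enrolled device and never crosses the SMS channel."""
    return hotp(secret, unix_time // step)


class Bank:
    """Constructed toy bank (assumption, not any real institution). `sms_log` stands in
    for the carrier network: whoever can read it (SIM swap, SS7 redirect, phone malware)
    sees every SMS code the bank sends."""

    def __init__(self, sms_log: list):
        self.sms_log = sms_log
        self.accounts = {}
        self.pending_codes = {}      # user -> (purpose, code) for outstanding SMS codes
        self.pending_transfers = {}  # user -> amount awaiting confirmation

    def add_account(self, user, phone, password, balance,
                    security_answer=None, totp_secret=None):
        self.accounts[user] = dict(phone=phone, password=password, balance=balance,
                                   security_answer=security_answer, totp_secret=totp_secret)

    def _send_sms_code(self, user, purpose):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_codes[user] = (purpose, code)
        self.sms_log.append((self.accounts[user]["phone"], code))

    def _check_sms_code(self, user, purpose, code):
        pending = self.pending_codes.pop(user, None)   # single use: consumed on first check
        return (pending is not None and pending[0] == purpose
                and hmac.compare_digest(pending[1], code))

    def verify_security_answer(self, user, answer):
        """Never compare blank to blank: an account with no answer enrolled must fail closed,
        which is the outcome the reset steps quoted earlier on this page describe."""
        stored = self.accounts[user]["security_answer"]
        if not stored or not answer:
            return False
        return hmac.compare_digest(stored.strip().lower().encode(), answer.strip().lower().encode())

    def request_password_reset(self, user):
        self._send_sms_code(user, "reset")

    def complete_password_reset(self, user, sms_code, new_password):
        if not self._check_sms_code(user, "reset", sms_code):
            return False
        self.accounts[user]["password"] = new_password
        return True

    def request_transfer(self, user, password, amount):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["password"].encode(), password.encode()):
            return False
        self.pending_transfers[user] = amount
        if acct["totp_secret"] is None:        # SMS-only account: confirmation also goes over SMS
            self._send_sms_code(user, "transfer")
        return True

    def confirm_transfer(self, user, code, unix_time=0):
        acct = self.accounts[user]
        amount = self.pending_transfers.pop(user, None)
        if amount is None:
            return False
        if acct["totp_secret"] is not None:    # hardened account: code must come from the device
            ok = hmac.compare_digest(totp(acct["totp_secret"], unix_time), code)
        else:
            ok = self._check_sms_code(user, "transfer", code)
        if ok:
            acct["balance"] -= amount
        return ok


def sms_interception_attack(bank: Bank, user: str, amount: int, unix_time: int = 1_700_000_000) -> bool:
    """Attacker who can read the victim's SMS and nothing else. Returns True when the
    transfer is confirmed, i.e. the account has been drained."""
    bank.request_password_reset(user)
    reset_code = bank.sms_log[-1][1]                     # intercepted reset code
    bank.complete_password_reset(user, reset_code, "attacker-chosen")
    if not bank.request_transfer(user, "attacker-chosen", amount):
        return False
    latest_sms = bank.sms_log[-1][1]                     # whatever arrived last over SMS
    return bank.confirm_transfer(user, latest_sms, unix_time)
```

Against the SMS-only account the attack succeeds end to end, because both the reset and the transfer confirmation ride the channel the attacker already controls. Against the account whose transfer confirmation is a TOTP from an enrolled device, the same attacker still resets the password (that path is still SMS) but cannot produce the confirmation code, so the balance is untouched; the legitimate holder of the device can. The `verify_security_answer` check shows the fail-closed behaviour for an account that never enrolled an answer.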
I hope this actually does push most engineers to really pose the question, "Just because I can does not mean I should" ("I can" != "I should"). It also points out that technology is just a tool and should always be treated as such.
IMO, currently the user-definable Security Question/Answer is a better choice over SMS. This way you do NOT have a set of predefined questions to establish a pattern from (e.g. mother's maiden name, high school attended, street you grew up on, etc.), you know, anything that is based on public records. Could your phone number also be considered "public record", considering most everyone asks for it as a point of contact on about EVERY document you have to sign (which means they now have your signature as well)?
SMS TFA reminds me of the commercial for LifeLock: "Oh, I am not a real security guard, I am a security monitor." And the article points this out by showing that SMS TFA does not provide you with that much security. It is exploitable, and not as difficult as some would like you to believe.
I have to agree with you on their approach. They did seem to stop at the protecting-the-consumer-information part. But this also points out a glaring deficiency in the US. Maybe they really should look at some regulation similar to HIPAA, as this deals with a person's overall well-being, albeit financial and not medical.