Strength Through Security. Security Through Faith.

[andrewducker]

[Poll #1754082]

The context being the recent security apocalypses at Sony (repeated breaches, where they were storing credit card details openly, and passwords in plain text), the US Senate (likewise), and now possibly the UK census.

Comments

[eatsoylentgreen.livejournal.com]

both of those actually, the corporations and large organizations are always working very hard to fight the security issues of two months ago.

[andrewducker]

Encrypting passwords is not the security issue of two months ago, it's the security issue of fifteen years ago!

[momentsmusicaux.livejournal.com]

And open source web apps have been encrypting them for ages because otherwise everyone would know they're not... *smug*

[bart-calendar.livejournal.com]

It will cause large companies to buy insurance policies to financially protect themselves.

[andrewducker]

Would you insure Sony against data theft?

[bart-calendar.livejournal.com]

As far as I can tell people will write insurance policies against anything.

Companies are still writing insurance policies against a greek debt default - which is something I think is a lot more likely to occur than a third round of Sony hacking.

[andrewducker]

They'll insure against anything - in the same way that betting shops will take (almost) any bet. Because that's what insurance is - it's a bet.

The question is, what odds do you get? (And therefore what does it cost you to insure yourself).

[danieldwilliam.livejournal.com]

There is a significant incentive for both the insured and the insurer to reduce the risk. The risk of a claim will be the main driver of the premium and the premiums for large corporate insurance are often tightly bespoked i.e. knowledgeable people come out and visit you and often go as far as suggesting how you can reduce the risk and therefore the premium.

[andrewducker]

Exactly. If you're going to insure yourself then you'd balance out the extreme costs by doing things to reduce the dangers.

[danieldwilliam.livejournal.com]

My experience of insurers of highly specialised assets is that they were very willing to work with us and knew at least as much about the risks facing our operation as we did.

[theferrett.livejournal.com]

Don't forget Dropbox.

[andrewducker]

They just did something stupid, didn't they? Left themselves wide open for a couple of hours, but no sign of any hackers?

Or was it worse than that?

[momentsmusicaux.livejournal.com]

Fuck. Dropbox??? *sigh* Stupid of me to be surprised, really.

[andrewducker]

For about four hours any password worked. Oops.

[theferrett.livejournal.com]

Wasn't a breach breach per se, but for about four hours on Sunday any password would get you into anyone's account. Dropbox said that less than 1% of its accounts were impacted, which to me means that a bunch of kids IMed each other and went on a rampage before it was closed up.

[gonzo21.livejournal.com]

Good lord, if they've lost the CEnsus data, that's massive.

That's the names and addresses and signatures of everybody. Want to know where a celeb lives? You can find out. Members of parliament? All there.

Ex military...

[ciphergoth.livejournal.com]

LulzSec deny it:

https://twitter.com/#!/LulzSec/status/83167715799470080
https://twitter.com/#!/LulzSec/status/83172089711964161

[andrewducker]

Thanks - good to know!

[andrewhickey.livejournal.com]

How many people have actually stopped using Sony's services as a result? I'd guess a negligible number. Customers fundamentally don't care about this stuff, and if the customers don't care the companies sure as hell won't.

[octopoid-horror.livejournal.com]

People got a free game or two from Sony so of course they mostly stopped caring apart from a few.

And, of course, if a company gets hacked and your details stolen and used, how on earth will most people know that it was a specific hacked site that led to the identity theft or whatever?

I've used my credit card in quite a lot of internet stores, and in physical stores and in hotels etc. If my credit card details were suddenly used by someone else, I would have NO idea of which specific place they acquired them.

[brixtonbrood.livejournal.com]

Yes, definitely, for a few weeks. During the month or two before the risk committee forgets all about these events, the one person in IT who is exercised about these things may (if sufficiently clued up) take the opportunity to pounce on them with the plan to improve a specific security flaw that's been languishing in a bottom drawer for 18 months, and get it approved.

So I think some companies will end up improving their security a bit as a result of this.

[johncoxon.livejournal.com]

Register headline: "Has the UK Govt lost the census to LulzSec?"

No.

LulzSec document their hacks on Twitter. If it ain't on their Twitter, they haven't done it. (There is a message to this effect on their Twitter at the moment.)

[andrewducker]

Beaten to it by Mr ciphergoth (about four comments above you).

[johncoxon.livejournal.com]

I hope you've started following them on Twitter as a result.

[andrewducker]

Oh Good Lord No. I don't use Twitter for that kind of thing (heck, I barely use Twitter at all). I largely follow people who producing interesting links, or people I actually know. I don't think I see more than 5% of my feed anyway, so it's not like I could rely on it for fact-checking.

[johncoxon.livejournal.com]

In that case, I hope you manually check their Twitter feed before reporting the next unsubstantiated rumour? (You can add Twitter feeds through RSS readers, you know...)

[andrewducker]

Hah! I linked to a story, and included the word "possibly" because there wasn't any confirmation at the time. If my readers want to take the word "possibly" and a link to a story phrased in the form of a question as evidence that something has happened then that's _their_ problem.

And I have no wish to flood myself with more RSS on single topics covering a single group. I get about 1500 RSS entries a day as it is.

[johncoxon.livejournal.com]

Exactly. You linked to it with the word 'possibly' when, actually, a single visit to a single URL would have meant you'd have known it hadn't happened. And you still haven't edited the post to make it clear to readers that it didn't happen. The lack of factchecking, the lack of a correction and the sensationalist headlines are all ticking the 'tabloid journalism' box in my head at the moment, is all.

[andrewducker]

a) I had no idea that such a URL existed when I posted it. I don't keep up with the habits of hackers, and can't access Twitter from work, where I posted this.
b) If people want to know if "possibly" turned into something then they are perfectly capable of checking themselves. I note that The Reg added a link to the Twitter feed themselves, so they can click that, if they so wish.
c) I'm not _any_ kind of journalist. I'm a bored guy on a PC at work, posting something to get comments. If you expect any kind of fact checking then you've not been paying attention to _any_ of my posts.

It's not my job to keep people informed, and frankly if more than 30 seconds effort was involved in this kind of thing then I wouldn't be doing it at all. It's my personal journal, where I ramble about stuff that amuses me, post links that amuse me, and post polls in the hope of comments that amuse me. The moment I start making money off of it you can expect me to start adhering to journalistic standards, and not one moment before.

[johncoxon.livejournal.com]

Sorry. I didn't mean to cause offence, and I enjoy your posts. I was just trying to illustrate why it annoyed me.

[andrewducker]

Oh that's fine :-) I do wish I had more time to update stuff. If I hadn't been being soaked on the way home and frantically tidying the flat before dashing to the airport to meet Juke it might have occurred to me to do an edit. I'll try you remember next time!

(I do forget that people take anything here more seriously than I do - feel free to remind me next time. And apologies for my stress-related grumpiness.)

[johncoxon.livejournal.com]

And, in return, apologies for my not-enough-sleep-due-to-videogames grumpiness. :)

[andrewducker]

Oooh, what game is keeping you awake?

And why aren't you playing Frozen Synapse?

[johncoxon.livejournal.com]

Starcraft II, AVA and Champions Online mainly. I do play Frozen Synapse occasionally, but not as often as I should... :)

[andrewducker]

I'm AndrewDucker. Challenge me! (Server UK1)