The mainstream news (NYTimes, Forbes) has covered the recent data breach at South Carolina's Department of Revenue without really placing blame on anyone responsible for this mess. It's so bad, let's not even call it a mess. Let's instead call it what it is: a catastrophe for the personal data of South Carolina residents.
Current state population: 4.6 million. Exposed records: 3.6 million.
The scale of the data breach is unbelievable. Governor Nikki Haley stated that they were attacked by an "international hacker", based upon the IP address in log files. She, as well as various law enforcement officials, went on to stress bringing this person to justice, and they collectively sat on this information for roughly two weeks to reach certain benchmarks. This press conference could easily be a scene from any hacker movie of the last couple of decades, with officials bumbling along, making statements that they don't understand.
Some items that caught my ear and that I can't accept:
- Governor Haley stated that all of the holes have been plugged. Given that you didn't know anyone in any IT department below the CTO level only a couple of weeks ago, how can you make that claim? Better yet, how can you not encrypt 3.6 million Social Security numbers in a database? How can 16,000 credit card numbers not be encrypted? Storing card numbers in the clear is a basic PCI DSS failure: Requirement 3 says a stored primary account number must be rendered unreadable (by truncation, tokenization, hashing or strong encryption), and the easiest way to comply is to not store the full number at all.
- Governor Haley said that she wanted the hacker "slammed against the wall". I'm guessing that she's not aware that this will be a bored 15-year-old kid in Russia. Good luck with that. The real people who should be slammed against the wall are those who signed off on leaving the data unencrypted. Take everyone who's ever touched that data architecture and fire them immediately. These people are your past, present, and future security holes.
- The Governor seemed satisfied that the state is offering identity monitoring. Sorry, the cat's out of the bag. You can't get the Social Security or credit card numbers back. Cards can at least be reissued; the 3.6 million Social Security numbers won't change, and those residents will have related problems for years to come.
If we as a people continue to let those with blatant disregard for security and standards escape without penalty, then breaches like this will never slow down. I don't care if it's the programmer, database admin, project manager, or the CTO: hold those involved responsible. We all have a duty to stand up for protecting the data of our users.
My mind stopped me for a moment this morning and I thought "How cool is this? I'm watching live video from space". This morning was the scheduled departure of the Dragon capsule (developed by SpaceX) from the International Space Station. In roughly the last month we've seen the first delivery of supplies to the ISS by a private company, a man jumping from the edge of space, and now the return of the Dragon capsule.
Sure, growing up as a kid in the 80's, we thought about all the cool technology that would exist in the far-off future of 2012. As we've all grown older, it's easy to forget how fast things change. We have the technology not only to make these events successful, but also the infrastructure to follow along live, worldwide. Kudos to NASA, SpaceX, Red Bull, and everyone else who has given us moments this month to put things into perspective.
In what would be an unbelievable event for other tech heavyweights, Microsoft has had a second serious security policy blunder discovered in recent weeks. This time the focus is Windows 8 storing passwords in plain text.
The hole involves user accounts that switch to an alternate sign-in method (a picture password or a PIN). When one of these is selected, the original account password remains stored as recoverable plain-text data. The structural reason is worth understanding: a PIN or picture gesture only unlocks the account, and Windows still authenticates with the original password behind the scenes, so the password has to be kept in recoverable form rather than as a one-way hash. Anything the operating system can recover, an attacker with enough privileges on that machine can recover too.
For the full story, continue to Softpedia.
I recently read an article on The Next Web describing how Hotmail is limiting passwords to 16 characters. This contradicts best practice (a properly hashed password costs the same to store whatever its length) and is a policy that tips the "convenience vs. security" scale grossly in favor of convenience (or the attempt at it). In a world that is trending towards allowing pass phrases (i.e., long but easy to remember), this policy is misguided at best.
Read the full article here.
Another year, another Rock on the Range that helps me check things off the bucket list. I'm happy to be able to do the things I love. While I wish that WE were playing again, the next best thing is going anyway.
I was lucky to be able to catch up with so many old friends this past weekend. Also, a big shout out to the Tune Lab members I was able to meet face to face.
Shinedown – Diamond Eyes
Shinedown – 45
Shinedown – Simple Man
Google produced a video a while back that really resonated with me. I think we as digital professionals (designers, developers, UX, etc.) all fail to look at the bigger picture sometimes. I've had all of the actions described in the video happen to me during past checkouts.
The answer requires us to retain the reasons we built the current system the way we did (security, accuracy) and to apply them within a low-barrier, pleasant experience. Here are a few things that I'd like to see happen:
- No session timeouts for non-transactional actions. Example: browse the Verizon site to look at new phones, leave the tab open, and it times out. Idle timeouts belong on authenticated and purchasing sessions, not on a product catalog.
- No usernames. Solution: use the email address plus a password for authentication.
- No CAPTCHAs. We've discussed this extensively at DYNAMIT. They're a burden to users and they don't stop spam.