The mainstream news (NYTimes, Forbes) has covered the recent data breach in South Carolina’s Department of Revenue without really placing the blame on anyone responsible for this mess. It’s so bad, let’s not even call this a mess. Let’s instead call it what it is – a catastrophe for the personal data of South Carolina residents.
Current state population: 4.6 million. Exposed records: 3.6 million.
The scale of the data breach is unbelievable. Governor Nikki Haley stated that they were attacked by an “international hacker”, based upon the IP address in log files. She, along with various law enforcement officials, went on to stress bringing this person to justice, and they collectively sat on this information for roughly two weeks to reach certain benchmarks. This press conference could easily be a scene from any hacker movie of the last couple of decades, with officials bumbling along, making statements that they don’t understand.
Some items that caught my ear and I can’t accept:
Governor Haley stated that all of the holes have been plugged. Given that you didn’t know anyone in any IT department below the CTO level only a couple of weeks ago, how can you make that claim? Better yet, how can you not encrypt 3.6 million social security numbers in a database? How can 16,000 credit card numbers not be encrypted? This breaks basic PCI-DSS compliance.
Governor Haley said that she wanted the hacker “slammed against the wall”. I’m guessing that she’s not aware that this will be a 15 year old bored kid in Russia. Good luck with that. The real people who should be slammed against the wall are those who signed off on leaving data unencrypted. Take everyone who’s ever touched that data architecture and fire them immediately. These people are your past, present, and future security holes.
The Governor seemed satisfied that the state is offering identity monitoring. Sorry, the cat’s out of the bag. You can’t get the social security or credit card numbers back. In the case of 3.6 million social security numbers – those won’t change, and residents will have related problems for years to come.
If we as a people continue to let those with blatant disregard for security and standards escape without penalty, then breaches like this will never slow down. I don’t care if it’s the programmer, database admin, project manager, or the CTO – hold those involved responsible. We all have the duty to stand up for protecting the data of our users.
In what would be an unbelievable event for other tech heavyweights, Microsoft has had a second serious security policy blunder discovered in recent weeks. This time the focus is on Windows 8 and passwords being stored in plain text.
The hole involves user accounts that switch to an alternate sign-in method – picture passwords or PINs. When one of these is selected, the original password remains stored as plain text.
Google produced a video a while back that really resonated with me. I think we as digitals (designers, developers, UX, etc.) all fail to look at the bigger picture sometimes. I’ve had all of the actions described in the video happen to me during past checkouts.
The answer to this requires us to retain the reasons why we’ve built the current system (security, accuracy), and apply them to a low-barrier, pleasant experience. Here are a few things that I’d like to see happen:
No timeouts for non-e-commerce actions. Example: browse through the Verizon site. Viewing new phones? It times out if you leave it open.
No usernames. Solution: email address and password for authentication.
No CAPTCHAs. We’ve discussed this extensively at DYNAMIT. They’re a burden to users and they don’t stop spam.
As with most other developers/designers, I’m constantly bookmarking sites for reference and inspiration. Here’s a short list of those I’ve run across in the last few months that are great at telling stories:
Perhaps I’m confused or misread the text. At least I hope I did.
When reading the CNET article “Microsoft modernizes Web ambitions with IE9”, something dumbfounded me. As of today, the preview version of Internet Explorer 9 scores a “55” on the Acid3 test and (more importantly) this is something Microsoft is happy with. For a frame of reference, older versions of IE scored in the 20s and other modern browsers (Firefox, Safari, Opera) currently score in the 90s. Last time I checked, a “55” is still a horrible failure regardless of your last score. Is the bar really so low at Microsoft? We can only hope (and sadly dream?) that Microsoft can make it into the range of the competition by the final release.
On behalf of all internet users: Microsoft/IE, please get your stuff together and raise your standards.
First, it’s interesting to see the dominance in traffic Facebook continues to build. The traffic of the top sites is staggering. Secondly, it’s interesting to see the evolution Facebook has taken with advertising throughout its lifecycle. As much as I hate shady marketers, the information presented is interesting to consider. Is shady advertising really part of a normal growth pattern? His opinion is interesting, even if you don’t agree with him.
This is just a quick heads-up to everyone that I plan to expand this blog beyond SEO and development topics in the near future. I’ve been spending more and more time working on new strategies for up-and-coming media (read: bands), and lessons learned with marketing and management. You may even catch a concert photo or two as the tour continues. This feels like a natural extension from where I’m at currently, and will hopefully also help make posts more frequent.
Google Analytics has become the fast, free and first choice for metrics for many sites. The sites I produce are no exception. But what happens when your client/boss doesn’t want to use Google? Check out these sites with worthy offerings: