from Hacker News

Dell announces security breach

by frdmn on 11/29/18, 11:22 AM with 27 comments

  • by donaltroddyn on 11/29/18, 1:07 PM

    If software development were a true profession, then I firmly believe that many developers would be struck off for extreme negligence or incompetence.

    I’ve found and reported serious security vulnerabilities to many companies that I’ve worked with, and become very disillusioned with some of the responses. Companies that operate in fields which materially affect people's lives (such as healthcare, finance and telecoms) will deploy software that is so badly designed that there is often no need to break any technical aspect to get access to private and sensitive data.

    Yet, when I report a breach, the same people who deployed software with broken (or sometimes no) authorisation models, access control, etc, are suddenly competent enough to investigate their own failure. Invariably, they always have perfect logging and reporting that could not possibly have been evaded and which proves that no breach occurred or data was exfiltrated before the vulnerability was reported.

    If another professional, say an engineer, lawyer, or doctor, had demonstrated the incompetence or negligence in their field that I’ve seen some software developers display (sometimes wilfully - “It’s a feature”), they would never be allowed to work again. Software is now so important that I believe that some of the developers and technical leaders that I have dealt with in resolving security vulnerabilities should never again be allowed to work with software that interacts with personal or sensitive data (or, more generally, with software that could affect human life, safety, or privacy).

  • by Already__Taken on 11/29/18, 12:27 PM

    Dell's been an open book for years.

    One piece of spam I got on a brand-new email account arrived ~1 day after ordering a brand-new XPS. It was a fake tracking-code email about my Dell order with correct details like laptop, account name, price. I contacted Dell and only managed to find out my order wasn't even in the post yet. They weren't interested in anything.

    And I also never got any more than that specific 1 piece of spam.

  • by abo2t on 11/29/18, 11:45 AM

    It's insane that companies are allowed to say "yes there was a security hole, but no we don't have logs, therefore nothing was stolen, so stop asking."

    Their refusal to give the number of exposed accounts makes it seem like it's pretty bad.

  • by tyingq on 11/29/18, 12:41 PM

    Dell redirected the vulnerability press release link to a Christmas Deals page. Heh.

  • by ndrake on 11/29/18, 12:22 PM

    From https://www.dell.com/customerupdate

    What is a “hashed password”? Hashing is a cryptographic security mechanism, similar to encryption, that scrambles customers’ passwords into an unreadable format. Dell ‘hashes’ all Dell.com customer account passwords prior to storing them in our database using a hashing algorithm that has been tested and validated by an expert third-party firm. This security measure limits the risk of customers’ passwords being revealed if a hashed version of their password were to ever be taken.
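The statement quoted above says only that passwords were hashed with an algorithm "tested and validated", not which algorithm, whether each hash is salted, or how expensive it is to compute; those details decide how much protection a stolen hash actually gives. The block below is an added example written for this page, not Dell's code and not code from anyone in the thread. It stores a small constructed user database two ways (unsalted SHA-256, and PBKDF2-HMAC-SHA256 with a random 16-byte salt per user) and runs the same dictionary attack against both, counting how many key derivations the attacker has to pay for. The usernames, passwords and wordlist are constructed for the demo; the 600,000-iteration default is a commonly recommended figure for PBKDF2-SHA256 and is an assumption of this example, not anything the statement discloses.

```python
"""Why 'we hash passwords' says little on its own: an unsalted fast hash
falls to a precomputed lookup table, a salted slow KDF does not.

Added example for this page; not Dell's code. Users, passwords and the
wordlist below are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed stand-in for a cracker's dictionary of common passwords.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dell2018", "hunter2"]


# --- Weak scheme: one unsalted SHA-256 per password -----------------------

def store_sha256(password: str) -> str:
    """Stored form: hex SHA-256 of the password, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Attacker hashes every guess exactly once, ahead of time."""
    return {store_sha256(w): w for w in wordlist}


def crack_unsalted(db, table):
    """db maps user -> stored digest. One dict lookup per user, zero hashing:
    the same table cracks every user in every unsalted SHA-256 database."""
    return {user: table.get(digest) for user, digest in db.items()}


# --- Stronger scheme: PBKDF2-HMAC-SHA256, random salt, high iteration count -

def store_pbkdf2(password: str, iterations: int = 600_000) -> str:
    """Stored form: 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.
    The salt is fresh per user, so equal passwords give different records
    and no table can be built before the database is stolen."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the record's own salt and cost, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(db, wordlist):
    """Returns (recovered, kdf_calls). With a per-user salt every guess must be
    re-derived for every user at the full KDF cost; precomputation buys nothing.
    Weak passwords still fall, just at 'users x guesses' derivations."""
    recovered, calls = {}, 0
    for user, stored in db.items():
        recovered[user] = None
        for guess in wordlist:
            calls += 1
            if verify_pbkdf2(guess, stored):
                recovered[user] = guess
                break
    return recovered, calls


def demo(iterations: int = 600_000):
    """Constructed database of three users, stored both ways, attacked both ways."""
    users = {"alice": "letmein", "bob": "hunter2",
             "carol": "correct horse battery staple"}
    weak_db = {u: store_sha256(p) for u, p in users.items()}
    strong_db = {u: store_pbkdf2(p, iterations) for u, p in users.items()}

    weak_result = crack_unsalted(weak_db, build_lookup_table(WORDLIST))
    strong_result, kdf_calls = crack_salted(strong_db, WORDLIST)
    return weak_result, strong_result, kdf_calls


if __name__ == "__main__":
    weak, strong, calls = demo()
    print("unsalted SHA-256, 0 derivations during the attack:", weak)
    print(f"salted PBKDF2, {calls} full derivations during the attack:", strong)
```

Run stand-alone, both attacks recover alice's and bob's passwords and fail on carol's, but the unsalted database costs the attacker nothing beyond a table built once for every breach, while the salted PBKDF2 database costs 16 derivations of 600,000 iterations each for only three users and six guesses, and that cost grows linearly with both. That is the practical meaning of "hashed": only the algorithm, the salt and the work factor say whether a leaked table is a real problem, and none of those appear in the statement. Where a memory-hard KDF such as scrypt or Argon2id is available it is preferable to PBKDF2, but the structure of the comparison is the same.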