My docs got dropped in the Stratfor leak - kisom
http://kyleisom.net/blog/2011/12/37-stratfor/

======
gyardley
Yes, the security of Stratfor was unacceptably lax, and yes, getting mad is
generally a waste of energy, but you can't legitimately compare the criminals
who broke into Stratfor and committed credit-card fraud to a five-year-old
who's gotten into the cookie jar. They are old enough to take responsibility
for and be held accountable for their actions; a five-year-old is not.

~~~
hack_edu
And, unlike a five-year-old, they have the aptitude to pick specific targets
and continue to do so. Tactics of a hack are secondary. Intrusion is
intrusion, and whether or not they sneak in like a spy in a James Bond movie
or just walk in the back door is far, far down the list of their goals.

Can we get past relating them to children now? Many of them are professionals,
and if we're lucky, will soon enough be ones who are running the next Stratfor.
After all, folks like these guys _founded_ the infosec industry.

------
sp332
Have any of these sites been brought to court for criminal negligence? If CC#s
are getting dumped, they probably broke a bunch of PCI rules too.

~~~
kisom
Like I said, I'd love to see legislative effort aimed at making this sort of
negligence criminal; I have absolutely no legal background so I have no idea
if there's current legal ground to pursue it on.

They did store CVVs and expiration dates in addition to credit card numbers,
so I'd imagine there's some sort of PCI violation going on.

------
steve8918
Me too. I'm actually pretty pissed at Stratfor because it's a huge
inconvenience.

Unfortunately, I used an email address that I use on other sites, so now I
have to decide whether or not to create a new email account for everywhere
else, which is extremely, extremely annoying. Luckily, I used a separate
password for Stratfor (12+ characters).

Also, unfortunately, the cc was my main cc number, so that means I have to
change EVERYTHING, which is a huge hassle.

I guess this means I just have to keep creating throwaway email addresses for
every new service that I sign up for, which is turning into a management
nightmare.

~~~
JoshTriplett
Why would you need to change your email account? As long as you don't have a
compromised password, you shouldn't need to worry about it. The credit card
number seems like your primary concern.

Or have people started spamming that list of emails (more so than every email
address in existence gets spammed)?

------
drivebyacct2
Why should Lulzsec be held accountable and not the ignorant/arrogant
developers of the Stratfor/Mtgox/PS3 sites?

Everyone, EVERYONE, should be using something like LastPass. It makes my life
MORE convenient than when I used the same password for everything, and it's
more secure because I have unique passwords everywhere.

As for credit card data, my understanding is that there are legal recourses
for sites that store that data insecurely. Sadly, no one has taken my idea of
an oauth style payments system where stealing a "credit card number" would be
entirely meaningless.

~~~
kisom
For passwords, I typically use a Mandylion
(<http://mandylionlabs.com/products/token.htm>). It has helped out quite a
bit, the downside being I have to run a Windows VM for the token software.

~~~
drivebyacct2
All I'm getting is jargon overload from that page. I don't understand what that
offers me over regular password generation/storage, and having to use a VM
would pretty much mean no deal unless I'm missing out on some killer feature.

Stores 50 passwords at a max of 14 characters? I have many passwords over 20
characters and have well over 200 passwords stored in LastPass. LastPass also
supports two-factor auth via Google Authenticator now as well.

I really feel like I must be missing something. It's a glorified notepad? With
the ability to XOR the passwords with another string for additional
"protection"?

~~~
drivebyacct2
Can whoever is downvoting take half a second and tell me what I'm missing
here? Please?

~~~
kisom
Sorry, had to step out for some New Year's celebrations.

Long story short, I've had the Mandylion for several years, since before
LastPass came to be. It was the only solution at the time that offered
automatic generation of passwords, automatically re-generating them after a
configurable amount of time, and something I could take around with me between
various machines at my university / work. Now, I could use LastPass, but I
already have the Mandylion worked into my daily habits.

Anything that's a passphrase is something like a sentence out of a book or
song, so I just remember the passwords for them. YMMV.

~~~
drivebyacct2
I see. Thanks for the explanation!

------
jeronimo4
Who cares? Waste of my time to read stuff like this on HN.

------
mrzerga
Flagged. Blurbs like this are a pointless waste of my time. So your email has
been revealed, WHO CARES? Don't post garbage like this on HN.

~~~
loeg
Better than "how to XXX your start-up" and "business blah blah".