This doesn't surprise me. I spent a bit of time at one of the companies that do loyalty programs on behalf of retailers (I would say that most if not 90% of loyalty programs are outsourced). This one had some big-ticket clients including a well-known coffee shop chain. Some things to note:
* In terms of culture, it was primarily a marketing company, not a technology company. Marketroids made up much of upper management. During new-employee orientation, one of these marketroids would attempt to sell you on the company's mission by redefining the word "loyalty" in such a way that it doesn't involve trust, faithfulness, or any other human virtue.
* The office was aggressively open-plan. Engineers sat shoulder-to-shoulder at long benches, with about enough room for their MacBook and one or two monitors, and that's it. There were no "focus rooms" or other quiet places to get work done, only a few conference rooms (and of course offices for upper management). Engineering shared the same office space with sales, marketing, and the other divisions and the place was constantly loud. Even the receptionist's area was out in the open like this. It was like some of the worst boiler-room recruitment firms I'd seen, but scaled up, and you were supposed to get technical work done there.
* The pace was also aggressive. There was an expectation that new features would be implemented and go into production quickly, and this is also the sort of company where you "commit" to work for the next sprint, you do not "forecast". If what you pledged to do by end of sprint isn't done, you will be given the turd-burgling stink eye at best.
With rewards programs being implemented in that kind of environment, is it any surprise that proper care for things like security is not being done?
Precisely why HN is like no other site: no matter what the subject or how arcane the field, SOMEONE reading any post is an expert. It's like one of those companies that finds you an expert for a price, except here it's free.
I am on the other end of those "find an expert for a price" (I'm the "expert") and I always expect to be asked tough questions that are hard to answer.
Once -- once! -- I was contacted by a domain expert looking for someone else to discuss some arcane tech issue (he was trying to decide if he should commit to a new display technology for their next gen design, or if it was too risky. I didn't make any decision for him or anything, just discussed the issues with him).
Typically the questions I get are from people who aren't really sure about the right question to even ask, typically in marketing or corporate strategy, and typically mid level (not new hires but not the VPs or senior directors either). They always have a particular question they want answered but don't even know enough to phrase it properly ("we're looking into strategic direction for our next level offering and our teams are recommending either writing it in C++ or using the blockchain" -- not an actual question!)
This actually makes sense. If they understood a bit about their domain they would already have contacts, hopefully ones they trusted, to help them decide. The kinds of people who pay (well, get their company to pay) to "speak to an expert" are not idiots, merely domain-ignorant and smart enough to know so. So what I end up giving is a kind of off-the-cuff interactive survey white paper to someone who hopes I don't know who they actually are (well, where they work).
It's not tangential at all: they don't hire me, they contract with a company that has relationships with a ton of "experts" and that company makes the connection, handles billing etc. They also have expert witnesses (often the same folks) etc. I have no idea how those guys find me. Word of mouth I presume.
I am really curious about the company that you work through. The place I contract with right now really could use some of that expert advice (not a software engineering issue).
I wouldn't call myself an expert. I didn't spend a whole lot of time there (although something tells me I still spent too much time and should have GTFO'd the first time I heard the word "decisioning" being used entirely straight-facedly). And Hackernews is full of people who think themselves experts and have strong opinions, but are really nothing of the kind, particularly in the field of health and medicine. The real experts tend to keep quiet while the pseudo-experts post anecdata about how everything from rolfing to mewing changed them from bedridden invalids to Matterhorn-conquering climbers.
Indeed, and that should leave you very scared about the security of MANY online services, not just rewards programs!
Some things to note:
1) A lot of "tech companies" are really marketing companies.
2) These companies tend to experience weed-like growth, especially during the early stages, which causes other companies to adopt their practices (Dickensian-orphanage employee seating, emphasis on features and innovation rather than quality, short development cycles) in the belief that doing so will make them more innovative and hence competitive in the cloud era -- a form of cargo-cult management.
Online reward programs are a "bonanza", "gold mine" for criminals, where they can have a "field day", "orgy", "spree", ... consisting of "binging" on personal information. Let's keep "honeypot" what it has come to be, though, in connection with computer security.
A honeypot is a decoy used to attract malicious activity, keeping it from legitimate targets, and accurately identifying it.
Honeypots are deliberately promoted in such a way that legitimate users will not find them, but criminals will end up harvesting their addresses. For instance a honeypot e-mail address wouldn't be offered to legitimate users as a contact, but only buried in some content where only a spammer will harvest it. When the criminal uses the decoy identifier, their connection attempts are subject to time-wasting pauses (the honeypot is "sticky"!), and their IP address is put into a blacklist at the same time, so then they have a hard time accessing non-decoy resources.
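As an added illustration of the behaviour the comment above describes (not code from the thread or any real honeypot product), here is a small simulation: a decoy address that is never handed to legitimate users, escalating "sticky" delays for whoever targets it, and a blocklist that then refuses that source for non-decoy resources too. The decoy address, IPs and events are all constructed.

```python
"""Simulation of a 'sticky' e-mail honeypot with IP blocklisting.
Added example; all addresses, IPs and events are constructed."""
from dataclasses import dataclass, field

DECOY_ADDRESSES = {"spamtrap-7f3@example.test"}   # constructed decoy, never published to users
BASE_DELAY_SECONDS = 5                             # tarpit unit; grows per repeated decoy hit


@dataclass
class Honeypot:
    blocklist: set = field(default_factory=set)   # source IPs seen hitting a decoy
    hits: dict = field(default_factory=dict)      # src_ip -> number of decoy hits

    def handle(self, src_ip: str, rcpt: str) -> dict:
        """Decide what to do with one connection attempt (src_ip -> rcpt).
        Returns the action, the tarpit delay in seconds, and the reason."""
        if rcpt in DECOY_ADDRESSES:
            # Only harvesters reach the decoy: record, blocklist, and make
            # each further attempt cost more waiting time (the "sticky" part).
            n = self.hits.get(src_ip, 0) + 1
            self.hits[src_ip] = n
            self.blocklist.add(src_ip)
            return {"action": "tarpit", "delay": BASE_DELAY_SECONDS * n, "reason": "decoy"}
        if src_ip in self.blocklist:
            # Already identified via the decoy: refuse non-decoy resources as well.
            return {"action": "reject", "delay": 0, "reason": "blocklisted"}
        return {"action": "accept", "delay": 0, "reason": "legitimate"}


def replay(events):
    """Run a sequence of constructed (src_ip, rcpt) events through one
    honeypot instance and return the list of decisions in order."""
    hp = Honeypot()
    return [hp.handle(ip, rcpt) for ip, rcpt in events]


# Constructed sample traffic: one legitimate sender, one address harvester.
CONSTRUCTED_EVENTS = [
    ("203.0.113.5", "sales@example.test"),          # legitimate user, real contact
    ("198.51.100.9", "spamtrap-7f3@example.test"),  # harvester uses the decoy address
    ("198.51.100.9", "sales@example.test"),         # same source, now blocked everywhere
    ("203.0.113.5", "support@example.test"),        # legitimate user is unaffected
]

if __name__ == "__main__":
    for ev, decision in zip(CONSTRUCTED_EVENTS, replay(CONSTRUCTED_EVENTS)):
        print(ev, "->", decision)
```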
"Honey pot" as a metaphor existed long before this. Just because in your life's context the security-related is more dominant doesn't mean the dozen other uses of "honey pot" need to be let go of.
What you're suggesting isn't "let's keep...", since at no point in time it exclusively meant that one thing.
It's the NYT, not HN, but still they used the phrase 'honey pot for hackers'. The 'for hackers' part is what makes the whole phrase misleading. It's as if they said "Physicist says gravity is only a theory": A physicist would never use the word 'only' there, even though a non-scientist might. The word 'theory' means something very specific to a scientist but its meaning is a lot looser to a lay person.
I really get tired of non-security people entering a security discussion to redefine known security terms to fit some irrelevant personal emotional familiarity. Worse is when you point that out suddenly people are somehow greatly offended.
The way the term is used is correct in the article. Security people use it based on the common definition; it's just that in security it is assumed that it is with the intent of trapping the person going for the honey.
I agree that domain specific terminology, general language and another domain's language is confusing.
I'm sure a developer at a toy company and management could get confused by a conversation about models.
Doesn't mean either of them are right. Language is frequently ambiguous and we avoid it internally in our domains where possible.
When I read the title, I read it as though these reward programs were stings used to catch black hat Hackers. The purpose of language is to communicate meaning and this headline fails to do so properly.
Honey pot (and honey trap) have been used in espionage, and related fiction, where a target is seduced sexually. The infosec version of this is essentially the same approach though.
Also it's been used to describe vaginas and male sex toys.
noun: honey-pot
1.
- a container for honey. "an earthenware honeypot"
- an enticing source of pleasure or reward. "massive increases in government purchases became a honeypot for the unscrupulous"
- a place to which many people are attracted. "the tourist honeypot of St Ives"
2. VULGAR SLANG
- a woman's genitals
I guess the definition we are used to is the metaphor "an enticing source of pleasure or reward."
But with the added nuance that your intention is to trap the enticed in honey...
Because most loyalty points don't convert to US dollars...
They have a USD/EU value equivalent because they need to for legal reasons but most companies will not honor requests to convert your points to dollars, and the fine print in their loyalty program T&C has language to that effect. They will only let you convert those points into their own goods or services.
(Credit card loyalty points are different, but they're also subject to regulation.)
Especially given that most companies take advantage of these programs and hurt customers, e.g. by diluting what you can do with a certain amount of previously earned points.