Yes, the security of Stratfor was unacceptably lax, and yes, getting mad is generally a waste of energy, but you can't legitimately compare the criminals who broke into Stratfor and committed credit-card fraud to a five-year-old who's gotten into the cookie jar. They are old enough to take responsibility for and be held accountable for their actions; a five-year-old is not.
And, unlike a five-year-old, they have the aptitude to pick specific targets and continue to do so. Tactics of a hack are secondary. Intrusion is intrusion, and whether or not they sneak in like a spy in a James Bond movie or just walk in the back door is far, far down their list of goals.
Can we get past relating them to children now? Many of them are professionals, and if we're lucky, will soon enough be ones who are running the next Stratfor. After all, folks like these guys founded the infosec industry.
Interesting, I hadn't thought along those lines when I wrote that because I was focused on how lax the security was, and not thinking about culpability. I updated the post with a note about that.
Like I said, I'd love to see legislative effort aimed at making this sort of negligence criminal; I have absolutely no legal background, so I have no idea if there's current legal ground to pursue.
They did store CVVs and expiration dates in addition to credit card numbers, so I'd imagine there's some sort of PCI violation going on.
Me too. I'm actually pretty pissed at Stratfor because it's a huge inconvenience.
Unfortunately, I used an email address that I use on other sites, so now I have to decide whether or not to create a new email account for everywhere else, which is extremely, extremely annoying. Luckily, I used a separate password for Stratfor (12+ characters).
Also, unfortunately, the cc was my main cc number, so that means I have to change EVERYTHING, which is a huge hassle.
I guess this means I just have to keep creating throwaway email addresses for every new service that I sign up for, which is turning into a management nightmare.
Why would you need to change your email account? As long as you don't have a compromised password, you shouldn't need to worry about it. The credit card number seems like your primary concern.
Or have people started spamming that list of emails (more so than every email address in existence gets spammed)?
Why should Lulzsec be held accountable and not the ignorant/arrogant developers of the Stratfor/Mtgox/PS3 sites?
Everyone, EVERYONE, should be using something like LastPass. It makes my life MORE convenient than when I used the same password for everything, and it's more secure because I have unique passwords everywhere.
As for credit card data, my understanding is that there are legal recourses for sites that store that data insecurely. Sadly, no one has taken my idea of an oauth style payments system where stealing a "credit card number" would be entirely meaningless.
For passwords, I typically use a Mandylion (http://mandylionlabs.com/products/token.htm). It has helped out quite a bit, the downside being I have to run a Windows VM for the token software.
All I'm getting is jargon overload from that page. I don't understand what that offers me over regular password generation/storage; besides, having to use a VM would pretty much mean no deal unless I'm missing out on some killer feature.
Stores 50 passwords at a max of 14 characters? I have many passwords over 20 characters and have well over 200 passwords stored in LastPass. LastPass also supports two-factor auth via Google Authenticator now as well.
I really feel like I must be missing something. It's a glorified notepad? With the ability to XOR the passwords with another string for additional "protection"?
Seriously, what is going on with this post? Why does everyone feel the need to downvote it? Even the reply from the parent poster is basically "yeah, there's not a lot of modern day use for it".
I swear to God, I get more unexplained, unwarranted downvotes in the last month on HN than I can possibly wrap my head around.
And now my original post too? What the fuck? Are there really this many people here who have no taste for discourse or downvote posts that they simply don't like (maybe because it implies they ought to be accountable for their own actions)? Does anyone care to explain why irresponsible sites shouldn't be held accountable, why it's excusable to use the same password everywhere, or why a friendly suggestion of LastPass is so out of line here?
Sorry, had to step out for some New Year's celebrations.
Long story short, I've had the Mandylion for several years, before LastPass came to be. It was the only solution at the time that offered automatic generation of passwords, automatically re-generating them after a configurable amount of time, and something I could take around with me between various machines at my university / work. Now, I could use LastPass, but I already have the Mandylion worked into my daily habits.
Anything that's a passphrase is something like a sentence out of a book or song, so I just remember the passwords for them. YMMV.