This might be bad for Xfinity. A lot of their customers may leave them for a variety of readily available competitors created by the dynamic free market economy.
Comcast is a total regional monopoly in most cities so I'm glad that cities that do invest in municipal/community broadband are taking matters into their own hands to combat this.
I think it is something to do with cabling deals Comcast did with local governments. Once Comcast lays the cables,
1. Nobody else gets permits to lay cables in that area. Governments can't even share the data about cable locations/network detail. You can ask, as a property owner, if it is around a specific location and they will say yes or no.
2. The agreements also prohibit local governments from laying out public cables, like roads.
3. Xfinity won't share that network with anybody else.
Customers are stuck with whatever Comcast does. These breaches have no meaning other than getting a check for $5-100 when they settle the lawsuit claims.
It can often be out of the municipalities hands. Cable companies are big enough to lobby at the state level, bypassing whatever the cities might try to do at a local scale.
Makes opportunities for 5G and other wireless providers to get some customers. It would be even better if this encouraged the wireless providers to provide better service.
Regional ISP markets are usually a monopoly or duopoly. If you're on Comcast, it's unlikely there is another high speed option out there for you (or if there is, the option is no better than Comcast).
A lot of Comcast customers in this audience are going to be on 500Mbps or Gbps plans. Starlink just can't meaningfully compete with these speeds. Most people in US cities will have two options, cable and either bonded VDSL2 or fiber from the telco. Both will be faster and usually cheaper than Starlink.
The main competitor in most cases, after the cable company and the telephone company, is LTE. Also faster and cheaper than Starlink in a suburban area, but in dense areas the speeds really suffer. I was on LTE home internet for a good while and enjoyed 100+ Mbps at night but only 20 during the day, due to living too close to downtown. Only $45/mo though!
Comcast/Xfinity is pushing DOCSIS 3.1 mid-split upgrades out with plans up to 2Gbps download and 200Mbps upload.
Competing with this using satellite or 5G Cellular is going to be difficult, both need more spectrum and an order of magnitude more hardware (cell towers or satellites) to reach those kinds of speeds.
I left the Comcast/Xfinity empire for the CenturyLink/Quantum empire about a month ago. There are other choices in my area too, but none that were fiber.
They're not too bad. I got gig symmetrical with no caps. I think Quantum is their "Okay, we're going to try" brand. FWIW, when I was a Network Engineer, CenturyLink was the gold standard to work with in terms of backbones.
The Lumen fiber support desk is quite easy to work with, if your Fiber+ or EIA/DIA circuit goes down they will generally answer the phone in 3 to 5 minutes, determine if it's on their side in another 5 minutes, and if so dispatch someone to fix it within a few hours.
CenturyLink accidentally told me they are about to run fiber in my rural area. We already have fiber through a small ISP that properly used its federal funding. Curious how many accidental fiber cuts this will lead to. Maybe they will help drive the costs down. Agreed that when talking to them I sensed old school telco which I used to be a part of.
Boondocks. Huey's speech on the origins of American corporate/"customer" dynamics in the Triangle Trade and exploitation of slaves and coal miners should have gotten them another Peabody.
Sarcasm or irony. Leaving Xfinity for what? In my part of town the only other cable choice is NULL. AT&T used to provide ADSL, and now even that has gone.
I know you're being sarcastic and that's fine, but the target of your sarcasm is incorrect. ISPs are very far from a "dynamic free market economy". Complex problems don't lend themselves to pithy internet commentary though.
Not surprising. When I worked for an Xfinity "Branded Partner" they played it fast and loose with security. During training, a trainer on equal level ranking as a national director told my class full of new hires we should all make our secure internal-use Comcast account password "E@sypassword1", and later in the class told us that if a customer forgot their phone in their car we should just bypass the 2FA completely. Why? Because there is a tracker on the door that tracks how many opens/closes, linked to the conversion rate. The conversion rate was considered more important than properly authenticating accounts. I'm pretty sure Comcast knows about this and does nothing. Needless to say, when I made my concerns known I was terminated the same day for "not being a good fit".
At one point in the early 2000s, Comcast's internal network wasn't internal. IIRC, everything (workstations, servers, printers, etc.) had a 24.x.x.x address with no firewall or other mitigations in place; you could directly connect to arbitrary ports on any corporate machine, from anywhere. And they weren't exactly on top of patching.
Comcast didn’t own 24/8, @Home did. Not sure if Comcast was part of @Home.
@Home was a coalition of cable providers who didn’t have the technical knowledge or funds to implement their own cable ISP. FWIW, when Comcast finally bought out our neighborhood cable co (mid-2005ish), we never got 24/8 addresses
Also throwing more water on your story, Comcast’s internal network was entirely 10/8 for a very long time. Around 2008 or so they went to ipv6 because they ran out of private addresses.
> On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems[1]
This reads like "we didn't patch until weeks after the vulnerability and patch were provided" but it's worded intentionally unclearly to deflect blame.
> Q: How will Comcast prevent another incident from occurring?
> A: We have robust security programs in place which help us to discover criminal activity such as this one
You have to love how their response to their own question is, functionally, "we won't prevent your information from being stolen, but boy howdy we'll sure know when it happens though!"
As a long-time disgruntled Comcast customer, I have to say none of this surprises me. But local monopolies mean my wallet doesn't really get a vote in this matter.
"The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four-digits of Social Security numbers, and their secret questions and answers."
Ah, yes, it truly gives me hope for the future of humanity when these hackers break in to a corporate database like this, have total access to all this sensitive data, and then, out of a sense of fair play and comity, run "SELECT * FROM customers LIMIT UNSPECIFIED" rather than just "SELECT * FROM customers". It's so nice of them to access only an "unspecified" number of customers' data rather than all of them.
To be fair, Comcast's database software is probably crap made by Oracle or something. It's not totally implausible that it crashed partway through printing the results of "SELECT * FROM customers" so the last X% was never sent.
You've got a single curl request to a web service that for magical reasons is running as root. There's no SELinux/jails/etc, and no logs written for this request.
Remember this next time someone wants to sell you a WAF: The Netscaler isn't some wiki application, one of the things it is sold for is specifically as a WAF.
I have yet to see a large scale hack on services hosted on Linux stacks using basic technologies like SSH. Whenever large companies get hacked and their technology stacks consist entirely of overvalued "security for midwits" enterprise software, I just groan. It irks me that my own information security is orders of magnitude more robust than a company worth many billions.
It is clear to me that security is theater to these companies, and that is why companies that resell TLS tunnels with 2000s technology bolted on like Citrix get away with charging so much. It should be assumed that there was no security to begin with. If you told me in 2 years that a foreign adversary had compromised all American companies since 2012 I would not even blink. It is more or less something I expect to eventually hear.
Maybe the entire class of services that can meaningfully be called "infrastructure" is a bad idea to make the exclusive purview of private, profit-motivated liability shields. Just spitballing
Sometimes we skip the congealing step and just establish a government-protected but privately-operated monopoly for a regional utility as a matter of course, and this is after decades of failure on the parts of most if not all of these monopolies when compared to similar-sized government-run utilities. Something has got to give
Remember when AT&T broadband customers across the USA had DSL modems from a mysterious company named 2wire?
And besides Ethernet and DSL jacks, they had an unused coaxial connection on the back, the kind that connects to TV cables, but it was not involved with their Uverse TV offering?
"You can tell a lot about a culture by its instruments."
Plus right around then, almost 20 years ago now, a consortium of internet communication companies formed the Home Gateway Initiative[0] whose original manifesto[1] is a technical document that could form the basis for achieving uniformity among the hardware suppliers and their firmware, especially when DSL was the top offering from AT&T and very few cable providers were any faster.
2wire modems bumped that up a notch for a while by pushing the physical limit for AT&T's aging network of symmetrical copper wire pairs, but Comcast's aging network of coaxial TV cable is still 30 to 50 years newer, plus with its cable having the outer grounded shield surrounding the sensitive data conductor within, it's physically capable of reliably carrying more data faster. Even though the entire cable infrastructure was far from symmetrical, more like a water faucet where content just pours out more so than could be pushed back up. At least the old POTS was a two-way communication network by design.
It was only a matter of time before useful cable speeds outran telco infrastructure, and back then I would expect 2wire to have focused on that coming date more so than anyone else.
2wire modems bumped performance up a notch for a while by pushing the physical limit for AT&T, but Comcast wasn't going to quit even though cable was a latecomer and missed the AOL boat that was made possible only by the old telco wiring.
All you have to do is read the non-technical first 13 pages of the HGI manifesto[0] to see the way that user flexibility was to be curtailed and completely replaced by "business requirements".
The final bullet point of the 13th page is what got me:
> The Home Gateway must support QoS both in the operator network and on the home network side when different simultaneous broadband services are used. In addition, the Home Gateway must support QoS on in-home flows.
Different simultaneous broadband services.
You mean like telco and cable at the same time?
What would that be like, and who would want that anyway?
I don't think customers would want to be paying two different ISPs, so the initiative must have been initiated by somebody else for some other reason, not disclosed.
One thing's for sure, AT&T was poised with their exceptional 2wire modems already in place, a single firmware change away from a merger with cable, not necessarily by starting out with some exchange of shares on Wall Street, but instead by connecting the networks from the bottom up, physically in your home(s). In a way that could have as significant an effect on shareholder value regardless.
Now what would that be like?
I can only imagine that to make the very best use of all infrastructure resources for all concerned, that sophisticated hardware/firmware could combine elements from all resources by all providers, at a price of course.
If you were an AT&T customer, IOW you responded positively to their sales "person", then you would expect to be provided your on-line service over AT&T infrastructure and pay only one bill to that single vendor. But the "perks" of the future could include a special arrangement between AT&T and local cable where their cable service would be connected to the AT&T modem at no additional effort or cost to the consumer, so that on those occasions where you (or others sharing your bandwidth in aggregate) might want to effectively download data way faster than the 2 wires of AT&T could provide, well, the dual modem would be able to temporarily switch over to the cable source seamlessly.
And likewise if you had responded favorably to the cable sales effort instead of telco, and the cable company wanted to provide you with more two-way or upload bandwidth than their infrastructure had at the time, then using the same type of modems AT&T could reciprocate by allowing cable companies to access AT&T's underutilized bandwidth, automatically on demand also.
For the most rewarding customer experience?
It would have to be by special arrangement like never before.
How could you get more convenient than a system that could automatically, with the help of QOS and stuff, provide the best that can be delivered to your exact premises regardless of whether a "competitive" service might have better performance for some types of data compared to others? Whichever provider you have they'll just generously lease any helpful infrastructure from the competitor as needed. Automatically, involving a sophisticated modem. As you go along. And resell it to you at a profit, even if you never see any sign of this on your bill if it did take place.
It's got to be rewarding to somebody.
Some would say that would be like having somebody's cash register in your house that you are paying for and were not ever aware of to begin with.
And it would kind of reduce to a battle of the salespeople who could duke it out after that.
Well, that didn't happen.
Then again the same 2wire hardware would have physically facilitated a more recognizable top-down merger if one would have materialized, and that didn't happen either.
I think 2wire spent more money than the company was worth, just trying to figure out what could be accomplished using the plain old unshielded wire pairs that their network to the premises consisted of. And was probably no slouch at more accurately determining what Comcast's infrastructure was capable of in the long run also, much more aware much earlier than Comcast itself.
Not exactly "their" network, rather AT&T's network.
After that Comcast started buying up everyone else.
2wire rode off into the sunset.
And here we are now.
Customer service worth the money has been smoothly bedamned by all providers, with consumers ending up as predicted in a certain type of hell.
This might be what a fly on the wall would be hearing at the hotel bar when a couple of executives run into each other after an early HGI meeting almost 20 years ago:
Comcast: "We have a network and streaming content to go with it, not you guys at AT&T WTF?"
AT&T: "Ha, we started as a monopoly and have always had seamless operation along with our divested subsidiaries ever since. We're everywhere."
Comcast: "Well, we'll get a monopoly and whacha doin' with a monopoly and not jacking up prices to the moon?"
AT&T: "OK, we'll deliver some content but can't we just call this whole thing off?"
2wire, a small player hidden in AT&T's pocket silently casting a voodoo spell: "Merge, merge, merge, ca-ching, ca-ching, ca-ching . ."
It didn't happen to a company at all. It happened to their customers. If the CEO faces criminal or civil penalties, or the company does, then it happens to the company.
What makes it worse is Comcast's quasi-monopoly status as a non-optional public utility with, in many areas, no competitors. Your only choice is to give away your secrets to a company which will manage them irresponsibly and then act like victims about it.
I enjoy pointing out that 1Password has a dedicated section for generating "security answers" using this same method (they allow "horse battery staple" style with variable number of words, although a minimum of 3) https://support.1password.com/generate-security-questions/
Yeah, I knew the Bitwarden army would show up. Let's compare, shall we?
# 1Password Steps
1. Tap Edit
1. Click "add more"
1. Click "Security Questions"
1. (optionally choose one of the common questions from a drop down)
1. click in the answer field
1. click Create a New Answer
1. Observe the prefilled battery-horse-stable-ish answer
1. Click Use
1. Repeat "add another question" as needed
1. Press Save
# Bitwarden Version 2023.12.0 (15279) Steps
1. Tap Edit
1. Scroll to the very bottom
1. Drop down the select widget under New Custom Field to select Hidden
1. Press the +
OK, cool, I guess, as there's no generation option on that Hidden Value field
1. search around and find "Generate" under the "View" menu, because of course it is (I'll meet you half-way on this one, since maybe a long-time Bitwarden user would know the command-G shortcut already)
1. Expand the Options section
1. Choose Passphrase
1. search for the "OK" button, realize there is no such thing, so use the Copy button to nuke whatever's in your clipboard when you started this process
1. Click Close
1. Click back into the Hidden field's Value text area which has mysteriously lost UI focus from that exercise
1. Press Paste
1. Click in the Name field and type the question the site asked you
1. Repeat as needed for other questions
1. Press Save
So, yeah, "akshully" one can do this with a vivid imagination and a piece of paper, too, but let's not pretend those two experiences are in the same universe as each other
Most people want to minimize the time it takes to resolve whatever issue has led to them being on the phone with support. Giving "bidah6shee8Dahkouju" as your mother's maiden name does not help achieve that.
Using a different made up mother's maiden name at each site is a good idea, but you can use short names that are easy to pronounce and spell for that to get the security benefits without drawing out the time you have to spend with support.
The part of the prompt that suggests it's the 15th of December is a GET param, which just means wherever this link was retrieved from is where that date is coming from.
The PDF could have been authored at any time.
Looks like the created date embedded in the metadata is as follows:
2023-12-18T21:21:19.000Z
Created with MS Word. But even that isn't definitive.
Logged in just now to see if I got the prompt to change my password (I did). The only mail I had waiting in my mailbox was identity theft scam phishing email.
But the password reset prompt was, and I quote, "As part of our commitment to you, Comcast routinely reviews and monitors account security. Please update your password to help protect you and your account."
No word about a compromise or anything, just corporate bland.
Also I got a kick out of their screen "obfuscating" my email to j***rf@jerf.org. Fantastic job there. (Anyone not quite sure what I'm getting at are invited to consider the domain name and my Hacker News nym and come to the obvious conclusion about the clandestine character hiding behind those three secret stars.) Now truly I am safe from those thousands of spams a year I get from spammers shoulder-surfing my email address. I really ought to do something about them. Their harsh whispers as they furtively read my email address into their phones for their accomplices to copy every time it's on the screen make it difficult to concentrate on work sometimes.
Yep, I remember being forced to change my password a week or two ago. It told me I had to periodically change it, which was weird because I've been with Comcast for many years and didn't remember ever being prompted before now.
Periodic reminder that these are just passwords too. They should be treated as such by users (generate random responses) and devs (hash and salt them).
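An added illustration of the "treat them like passwords" point, on the developer side: this is example code written for this page, not from any commenter, Comcast, or any password manager. Answers are normalized (case, whitespace, Unicode form) because they are re-typed or read aloud, then stored only as per-answer salted scrypt hashes, so the record can be verified but never read back to a support agent. The small word list and the generate_answer helper are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Optional

# Constructed word list for the demo; a real deployment would use a large
# list, in the "horse battery staple" style mentioned elsewhere in the thread.
WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon", "garnet",
         "harbor", "ivory", "juniper", "kelp", "lantern", "meadow", "nickel",
         "orchid", "pepper", "quartz", "raven", "saffron", "tundra"]

# scrypt cost parameters: 128 * N * r * p bytes of memory (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def normalize(answer: str) -> str:
    """Fold the variations a human introduces when re-entering an answer.

    Unlike a password, a security answer is usually typed from memory or
    spoken to an agent who types it, so case, surrounding/duplicate
    whitespace and Unicode compatibility forms are collapsed before
    hashing. The same folding is applied at verification time.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def generate_answer(num_words: int = 4) -> str:
    """User side of the advice: a random, site-specific passphrase answer."""
    return " ".join(secrets.choice(WORDS) for _ in range(num_words))


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Developer side: store the answer exactly as a password would be stored.

    Returns the record to persist: a per-answer random salt and the scrypt
    digest (hex), plus the cost parameters so they can be raised later.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_answer(record: dict, candidate: str) -> bool:
    """The only operation a stored record supports.

    A phone agent can type what the customer says and get yes/no; nobody
    can read the answer out of the database, because only the hash is kept.
    The comparison is constant-time to avoid leaking partial matches.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(normalize(candidate).encode(), salt=salt,
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    answer = generate_answer()
    rec = hash_answer(answer)
    print("answer (shown to the user once, kept in their password manager):", answer)
    print("stored record:", rec)
    print("retyped with different case/spacing:",
          verify_answer(rec, "  " + answer.upper() + " "))
    print("wrong answer:", verify_answer(rec, "mother smith"))
```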
>They should be treated as such by users (generate random responses) and devs (hash and salt them).
I agree for tech savvy users it's prudent to treat them as passwords, but it doesn't extend to the general public. If they should be treated as passwords, what's the point of having them then? They're most often used in password reset flows. If it's a random string/phrase, they're basically useless in that use case. In what situation would you have the randomly chosen string for the security question, but not the randomly chosen string for the password?
They're just recovery codes by a different name and with a built-in hint. I could reset the password of half of my friends from what I know. For a random person, I could probably just use something like this https://www.fastbackgroundcheck.com/people/gavin-newsom/san-... and get almost all the way there.
As a user, if you want guessable recovery codes, that's fine. It's all in the threat model. The password for this account is very guessable. It used to be 000000. I don't care about any possible threat to it.
I don't think most users care much one way or the other. But they do sometimes lose their credentials and need a password reset and if the reset flow assumes you'll be able to answer those questions anyway, you're going to have a bad time.
In general, you don't want a forgotten password to be a "sucks to be you" situation or even a come to a physical office with two forms of ID situation.
Their purpose these days is to provide a way for anyone to reset your account credentials using public information or the answers to Facebook quizzes to find out your secret pirate name.
The point is, if you're answering these honestly, if an attacker knows your mother's maiden name and which hospital you were born in from attacking Comcast, now they can use this info to reset your bank password. If you had different answers on these different services, attackers are still at square one in terms of getting your bank info.
None for the end user! (Although I assume there must be some corporate career incentives or something for implementing security theater like this, since they keep doing it anyway.)
For people who want to retain the convenience, my suggestion is twofold:
1) Don't answer the question that was asked. Mentally translate it to a different question entirely. "Name of first pet" is always answered as "color of first car", for instance.
2) Make the answers full sentences, not just single words. If the answer you're providing is "color of first car", the answer shouldn't be "white", it should be "The color of my first car was white".
1. That is likely to exceed the maximum length allowed for the form fields you have to use to enter it on web pages or in apps.
You might find that on the page where you initially set it up the page silently truncated it to say 1000 bits, and that's what got stored on the server. But the page where you need to use it for password recovery handles 1500 bits, and the form in their app only handles 500.
So you cannot get it to work in the app no matter what, and can only use it on the recovery page if you somehow figure out that only 1000 bits are on the server and truncate to that yourself.
2. Some places use the same security questions when you phone support. The support person asks you one of the security questions and can read the answer from the database. They compare that to what you tell them over the phone.
You probably don't want to go through that with a random 4096 bit string.
Yeah, an easy way to own the security conscious is to call customer service and "authenticate yourself" by "answering" that you made the security response a bunch of random letters and numbers because you were in a hurry and were confused about the assignment.
I usually recommend disregarding the questions and filling in a common response for every field (with the current date or the name of the company or service, for instance), and writing it down.
No one except hackers or certain federal agencies would be able to compare the results of security questions across independent identity management systems.
> Periodic reminder that these are just passwords too. They should be treated as such by users (generate random responses) and devs (hash and salt them).
Unfortunately this is not how almost any business treats them; they are frequently used as challenge/response authentication over the phone, so using a random response or hashing and salting them doesn't work.
Authenticating a user over the phone is a major unsolved problem IMO, and responsible for a huge swath of modern account takeover issues.
Given this info loss from major companies, it is worthwhile to assume that your name, your phone number and the last 4 digits of your SSN are pretty much available to any actor.
For my part, I have put in a credit freeze with all three credit bureaus. I am wondering what else I should be doing.
Yes. And not just the last 4 but your entire SSN, and most or all of the data that Credit Bureaus maintain, such as date and place of birth, past places of residence, whether you own or rent, income, education, marital status, and on and on.
It's all been exposed, somewhere, by someone who didn't exercise due care for protecting it.
Until this data becomes a liability and not an asset that can be sold and exploited, it will continue.
It's all out there, tenfold. It's available to anyone who wants it enough.
I've had my identity stolen. The SSA office essentially does nothing to resolve it, they place the burden upon you as the victim to fix an unfixable problem. I didn't even bother. The whole thing is fucked.
Actually I'm pretty sure that all our social security numbers leaked in full since the Experian/TransUnion hacks. I have kept my scores frozen ever since then. It's a minor annoyance but I don't know why this isn't required now.
They've been leaked ever since they were shared with anyone other than yourself and the Social Security Administration. Any system using an SSN as a password is fundamentally broken - just the fact that a company can verify your SSN is proof that it's an authentication mechanism known to more than only yourself... (Ok, they could be hashing it, or at least the first five digits of it... but they're not.)
The issue with leaks like these is that for wealthy/powerful/notable people (ie targets of blackmail/extortion/threats/surveillance) their non-public residential addresses are now available, making the job much much easier for criminals who work offline.
This is why my ISP account at the house where I sleep (as well as all other utilities and services for the address) is not in my name, and does not have my phone number or email address on it.
You’re just one data leak away from people from the internet being able to show up at your house in the middle of the night with guns (or outsourcing same to the police with a swatting).
I spend a lot of time and money protecting against this type of attack. It’s annoying. There should be real, actual, criminal liability for putting people at risk like this.
Maybe if someone publishes the excerpts from these with everyone with the same residential zip code and last name as all sitting US senators, something will happen. Then again, when weev did that (with just email addresses), instead of going after AT&T who leaked the PII through simple negligence, they prosecuted the guy who downloaded it and alerted the press.
It’s almost as if everyone not wealthy enough to have staff/managers/shell companies is just expected to not have any privacy.
What is a "non-public" address? All addresses are public information. It is not at all clear what you're protecting and from whom; there is a distinct lack of a coherent threat model.
An address not known to be yours, one that is not associated with your name in public records, such as the one where you or your kids regularly sleep.
Everyone knows the address on your DL and vehicle registrations is basically public record, it’s sold to data brokers and is searchable. Same with any property held directly. This is why you have a holding company own the properties, and keep your name off the public records for the holding company.
Utilities might still be in your name, however, as not everyone knows how to obtain those under aliases or remembers to have their staff do it for them. They often want credit checks on a normal person for non-commercial service plans, or for residential addresses.
App location histories, mobile service location histories, Uber trip logs, food delivery order history, all of these are potential vectors for leakage, too.
There’s a big gap between “wealthy enough to be able to pay for some measure of privacy/safety for one’s family” and “wealthy enough to warrant spending salaries for three shifts of armed guards 24/7/365”.
Holding company owners don’t have to be public, only their managers (who need not have equity). You have to tell the IRS about the beneficial ownership but that’s not public record. The IRS, surprisingly, has been fairly good thus far about keeping private stuff private.
It’s not just data brokers who can search DL/vehicle data. It only costs a few bucks to access it. That’s their whole business model.
I know people who have been swatted, had their vehicles smashed, their children threatened, their houses shot up or vandalized or broken into, mail or packages stolen, et c. Fortunately I don’t personally know of any kidnappings or home invasions, but such an attack enables same for a sufficiently determined attacker.
People at risk like this either take steps to keep their residential addresses non-public, or hire 24/7 security forces, or both.
That's easy to mitigate, though, if you have money. Like the parent comment said all you have to do is buy all your property through a shell LLC (or Canadian equivalent), put all the utilities in the name of that LLC, and have your lawyer's lawyer file all the incorporation papers and it's very, very difficult to trace back the actual owner
The house is of course the collateral on the mortgage, and the offer was contingent upon my personal guarantee of the LLC’s mortgage. Of course, that would have been between me and Chase, which would keep my name off the public records - the goal of the whole holding company exercise.
Those are almost certainly not primary residences, they are likely not mortgaged by their owners (without a substantial rental business providing collateral, for example), and most states LLC records are completely public.
The records of the LLC’s managers are public, but not usually their beneficial owners (unless they are the same people).
The way to do it is to have your attorneys be the managers of your holding companies, then you can direct them (under privilege, afaik) to sign what you like. This is how I do it. Alternately if you have staff you trust and expect to have a long time (I don’t), they can be your holding company’s manager(s).
I wonder how many enormous breaches of so-called sensitive information it will take for infrastructural security to improve. Like I think at this point it's reasonable to assume that most SSNs are public information, and dates of birth arguably always were. Why do important services still use this as a final word authentication for any individual? Why is it legal for a person's credit score for example to affect things like mortgage applications, when these measures are permanently affected by identity theft that could happen to anyone at any time through the fault of one of any number of irresponsible companies that routinely hold enough information to impersonate someone to both the government and their bank (setting aside for a moment how fraudulent and irresponsible the practices of the aggregators of these scores are themselves).
Heh. Years ago I had a call with Comcast's CISO about them setting up a bug bounty program after I informed them about a leak of exposed information (sysadmin's home dir, with ssh keys and more). They told me that if they set up a bug bounty program like that, they'd effectively go bankrupt. So here we are. Not expecting them to go bankrupt from this, but it's sad to see how their apathy turns into actual harms.
You can already seek financial compensation through the tort system[1]. It just sucks right now because you have to demonstrate harm, which is hard. Having a law that's like "each breach equals $50" makes lawsuits go much more smoothly.
Indeed: if companies are to be treated as people, and we are to have a federal death penalty, corporate execution should be the result of breaches like this.
Why do you think that's the only way this can work?
When a bank fails, the FDIC typically facilitates new ownership over the course of a weekend. The workers still have jobs and the branches reopen on Monday. The top executives are out and the investors take a loss.
If it is impossible for any other company to take over the service than the company is too big in the first place and should be broken up or nationalized. The free market doesn't work without meaningful competition.
Well an obvious difference is that one directly removes executives who were responsible.
But sure, I'm amenable to a sufficiently large fine. Even just allowing class action lawsuits (despite their flaws) would be a lot better than the status quo.
I'm just saying that a "corporate death penalty" doesn't necessarily harm customers. A large fine that an entrenched monopolistic provider can just pass on to customers the same way they do other "compliance costs" doesn't really help much.
I'm not really sure what to think about this yet. I suppose Comcast has the consumer customer base, so when news like this breaks shade naturally gets thrown their way. But it's hard to fault Comcast for having NetScaler infra (which I guess was acquired by Citrix at some point? Don't quote me on that). 9 days to patch isn't really what I call blatant negligence (which is what I'd like to think would make me likely to terminate my contract). It's not always easy to just yank load balancers from your perimeter, especially if you have as large and probably ugly a perimeter as Comcast does. I'm sure that most people on this site had very little faith to lose in Citrix/NetScaler prior to this incident, so it's not a surprise there's little focus on them here, but as far as the consequences in any form, I really doubt Citrix/NetScaler will face enough punishment. It's also unclear to me exactly what the consequences of this data leaking are. Last four of my social? Well, my full social is already out there, thanks to Equifax (if no one else).
There's also the fact that a large number of companies were and still are being popped with CitrixBleed, ransomware has gotten in line for this ride, and I bet it will take 6+ months for 80% of vuln systems to be patched/purged. Again, 9 days?
Ars Technica's Dan Goodin has two articles about this (I've shortened them a bit):
Comcast waits 9 days to patch critical vuln
The latest high severity citrix vuln isn't easy to fix
Having worked for Comcast, I can't tell you how many times I brought up security concerns and I was told that they were doing better than ever before and it's a non-issue.
Idk which systems were hacked, but I worked on their innermost apps, and they were a dumpster fire.
we need to blame the failing party (Comcast here),
we need to make customer data outrageously radioactive,
so companies like Comcast try hard to avoid storing it...
This is just tinfoil hat speculation of course lol.
When this Citrix zero-day was disclosed to the public a few months ago, they mentioned nation-state actors.
It seems that Santa Claus is finishing up his naughty or nice list before rejoining the little lost island of elves with the rest of mainland North Pole.
Yet another reason to say "nope" when Yet Another Co. wants me to route my interactions with them through their app or web site, or give them answers to security questions, or ...