Linked by Thom Holwerda on Wed 6th Jun 2012 22:30 UTC
Privacy, Security, Encryption

Bad day for LinkedIn: not only did 6 million of their passwords get stolen and published online (as SHA1 hashes, but still), their iOS and Android applications uploaded your calendars to LinkedIn (after opting in, though). The Sensationalist Headline of the Day Award goes to Ars Technica. I guess everyone's starting to feel the sting of The Verge's fully deserved success.
Thread beginning with comment 521195
seanc7
Member since:
2012-03-26

I work in a financial company that must follow PCI and other standards. PCI is a pain, but when properly implemented and followed (key words) it reduces the risk of passwords being stolen. Even if they are, they're properly encrypted.

I understand your concerns about the financial industry; the thefts from Global Payments and the others in the last few years are scary, but it's because those companies are NOT following standards properly. Whoever did Global Payments' audit needs to lose their job. The auditing we're going through for PCI v2 is an even bigger PITA, but it's necessary.

Reply Parent Score: 1

Alfman
Member since:
2011-01-28

seanc7,

"I understand your concerns about the financial industry, the thefts from Global Payments and the others in the last few years are scary, but it's because those companies are NOT following standards properly."

I'm not sure you are understanding the point I'm trying to make. A proper cryptographic solution takes the merchants completely out of the loop when it comes to the security of consumer bank accounts.

The flaw inherent in credit card security still exists in 100% PCI-compliant businesses. No one within a company, no matter how trustworthy, no matter how protected the data is, no matter how secure internal encryption is, should have access to make arbitrary charges against customer accounts in the first place. PCI compliance is a band-aid on top of a fundamentally broken security model. Credit cards were a necessary evil when cryptography was impractical and networks were missing, but now we need to be looking away from that model to embrace cryptographically secure ones.


By the way there are several of us here who are more than happy to discuss the more technical side of encryption and what it has to offer if you are so interested.

Reply Parent Score: 3
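To make the contrast Alfman is drawing concrete, here is an added example that is not code from either commenter and does not model any real payment scheme. The customer authorizes each payment individually, binding merchant, amount and a one-time nonce, and the merchant only ever holds that single-use instruction; a card number, by contrast, is itself a reusable authorization that any employee or intruder with read access can charge against. For the sake of a stdlib-only example, a secret shared between customer and bank (HMAC) stands in for the public-key signature a deployed system would use; the names `authorize`, `Bank`, `settle`, `shop-42` and the message fields are assumptions made here.

```python
"""Per-transaction authorization, as an added illustration (hypothetical names).

The merchant receives a one-time, customer-authorized payment instruction and
never a reusable credential, so a merchant-side breach yields nothing that can
be charged again or for a different amount.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set, Tuple


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding of the fields the customer commits to."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def authorize(customer_key: bytes, customer_id: str, merchant_id: str,
              amount_cents: int, nonce: Optional[str] = None) -> dict:
    """Customer side: bind this merchant, this amount and a fresh nonce.

    The key is shared with the bank only (HMAC here stands in for a signature
    key the customer's device would hold); the merchant never sees it, so the
    merchant cannot mint or alter authorizations on its own.
    """
    fields = {
        "customer": customer_id,
        "merchant": merchant_id,
        "amount_cents": amount_cents,
        "nonce": nonce or secrets.token_hex(16),
    }
    tag = hmac.new(customer_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


class Bank:
    """Bank side: holds customer keys and balances, settles authorizations."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.balances: Dict[str, int] = {}
        self.merchant_ledger: Dict[str, int] = {}
        self._seen_nonces: Set[str] = set()

    def enroll(self, customer_id: str, balance_cents: int) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[customer_id] = key
        self.balances[customer_id] = balance_cents
        return key  # delivered to the customer's device out of band

    def settle(self, auth: dict) -> Tuple[bool, str]:
        """Accept an authorization submitted by a merchant, or say why not."""
        fields = {k: v for k, v in auth.items() if k != "tag"}
        key = self._keys.get(fields.get("customer"))
        if key is None:
            return False, "unknown customer"
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth.get("tag", "")):
            return False, "bad tag"  # forged, or a field changed after signing
        if fields["nonce"] in self._seen_nonces:
            return False, "replay"  # same instruction submitted twice
        if fields["amount_cents"] > self.balances[fields["customer"]]:
            return False, "insufficient funds"
        self._seen_nonces.add(fields["nonce"])
        self.balances[fields["customer"]] -= fields["amount_cents"]
        self.merchant_ledger[fields["merchant"]] = (
            self.merchant_ledger.get(fields["merchant"], 0) + fields["amount_cents"])
        return True, "settled"


def demo() -> List[str]:
    """Constructed scenario: honest charge, inflated amount, replay, forgery."""
    bank = Bank()
    key = bank.enroll("alice", 10_000)
    auth = authorize(key, "alice", "shop-42", 2_500)
    results = [bank.settle(auth)[1]]
    tampered = {**auth, "amount_cents": 9_000}  # merchant inflates the amount
    results.append(bank.settle(tampered)[1])
    results.append(bank.settle(auth)[1])  # merchant submits the same one twice
    forged = authorize(b"merchant guess", "alice", "shop-42", 1_000)  # no key
    results.append(bank.settle(forged)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `['settled', 'bad tag', 'replay', 'bad tag']`: only the instruction the customer actually issued clears, and everything the merchant holds afterwards is worthless to a thief. The same structure survives swapping the HMAC for a real signature; what matters is that the merchant's database contains nothing that can originate a new charge.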