Ask Slashdot: Dealing With Companies With Poor SSL Practices? 141
An anonymous reader writes Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed-up to buy something from [an online vendor] and upon completing signup through HTTPS, was sent my username and password in plain-text through e-mail. This company has done everything in its power to avoid being contacted for its poor technical practices, including using GoDaddy's Domains By Proxy to avoid having even WHOIS information for their webmaster's technical contact from being found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?
what? (Score:1)
Your purpose in life is to service the corporation. Buy our shit. Keep your mouth shut.
Your comments are insubordinate, vassal.
Re: what? (Score:2)
not your problem... (Score:3, Insightful)
Use an online review tool. Like say google. Then put your grievance there. They do not want to know, well just put your sticker up then move on and do not deal with them anymore. It is not your problem to fix.
Yes there are *many* things on the internet that are broken. Yes you will find people who go 'oppps my bad' and fix it. You will also find many who *do not care*. They never will. You cant fix stupid.
Re: (Score:2)
Use an online review tool. Like say google. Then put your grievance there.
Also, name names. Why is the offender listed in the summary as "an online vendor" rather than just naming them. Why do they deserve anonymity?
100 times this!!! (Score:3)
It drives me bananas when people write posts like this and I see it online alll the time. Unless you care more about some corporation than your fellow consumer, NAME NAMES! There is essentially ZERO reason for a company to change practices other than bad PR, and you can't create that without naming them.
Re: (Score:2)
Re: (Score:2)
Re:100 times this!!! (Score:5, Informative)
It looks like this is more of a competitor trying to sabotage them, rather than a legitimate complaint. Yes, Slashdot could have gotten in trouble for running it. Honestly, they should have seen it, did the difficult step of "Look at the site first" and realized it was a non-story.
He's bitching about not being able to contact the company, yet http://kahntools.com/contact-us [kahntools.com]
Address
6320 Canoga Ave. Suite 640
Woodland Hills, CA 91367
Phone
Office: (818) 884-7000
Toll Free: (855) 585-7500
Fax: (818) 530-4249
Hours of Operation
9:00 a.m. - 9:00 p.m. Eastern Time
Monday â Friday
Email
Customer Service: sales@kahntools.com
General Inquiries: support@kahntools.com
and I found separately through the magic of g00gle...
https://www.facebook.com/kahntools [facebook.com]
Re: (Score:2)
That's you and me. I have something somewhat legitimate in there. I'm also sure you're aware that domain registrar information is rarely changed in a timely fashion, even though they're sending out the yearly reminders to make sure your information is right.
The whole registrar proxy thing is easy money for them. As I recall, they have verbage on the page that strongly recommends using it, implying it's for the safety of your domain.
I've frequently seen that the registration itself is handled by an accou
Re: (Score:2)
I am reminded of many years ago, Sprint (my cell carrier) emailed me my new password when I changed it online.
I called them to ask them to review this practice and not email me my new password. The helpful rep explained to me, "Don't worry. We only send it to your email, and your email is secure."
I responded, "Um, no. It's my email, and I'm telling you it's not secure. There is no reason for you to email me my password."
They just kept repeating, "Don't worry. Your email is secure."
I called again and got sim
Re: (Score:2)
What really gets me is when a site can send me my current password. Sending a new password over email is a much more limited security issue, one I can accept for certain classes of websites.
Re: (Score:2)
Especially when they immediately make you change it.
That should be after clicking on/entering a link in the browser that takes you to a password reset prompt. There is no excuse to send a password over e-mail, encrypted or otherwise.
Don't Do Business With Them (Score:5, Insightful)
EOM
Re: (Score:1)
Yes. That.
And, why the PHq is this even on the front page ?
-- kjh
Re: (Score:2)
EOM
...ironically you post this on Slashdot...
Re: (Score:2)
And solve nothing. Given the amount of identity theft in the news, combined with companies offering credit monitoring automatically, the potential for harm is basically self-evident today.
If the account allows access to personal information, including financial information, then you have a clear lawsuit and, with the right lawyer, are likely to win.
If the site account allows control of the financial account, such as a saved credit card being able to order products, then you can demonstrate the potential fo
Re: (Score:2)
>"Don't Do Business With Them" is terrible advice, because it helps exactly 1 person.
If it's me choosing not to do the business, then I'm that one person, which is perfect.
Shop elsewhere... (Score:5, Insightful)
There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.
Re: (Score:3, Informative)
This, and ALWAYS generate a random password for each account so that the risk of exposure is limited to the one service.
Re: (Score:2)
While that helps prevent your credentials from being used on other sites successfully, that doesn't do much to protect your credit card information. If they are that lax and don't care about your user credentials, what makes you think they don't just store everything plain text in a database just waiting to be compromised?
Re: (Score:2)
Re: (Score:2)
Credit card fraud really doesn't hurt you much, provided you keep an eye on your statements. If you see a fraudulent charge, dispute it and ask for a replacement card.
Don't get a new card---get a new acc't no. (Score:3)
Re: (Score:2)
Amex will provide single-use numbers for untrustworthy vendors. They purportedly will also do single-vendor numbers, so if you give such a number to a particular vendor, anyone who steals it will have it bounce.
I've tried to confirm the latter, with no particular success.
Agreed, single-use numbers and Paypal FTW (Score:2)
That also reduces the ability of the company to coordinate your purchasing information (though your name and address are probably relatively unique, unless you also use single-use versions of those, like random apartment numbers for your house.)
Somebody else also recommended [slashdot.org] using PayPal for sites that you don't want to trust on a regular basis. Any place that you don't trust, or that you think might be lax about security, or that you're not planning to use repeatedly can get by with that.
Re: (Score:2)
I smell a business opportunity for an anonymizing postal service! Go to their site to create a fake (but real-looking) address, give that to the shipper, and have the package delivered to your real address.
Re: (Score:2)
Use bitcoin.
Re: (Score:3)
Re: Shop elsewhere... (Score:1)
DIstance Selling regulations in UK have been superceded by Consumer Contract Regulations as of 13th June 2014. it does not provide for a cooling off period for services where the consumer has agreed to provision of those services before completion of a minimum 7 day cooling period except where the provider has failed to provide information in accordance with the regulations.
more info see : http://www.which.co.uk/consume... [which.co.uk]
Re: (Score:2)
There is some truth in that, but a lot depends on the exact circumstances. For example, in some cases, the default position is now that the provider musn't actually provide until the end of the 14 day cancellation window, and if you want to get around that then various explicit acknowledgements are required from the customer about immediate supply and giving up the right to cancel once provision has started. Moreover, if the provider gets any of this stuff wrong, the penalties can be heavily one-sided in fa
Re: (Score:2)
Re: (Score:2)
Actually, that is a lot that you can do.
There is an apparent desire to leave a grievance, but if the company cared what potential customers think, they would include a suggestion box and actively solicit comment. If they went out of their way not to have a contact, it means there is nothing say-able to them; even if you had access.
Choosing where you spend your money is 100% of the choice you have about what business practices to support. Nobody cares what you think, including companies you give your money t
Re: (Score:2)
Actually, that is a lot that you can do.
There may be a lot you could do if your time is not worth much and you like to be ignored... If these people were interested in security, they would not have this drop dead amature code issue. If their management does not care and their web guys do not care, you can bleat at them until we put a man on Mars, they will ignore you or worse, put the lawyers on you.
By the way, nobody pays attention to BBB ratings when shopping on-line (or anywhere else)
Just walk away.
Re: (Score:2)
By the way, nobody pays attention to BBB ratings when shopping on-line (or anywhere else)
It can influence new business credit, and investment value. It is actually a big deal. It is certainly true that customers rarely check it.
Re: (Score:2)
There's a widespread belief that a good BBB rating means that the company pays enough money to the BBB. It's really not an independent ranking.
Re: (Score:2)
A belief existing is not a convincing argument that it is correct, or even that it is widespread. Doesn't the tinfoil chafe?
Re: (Score:2)
You don't want tinfoil; there was an MIT study that found it concentrated certain wavelengths.
Contrast the BBB with Consumer Reports. Lots of people check the one that's independent of businesses, and few people check the one that's funded by businesses.
Re: (Score:2)
Contrast the BBB with Consumer Reports. Lots of people check the one that's independent of businesses, and few people check the one that's funded by businesses.
I don't think anybody disputes that consumers check Consumer Reports and not the BBB. But a banker doesn't consult Consumer Reports at all when deciding on a business loan; they do check BBB. Also, a poor BBB rating increases the likelihood of fines if you're found to be out of compliance with some other (unrelated) regulation. As a business owner there are lots of reasons to care about the BBB rating, and numerous situations where a bad BBB rating that contains real complaints will screw you. If you are on
Re: (Score:2)
Bingo! This is your only real recourse. Also, change your password and if possible lock or delete your account with them.
Re: (Score:2)
Name them and shame them... (Score:1)
...and then vote with your feet; shop elsewhere!
Please shame whomever it is (Score:3, Insightful)
Please don't hide whom it is that I might accidentally do business with. Nothing is going to change just sending them an email, they may even go after you for doing so. However you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.
First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.
Re: (Score:2)
And make sure that that password manager is only able to run locally and NEVER transfer your password file, even though it's encrypted, via a non-secure means. If you have it on a mobile device make sure your device settings prevent it from being uploaded to a server that you do not own.
So contact them anyways (Score:2)
Then contact them using their DomainsByProxy contact info. Yes, companies, lots of companies, use that, in order to have a level of privacy. That's OK - it still gets to them, you just don't have the contact details yourself. Contact them via email and they can see it just as much as if you had their direct email address. Either they care or they don't.
Plain text e-mail... (Score:5, Informative)
Re: (Score:2)
Re:Plain text e-mail... (Score:4, Insightful)
IM networks are not safe either. Most of them use communications that are funneled in some way through some server or store client side message logs by default. A lot of them are not even encrypted at all.
Re: (Score:2)
IM is a pain in the ass. Of any group of three people or more I want to send a message to, it's dead certain they're not all on the same IM network.
It's a nice theory, but it's nowhere near universal. Email is.
Re: Plain text e-mail... (Score:1)
No, I have to remember which people won't reply to emails just like I have to remember which im network each person uses. Worse, some people do use email but only on their PC and not on their phone so replies can take hours or days. With im I know whether my "missed the train, so I'll be 30 mins late" message was read; they've no need to reply.
Re: (Score:2)
And I know people who use IMs on their PC but not their phone. An IM doesn't necessarily get read any faster than an email.
None of the IMs I've used will actually tell me a message is read. It'll let me know if it fails to deliver, but that doesn't mean Jim is actually at his desk and saw it.
I wasn't claiming there aren't uses for IMs.
My claim was that email isn't useless.
Not everyone's use case is the same as yours.
Re: (Score:2)
The email point wasnt about the email being plain text as much as them sending his chosen password in plain text, which means they store it in plain text...
They may or may not store his password as plain text. It's possible that the e-mail was generated dynamically when he entered his password in some form, while the password was in memory. They still might have used some kind of hash for permanent storage.
Re: (Score:2)
Storing authentication credentials in a retrievable form anywhere is stupid, even in memory. Kerberos has been around for decades, and it eliminates the need for a password to exist in memory as soon as it is hashed.
If Kerberos is not practical for a particular application, the same principles can be used in proprietary authentication mechanisms.
A plaintext password should never persist. Period. It is the result of a stupid decision somewhere, and we have known better for a long, long time.
How much time did you waste on this? (Score:1)
You are using unique passwords for all of your sites right, because that is good security practice. Also, if you think someone is reading your email you might want to stop using email because your provider must be insecure. Just about every site on the internet will let you reset your password (by giving you a key/link/password which are all the same thing) via email, the security of your email is the weak link in the chain.
Since when is using private registration something to bring out the pitchforks for
Re: (Score:2)
ince when is using private registration something to bring out the pitchforks for? You are the same guy that would be arguing for that privacy if you worked for the company, which you don't. Go outside.
Not the submitter, but I have no problem with requiring businesses to have a way of contacting them using valid registration info. Reputable businesses will want to be contacted when there's a problem, so they can fix it and STAY in business.
Eventually we're also going to have to have a way to verify people's online identities to help prevent frauds (Nigerian scams, etc) and abuse. People say things online that they wouldn't dream of saying in real life.
Re: (Score:2)
: People say things online that they wouldn't dream of saying in real life.
That is a good thing. If you lived in Uganda, your post would endanger your life, unless it were anonymous and untraceable.
Re: (Score:2)
Not just unique passwords, also use unique email addresses (eg register your own domain and use an address which includes the site name), that way you will be able to tell if a company has a breach which results in your email address being leaked to third parties, or if they sell your address intentionally.
And a lack of easily available and valid business contact information is actually illegal in many countries...
This is not a SSL matter (Score:5, Insightful)
Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.
Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.
I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.
Re: (Score:2)
Your issue is apparently with them sending your password by email... Can you reset it?
Many sites will auto-generate a password and send it to you (I don't like this), and you should always reset such passwords. Indeed, many sites that do this require you to reset on first log-in.
Always pay for on-line purchases with a credit card, as you can dispute fraudulent charges, and credit card companies have pretty decent fraud detection algorithms.
I know people here will not like this: Using a random pass on every site is not realistic for most people, but you could have permutations such as a decen
Re: (Score:2)
Re: (Score:2)
Re:This is not a SSL matter (Score:5, Informative)
Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.
I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? Isp? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and login with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly login using one or the other (resetting the password each time), and of course they complain about losing their settings.
So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.
So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to login without using the FB login button, trying instead to login with their email address and a password (which is probably their FB email and password anyways). Less people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.
So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
But still there was a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to do mistakes.
So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.
Re: (Score:2)
So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
The Stack Exchange network has a similar feature. Each user can associate a Facebook account, an e-mail address and password, and multiple OpenID identifiers (Google, AOL, Ubuntu, etc.) to his Stack Exchange user account. The one thing I'm surprised they don't support is Twitter login.
Re: (Score:2)
The one thing I'm surprised they don't support is Twitter login.
Have you tried it? It's horrible compared to the other providers. In my experience, ease of use of the authentication api is the following:
1) LinkedIn
2) Google+
3) Facebook
4) Windows Live
5) Yahoo
6) AWS Cognito
[...]
2147483647) Twitter
There are others players, like Mozilla Persona, Path, etc. but I haven't tried them.
Re: (Score:3)
Re: (Score:2)
Wrong. Between hashing and clear text there's a whole lot of encryption options.
There are situations where it's perfectly valid to store passwords in an encrypted format (as opposed to a hash). As an example, a lot of people use Keepass to store their billions of uid/pwd, and this is completely acceptable (as long as the master password is decent). There are also situations where systems integration must be performed without single sign-on. There are database connection strings, stored in config files. And
Re: (Score:2)
There are also situations where systems integration must be performed without single sign-on.
And even with single sign-on, there are situations where a system participating in single sign-on needs to store a "client key" and "client secret" for something like OAuth.
Re: (Score:2)
Re: (Score:2)
Duh. What you suggest shows a serious lack of experience because in many situations this can't be implemented, full stop. As an example, if one does not have access to single sign-on, it's basically impossible not to use passwords that are stored somewhere if more than one system must interact, unless they all support certificate authentication, which is not frequent. And in complex systems there's not always some dude waiting in front of a computer, ready to punch in a password to let a scheduled job run.
S
Re: (Score:2)
You seam to talk about something complete different from what the article is about. This is about a web store storing end users passwords in clear text in their database, not your internal system for employees or what ever. For a web store there is no reason what so ever to use the customer provided password for anything other than authenticating the user for the web service, all other access deeper in the system should use credentials set up between these services.
And even for you set up there is no reason
Re: (Score:2)
Because very few SMTP servers *require* the use of SSL. Some will use SSL if available, but fall back to plain text otherwise, and also usually not check the certificate. Many mail servers still don't enable SSL at all and plain text email is frequently sent across the internet.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Have you encountered a site savvy enough to email with encryption and dumb enough to email you a password as opposed to a secure link? I haven't.
Don't shop there (Score:4, Insightful)
Pretty simple: don't shop there.
You ignored multiple red flags, yet you are surprised when they email you your password? (Which, of course, as others have pointed-out, has nothing to do with SSL.)
Any one of these looses any company my business:
- Expired, non-matching, self-signed, localhost, example.com, etc. etc. SSL certificate
- Domain proxy registration (companies should not have "privacy")
- Hide contact information
- mailed me my password
- doesn't offer payment choices, only one payment type
Re: (Score:2)
Actually, checking DNS records isn't the first thing I do, but I do if I am suspicious.
First thing is a simple Google search:
"XYZ scam"
Where "XYZ" is the company I am researching.
As well, I will trust Amazon and Ebay resellers with a good reputation.
If I have to deal with some unknown company, I will usually check them out to some degree. I've never been burned in terms of paying for a product that I didn't get, or getting something other than what I'd expected, getting a non-wo
Hacking (Score:3, Funny)
If their security is so bad, you should be able to hack into their network.
Once you've done so, post the story of the hacking on the internet.
Nothing like public embarassment to make them clean up their security practices.
Re: (Score:3, Informative)
If their security is so bad, you should be able to hack into their network.
Worst possible advice. There is the risk of jail time, There is severe risk of being taken to court for damages, which is expensive if you win, and really, really expensive if you lose. Which is likely if you hack into their network.
And anyway, what the OP described is blatant disrespect for the security of their customers. That doesn't mean their own stuff isn't protected.
More sites like this for banks ... (Score:2)
These sites grade banks for online security
http://blog.codacy.com/2014/04... [codacy.com]
https://deekayen.net/bank-ssl-... [deekayen.net]
3 Quick Fixes (Score:5, Insightful)
1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.
2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.
3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.
Re: (Score:2)
Dealing With Companies With Poor SSL Practices? (Score:2)
This one's easy: don't.
If they're not taking security seriously, that's a bad sign and you should reconsider giving them your personal information. If they're actively trying to hide their own contact information, that's a huge red flag and you'd be crazy to do business with them.
There's no need to overthink this. This is the internet equivalent of the shady guy selling Armani suits out of a stolen car (actually happened near me, recently). Just avoid shady businesses.
Here's a start (Score:2)
Become a tinfoil-helmet-wearing-minimalist (Score:1)
The sad part is they call a lot of the defacing "hacks" when the company has a digital equivalent of leaving customer data on their front porch with a neon sign saying "Free Credit Card w/SSN Here!"
The "security" we're calling for would be more accurately described as, "stop putting accountants in charge of IT security."
Change the mindset from Risk Management and cost control.
I wonder what the OP was buying that can't be found on amazon.com though?
Ask yourself (Score:2)
What are the actual risks? Just how likely is it that someone will breech your email and what would the consequences be? What would you suggest as an alternative means of delivering both password and password changes?
Consider that if the lost password procedure involves email, then there is no security benefit to keeping passwords out of email (the key to getting a valid password is just as harmful as the actual password if it leaks).
Re: (Score:1)
Re: (Score:2)
If they're storing the passwords in clear text, that's not good. However, they could be assigning random passwords and only storing the hash after they send it via email to the user. There's just not enough information to say.
Agreed that security questions in addition to the usual click lost password and they send you a unique URL to navigate to is a good idea and considerably improves the security of password recovery as long as the answers to the security questions aren't easy to determine from looking th
Had a couple of companies email me passwords (Score:2)
Re: (Score:2)
And the author of that one *also* does not name the offending company.
Raising the issue in a vacuum is fruitless, because there's no general panacea for corporate security stupidity. Other users won't know until they receive their passwords in the mail that they've opened an account with a company that should be marked "Fail".
So mark them. Here's a good place to start, and the above blogger should have done it also. Otherwise you're just blowing off steam.
This is not poor SSL practice (Score:1)
You described something having to do with poor password practices. SSL has 0 to do with the subject at hand.
Name and shame... (Score:3)
There really isn't much else you can do, publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.
Postal Letter to the CEO (Score:2)
When I have a problem dealing with a U.S. company over the Internet, I go to http://finance.yahoo.com/looku... [yahoo.com]. This site will tell me the names of the top executives and the corporate postal address of a company whose stock is publicly traded, even on the most obscure exchanges. If the company's stock is not publicly traded, I then resort to Google. Sooner or later -- yes, with some effort -- I find out who is in charge and where to mail a letter.
I compose a non-threatening, literate letter to the CEO o
Even some techies don't grok SSL (Score:1)
I was a high-level consultant recently for a mid-sized startup with many thousands of users (including some celebrity types) and a platform that spanned web, mobile web, web service APIs, CDNs, and mobile apps.
I interfaced directly with the CEO, who was quite tech savvy. But every time we would get JSON, AJAX, or cross domain type problems, as I would be directing troubleshooting to fix things, he would go into the code and turn off SSL to fix them, and then say to me to get back to other work. I kept expla
Prepare to leave the country (Score:2)
Exposing IT malfeasance can be _very_ dangerous, especially if you have a professional relationship with the company whose behavior you wish to expose. It leave you vulnerable not only to termination, but to vindictive lawsuits, "SLAPP" or "Strategic Lawsuits Against Public Participation", blacklisting, and even criminal activity. There have been some very famous cases of this, especially by governments for politically sensitive issues. The currently infamous case is Edward Snowden, but I've certainly seen
Simple ! Never share personal info! (Score:1)
http://popularbloggingtopics.c... [popularblo...topics.com]
Re: (Score:2)
email != unencrypted (Score:2)
I, for one, (Score:2)
welcome our "open-access" loving vendors. If I have sensitive information I want to remain secure, I make sure it's stored on Sony's servers
Stupidest complaint ever (Score:2)
Not even sure why I'm wasting time posting this.
Next time before you post stupidity, actually do a risk assessment. Too much 'security research' is concentrated on a single action, and people are having a REALLY hard time seei
Banks, ATMs and email receipts (Score:2)
Re: (Score:2)
whatever happened to: If you don't like the way a company does business, don't do business with them?
Monopolies happened. A lot of times, there are no compatible substitutes for a particular company's products or services despite the company's poor information security practices.