Four sig fig?
Well, at least we now know not to believe any numbers coming from them, because 4999 is either a marketing lie or a tale told by an idiot, signifying nothing.
Everything is insecure and everything is broken, exhibits A through Z:
Plastic surgery biz botches storage, leaks patient records
A software vendor specializing in record-keeping tools for plastic surgery clinics poorly secured a storage bucket hosted by Amazon Web Services containing hundreds of thousands of sensitive patient …
Every time I encounter such unwarranted precision, I am reminded of this exchange:
KIRK: Mister Spock, can we get those two guards? What would you say the odds on our getting out of here?
SPOCK: Difficult to be precise, Captain. I should say approximately 7,824.7 to 1.
KIRK: Difficult to be precise? 7,824 to 1?
SPOCK: 7,824.7 to 1.
KIRK: That's a pretty close approximation.
SPOCK: I endeavour to be accurate.
KIRK: You do quite well.
It's inevitable: talent and diligence are not universal traits. Everyone and their budgie now has an IT system facing the internet, and the talent is spread too thin. Add in the PFY scenario and offshoring things to countries where playing fast and loose with one's CV is standard practice, and it's surprising TITSUP doesn't happen more often.
I don't go trawling for vulnerabilities but it would seem the black hats are spoiled for choice and this sort of ecology keeps most vulnerable things safe. We have to see InfoSec as an ecology now.
I'd say that this is just a symptom of using the Cloud, where PHBs have decided that having their own IT people (admins and security) to safeguard things such as this is a burden and isn't required.
I deal with multiple customers, and this seems to be a depressingly common trend.
What is Emsisoft trying to do, be reasonable? That's not how you report virus damage at a country level. You speak of hundreds of billions, not a measly single billion. You're talking computer virus. It's Armageddon time, not beer o'clock. You're supposed to scare the bejeesus out of people, not deliver a school report.
Go back and put some pizzazz on those numbers. I want to feel the fear, you understand? FEAR.
I get reminded by my colleagues from time to time that sometimes we in the IT industry are more worked up about sensitive data than the public. An example: a friend who is running an experiment with an appropriately secure alternative to Facebook, no ads, no customer profiling, good server farms built by people who know what they are doing and rigorously tested. The catch is it's a subscription service, £70 per year. Uptake is low, as he expected. The conclusion is that to most people their personal data and that of their kids isn't worth £70 a year to protect.
Last week a friend enthused to me about his experience of having surgery. His doctor sent him for an X-ray, and by the time he got back to the consulting room the doctor was looking at the images on his personal tablet and phone. He got a rapid diagnosis, which pleased him immensely. I asked if he was in any way concerned that these images and his personal data had been transmitted over public networks with no requirement for him to give informed consent, or even to know what the security was like on this distribution of sensitive patient data. He didn't care, not one bit.
We get worked up about it, the customers don't seem to care at all.
"I get reminded by my colleagues from time to time that sometimes we in the IT industry are more worked up about sensitive data than the public."
Very much so. I get reminded of this every time I (mistakenly) speak to my boss/business owner about malware, browser security and, sometimes, even data backups.
I then have to hear him (self-righteously) rant that our data "doesn't contain anything important", doesn't contain anything sensitive, and "I'm wasting time" in the effort I place in securing the data. Never you mind the thousands upon thousands of man-hours spent in building the data, nor the dozens to hundreds of hours that must be spent to mitigate any data loss.
But he knows better :rolleyes: Luckily for (his) business I completely ignore his [childish] whining and continue to carry on with my data security policies.
It's not just privacy. It's lack of seamless interoperability with F. I've fooled around with alternatives to F, the lack of being able to talk to _anyone_ in my existing networks makes the effort...unsatisfying.
As I previously mentioned, I only use F at all because it is my primary means of communication for family, religion, and politics. If I can just get those sorted, I'll be off it in a New York minute...
...depends on the data involved....
Bank credit card data = meh, bank will cancel the transaction and reimburse me, send me a new card.
Dodgy dating site the wife doesn't know about (I will cite the breached list of registered emails from Ashley Madison - just the email address field mind you) - holy ****!!!!
Name and address from the adult mental health and addictions clinic site - ughh!!!
HEADLINE - Iran accused of hacking vulnerable VPN, RDP servers
ADVICE - Keep your external-facing remote-access systems up to date and patched, folks.
Yet the 'businesses' being hit are supposed to be providing 'secure' comms for their clients. We are STILL in a scary world, and we are STILL failing to learn from previous feck ups. Where will it end?
not nicely, that's for certain :o(
Biting the hand that feeds IT © 1998–2021