In another conference I was reading about a problem that was recently discovered where users could snoop on other TTYs. While reading that conference and some of the items after it, I was thinking to myself about how this was a poor way to discover that my password may or may not have been compromised. So, would there be any problems with staff notifying all of the users of possible security breaches? This way they could take whatever precautions they feel appropriate (i.e. change their password, check to make sure there weren't any logins to their accounts from strange IPs, etc.) I know it can be humbling or, for some, downright embarrassing to write a message disclosing these problems. However, I think the users would appreciate the heads up, and in the end trust the staff a lot more for doing so.
14 responses total.
That doesn't sound like a bad idea at all.
I agree that the users should be notified when there is cause for reasonable suspicion that security may have been breached.
California State Bill 1386 (SB1386) requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Does this mean users like munkey need to be notified if there exists the "possibility" of a breach? I'm not going to pretend to be a lawyer. What I will say though is that I believe the users deserve better than to hear about these things shortly after a fix was put in place rather than much later when the discussion just happens to be breached by a willing staffer.
people keep mixing up items and responses :(
i'd like to thank nharmon for entering this item. keep it up, braw.
thanks, scholar !
Re #3 - I would suspect that Grex is not under the State of California's jurisdiction. Of course, I'm not a lawyer, so I'm not qualified to say one way or another.
Another thought: I would hope Cyberspace, Inc. would take their own advice about not storing private data on the system, and keep members' information off Grex. :)
Member ID information is not stored on Grex, if that's what you mean.
So in the worst case, someone gaining hacked access to Grex probably won't gain anything in the way of member information. That's actually comforting to know.
re #7 That's a bad assumption if one considers the conducting of business with California residents as the minimum qualifier (i.e. somebody in CA uses paypal to buy a membership). This item really is about notifying the members and users of Grex about security concerns, isn't it? A corrupted password database should be enough of a security risk to let people know they should change their passwords, imo. I'm not saying the risk is high, but it is nonetheless never a bad idea to remind folks to change their passwords.
I think a note in the motd would suffice.
Yea, anything is better than nothing. Staff has done a good job, imo. I like this item anyways. I hope staff isn't insulted by suggestions.
TROGG IS DAVID BLAINE
You have several choices: