nharmon
Notifying users of security breaches   May 3 18:19 UTC 2005

In another conference I was reading about a problem that was recently
discovered where users could snoop on other TTYs. While reading that
conference and some of the items after it, I was thinking to myself about how
this was a poor way to discover that my password may or may not have been
compromised.

So, would there be any problems with staff notifying all of the users of
possible security breaches? This way they could take whatever precautions they
feel appropriate (i.e. change their password, check to make sure there weren't
any logins to their accounts from strange IPs, etc.)

I know it can be humbling or for some, downright embarrassing, to write a
message disclosing these problems. However, I think the users would appreciate
the heads up, and in the end trust the staff a lot more for doing so.
14 responses total.
cross
response 1 of 14:   May 3 18:21 UTC 2005

That doesn't sound like a bad idea at all.
mcnally
response 2 of 14:   May 3 18:32 UTC 2005

I agree that the users should be notified when there is cause for reasonable
suspicion that security may have been breached.
tod
response 3 of 14:   May 3 18:55 UTC 2005

California State Bill 1386 (SB1386) requires a state agency,
or a person or business that conducts business in California, that
owns or licenses computerized data that includes personal
information, as defined, to disclose in specified ways, any breach of
the security of the data, as defined, to any resident of California
whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.

Does this mean users like munkey need to be notified if there exists the
"possibility" of a breach?  I'm not going to pretend to be a lawyer.
What I will say though is that I believe the users deserve better than to hear
about these things shortly after a fix was put in place rather than much later
when the discussion just happens to be breached by a willing staffer.
naftee
response 4 of 14:   May 3 19:06 UTC 2005

people keep mixing up items and responses :(
scholar
response 5 of 14:   May 3 19:10 UTC 2005

i'd like to thank nharmon for entering this item.

keep it up, braw.
naftee
response 6 of 14:   May 3 19:13 UTC 2005

thanks, scholar !
nharmon
response 7 of 14:   May 3 19:25 UTC 2005

Re #3 - I would suspect that Grex is not under the State of California's
jurisdiction. Of course, I'm not a lawyer, so I'm not qualified to say one
way or another.
nharmon
response 8 of 14:   May 3 19:28 UTC 2005

Another thought: I would hope Cyberspace, Inc. would take their own advice
about not storing private data on the system, and keep members' information
off Grex. :)
aruba
response 9 of 14:   May 3 22:14 UTC 2005

Member ID information is not stored on Grex, if that's what you mean.
nharmon
response 10 of 14:   May 4 02:45 UTC 2005

So in the worst case, someone gaining hacked access to Grex probably won't
gain anything in the way of member information. That's actually comforting to
know.
tod
response 11 of 14:   May 4 16:17 UTC 2005

re #7
That's a bad assumption if one considers the conducting of business with
California residents as the minimum qualifier (i.e. somebody in CA uses paypal
to buy a membership).

This item really is about notifying the members and users of Grex about
security concerns, isn't it?  A corrupted password database should be enough
of a security risk to let people know they should change their passwords, imo.
I'm not saying the risk is high, but it is nonetheless never a bad idea to
remind folks to change the passwords.
nharmon
response 12 of 14:   May 4 18:29 UTC 2005

I think a note in the motd would suffice.
tod
response 13 of 14:   May 4 19:51 UTC 2005

Yea, anything is better than nothing.  Staff has done a good job, imo.  I like
this item anyways.  I hope staff isn't insulted by suggestions.
jesuit
response 14 of 14:   May 17 02:15 UTC 2006

TROGG IS DAVID BLAINE
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss