danielklnstein | 2 years ago

This is a boggling level of disdain for customer security - even putting aside the insanely low levels of data security, it's mind boggling that the website remained up for months after the disclosure, and that even after being taken down the vulnerability remained open.

Great post!

stcredzero|2 years ago

This is a boggling level of disdain for customer security

To be fair, this usually doesn't start as a boggling level of disdain. It usually starts out as 100% ignorance. It's how the people and the group respond to the negative feedback from experts and from reality, which brings in the disdain, even spiraling to boggling levels.

There are two deep lessons herein, rooted in game theory.

EDIT: In this case, op did everything right!

stuff4ben|2 years ago

Replace "ignorance" with "incompetence". This is an "I have no idea what the hell I'm doing" level of incompetence.

OtherShrezzing|2 years ago

Given that the password hasn't changed, I'd assume that there are exactly 0 sysadmins or software engineers working at this insurance company. A web app was poorly hacked together a few years ago, and just ticks over in the background. Nobody in the org knows about the exploit (and it's possible they don't have the capacity to understand the exploit).

Dalewyn|2 years ago

Sometimes it feels like the only way to fix these problems is for the(ir) world to burn once.

stcredzero|2 years ago

There's a serious problem with human beings. A very loud, emotionally charged warning used to work perfectly for us. "SABERTOOTH TIGER!" is obvious and it's useful for the warning to be delivered with such emotional force.

However, there's a problem when the severe danger is disguised by layers of abstraction and complexity and obscured by time. Even emotionally neutral warnings will trigger our psychological attack defenses in these cases.

Note, I'm not saying op did anything wrong. What I am saying is that delivering negative feedback about anything complex is itself a complex operation!

A security membrane which needs this kind of feedback to work correctly should be viewed as having a serious design flaw.

toomuchtodo|2 years ago

“We’re reaching out to negotiate for the decryption key.”

“There is no key.”