[HN Gopher] Comcast says hackers stole data of close to 36M Xfin...
___________________________________________________________________
Comcast says hackers stole data of close to 36M Xfinity customers
Author : thunderbong
Score : 166 points
Date : 2023-12-19 17:14 UTC (5 hours ago)
(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)
| happytiger wrote:
| 0wn3d.
|
| Includes security questions and last four of social security for
| tens of millions.
|
| Couldn't happen to a nicer company either.
|
| Boilerplate response from them:
|
| https://assets.xfinity.com/assets/dotcom/learn/Notice%20To%2...
| tessierashpool wrote:
| it didn't happen to a company at all. it happened to their
| customers. if the CEO faces criminal or civil penalties, or the
| company does, then it happens to the company.
|
| what makes it worse is Comcast's quasi-monopoly status as a
| non-optional public utility with, in many areas, no competitors.
| your only choice is to give away your secrets to a company
| which will manage them irresponsibly and then act like victims
| about it.
| RajT88 wrote:
| "Starting today" - there's no date on that notice. But the URI
| suggests it was authored on the 15th. Apparently not released
| for 4 days?
| happytiger wrote:
| Admitting they suck at security is hard for monopolies. Be
| sensitive to their feelings man.
| stonepresto wrote:
| The part of the prompt that suggests it's the 15th of December
| is a GET param, which just means wherever this link was
| retrieved from is where that date is coming from.
|
| The PDF could have been authored at any time.
|
| Looks like the created date embedded in the metadata is as
| follows:
|
| 2023-12-18T21:21:19.000Z
|
| Created with MS Word. But even that isn't definitive.
| crazybLanKeT wrote:
| another reason to never answer those security questions with
| actual info.
| happytiger wrote:
| Or put your real birth date.
| AdamJacobMuller wrote:
| The primary reason being when you have to answer the
| questions over the phone.
|
| "What is your mother's maiden name?"
|
| "bidah6shee8Dahkouju"
|
| "Wait, what, that is correct how?"
|
| Every time I hear their confusion and shock, I get a bit more
| depressed that more people aren't doing this.
| tzs wrote:
| Most people want to minimize the time it takes to resolve
| whatever issue has led to them being on the phone with
| support. Giving "bidah6shee8Dahkouju" as your mother's
| maiden name does not help achieve that.
|
| Using a different made up mother's maiden name at each site
| is a good idea, but you can use short names that are easy
| to pronounce and spell for that to get the security
| benefits without drawing out the time you have to spend
| with support.
| amlozano wrote:
| Protip, use something like a https://diceware.rempe.us/#eff
| password with 6 words.
|
| They never seem to mind when you just say "litmus secrecy
| ruckus nest reason send", they don't even skip a beat.
| mdaniel wrote:
| I enjoy pointing out that 1Password has a dedicated
| section for generating "security answers" using this same
| method (they allow "horse battery staple" style with
| variable number of words, although a minimum of 3)
| https://support.1password.com/generate-security-questions/
|
| Like all good Bitwarden things, feel free to spit^W vote
| for a similar feature request
| https://community.bitwarden.com/t/security-questions-track-a...
| mhb wrote:
| KeePass, too.
| whatevaa wrote:
| Bitwarden has passphrase generation which can achieve a
| similar thing.
| scarmig wrote:
| An equally likely outcome:
|
| "What is your mother's maiden name?"
|
| "Oh, some random collection of letters and numbers... I
| think there was an a and a d in it?"
|
| "Ah, okay, what info or money do you want?"
| teeray wrote:
| > and their secret questions and answers
|
| Periodic reminder that these are just passwords too. They should
| be treated as such by users (generate random responses) and devs
| (hash and salt them).
| gruez wrote:
| >They should be treated as such by users (generate random
| responses) and devs (hash and salt them).
|
| I agree for tech savvy users it's prudent to treat them as
| passwords, but it doesn't extend to the general public. If they
| should be treated as passwords, what's the point of having them
| then? They're most often used in password reset flows. If it's
| a random string/phrase, they're basically useless in that use
| case. In what situation would you have the randomly chosen
| string for the security question, but not the randomly chosen
| string for the password?
| renewiltord wrote:
| They're just recovery codes by a different name and with a
| built-in hint. I could reset the password of half of my
| friends from what I know. For a random person, I could
| probably just use something like this
| https://www.fastbackgroundcheck.com/people/gavin-newsom/san-...
| and get almost all the way there.
|
| As a user, if you want guessable recovery codes, that's fine.
| It's all in the threat model. The password for this account
| is very guessable. It used to be 000000. I don't care about
| any possible threat to it.
| eli wrote:
| I don't think most users care much one way or the other.
| But they do sometimes lose their credentials and need a
| password reset and if the reset flow assumes you'll be able
| to answer those questions anyway, you're going to have a
| bad time.
| ghaff wrote:
| In general, you don't want a forgotten password to be a
| "sucks to be you" situation or even a come to a physical
| office with two forms of ID situation.
| teeray wrote:
| > What's the point of having them then?
|
| Their purpose these days is to provide a way for anyone to
| reset your account credentials using public information or
| the answers to Facebook quizzes to find out your secret pirate
| name.
| JohnFen wrote:
| For people who want to retain the convenience, my suggestion
| is twofold:
|
| 1) Don't answer the question that was asked. Mentally
| translate it to a different question entirely. "Name of first
| pet" is always answered as "color of first car", for
| instance.
|
| 2) Make the answers full sentences, not just single words. If
| the answer you're providing is "color of first car", the
| answer shouldn't be "white", it should be "The color of my
| first car was white".
| heax wrote:
| Just give your pet a random 4096 Bit string as name and
| you're safe, no need to add unneeded complexity.
| tzs wrote:
| There are a couple problems with that approach.
|
| 1. That is likely to exceed the maximum length allowed
| for the form fields you have to use to enter it on web
| pages or in apps.
|
| You might find that on the page where you initially set
| it up the page silently truncated it to say 1000 bits,
| and that's what got stored on the server. But the page
| where you need to use it for password recovery handles
| 1500 bits, and the form in their app only handles 500.
|
| So you cannot get it to work in the app no matter what,
| and can only use it on the recovery page if you somehow
| figure out that only 1000 bits are on the server and
| truncate to that yourself.
|
| 2. Some places use the same security questions when you
| phone support. The support person asks you one of the
| security questions and can read the answer from the
| database. They compare that to what you tell them over
| the phone.
|
| You probably don't want to go through that with a random
| 4096 bit string.
| JohnFen wrote:
| > Some places use the same security questions when you
| phone support.
|
| Fascinating. This is something I never encountered, so it
| never occurred to me that this might be done.
| willcipriano wrote:
| Yeah, easy way to own the security conscious is call
| customer service and "authenticate yourself" by
| "answering" that you made the security response a bunch
| of random letters and numbers because you were in a hurry
| and were confused about the assignment.
| dfxm12 wrote:
| The point is, if you're answering these honestly, if an
| attacker knows your mother's maiden name and which hospital
| you were born in from attacking Comcast, now they can use
| this info to reset your bank password. If you had different
| answers on these different services, attackers are still at
| square one in terms of getting your bank info.
|
| Honestly, I don't know if there's a point to having these
| questions. At least one security expert feels similarly:
| https://www.schneier.com/essays/archives/2005/02/the_curse_o...
| 12_throw_away wrote:
| > what's the point of having them then?
|
| None for the end user! (Although I assume there must be some
| corporate career incentives or something for implementing
| security theater like this, since they keep doing it anyway.)
| bri3d wrote:
| > Periodic reminder that these are just passwords too. They
| should be treated as such by users (generate random responses)
| and devs (hash and salt them).
|
| Unfortunately this is not how almost any business treats them;
| they are frequently used as challenge/response authentication
| over the phone, so using a random response or hashing and
| salting them doesn't work.
|
| Authenticating a user over the phone is a major unsolved
| problem IMO, and responsible for a huge swath of modern account
| takeover issues.
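
Added example (not part of the thread, and not any commenter's or Comcast's code): one way a developer could apply the "hash and salt them" advice above to security answers, using only Python's standard library. The scrypt parameters, the 256-character limit and the normalization rules are assumptions of this example; the sample answer is the passphrase quoted earlier in the thread, and over-long input is rejected rather than silently truncated.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed parameters for this example (not taken from the thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAX_ANSWER_CHARS = 256


class AnswerTooLong(ValueError):
    """Raised instead of silently truncating an over-long answer."""


def normalize(answer: str) -> bytes:
    """Canonicalize an answer so case and spacing differences still match."""
    if len(answer) > MAX_ANSWER_CHARS:
        # Every form must apply the same limit; truncating on one page and
        # not another makes the stored answer unusable.
        raise AnswerTooLong(f"answer exceeds {MAX_ANSWER_CHARS} characters")
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split()).encode("utf-8")


def _derive(data: bytes, salt: bytes) -> bytes:
    """Memory-hard key derivation, so a stolen table is expensive to guess."""
    return hashlib.scrypt(
        data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )


def enroll(answer: str) -> dict:
    """Return the record to store: a per-answer salt and the derived hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": _derive(normalize(answer), salt).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a candidate answer against a stored record in constant time."""
    try:
        data = normalize(candidate)
    except AnswerTooLong:
        return False
    derived = _derive(data, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Sample answer: the diceware-style phrase quoted in the thread.
    stored = enroll("litmus secrecy ruckus nest reason send")
    print(stored)  # no plaintext answer in the stored record
    print(verify(stored, "  Litmus  secrecy RUCKUS nest reason send "))
    print(verify(stored, "litmus secrecy ruckus nest reason sent"))
```
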
| washadjeffmad wrote:
| I usually recommend disregarding the questions and filling in a
| common response for every field (with the current date or the
| name of the company or service, for instance), and writing it
| down.
|
| No one except hackers or certain federal agencies would be able
| to compare the results of security questions across independent
| identity management systems.
| electrondood wrote:
| Can we just have financial penalties per compromised user for
| these companies already?
| gruez wrote:
| *statutory penalties
|
| You can already seek financial compensation through the tort
| system[1]. It just sucks right now because you have to
| demonstrate harm, which is hard. Having a law that's like "each
| breach equals $50" makes lawsuits go much more smoothly.
|
| [1] eg.
| https://en.wikipedia.org/wiki/2017_Equifax_data_breach#Litig...
| eli wrote:
| And it should be punitive. The point isn't just to compensate
| me for the harm I suffered
| jen20 wrote:
| Indeed: if companies are to be treated as people, and we
| are to have a federal death penalty, corporate execution
| should be the result of breaches like this.
| tedunangst wrote:
| As a Comcast customer, I'd be kinda upset if I woke up
| one morning and my internet connection was dead.
| evilduck wrote:
| As a Comcast customer, I assume this is already your
| status quo several times a year.
| eli wrote:
| Not the connection, just the company administering and
| profiting from it.
| gruez wrote:
| What do you think happens if the internet company is
| dissolved, all the workers are laid off, and all the
| assets are liquidated?
| eli wrote:
| Why do you think that's the only way this can work?
|
| When a bank fails, the FDIC typically facilitates new
| ownership over the course of a weekend. The workers still
| have jobs and the branches reopen on Monday. The top
| executives are out and the investors take a loss.
|
| If it is _impossible_ for any other company to take over
| the service then the company is too big in the first
| place and should be broken up or nationalized. The free
| market doesn't work without meaningful competition.
| gruez wrote:
| What's the difference between "corporate execution" and
| "large fine" then?
| eli wrote:
| Well an obvious difference is that one directly removes
| executives who were responsible.
|
| But sure, I'm amenable to a sufficiently large fine. Even
| just allowing class action lawsuits (despite their flaws)
| would be a lot better than the status quo.
|
| I'm just saying that a "corporate death penalty" doesn't
| necessarily harm customers. A large fine that an
| entrenched monopolistic provider can just pass on to
| customers the same way they do other "compliance costs"
| doesn't really help much.
| dfxm12 wrote:
| To keep with the same metaphor, death penalty trials are
| often long and drawn out. They are also rare enough that
| they often make the news.
|
| There's no way the company could be killed overnight, and
| one would have to be living under a rock to not hear
| about such a big business dying.
| supernova87a wrote:
| I propose that the fines be per piece of information leaked,
| and combinations of information:
|
| $1 for name
|
| $2 for address
|
| $3 for email
|
| $4 for phone number
|
| $5 for social security number
|
| --------
|
| _and multiply for combinations thereof_.
| jmclnx wrote:
| I can get behind this if you multiply the amounts by 100 and
| index it to inflation x 2
| cvalka wrote:
| Awesome
| vaidhy wrote:
| Given this info loss from major companies, it is worthwhile to
| assume that your name, your phone number and last 4 digit SSN are
| pretty much available for any actor.
|
| For my part, I have put in a credit freeze with all three credit
| bureaus. I am wondering what else I should be doing.
| mattwad wrote:
| actually I'm pretty sure that all our social security numbers
| leaked in full since the Experian/TransUnion hacks. I have kept
| my scores frozen ever since then. It's a minor annoyance but I
| don't know why this isn't required now
| chatmasta wrote:
| They've been leaked ever since they were shared with anyone
| other than yourself and the Social Security Administration.
| Any system using an SSN as a password is fundamentally broken
| - just the fact that a company can verify your SSN is proof
| that it's an authentication mechanism known to more than only
| yourself... (Ok, they could be hashing it, or at least the
| first five digits of it... but they're not.)
| SoftTalker wrote:
| Yes. And not just the last 4 but your entire SSN, and most or
| all of the data that Credit Bureaus maintain, such as date and
| place of birth, past places of residence, whether you own or
| rent, income, education, marital status, and on and on.
|
| It's all been exposed, somewhere, by someone who didn't
| exercise due care for protecting it.
|
| Until this data becomes a liability and not an asset that can
| be sold and exploited, it will continue.
| wimp wrote:
| It's all out there, tenfold. It's available to anyone who wants
| it enough.
|
| I've had my identity stolen. The SSA office essentially does
| nothing to resolve it, they place the burden upon you as the
| victim to fix an unfixable problem. I didn't even bother. The
| whole thing is fucked.
| CursedUrn wrote:
| Doesn't Comcast collect browsing history too? This data breach
| could be a big one
| 2OEH8eoCRo0 wrote:
| Who was the threat actor?
| hoofhearted wrote:
| I think based off the Citrix vulnerability alone, there is only
| one group to look at
| 2OEH8eoCRo0 wrote:
| And who would that be?
| hoofhearted wrote:
| Same folks behind the OPM hack
| happytiger wrote:
| Look, this isn't theater. Hackers aren't actors. Jeez.
| comcast192784 wrote:
| Not surprising. When I worked for an Xfinity "Branded Partner"
| they played it fast and loose with security. During training, a
| trainer on equal level ranking as a national director told my
| class full of new hires we should all make our secure internal-
| use Comcast account password "E@sypassword1", and later in the
| class told us that if a customer forgot their phone in their car
| we should just bypass the 2FA completely. Why? Because there is a
| tracker on the door that tracks how many open/closes linked to
| the conversion rate. The conversion rate was considered more
| important than properly authenticating accounts. I'm pretty sure
| Comcast knows about this and does nothing. Needless to say, when
| I made my concerns known I was terminated same day for "not being
| a good fit".
| meepmorp wrote:
| At one point in the early 2000s, Comcast's internal network
| wasn't internal. IIRC, everything (workstations, servers,
| printers, etc.) had a 24.x.x.x address with no firewall or
| other mitigations in place; you could directly connect to
| arbitrary ports on any corporate machine, from anywhere. And
| they weren't exactly on top of patching.
| xyst wrote:
| Back when ICANN was just giving any company /8 blocks of IPv4
| addresses
| jerf wrote:
| "The company says for an unspecified number of customers, hackers
| may have also accessed names, contact information, dates of
| birth, the last four-digits of Social Security numbers, and their
| secret questions and answers."
|
| Ah, yes, it truly gives me hope for the future of humanity when
| these hackers break in to a corporate database like this, have
| total access to all this sensitive data, and then, out of a sense
| of fair play and comity, run "SELECT * FROM customers LIMIT
| UNSPECIFIED" rather than just "SELECT * FROM customers". It's so
| nice of them to access only an "unspecified" number of customers'
| data rather than all of them.
| a1369209993 wrote:
| To be fair, Comcast's database software is probably crap made
| by Oracle or something. It's not totally implausible that it
| crashed partway through printing the results of "SELECT * FROM
| customers" so the last X% was never sent.
| RajT88 wrote:
| Logged in just now to see if I got the prompt to change my
| password (I did). The only mail I had waiting in my mailbox was
| an identity theft scam phishing email.
|
| Good job all around guys.
| jerf wrote:
| But the password reset prompt was, and I quote, "As part of our
| commitment to you, Comcast routinely reviews and monitors
| account security. Please update your password to help protect
| you and your account."
|
| No word about a compromise or anything, just corporate bland.
|
| Also I got a kick out of their screen "obfuscating" my email to
| j***rf@jerf.org. Fantastic job there. (Anyone not quite sure
| what I'm getting at is invited to consider the domain name and
| my Hacker News nym and come to the obvious conclusion about the
| clandestine character hiding behind those three secret stars.)
| Now truly I am safe from those thousands of spams a year I get
| from spammers shoulder-surfing my email address. I really ought
| to do something about them. Their harsh whispers as they
| furtively read my email address into their phones for their
| accomplices to copy every time it's on the screen make it
| difficult to concentrate on work sometimes.
| gnicholas wrote:
| Yep, I remember being forced to change my password a week or
| two ago. It told me I had to periodically change it, which
| was weird because I've been with Comcast for many years and
| didn't remember ever being prompted before now.
| bell-cot wrote:
| Yet another reason to say "nope" when Yet Another Co. wants me to
| route my interactions with them through their app or web site, or
| give them answers to security questions, or ...
| robotburrito wrote:
| This might be bad for Xfinity. A lot of their customers may leave
| them for a variety of readily available competitors created by
| the dynamic free market economy.
| dmitrygr wrote:
| You might want to post an explanation for non-Americans about
| why this is hilarious!
| boredtofears wrote:
| Regional ISP markets are usually a monopoly or duopoly. If
| you're on comcast, it's unlikely there is another high speed
| option out there for you (or if there is, the option is no
| better than comcast).
| doubled112 wrote:
| Canada too. Almost every independent ISP is just a reseller
| anyway.
| phkahler wrote:
| Starlink is everywhere Comcast is. It's not the highest
| speed, but it's apparently pretty good.
| jcrawfordor wrote:
| A lot of Comcast customers in this audience are going to
| be on 500Mbps or Gbps plans. Starlink just can't
| meaningfully compete with these speeds. Most people in US
| cities will have two options, cable and either bonded
| VDSL2 or fiber from the telco. Both will be faster and
| usually cheaper than Starlink.
|
| The main competitor in most cases, after the cable
| company and the telephone company, is LTE. Also faster
| and cheaper than Starlink in a suburban area, but in
| dense areas the speeds really suffer. I was on LTE home
| internet for a good while and enjoyed 100+ Mbps at night
| but only 20 during the day, due to living too close to
| downtown. Only $45/mo though!
| smcin wrote:
| ..."in the US". That's a political issue, not a
| technological issue. And if you want to inquire about the
| root-cause:
|
| "Comcast does so much lobbying that it says disclosing it
| all is too hard"
| https://arstechnica.com/tech-policy/2019/05/comcast-does-so-...
| two_in_one wrote:
| That was a joke: "Verizon made even Comcast look good". Not
| sure if it's still around.
| chopete3 wrote:
| I think it is something to do with cabling deals Comcast did
| with local governments. Once Comcast lays the cables,
|
| 1- Nobody else gets permits to lay cables in that area.
| Governments can't even share the data about cable
| locations/network detail. You can ask, as a property owner if
| it is around a specific location and they will say yes or no.
|
| 2-The agreements also prohibit local governments from laying
| out public cables, like roads.
|
| 3-Xfinity won't share that network with anybody else.
|
| Customers are stuck whatever Comcast does. These breaches
| have no meaning other than getting a check for $5-100 when
| they settle the lawsuit claims.
| jmclnx wrote:
| So true, but you may be living in a fantasy world if you
| think anyone will get anything from Comcast :)
|
| Just about anyone in the US knows what this means, your
| Comcast bill will go up at least 10% as soon as the Fed Gov
| stop watching them for this breach.
| bozhark wrote:
| Sounds like piss-poor municipalities
| xyst wrote:
| I think this was a South Park episode
| yterdy wrote:
| Boondocks. Huey's speech on the origins of American
| corporate/"customer" dynamics in the Triangle Trade and
| exploitation of slaves and coal miners should have gotten
| them another Peabody.
| oooyay wrote:
| I left the Comcast/Xfinity empire for the CenturyLink/Quantum
| empire about a month ago. There are other choices in my area
| too, but none that were fiber.
| kryogen1c wrote:
| I know you're being sarcastic and that's fine, but the target
| of your sarcasm is incorrect. ISPs are very far from a "dynamic
| free market economy". Complex problems don't lend themselves to
| pithy internet commentary though.
| apapapa wrote:
| LoL
| leotravis10 wrote:
| Comcast is a total regional monopoly in most cities so I'm glad
| that cities that do invest in municipal/community broadband are
| taking matters into their own hands to combat this.
| tky wrote:
| This on the heels of requiring bank account details to preserve
| auto-pay discounts, just like their security peer over in
| wireless, T-Mobile.
|
| What could go wrong?
| advael wrote:
| Comcast is a great example of a company I'd like to see antitrust
| law literally destroy rather than merely chastise
| orthecreedence wrote:
| Do all the big telecoms. Then maybe we'd finally get a real
| municipal fiber movement going.
| advael wrote:
| Maybe the entire class of services that can meaningfully be
| called "infrastructure" is a bad idea to make the exclusive
| purview of private, profit-motivated liability shields. Just
| spitballing
| orthecreedence wrote:
| Yeah, completely agree. Infrastructure always congeals into
| monopoly. It's incredibly stupid to even bother letting
| private industry manage it.
| advael wrote:
| Sometimes we skip the congealing step and just establish
| a government-protected but privately-operated monopoly
| for a regional utility as a matter of course, and this is
| after decades of failure on the parts of most if not all
| of these monopolies when compared to similar-sized
| government-run utilities. Something has got to give
| kderbyma wrote:
| Comcast is incompetent and unable to handle the very
| infrastructure it supposedly offers.....break them up and get
| this shit show outta here
| DoesntMatter22 wrote:
| Having worked for Comcast I can't tell you how many times I
| brought up security concerns and I was told that they were doing
| better than ever before and it's a non-issue.
|
| Idk which systems were hacked but I worked on their innermost
| apps, and they were a dumpster fire.
| iFred wrote:
| Oh man, xray is just a nightmare waiting to happen.
| liquidise wrote:
| > On October 10, 2023, one of Xfinity's software providers,
| Citrix, announced a vulnerability in one of its products used by
| Xfinity and thousands of other companies worldwide. At the time
| Citrix made this announcement, it released a patch to fix the
| vulnerability. Citrix issued additional mitigation guidance on
| October 23, 2023. We promptly patched and mitigated our
| systems[1]
|
| This reads like "we didn't patch until weeks after the
| vulnerability and patch were provided" but it's worded
| intentionally unclear to defer blame.
|
| > Q: How will Comcast prevent another incident from occurring?
|
| > A: We have robust security programs in place which help us to
| discover criminal activity such as this one
|
| You have to love how their response to their own question is,
| functionally, "we won't prevent your information from being
| stolen, but boy howdy we'll sure know when it happens though!"
|
| As a long-time disgruntled comcast customer, i have to say none
| of this surprises me. But local monopolies mean my wallet doesn't
| really get a vote in this matter.
|
| 1.
| https://assets.xfinity.com/assets/dotcom/learn/Notice%20To%2...
| advael wrote:
| I wonder how many enormous breaches of so-called sensitive
| information it will take for infrastructural security to improve.
| Like I think at this point it's reasonable to assume that most
| SSNs are public information, and dates of birth arguably always
| were. Why do important services still use this as a final word
| authentication for any individual? Why is it legal for a person's
| credit score for example to affect things like mortgage
| applications, when these measures are permanently affected by
| identity theft that could happen to anyone at any time through
| the fault of one of any number of irresponsible companies that
| routinely hold enough information to impersonate someone to both
| the government and their bank (setting aside for a moment how
| fraudulent and irresponsible the practices of the aggregators of
| these scores are themselves).
| mensetmanusman wrote:
| Pass a law requiring each municipality to offer fiber isp.
| yumraj wrote:
| It seems that my info has been stolen by a variety of hackers as
| part of this and several prior hacks that at this point does it
| even matter.
|
| For all practical purposes I'm sure my info, and almost
| everyone's, is out there.
|
| Genuinely curious: Does it even matter anymore. I think all one
| can do is freeze the credit and hope for the best.
| latchkey wrote:
| Here is the PDF notice:
|
| https://assets.xfinity.com/assets/dotcom/learn/Notice%20To%2...
|
| I tried to go to the first fraud alert link in the document:
|
| https://equifax.com/personal/creditreport-services/credit-fr...
|
| 404
| technion wrote:
| What hasn't gotten enough attention here in my view is how
| astoundingly basic this exploit is.
|
| https://github.com/GossiTheDog/scanning/blob/main/CitrixBlee...
|
| You've got a single curl request to a web service that for
| magical reasons is running as root. There's no SELinux/jails/etc,
| and no logs written for this request.
|
| Remember this next time someone wants to sell you a WAF: The
| Netscaler isn't some wiki application, one of the things it is
| sold for is specifically as a WAF.
| markhahn wrote:
| we need to blame the failing party (Comcast here), we need to
| make customer data outrageously radioactive, so companies like
| Comcast try hard to avoid storing it...
| ianbutler wrote:
| As a recent Xfinity customer, I am delighted by this update.
| say_it_as_it_is wrote:
| It's probably data that Comcast shouldn't have had in the first
| place
| chaps wrote:
| Heh. Years ago I had a call with Comcast's CISO about them
| setting up a bug bounty program after I informed them about a
| leak of exposed information (sysadmin's home dir, with ssh keys
| and more). They told me that if they set up a bug bounty program
| like that, that they'd effectively go bankrupt. So here we are.
| Not expecting them to go bankrupt from this, but it's sad to see
| how their apathy turns into actual harms.
| midtake wrote:
| I have yet to see a large scale hack on services hosted on Linux
| stacks using basic technologies like SSH. Whenever large
| companies get hacked and their technology stacks consist entirely
| of overvalued "security for midwits" enterprise software, I just
| groan. It irks me that my own information security is orders of
| magnitude more robust than a company worth many billions.
|
| It is clear to me that security is theater to these companies,
| and that is why companies that resell TLS tunnels with 2000s
| technology bolted on like Citrix get away with charging so much.
| It should be assumed that there was no security to begin with. If
| you told me in 2 years that a foreign adversary had compromised
| all American companies since 2012 I would not even blink. It is
| more or less something I expect to eventually hear.
___________________________________________________________________
(page generated 2023-12-19 23:01 UTC)