[ale] OT: Egghead cracked

Robert L. Harris Robert.L.Harris at rnd-consulting.com
Tue Dec 26 19:16:26 EST 2000


> 	It's bad enough that they are running unpatched servers.  I would
> love to hear someone explain WHY they are storing those card numbers on
> the same server as their web server and not sinking them into a oneway
> database on a separate chunk of iron from which they can not be retrieved.
> They can make all the excuses they want about unpatched IIS and unexpected
> web exploits, but there is no excuse for not protecting those things
> from on-line access by using an isolated server for secure storage.

I've seen some of this.  Some budget counter will argue that the sales guys
who sold them the IIS server said it was safe/secure and more bang for
the buck.  Or the MCSE they hired for minimum wage who is an expert
swore the same thing.  And all the M$ publicity makes it more believable
to those who don't know better first hand.

> 	Not the first time and won't be the last time.  Simple precautions
> could prevent the compromise of the credit card data even if the web
> server gets compromised.  You would think they would learn...

The ones who get scapegoated will learn and the guys who have to fix and
also get reamed will learn.  The manager above them will think that the
scapegoats were to blame and that the next one will fix it and all will
be ok, because the sales droid says so.

Robert

P.S. please excuse any typos.  I'm on some nice pain killers.


:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
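The design the quoted poster asks for (card numbers handed off to a separate box the web server can write to but never read back from) is easy to sketch in code. The model below is an added example and is not from the original post or the list; the class and method names (CardVault, WebTier, store, charge, checkout) are hypothetical, the "network" between the two hosts is simulated by a direct method call, and the card number used in the check is the standard all-ones Visa test number, not real data.

```python
"""Model of the split the thread argues for: the web tier never keeps a
card number; it hands the PAN to a vault on a separate host that returns
an opaque token and exposes no read-back API at all.

Added example, not code from the original post.  CardVault, WebTier and
their methods are hypothetical names; the hop between the two hosts is
simulated with a plain method call."""
import json
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn checksum.  The web tier uses it to reject obvious typos before
    the number is ever shipped to the vault."""
    if len(pan) < 13 or not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Runs on the isolated host.  Its only entry points are store() and
    charge(); there is deliberately no method that returns a PAN."""

    def __init__(self) -> None:
        self._pans: Dict[str, str] = {}     # token -> PAN, never leaves this host

    def store(self, pan: str) -> str:
        # Random token: nothing about the PAN is recoverable from it, and
        # unlike a hash of the PAN there is no 16-digit keyspace to enumerate.
        token = secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        pan = self._pans.get(token)
        if pan is None:
            return False
        # A real vault would talk to the payment processor here.  The PAN
        # stays inside this process; only a yes/no crosses back to the web tier.
        return cents > 0 and luhn_valid(pan)


class WebTier:
    """Internet-facing application.  Holds tokens and a display suffix only."""

    def __init__(self, vault: CardVault) -> None:
        self._vault = vault
        self.orders: Dict[str, Dict[str, str]] = {}

    def checkout(self, order_id: str, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = self._vault.store(pan)      # one-way: PAN goes in, token comes out
        self.orders[order_id] = {"token": token, "last4": pan[-4:]}
        return token

    def rebill(self, order_id: str, cents: int) -> bool:
        """Later charges reference the token; the web tier never sees the PAN."""
        return self._vault.charge(self.orders[order_id]["token"], cents)

    def dump_database(self) -> str:
        """Everything an attacker gets from a full dump of the web server's store."""
        return json.dumps(self.orders)


def web_dump_leaks_pan(pan: str) -> bool:
    """True if compromising the web tier's database would expose this PAN."""
    vault = CardVault()
    web = WebTier(vault)
    web.checkout("order-1", pan)
    return pan in web.dump_database()


if __name__ == "__main__":
    # Constructed input: the standard Visa test number, not a real card.
    print("web dump leaks PAN:", web_dump_leaks_pan("4111111111111111"))
```

The point the thread makes shows up in the last function: after the web server is fully compromised, its database yields tokens and last-four digits but no usable card number, and the tokens are only good against the vault's charge() call, which can be rate-limited and audited on the isolated host. Whether the unpatched IIS box falls or not, the card data is out of reach of that box.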