On Tue, Sep 25, 2012 at 2:35 PM, Patrick Mylund Nielsen <cryptogra...@patrickmylund.com> wrote:
> It's interesting how the level of technical expertise of an organization's
> members seems to have almost no bearing on how sophisticated the
> organization's infrastructure is.
>
> On a related note, I was recently surprised to learn that even the IACR
> stores passwords in plain text.

Right now (in the US), it's cost-effective to do nothing (i.e., neglect security). IEEE, IACR, et al. are being grossly negligent because they can be.

The US needs harsh data breach laws to protect consumers and users. Waiting for companies and organizations to "do the right thing" is not working. And the definition of what constitutes "sensitive" information needs to be expanded (it's narrowly defined around PII, but should take a more general definition and include items such as passwords).

Recently, the *first* class action due to a data breach moved forward (http://www.infolawgroup.com/2012/09/articles/motion-to-dismiss/eleventh-circuit-rules-damages-properly-alleged-in-data-breach-identity-theft-lawsuit/). It's about damn time.

Jeff

> On Tue, Sep 25, 2012 at 1:12 PM, Steven Bellovin <s...@cs.columbia.edu>
> wrote:
>>
>> On Sep 25, 2012, at 1:47 PM, Kevin W. Wall <kevin.w.w...@gmail.com> wrote:
>>
>> > -kevin
>> > Sent from my Droid; please excuse typos.
>> > On Sep 25, 2012 1:39 PM, "Jeffrey Walton" <noloa...@gmail.com> wrote:
>> > >
>> > > In case anyone on the list might be affected... [Please note: I am not
>> > > the "I" in the text below]
>> > >
>> > > http://ieeelog.com
>> >
>> > For shame. This should make for a "nice" article in a future _IEEE
>> > Security & Privacy_.
>>
>> I'm on the editorial board; I passed along the message along with this
>> suggestion...
>>
>> --Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography