On Thu, 7 Jun 2012, Corey Quinn wrote:

> On Jun 7, 2012, at 4:04 PM, [email protected] wrote:
>
>> While I agree that it would be good to notice problems earlier, on a
>> site that allows pictures to be posted, 107MB is really not that much
>> data.
>
> Oh, I agree with you -- but generally images are stored on either a CDN
> in some form, S3, etc. Storing terabytes of static assets in a database
> is textbook "Doing It Wrong." If the static assets are living in the
> same network as the authentication database, then things have sort of
> gone to custard already.

Only the very large organizations use a CDN (in spite of what they want
you to believe).

>> I would agree that this shows that LinkedIn does not have stellar
>> security, but as nice as it is to bash them, the sad truth is that even
>> as bad as they are, they are probably better than average (probably
>> even for organizations their size).
>
> My sincere apologies if my previous email came across as an attempt to
> bash them; that wasn't my intent. My point was (and remains) that it's
> not the breach itself that's noteworthy, but rather the track record and
> way it was handled.

I think the way they handled this is horrible. Posts in a blog that most
people aren't going to know about are pretty worthless. The fact that I
went to their page the other day and two of the top three news stories
were about LinkedIn vulnerabilities and there was no statement at all by
LinkedIn is really bad.

>> Experienced security people cringe at this, but they will also agree
>> that it's amazing how little attention basic security needs get, let
>> alone advanced things that would notice traffic anomalies.
>
> I suppose. I work with financial data, so I come from a bit of a
> different world than a social networking site probably does; network
> segregation and monitoring are required for compliance here. I
> sometimes forget that this isn't how most places operate.

I work with financial data as well, and I'll tell you that from my
experience there are a LOT of places that host financial data that would
fail to notice something like this as well. I've been in this area for 15
years, and every time I am exposed to a new organization's network I
cringe. I also don't think it's getting better; too many managers and
security people are only worried about satisfying auditors rather than
being worried about actually making the systems secure.
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/