
Can't be mad at the speed and outcome of the response. I'm sure they would have preferred the incident not be published at all...

In any case, we've all had "oh shit!" moments before. I'd love to think this would be a wake up call about quality control, but Verizon is just so freakin' big, that I can't imagine the number of vendors that have contributed to the amount of code Verizon is running at any given time. I can't imagine the chore of vetting it all at delivery time, let alone having to go back now, realizing how bad that bug was and assuming other sloppiness likely exists.




There are security issues, and then there is this.

Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.


> Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.

Then again it's all over HTTP so that was off to a bad start.


Or as Dropbox showed, it really is just a moment, with no real enduring impact.


And that's the problem in the industry. Unless you close up shop, a breach doesn't really impact your business that much. Linode, for example, had several security incidents where they did not tell their customers in any reasonable time, or in some cases, lied to their customers until they were forced to tell the truth. After one such incident where card numbers were reportedly stolen (but Linode said they weren't), I closed my account, cancelled the card I was using, and moved to DigitalOcean. And whenever I mention this, I get a hundred people saying "Linode is awesome and all of that was in the past!". I don't care. They screwed me over multiple times, were dishonest with me as a paying customer, and proved to me they cannot be trusted. Sorry Sony. You get breached once, I might forgive you. You get breached twice, you're doing something wrong. You get breached again and again, you no longer exist in my mind.

Security is not a game, and it's not an afterthought. But some days it seems I am the only person who feels that way. I still don't shop at Target or Home Depot. They need to feel the impact of their business decisions, instead of putting the cost of security onto their customers or the customer's bank.


Just as another datapoint, I used to keep a couple of virtual machines at Linode.

After seeing how they acted after their security breaches, I left for DigitalOcean. I've also recommended DO over Linode to other people for that reason.

I should note it wasn't the fact they had a security incident, that happens. It was the way they 'communicated' it.


I think there should be a "Fixed" in the title.

The question now becomes, for how long was this vulnerability known and exploited secretly?



