

Ultimately, the web is an attack vector that no one is immune to. Did you read about the Syria hack recently? Just a Skype chat with an attractive member of the opposite sex is enough to download a piece of malware masquerading as a picture you really want to see. While the human aspect has always been a key element of getting hacked, products that claim to distinguish the good from the bad are failing big time. And this has been the pillar of enterprise security (classifying good against bad) for the last 20 years and is starting to show its age.


+1 on the "sophisticated" == 'SQL injection', though it's all speculation at this point.


That's really my problem -- that they're leaving their victims to speculate.

It's great that they "made every effort to close the security vulnerability". How's that going?

They hired Mandiant to "evaluate our systems and identify solutions based on the evolving landscape." Is "evolving landscape" CEO-speak for "Oh, god, we're still leaking customer data like a sieve, make it stop!"?

I'm just going to keep speculating, because if Anthem's not going to bother speaking plainly, I'm just going to assume the worst.


>It's great that they "made every effort to close the security vulnerability".

I love that quote, they try to cover their asses by saying we closed the vulnerability. My question is why did you wait till it was taken advantage of?


Even better is that they didn't explicitly state that they did close the vulnerability -- simply that they put forth every effort to do so.


If we combine the Check Point firewall job posted on the Anthem Inc's website on 1/30/2015, add in the "discovery" on 1/29/2015, and think about Check Point's vulnerability to Heartbleed and Shellshock last year, one might also guess that a VPN stolen-credential compromise (like the major CHS breach last year) or a generic firewall compromise (via shellshock) are in the running as possibilities.


The security industry/products seriously need a makeover. So much money spent and yet, hacks just keep getting bigger and worse.

[edit]: Disclaimer - I'm CTO at @menlosecurity.


The security products aren't great, true, but the people working as security engineers in companies are often quite decent.

It seems to me that it's the usual issue. People don't see the need for protection until they've been hit. It seems to be a cost that doesn't make sense to them. They don't even care anymore.

Then they get hit hard. But it can take years.


I've actually had the exact opposite experience. Security Engineers at most companies have no idea what they're doing beyond running the scanner and parroting whatever it spits out.

"The scanner says your server is vulnerable"

"Ya, we patched that vulnerability weeks ago"

"The scanner says it's vulnerable"

"OK.... looks at scanner - oh, it's just reading the banner, and not taking into account that the major rev didn't change, it's patched"

"The scanner says it's vulnerable"

"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"

"The scanner says it's secure now, thanks!!"

The guys who know their stuff in security generally have a desire to actually get paid well, and have time to do legitimate research. They don't really have a desire to sit in a corporate job dealing with the mountains of bureaucratic bullshit that goes along with security in a corporation. Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?
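The banner-grabbing false positive described in the exchange above is a common scanner failure mode: a banner-only check can neither see a backported fix nor notice an edited greeting. The following is an added example, not code from any commenter or product; the service name `ExampleSSH`, the fix threshold, the package names and the backport list are all constructed for illustration. It contrasts the naive banner verdict with a package-aware verdict and surfaces disagreements for review rather than letting the banner decide in either direction.

```python
"""Banner-only versus package-aware vulnerability checks (constructed example)."""
import re
from typing import NamedTuple, Optional, Tuple

# Hypothetical service and the upstream version that carries the fix; both are
# constructed for this example, not taken from any real advisory.
SERVICE = "ExampleSSH"
FIXED_IN = (5, 4)

# Constructed sample: package revisions that backported the fix while keeping the
# old upstream version in the banner (the kind of list a vendor advisory gives).
BACKPORT_FIXED = {"examplessh-5.3p1-7"}


class Host(NamedTuple):
    name: str
    banner: str   # what the network greeting advertises (unauthenticated view)
    package: str  # what the package manager reports (authenticated view)


def banner_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a greeting such as 'SSH-2.0-ExampleSSH_5.3p1'."""
    m = re.search(rf"{SERVICE}_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_check(banner: str) -> str:
    """Naive scanner logic: flag anything whose advertised version is below FIXED_IN."""
    ver = banner_version(banner)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < FIXED_IN else "patched"


def package_check(package: str) -> str:
    """Package-aware logic: consult the backport list before comparing versions."""
    if package in BACKPORT_FIXED:
        return "patched"
    m = re.match(r"examplessh-(\d+)\.(\d+)(?:p\d+)?-\d+$", package)
    if not m:
        return "unknown"
    ver = (int(m.group(1)), int(m.group(2)))
    return "vulnerable" if ver < FIXED_IN else "patched"


def triage(host: Host) -> Tuple[str, bool]:
    """Return (verdict, mismatch). The package view decides; a disagreement with
    the banner is reported for review instead of letting the banner win."""
    b = banner_check(host.banner)
    p = package_check(host.package)
    return p, b != p


# Constructed sample inventory covering the cases from the thread.
SAMPLE_HOSTS = [
    Host("unpatched", "SSH-2.0-ExampleSSH_5.3p1", "examplessh-5.3p1-3"),
    Host("backport-patched", "SSH-2.0-ExampleSSH_5.3p1", "examplessh-5.3p1-7"),
    Host("banner-edited", "SSH-2.0-ExampleSSH_6.0", "examplessh-5.3p1-3"),
    Host("upgraded", "SSH-2.0-ExampleSSH_5.4", "examplessh-5.4-1"),
]


def report(hosts=SAMPLE_HOSTS):
    """Map host name -> (verdict, mismatch) for the whole inventory."""
    return {h.name: triage(h) for h in hosts}


if __name__ == "__main__":
    for name, (verdict, mismatch) in report().items():
        flag = "  <-- banner disagrees, review" if mismatch else ""
        print(f"{name:18} {verdict}{flag}")
```

The two hosts that matter are `backport-patched` (banner says vulnerable, package says patched) and `banner-edited` (banner says patched, package says vulnerable); a scanner that only reads greetings gets both wrong, and only the authenticated package view distinguishes them.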


>Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?

Except those strong password policies don't strengthen security at all, neither in theory nor practice. Congratulations, the CEO's password is now "qweRTY" and it's written on a yellow sticky-note on his monitor.


A post-it note on his monitor of a secure password (they generally require a number or special character, as well as being 8 characters long) is actually better security than an extremely simple password. I can have him lock his office door... I can't prevent someone from brute forcing the password he's re-used on every site on the internet.

I literally tell my parents to have a secure password they write on a post-it note. The odds of someone breaking into their house for their password is about 1/10000th the odds of someone cracking their simple password on a website and getting the keys to the kingdom.


True that about the security engineers, but they are at the mercy of products that claim to distinguish good from bad and this has never worked, IMHO. How the hell can you write signatures against malware/documents/web-sites/files/attacks/blah when there's so much diversity and quantity of stuff to keep up with?

Disclaimer: I built the first IPS to be commercialized and yes we used signatures amongst other things.


See Ben Kepes' review here: http://wp.me/p8KWj-3Uj


Depends on what your expectations are. I built https://www.delayed-tweets.com for myself and I'm a heavy user of it and I tinker with it when I have time (Heroku + Stripe, if you want to know). If it also becomes a source of income, so be it. Otherwise, it costs me just a little more than using an alternate service to do the same thing (like HootSuite, Buffer, etc). But, I get to tinker with it on the side, learning new things and making little improvements as I have time. So 6 months from now, I don't have to be disappointed that it didn't go anywhere. A side project is exactly that, something that you tinker with while you still have a day job.


Very cool - just a few weeks ago, I spent two weekends (8 hours total) building https://www.delayed-tweets.com. Sinatra on Heroku + Stripe along with a bunch of gems to connect up to Facebook, Twitter and LinkedIn. It's mainly for my personal use right now, but awesome to see others having similar needs to schedule and cross post social updates.

[edit] The "big" monthly cost for this project for me is primarily the SSL add-on. Everything else amounts to nothing since I have no long running dynos, even for resque.


Regarding ease of use, if you are a dev, there's always toto or jekyll. Throw in disqus for commenting and you are pretty much done. Each blog is just a simple haml/erb/liquid template and git push is all you need to get a new page/blog up.


I've been writing C and C++ for a long time (kernel and user mode) and what I find is that it takes a fair bit of discipline when writing C++ code (like hiding new/delete for stack-only objects or ensuring operator= works for heap objects and so on). Debugging with STL and templates can be a PITA since the error messages are so convoluted in most compilers. One thing I would agree with Linus on is that the talent pool of disciplined C++ programmers is pretty scarce. There are tons more C programmers that have enough OO experience of faking vtables and building structs-with-callbacks to simulate class inheritance and what not.


You can find out with dyno-blitzer: https://github.com/pcapr/dyno-blitzer

