Caltrops - Rants





	[quote name="Tansin A. Darcos (TDARCOS)"][quote name="Ray of Light"](3:44:03 PM) Ray: Ooom posts to complain about the eroding value of competence (3:44:43 PM) Ray: then ES, jeep, and TDARCOS come along and act out the sort of situation I had in mind, using their actual personalities (3:45:28 PM) Ray: ITT: ES is the "A" programmer, jeep the "B" manager, and TD the "C" programmer hired by jeep (3:45:47 PM) Ray: from his POV, they both have a lot of shit to say and sound like they went to school (3:45:58 PM) Ray: (PS they don't both sound like they went to school) (3:46:42 PM) Ray: ES says "go with me and I can make clalims like 'this will scale' and 'this will give accurate results'" -- TDARCOS says "I have invented perpetual motion!" (3:48:24 PM) Ray: jeep, despite being a decent manager, is not skilled enough to tell the difference, and goes with whatever is already in place / ready to go (TDARCOS' solution) (3:48:40 PM) Ray: fast forward 18 months: ONE JILLION CREDIT CARDS COMPROMISED[/quote] The only relation to reality your comment has is the eroding value of competence or the eroding <i>level</i> of competence in supposedly educated people. The only reason places are having credit card compromization events is they fail to provide adequate safeguards. Databases are to be encrypted so you can't access them except through the approved applications. When people can examine databases the level of examination should be restricted to what they need to know. A person who answers questions needs to see one person's information at a time. And that's all they should be able to see. The only time someone should be able to access or read multiple people's information is if they are involved with developing an application that's handling batch processing such as system for generating bills. And in such cases, you have two people when this is done, one who is doing the work and the second - who doesn't know them, but is also a technically qualified person - to watch them to make sure they're not copying files. And even in their case, they need to access the data base one record at a time. If you access a system from outside like a web inquiry system, it should be able to read one record, yours. But often the databases are stored unencrypted on portable equipment that can be stolen - I think the biggest reports of credit card compromises are because someone had the entire company's transaction history on a laptop that got stolen - or because someone figured a way to break into a database system or file server and used it to deliver up and disgorge their data. So guess what: proper security means that even if your external DMZ or firewall fails and they get through, all the attacker was got several hundred megabytes of garbage, because the file data is encrypted. Security is pure overhead and a lot of places don't want to spend the money on what should be done. The smart companies do and they're the ones that will survive when things go bad. Auto Zone has its data center in Memphis built on base isolators, the same thing used in really earthquake-sensitive areas to allow a building to resist even massive earthquakes. Memphis hasn't been in a really bad earthquake since the New Madrid quake series back in 1811-1812, but the ones the New Madrid Zone had were bigger than anything that hit California, and the region generally has ones big enough to feel on a yearly basis. If that area has another big one, there will be massive devastation, this is straight from FEMA. So, if anything goes wrong such as a major earthquake, Auto Zone will still be able to operate its store network. It was probably much more expensive to build the building on base isolators, but if anything happens, the "insurance premium" they paid will be nothing in comparison. If nothing ever happens, they still had the protection from disaster and would have been able to continue to operate, and complaining about the cost is like complaining because you paid for fire insurance and your building never caught fire. The same - that they can continue to operate - can't be said for anyone else operating in the same area if anything goes wrong. And sometimes even against known and expected potential disaster some people think obvious and necessary security expenses are "luxuries" that need to be cut in bad times. The Chief of the San Francisco Fire Department has to go to the City Council every year to justify the expense of keeping two fully operational fire boats available 24/7. The council always asks why they have to cover the expense. Nobody seems to remember that when the city has had earthquakes (like the one in 1989 that shut down the World Series) it lost access to the fire hydrant system, which went dry, and the only systems available for providing water to fight fires are the fire boats that can pump seawater out of the bay. Security is expensive and if you don't handle it properly the results can be worse. Credit Card exposure events are the equivalent of shutting down the fire boats and not caring if the city burns to the ground, as if you have faith the hydrants will never fail due to earthquake. "Faith" here is probably the operative word, since your security solution is basically "pray to God." Well, let me tell you, I'm an agnostic, I don't believe that's a valid solution! [/quote]