Duffman100 wrote: Scase wrote: MadDogSHWA wrote: As a software engineer, I can say the sad reality is nothing is unhackable. That said, I wouldn't be even slightly surprised to find out their security is garbo.
Just watched the Ashley Madison doc and learned that for the amount of money they made in 1 day they could have hired the best ID Security firm in the world. Instead, they lied about security measures that didn't exist.
I'm a Director of Product for a company that acquires independently created apps, and some of the security I've seen (or not seen) is mind boggling. While absolutely no system is unhackable, based on my experience, I would say they had **** infrastructure, rather than some borderline impregnable setup that a world-class group got through.
Especially at these bigger companies, the number of times I've had VPs and C-levels say it's a low priority, I've lost count.
"Our endpoints are exposed, we need to deal with that."
"Yeah but how easily can someone find this stuff out."
"Just by using inspect on Chrome."
"No one really knows how to do that, we'll be fine."

My company recently discovered there was an exposed, unauthenticated endpoint that, if you fired a simple POST request at it, would take down the entire site.
I don't work for FAANG, but probably the next tier down.

The saddest part about this post is that I've experienced this exact situation.
PushDaRock wrote: Scase wrote: MadDogSHWA wrote: As a software engineer, I can say the sad reality is nothing is unhackable. That said, I wouldn't be even slightly surprised to find out their security is garbo.
Just watched the Ashley Madison doc and learned that for the amount of money they made in 1 day they could have hired the best ID Security firm in the world. Instead, they lied about security measures that didn't exist.
I'm a Director of Product for a company that acquires independently created apps, and some of the security I've seen (or not seen) is mind boggling. While absolutely no system is unhackable, based on my experience, I would say they had **** infrastructure, rather than some borderline impregnable setup that a world-class group got through.
Especially at these bigger companies, the number of times I've had VPs and C-levels say it's a low priority, I've lost count.
"Our endpoints are exposed, we need to deal with that."
"Yeah but how easily can someone find this stuff out."
"Just by using inspect on Chrome."
"No one really knows how to do that, we'll be fine."

They really don't care at all, because for most of these companies, the number of customers they would lose over a data breach is definitely sub-1%, so they see no point in spending any money on it.
Hackers look for low-hanging fruit. Nothing is really truly unhackable, but nobody is going to spend time hacking something that's 100x more difficult because of some basic encryption when there are so many softer targets everywhere else.
Yep, it's the "cost of doing business". That's why I always advocate for fines to be %-based vs. flat values. If I get a $100 parking ticket, I don't care; if someone making 30k/yr does, that's a big deal.
Disincentivizing things financially is where it's at; otherwise, it's always just a system to punish anyone who isn't well off.