A Few Notes on Security

DIA competitor Convio suffered a major security breach that unfolded publicly last week, as many readers may know. This post is well past its immediate news cycle, but we've quite understandably been asked in light of that event about our own security procedures as well, and wanted to put them on the record. For anyone unfamiliar with the story, the thumbnail version is that a compromised password enabled an intruder to download scores of Convio clients' lists ... and that those downloads included hundreds of thousands or millions of plain text (rather than encrypted) versions of ordinary users' passwords. The NTEN blog summarizes the affair here. Allan Benamer's initial alert -- and accompanying comment thread -- have a lot more.

Any system could be hacked or compromised, of course; this is a risk all online providers face and strive to minimize -- we're doing the reflexive sympathetic wince over here that you do when someone on TV gets clobbered in a sensitive spot. But beyond the initial intrusion, the compromised passwords are the real problem. Since many users re-use the same passwords across many different systems -- including financial presences such as online banking, PayPal, amazon.com and the like -- it's potentially hugely damaging.

So, most importantly for users of DemocracyInAction's Salsa platform: this particular aspect of the breach has not happened and could not happen in our system. We use, and always have used, industry-standard one-way encryption algorithms to protect passwords for all users and campaign managers. Neither intruders nor organization administrators nor users themselves can ever actually see even their own password.
It's an uncomfortable affair for everyone, to be sure: Convio for having to own up to the attack; nonprofits who are themselves victims for having to play the heel by telling their own supporters about it (and just about the time of year they'll be asking those same supporters to entrust their credit card numbers to them); consultants who might have oiled the relationship. Perhaps that accounts for the odd cone of silence that's descended over the matter. Even when chatter broke on the invaluable Progressive Exchange e-mail list, there was a note of insistence -- and not at all pushed by Convio itself -- about closing the conversation. But to the contrary, there's a great need for that conversation. The aforementioned Allan Benamer, who has been all over this incident, gave a discouraging account of nonprofit inaction (along with useful guidelines for what an organization affected by a breach -- this or any other -- should do).
Don't sweep security breaches under the rug. By not disclosing publicly that your site has been breached and relying instead on [only] e-mail to notify your constituents, it shows that you're more worried about the effect on your organization instead of your constituents.
It's horrible to have to give this news to supporters -- to say something that many will hear as, "I've been careless with your private information" even if the organization hasn't been careless at all, and to impose a burden adding up to countless person-hours of manually changing passwords. But if we're in this space to do good by our fellow-beings, there's no way around the fact that you can't do them good by soft-pedaling the potential wholesale violation of their privacy by malefactors unknown. In fact, though I'm not a lawyer, I'd be concerned about legal exposure for insufficient diligence given the potential for financial injury. And in the interest of following my own advice, DIA administrators who log into Salsa with passwords that they also use for other web properties should consider the possibility that those passwords have also been compromised. If such a password has also been used to create a run-of-the-mill supporter account with an organization using Convio or GetActive, changing the Salsa password as well would be a wise precaution.

Comments

Is that enough?

You write: We use, and always have used, industry-standard one-way encryption algorithms to protect passwords for all users and campaign managers. Neither intruders nor organization administrators nor users themselves can ever actually see even their own password. But can users see the encrypted passwords? One-way encryption -- especially unsalted encryption of user-chosen passwords using standard algorithms -- can be broken in most cases using lookup tables. So does Salsa allow any part of the app to download or display the encrypted passwords?
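The distinction the comment above draws, between a bare one-way hash and a salted, slow one, as an added example (not Salsa's code; user names, passwords and the lookup table are constructed here):

```python
# Added example (not Salsa's code): why an unsalted one-way hash is still
# exposed to lookup tables, and what a salted, slow hash stores instead.
import hashlib
import hmac
import os

# Constructed sample: two supporters who happen to pick the same password.
USERS = {"alice": "letmein", "bob": "letmein"}


def unsalted_digest(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Identical passwords collapse
    to identical digests, so one precomputed table covers every account."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_table_hits(digests, table) -> int:
    """Audit view: how many stored digests a precomputed table of common
    passwords would match outright."""
    return sum(1 for d in digests if d in table)


def demo() -> dict:
    table = {unsalted_digest(p): p for p in ["password", "letmein", "123456"]}
    weak = [unsalted_digest(p) for p in USERS.values()]
    salted = [make_record(p) for p in USERS.values()]
    return {
        "unsalted_identical": weak[0] == weak[1],
        "unsalted_table_hits": lookup_table_hits(weak, table),
        "salted_identical": salted[0] == salted[1],
        "salted_table_hits": lookup_table_hits(
            [r.split("$")[2] for r in salted], table),
        "verify_ok": verify("letmein", salted[0]),
        "verify_wrong": verify("Letmein", salted[0]),
    }
```

Even with salting, the stored records should still never be downloadable or displayed, which is the comment's actual question.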
