Salsa Scoop > tag: "blog:security"

This Blog Is a Phish for the No-Fly List

The TSA -- the very face of obnoxious, ineffective, ham-handed government to anyone with the misfortune of commercial air travel "in the wake of September 11" -- has launched a blog. This'll be interesting. Smarter folk than I find this promising, but it's hard to see where this is going, especially since the bloggers profess surprise at the torrential commentary. What are the distinguishing characteristics of this institution that make it a good fit for this communications medium?
Characteristic                 Blogs                          The TSA
Structure                      Networked, sharing             Top-down, secretive
User's alternatives            Goof off elsewhere             Hitchhike
Characteristic discourse       Questioning, conversational    Pettily dictatorial
Liquids allowed?               Downright encouraged           War on States of Matter continuing unabated
Punitive measures available    Troll-rating                   Extraordinary rendition


A Few Notes on Security

DIA competitor Convio suffered a major security breach that unfolded publicly last week, as many readers may know. This post is well past its immediate news cycle, but in light of that event we have quite understandably been asked about our own security procedures as well, and wanted to put them on the record.

For anyone unfamiliar with the story, the thumbnail version is that a compromised password enabled an intruder to download scores of Convio clients' lists, and that those downloads included hundreds of thousands or millions of ordinary users' passwords stored in plain text rather than hashed. The NTEN blog summarizes the affair here. Allan Benamer's initial alert, and the accompanying comment thread, have a lot more.

Any system could be hacked or compromised, of course; this is a risk all online providers face and strive to minimize, and we're doing the reflexive sympathetic wince over here that you do when someone on TV gets clobbered in a sensitive spot. But beyond the initial intrusion, the exposed passwords are the real problem. Since many users re-use the same password across many different systems, including financial ones such as online banking, PayPal, and the like, a leak of plaintext passwords is potentially hugely damaging far beyond the breached site itself.

So, most importantly for users of DemocracyInAction's Salsa platform: this particular aspect of the breach has not happened and could not happen in our system. We use, and always have used, industry-standard one-way hash functions (password hashing, not reversible encryption) to protect passwords for all users and campaign managers. Only the hash is stored, and it cannot be turned back into the password, so neither intruders nor organization administrators nor users themselves can ever actually see even their own password. The caveat any security practitioner would add: a stolen hash can still be attacked by guessing offline, which is why a per-user salt and a deliberately slow hash matter, and why weak or re-used passwords remain a risk even on a site that hashes them.
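To make the difference concrete, here is an added example (not DemocracyInAction/Salsa code, and not a description of Convio's system) showing the plaintext pattern beside salted one-way hashing with PBKDF2-HMAC-SHA256, plus what an intruder who downloads the user table learns in each case. The function names, the record format and the sample passwords are this example's own choices.

```python
"""Plaintext password storage versus one-way salted hashing.

Added illustration, not the Salsa platform's code.  Shows the
Convio-style mistake (storing the password itself) beside the
one-way approach the post describes, and the residual offline
guessing risk that hashing alone does not remove.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Deliberately slow: this is the 2023 OWASP floor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def store_plaintext(password: str) -> str:
    """The vulnerable pattern: the stored record *is* the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way, salted, slow.  Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt>$<derived key>' (hypothetical format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user; defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records never verify."""
    try:
        alg, iters, salt_b64, dk_b64 = record.split("$")
        if alg != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def record_exposes_password(record: str, password: str) -> bool:
    """What an intruder who downloads the user table learns directly:
    True for a plaintext record, False for a hashed one."""
    return password in record


def offline_guess(record: str, wordlist: List[str]) -> Optional[str]:
    """The residual risk with hashing: an attacker holding a stolen record
    can still try guesses against it.  The salt stops precomputed tables and
    the iteration count makes every guess expensive, but a weak password on
    a short wordlist is still found."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    leaked_plain = store_plaintext("hunter2")
    leaked_hash = hash_password("correct horse battery staple")
    print("plaintext record exposes password:",
          record_exposes_password(leaked_plain, "hunter2"))
    print("hashed record exposes password:",
          record_exposes_password(leaked_hash, "correct horse battery staple"))
    print("weak password recovered offline:",
          offline_guess(hash_password("password1"), ["123456", "password1"]))
```

The record stores its own parameters so the iteration count can be raised later without breaking existing users, and `hmac.compare_digest` avoids leaking timing information during verification. The `offline_guess` function is the point of the caveat above: hashing keeps an intruder from reading passwords out of a stolen table, but it does not rescue a user whose password is on every attacker's wordlist.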
