Tuesday, 24 July 2012

Pluralsight is good

A friend recommended Pluralsight Training to me and I now have a subscription. It's a great idea and something that is long overdue. Training tends to be either very expensive and classroom based, or obtained by reading a book, or quite amateur on YouTube or similar. For a reasonable monthly charge of $30, I get unlimited access to all their courses.
One of the things I like about the setup is that I can find out about technologies that I might never otherwise have heard of because they are all listed in the training library. Of course, as with any training, one of the great things is learning more about subjects you already thought you had good knowledge of by listening to training run by people who know more.
Anyway, get there and learn - let us be professionals!

Monday, 16 July 2012

Why password leaks are no longer acceptable

With the announcement that Yahoo have plugged their security gap (http://www.theregister.co.uk/2012/07/13/yahoo_fixes_password_hole/), I find it unacceptable that day after day we receive reports of people's valuable data being leaked, albeit sometimes by sophisticated hacking.
I believe it is time the industry introduced regulation to stop this happening. If I create an account with untrustedcompany.com, I have no-one to blame but myself if something happens to that data; I wouldn't give my data to a stranger on the street. Companies like Yahoo, local authorities and various other organisations, however, are trusted like shops or banks, and why shouldn't they be? They are multi-million pound organisations who cannot complain that they lack the resources or skills to prevent these kinds of problems.
How on earth does someone like Yahoo buy a company and not carry out the simplest audit in the world, where question 1 is "Do you store passwords in plain text?" I mean, honestly, there is ABSOLUTELY NO REASON you should be storing passwords in plain text. As everyone knows, most people share their password across multiple sites, and Yahoo leaking a password might well be the key into eBay or Amazon.
Since they have this certification for SSL certificates called Enhanced Verification, which gives you a green browser bar, why don't these enhanced checks include basic company policy checks like password storage policy and system security policy which, if misused, can result in revocation of the enhanced certificate and something intrusive and expensive for the company to regain it?
Personally, I don't accept the tired and overused "we apologize for this loss and are increasing our security as a result". It would be like a car driver saying, "I'm sorry about driving on the pavement and killing those people, I will now modify my policy to avoid driving on the pavement". This is well-known security 101, and if these companies don't get the basics right, they simply should not be trusted to provide web solutions.