* Posts by GloomyTrousers

5 posts • joined 30 Jun 2009

Plusnet customers SWAMPED by spam but BT-owned ISP dismisses data breach claims


user+identifier@mydomain.com not reliable

Problem with the user+identifier@mydomain.com thing: it's a commonly known pattern, so the identifier is trivially removed or spoofed by anyone seeking to obfuscate the source of their list, or direct your attention elsewhere. So you can't really rely on it to identify the source of a leak.


Zeus botnets suffer mighty blow after ISP taken offline



"...properly lubricate all objects prior to spammer insertion."

A suitable lubricant can be obtained by mixing superglue, broken glass and rusty nails. Apply liberally to object before using on spammer.


Verified by Visa bitchslapped by Cambridge researchers



If I remember correctly, way back in the early noughties when I was writing ecommerce sites and the 3-digit CVV was introduced, the instruction was that it was never to be stored anywhere in your DB, on pain of some kind of nastiness to your merchant account. I presume (but don't know) it's also not stored in a machine-readable format on the card.

Thus, the extra level of security this provides is not to turn a 16-digit number into a 19-digit one, but to guard against your card number being usable if a database where it's stored is compromised (quite likely at the time, having seen the sort of shoddy code being rushed out back then) or your card is skimmed.

So, in theory, if a card number is presented with CVV it is more likely that the person presenting it has (access to) the physical card, and less likely that they're using a card number stolen from somewhere.

I do recall having to tell coders who hadn't read the documentation that the CVV wasn't to be stored in the DB, so I'm assuming that there are various implementations out there that do store it and thus neuter it as a security measure - it's a slightly brittle solution in that respect.


Monty's 'Save MySQL' mudsling gets 15,000 backers


Spam from Monty

I recently received an email invite from Monty to sign this petition - quite obviously a bulk mailshot. Not sure why, as the only time I recall providing my e-mail address for anything MySQL-related would be many years ago in a comment on the documentation, so presumably I have a mysql.com "account".

I was pretty pissed off TBH - if Monty is no longer part of MySQL, how is he able to get hold of this data? No unsubscribe info, unsolicited, bulk, so in my book it ticks all the boxes for being spam.

Not a great way to go about garnering support...


Masked passwords must go

Big Brother

Stop watching my fingers!

The asterisks stop shoulder-surfing from people reading your screen... but not watching your fingers on your keyboard. If passwords were displayed as typed, it wouldn't take long before people started looking around a little more carefully at who's watching before typing their password, instead of being lulled into a false sense of security by the fact that their password can't be seen on screen, and ignoring the fact that watching fingers is pretty easy (see AC's 70WPM comment).

However, as in many things, there is no 'one size fits all' answer. In some cases, I can see this improving security (and, as seems to have been somewhat forgotten as one of the original points of the article, usability), although in many cases it will of course not do so.