* Posts by scottf007

13 publicly visible posts • joined 16 Jul 2009

Hungryhouse resets thousands of customers' passwords

scottf007

Responses

Hello,

This will be the last comment on this thread from me, but just some answers to questions that were posted, roughly in the order they appear.

Communication with customers: Nothing to say here, but this was poor. We could have done a much better job. The SMS people received was automatic, and was missed in our checklist. People were only supposed to receive the email that went out.

Password Reset: This takes someone maybe 30-60 sec. Just a link and re-enter passwords, standard security practice currently.

Payment Information: We store payment details as a token, and are PCI compliant, and are audited as such. We do not store customer payment information as anything but a token.

Password reset vs customer communication: I decided to do this as this way we would know we have done everything we can to keep customers safe, which is a nice segue into the next point.

Patterns of attacks we see: We see constant attempts to get into customer accounts through various methods. Most attacks have a user name and password already. They try specific combinations, and are not random - the attackers have lists of emails and passwords (only an issue if people use the same password as TalkTalk etc.). We monitor attempts to log in and IP addresses / sessions / device fingerprints etc. This is a game that all online companies face, and our job is to make this harder and harder, while keeping it easy for customers.

Pain to order if you cannot access your email: You can order as a guest any time from our website.

Scalper: Restaurants pay us commission, and customers pay the same price as an offline order. If we find an error in prices, we change this immediately or take the restaurant offline.

Card details obtained: This cannot happen as we do not have the card details of anyone. Possibly if an account login and password was obtained it could be possible to place an order, similar to most online services. We are making this harder all the time as well, through fingerprinting etc.

Checks and Balances: We are audited twice per year by an external security company. This includes penetration testing, code reviews amongst many other things. We implement all their recommendations as soon as we can. We also follow up-to-date security practices and try to ensure that we are at the forefront. One of these was to take the action we took today because of the patterns of attacks we see. We are not perfect, but take security very seriously, and try to constantly improve our processes and performance. We will continue this.

I hope this helps. Thanks for all the notes and feedback.

Cheers

Scott
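The "patterns of attacks" paragraph above describes credential stuffing: an attacker replays email/password pairs from someone else's leak, one account after another, from a small set of sources. The following is an added example, not hungryhouse's code, of the kind of check a login service can run over its own attempt log. The log format, field names, thresholds and the sample lines are all constructed for the illustration. It flags a source (IP address or device fingerprint) that hits many distinct accounts in a short window, and then lists the accounts that logged in successfully from such a source, since those are the ones whose reused password actually worked and that need a forced reset.

```python
"""Credential-stuffing heuristics over a constructed login-attempt log.

Added example, not hungryhouse's code. Log format, thresholds and the
sample records below are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, device fingerprint, account, outcome.
# 203.0.113.7 sprays one guess at each of six accounts (stuffing); 198.51.100.9 is one
# user retrying their own password and should not be flagged by the distinct-account rule.
SAMPLE_LOG = """\
2015-10-29T10:00:01Z 203.0.113.7 fp-a1 alice@example.com FAIL
2015-10-29T10:00:02Z 203.0.113.7 fp-a1 bob@example.com FAIL
2015-10-29T10:00:03Z 203.0.113.7 fp-a1 carol@example.com OK
2015-10-29T10:00:04Z 203.0.113.7 fp-a1 dave@example.com FAIL
2015-10-29T10:00:05Z 203.0.113.7 fp-a1 erin@example.com FAIL
2015-10-29T10:00:06Z 203.0.113.7 fp-a1 frank@example.com FAIL
2015-10-29T10:05:00Z 198.51.100.9 fp-b2 grace@example.com FAIL
2015-10-29T10:05:30Z 198.51.100.9 fp-b2 grace@example.com FAIL
2015-10-29T10:06:00Z 198.51.100.9 fp-b2 grace@example.com OK
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, fp, email, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "fp": fp,
            "email": email.lower(),   # normalise so case variants count as one account
            "ok": outcome == "OK",
        })
    return events


def stuffing_sources(events, key="ip", window=timedelta(minutes=10), min_accounts=5):
    """Return {source: set(accounts)} for every source (by `key`, e.g. "ip" or "fp")
    that attempted at least `min_accounts` distinct accounts inside one sliding window.

    Many accounts from one source is the stuffing signature; many attempts against
    one account from one source is ordinary brute force and is deliberately not
    caught here.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e[key]].append(e)

    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = {e["email"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_accounts:
                flagged[source] = in_window
                break
    return flagged


def accounts_to_reset(events, flagged, key="ip"):
    """Accounts that authenticated successfully from a flagged source: the attacker's
    list contained a working password for them, so a forced reset is warranted."""
    return {e["email"] for e in events if e["ok"] and e[key] in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    print("flagged sources:", {s: sorted(a) for s, a in hits.items()})
    print("force reset:", sorted(accounts_to_reset(evs, hits)))
```

Running the same check with `key="fp"` catches an attacker that rotates IP addresses but keeps one device fingerprint; the thresholds are the knobs that trade false positives (a shared office NAT) against missed sprays, and in practice are tuned against the site's own baseline rather than fixed at the values used here.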

scottf007

Very disappointing

As a long time register reader, and the CEO of hungryhouse, I can say that I am very disappointed by The Register - biting the hands of the facts.

They called me after publishing this post.

We have had no data breach.

We reacted to a data leak by '000webhost'. http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/

We have no affiliation, or relationship to them. When the customer list was leaked, we compared this list to ours. If there was an email address match, we deleted the customer's payment information and reset the password as a precaution. We took this precaution after the Talktalk leak etc.

This is sensationalist reporting, and has very few facts.

Scott Fletcher

CEO hungryhouse
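The precaution described in the post above is a procedure: take a third party's leaked list, find the email addresses that also exist in your own customer base, and for each match drop the stored payment token, kill live sessions and force a password reset. The following is an added example of that procedure, not hungryhouse's code; the customer records, the dump lines, the reset-token scheme and its 24-hour lifetime are assumptions made for the illustration. Two details a practitioner would want are included: addresses are normalised before comparison so that mixed case in the dump does not hide matches, and the matching job works from digests of the leaked addresses rather than the raw dump, so the third party's data never needs to be kept in plaintext.

```python
"""Match a third-party credential dump against a customer base and apply the
precautionary response: revoke payment token, end sessions, force a reset.

Added example, not hungryhouse's code. Records, dump format and token
lifetime are assumptions made for the illustration.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


def normalize(email):
    """Canonical form for matching: trimmed and lower-cased."""
    return email.strip().lower()


def fingerprint(email):
    """SHA-256 of the normalised address, so the matching job holds digests
    of the leaked list rather than the raw dump."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


# Constructed third-party dump in the usual email:password line format.
LEAKED_DUMP = """\
Alice@Example.com:hunter2
bob@example.com:password1
mallory@example.net:letmein
"""

# Constructed customer base, keyed by normalised address.
CUSTOMERS = {
    "alice@example.com": {"payment_token": "tok_111", "sessions": ["s1", "s2"]},
    "bob@example.com":   {"payment_token": None,      "sessions": ["s3"]},
    "carol@example.com": {"payment_token": "tok_333", "sessions": []},
}


def leaked_fingerprints(dump_text):
    """Digest every address in the dump; the leaked passwords are never used."""
    fps = set()
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        email = line.split(":", 1)[0]
        fps.add(fingerprint(email))
    return fps


def find_matches(customers, leaked_fps):
    """Customer addresses whose digest appears in the leaked set."""
    return sorted(e for e in customers if fingerprint(e) in leaked_fps)


def quarantine_account(record, now, ttl=timedelta(hours=24)):
    """Apply the precaution to one record and return the raw reset token,
    which goes only into the reset email. The token is stored hashed, is
    single-use and expires after `ttl` (assumed lifetime)."""
    raw_token = secrets.token_urlsafe(32)
    record["payment_token"] = None      # stop card-on-file orders from a hijacked login
    record["sessions"] = []             # any session the attacker already holds dies too
    record["reset"] = {
        "token_hash": hashlib.sha256(raw_token.encode()).hexdigest(),
        "expires": now + ttl,
        "used": False,
    }
    return raw_token


def redeem_reset(record, presented_token, now):
    """Validate a reset link: present, unused, unexpired and a constant-time
    digest match. Returns True exactly once for a valid token."""
    reset = record.get("reset")
    if not reset or reset["used"] or now > reset["expires"]:
        return False
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    if not secrets.compare_digest(presented_hash, reset["token_hash"]):
        return False
    reset["used"] = True
    return True


def run(customers, dump_text, now):
    """Whole procedure: returns the matched addresses and their raw reset tokens."""
    matches = find_matches(customers, leaked_fingerprints(dump_text))
    tokens = {email: quarantine_account(customers[email], now) for email in matches}
    return matches, tokens


if __name__ == "__main__":
    matched, _ = run({k: dict(v) for k, v in CUSTOMERS.items()},
                     LEAKED_DUMP, datetime.now(timezone.utc))
    print("accounts quarantined:", matched)
```

Note that matching on exact normalised address is a floor, not a ceiling: a dump that contains `alice+shop@example.com` will not match `alice@example.com` under this scheme, and whether to fold such variants is a judgement call that trades missed matches against resetting accounts that were never exposed.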

Google avoids tax with ‘Double Irish Dutch Sandwich’

scottf007
Go

Very simple

It is simple to get a solution. If the company has a local sales force/presence then it is illegal to sell product from another subsidiary. If they do the directors are personally liable. Google Australia would need to bill everything through the Australian company. To claim royalty fees etc. they would have to substantiate all costs on an international level and disclose all subsidiary companies or it is void.

NBN zealotry in the ultra-high definition age

scottf007
WTF?

UHDTV

So you want me to pay $40 billion dollars so you can watch UHDTV???

That does not boost productivity or help small businesses.......

Turnbull storms Paris with NBN’s doom

scottf007
WTF?

You guys are smoking crack

There is one company who owns the whole network. They have a business that will go public in order to pay back the Australian People.

One company owning all access, this means one company will set prices with no other companies to compete (I think the first guy is wrong). The wholesale rate is fixed to make money - not to provide great access.

Right now you have 3 different technologies to choose from depending on where you live - cable, adsl, wireless

This is being replaced with one technology - fibre. The Telcos cannot advertise saying wireless is a substitute for fibre - and instead of several companies owning networks it will be one company.

Telstra is the incumbent, but their share has been dropping with pace since deregulation, as have prices. Optus had a network, there were other independent business networks in each capital city for data. That will all go.

One network, one wholesale price. This will not come down with volume - this requires huge volume to stay at this price.

In the UK for 12 pounds ~$20 you can get unlimited ADSL. Here the cheapest plan I could find was $59(naked). We are getting bent over. Nationalising the network and recreating a monopoly is madness.

FTTN - sure that is copper for the last stretch, but that could be upgraded to fibre to the house if a particular house wanted.

How many people in Australia need fibre to their house? Our population is aging - and lots of houses are not/do not need to be connected to the internet. I am in my early 30s and almost no one I know that is my age has a fixed line phone, mobile is more convenient and getting faster for data.

This is appealing for geeks and some businesses - but the general population it is a waste.

How expensive are Australian NBN services?

scottf007
Stop

This makes me mad

What you did not take into account is that in Australia it is run by the government and has no chance of price reducing. The price can only increase because of fixed wholesale costs across everyone in the market.

We have signed ourselves into high prices whether our country is doing well or not performing. There is very little chance that wholesale prices will ever get cheaper, it is a monopoly.

For Australian small biz, NBN retail prices look fabulous

scottf007
FAIL

Are you joking?

This will take us so far backwards it is not funny.

Today I can get cheaper plans at the lower end, much cheaper with more downloads. I am on internode - and we get more for less. True the higher speeds do not exist - but under the business model they cannot get cheaper - they have fixed prices for 10 years.

With an open market, people innovate, new technology is introduced like White Fi, and prices have been coming down since cable was introduced by bigpond years ago.

Is the market made up from more consumers or SMEs? Obviously more consumers - I think having to lock in society to more expensive local calls, and more expensive internet that cannot drop in price is not a good thing. I am all up for speed, but at what cost?

Google Apps punts kill-Microsoft-Exchange-now tool

scottf007

No Support

They have no support and do not acknowledge users.

You have not been able to turn on Sync to mobiles for a month now, they responded yesterday and say it will be two weeks.

You cannot run a business with no one to talk to if something breaks....

Google Docs updated with three-headed bug

scottf007
FAIL

GDocs do not play properly

I have dabbled with them a lot. I have a lot that I use frequently.

When you import any office document, it imports very well, with most of the formatting remaining intact. When you export anything back to office, you may as well have copy-pasted from notepad.

I do not like them for this reason. There is a lot of functionality that is not there, so you need excel, powerpoint or word. And they do not play together at all, even though Office is all Open XML......

Do no evil my arse

Gmail de-goodened by contact list glitch

scottf007

Push mail to phone

This was turned on, there would be a lot more persistent connections....

Vodafone pledges fix for Snow Leopard 3G modem woes

scottf007
WTF?

Pretty different reaction to Microsoft driver woes

This is the problem with slanted journalism and fan boys.

Vista was released in Beta 1, 9 months before general release. When there were incompatible drivers everyone said Microsoft sucks.

When the same thing happens to Apple everyone blames someone else....

Is Gordon Brown safe to work with vulnerable people?

scottf007
FAIL

MPs do not have a relationship of trust

"In respect of the new vetting scheme, which will be launched in October, and acts as a further safeguard around the CRB system, the guiding principle appears to be that where there is even a remote possibility that interaction between adults and a vulnerable group might lead to the creation of a "relationship of trust", individuals should be checked and registered."

Obviously MPs do not expect to be trusted by children, the elderly (>65), or anyone else. Surely this would be over half the population????

Microsoft hosts Feynman lecture series

scottf007

Get over it

What is wrong with so many people here. What is wrong with silverlight.

It is supported by over 90% of all Browsers

It is supported by over 90% of all OSs

Why would he put it in another format, and what would that format be? There is no standard format for streaming video.

I use Chrome, and most silverlight sites work in Chrome (not this one) but you are talking about less than 1.8% of the market.

If I own something, and a mechanism to stream it, then that is what I would use. Why would they use a competitor's product to do this?

Full Chrome support will come, but when they release it before it is ready people always complain if anything goes wrong.

Get over it, Feynman is an absolute legend - even mentioning silverlight in the article detracts from the whole issue.

I am almost positive BillG had no actual input about where or how this would be hosted anyway.