Bethesda blunders, IRS sounds the alarm, China ransomware, and more

This week, we saw Linux get pwned, a teen hacker go down, and Julian Assange vowing to stay right where he is. But that wasn't the only news to hit over the week.

Oh look, it's yet another SystemD vulnerability

Linux management tool SystemD is once again getting the wrong kind of attention as researchers have spotted another …

  1. Ken Moorhouse Silver badge

    Microsoft took the step of notifying thousands of individual recipients

    How did they do that? By sending out letters using the postal system?

    It looks to me that MS are trying to market their Advanced Threat Protection products.

    As the starting point for attack seems to be fake file-sharing notifications from OneDrive I feel that MS should instead be taking more responsibility for making such file-sharing notifications less problematic in the first place. It's the old old problem of hiding vital information from the user (hiding execute extensions in Windows Explorer, hiding sender email addresses in emails, and hiding the true browsed domain in a URL) in an updated guise.

    1. Voland's right hand Silver badge

      Re: Microsoft took the step of notifying thousands of individual recipients

      How did they do that? By sending out letters using the postal system?

      More interesting is how they managed to figure out who the targets are. OK, I can grok how they know the ones which use Office365 and the like, as the phishing mails hit Microsoft mail servers. That, however, is likely to be only a fraction of the target audience if the target audience is big corporates.

      So how do they know where to send the notifications? Did the Bear suddenly become "The One Birdie Told Me"? That makes for a very shape-shifting Bear. Alternatively, someone just needs to continue pumping the narrative as it is a slow news day and there is nothing suitable on the news to howl about from branches.

      1. Ken Moorhouse Silver badge

        Re: ...a slow news day...

        Presumably you're not an exasperated UK citizen wondering how our f'ing* politicians (well, one in particular) can be so incompetent.

        *It is not often I resort to Rude Words on t'interwebs, but today is an exception.

    2. Anonymous Coward

      Re: Microsoft took the step of notifying thousands of individual recipients

      "How did they do that? By sending out letters using the postal system?"

      In my case I was contacted by Microsoft directly over landline.

      They were surprisingly helpful and even offered to do a free scan of my Windows box remotely over Logmein.

      To my horror they did find several errors in the Windows Event viewer and that several attackers had already compromised my machine by showing me foreign addresses in netstat.

      I was so impressed that I purchased their Advanced Firewall Protection that is usually only available to enterprise hardware products from Dell using their anonymous pay option of pre-paid gift cards.

  2. LDS Silver badge
    Devil

    "We must pass laws that require data minimization, ensuring companies do not keep sensitive data..."

    Now that someone might find out with whom senators slept in the past four years, it's time to copy the same GDPR which was seen as an attack on US companies' "innovation" just a few months ago?

    It's a bit different fearing to be stung directly by unrestricted personal information gathering and storage, and subsequent inevitable breaches, isn't it? Did they believe it only mattered to those using Facebook directly?

  3. willi0000000
    Flame

    20 months

    for ruining someone's life in a particularly nasty way? . . . maybe 20 months hanging from his dangly bits then a lifetime behind bars to think if it was worth it.

    1. Version 1.0 Silver badge

      Re: 20 months

      The story "forgot" to mention that Joel Kurzynsk was an IT professional ... a very bad one. On the plus side, when he's released he's going to have the state looking over his shoulder for three years - sounds like he's such a loser that it will be surprising if he's not back in jail quite quickly.

  4. Ken Moorhouse Silver badge

    ensuring companies do not keep sensitive data that they no longer need

    The big problem with data minimization is that this will burn your audit trail and, in doing so, encourage fraud and other misdemeanours.

    1. A.P. Veening

      Re: ensuring companies do not keep sensitive data that they no longer need

      "The big problem with data minimization is that this will burn your audit trail and, in doing so, encourage fraud and other misdemeanours."

      I suggest you look into the provisions GDPR makes for the minimal legal requirement. One of those is off-line backup, so any auditor will still be able to retrieve a complete audit trail if necessary. If that isn't possible, there is an automatic suspicion of fraud and legal problems.

      1. Ken Moorhouse Silver badge

        Re: One of those is off-line backup

        It can be difficult to reconcile data from an off-line backup with live data. For example, do you continue to constrain primary and foreign keys across that partition?

        If so, then the keys concerned may need to be mapped in some way to preserve anonymity within the current dataset. Is that sufficient to prevent "casual" GDPR disclosure spilling over into a deeper search due to the presence of a reference to "other data" (which is obligatory)?

        If not, then there is a discontinuity in the audit trail which can lead to either a failure to find connections, or to false inferences, in the case of some serious investigation. As time goes on, that discontinuity becomes more and more fragmented as each archive dollop is sliced away.

        1. Richard 12 Silver badge

          Re: One of those is off-line backup

          The problem of creating unique keys without reference to any other party is long solved and built into all well-known operating systems and database platforms.

          Aside from that, data minimization means "Do not collect or store more data than is actually strictly necessary to provide the service".

          In other words: You don't need someone's gender for any online transactions at all. Don't ask for it. You don't need their social security number to sell them a widget. Don't ask for it.

          The CVV code is only needed for the period of the transaction; don't store it.

          As a rule of thumb, if Marketing are asking for the data then you probably should not store it.

          1. Ken Moorhouse Silver badge

            Re: The problem of creating unique keys...

            ...is not the issue.

            The issue is collating all transactions relating to someone together for some purposes, and not for others, without losing the connection between them.

            1. Richard 12 Silver badge

              Re: The problem of creating unique keys...

              Why do you think you need to do that?

              That's one of the things specifically prohibited by the Regulations.

              If someone buys a widget and declines your kind offer to create an account, then you're simply not permitted to link any of their future transactions to that one.

              Report fraud up the chain to the payment processor. That's the card issuer's problem, not yours.
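An added illustration, not from any commenter on this thread: a minimisation filter applied to a constructed card-transaction record that never persists the CVV or fields the sale does not need, and keeps only a keyed pseudonym (HMAC, a hypothetical design choice here) in place of the raw customer identifier, so one can check whether the stored records can still be collated per customer without the identifier itself being stored.

```python
import hmac
import hashlib

# Constructed demo key; assumption: a real deployment would keep this in a
# separate key store, never alongside the records it pseudonymises.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Needed only while the transaction is authorised: must never be persisted.
TRANSIENT_FIELDS = {"cvv"}
# Never needed to sell a widget at all: do not ask, do not store.
NEVER_NEEDED_FIELDS = {"gender", "ssn"}


def pseudonym(identifier: str) -> str:
    """Stable, keyed, non-reversible stand-in for a customer identifier.
    Same input -> same token, so records remain collatable; without the key
    the token cannot be turned back into the e-mail address."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimise(raw: dict) -> dict:
    """Return the subset of a raw transaction that is allowed into storage."""
    stored = {}
    for field, value in raw.items():
        if field in TRANSIENT_FIELDS or field in NEVER_NEEDED_FIELDS:
            continue  # dropped on the floor, never written
        if field == "email":
            stored["customer_ref"] = pseudonym(value)  # token, not the address
            continue
        stored[field] = value
    return stored


def audit_trail(records: list, identifier: str) -> list:
    """Transaction ids in the stored set that belong to one customer."""
    ref = pseudonym(identifier)
    return [r["txn_id"] for r in records if r.get("customer_ref") == ref]


# Constructed sample input (not real card data).
SAMPLE_TXNS = [
    {"txn_id": "T1", "email": "Ann@example.com", "amount": 1999,
     "pan_last4": "4242", "cvv": "123", "gender": "F"},
    {"txn_id": "T2", "email": "bob@example.com", "amount": 500,
     "pan_last4": "1111", "cvv": "999", "ssn": "000-00-0000"},
    {"txn_id": "T3", "email": "ann@example.com", "amount": 250,
     "pan_last4": "4242", "cvv": "123"},
]


def stored_records() -> list:
    return [minimise(t) for t in SAMPLE_TXNS]
```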

  5. TheSkunkyMonk

    So sad Bethesda had to go and trash Fallout; this could have been massive if they had just given us private servers and mod support, the kind of crap we'd expect with a Fallout game. But nope, they wanted a cosmetics store. Shame so many companies have gone this route and forgotten what made them great. I miss pirates on Battlefield :(

Biting the hand that feeds IT © 1998–2019