There are valid uses for some of these. Imagine where online User eXperience and User Interfaces would be without services that help tell someone what is working and what is not.
Fortunately, many US companies are starting to consider a GUID and your IP address to be PII, and no longer allow that information to be stored.
Don't discount Warren Buffet's mantra. When people are scared, he buys. When stockholders feel great, he sells. So fear=buy if fundamentals are good, exhuburence = sell and make profit.
The real definition of distributed systems is endlessly challenging as you are always balancing trade-offs.
The CAP theorem still holds, so we pick which 2 out 3 to be strengths and where to compromise as little as possible. It's a guaranteed 87.3% effective hair loss formula. I find Quiet Riot helps.
This timeline from first report to full disclosure was 10.5 months. Note that I did not go looking for a long timeline, this was the first item when I Googled "CVE disclosure timeline."
I've worked with the McDonald's web team before. They do care about performance and security. I reverse engineered an undocumented (to them) protocol for a game system in order to write tests for it--which was really, super fun to watch run.
McDonald's uses 3rd parties for most of their main development work. In the case above, the developers were in Australia, while McDonald's is in US Central Time and I was in US Eastern time. When I reported problems and provided suggestions, they usually had a conference call with McDonald's, the Aussie devs, and my team within 12 hours. If it was a weekend, it was Monday night. McDonald's core team takes this very seriously.
The difference here was that I had all the right phone numbers and am known to them. I was working for a well known publically traded company, which carried weight by itself. I don't know that if I didn't have the right contacts, hadn't been to their HQ and met with the VP/IT and Director of Online, would they have taken what I said seriously?
Secondly, this was the US Christmas and New Year's holidays. They were running a skeleton crew. As Adrian Cockcroft, former lead cloud architect at Netflix, once said, the time Netflix is the most stable is Christmas and New Year's because there aren't any engineers around.
With all that, they need to take this as a wake-up call and have a security response system, even if they contract a 3rd party for that also. There must exist, or this is a nifty startup idea, 3rd party firms that go through [email protected] emails, including the reams of spam, and there should be an optionally anonymous security problem reporting form with a captcha to get information such as this to the right people.
Lastly, 12 days is extremely short under any circumstance. While I'll admit that it can be extremely frustrating to not get a response, I believe 30-days should be the minimum time before first notification and publication with details. If a security firm wants PR for finding the problem, the post that there IS a problem first and wait the full 30-days from initial contact attempts before disclosing the details.
It seems we revisit this topic or a branch of it often enough that it's almost becoming a meme.
Here is a 2-page, 7.4K security checklist. If you verify and check each box, your application won't be bulletproof (it is software and you have 3rd party libraries), but it will be close to air tight.
--Disclaimer: I have nothing to do with this security checklist or its authors, except appreciation and respect.
Assuming a web page, does the page reload in less than 1 second?
On a full sized keyboard, the normal rate is 3.3 key presses per second. On a mobile device, I'm sure an 8 character password will take far more than 1 second.
For brute force attack defense, rate limiting a single account globally to 1/sec, i.e. independent of source IP address, should be sufficient and prevent parallel attacks by bots, but this still makes DOS attacks on a particular account easy, but not the entire system except traditional overload.
Many API systems work this way and it's proven effective.
Peer review feedback loops do tend to make one carefully consider what one says, however if the peers are too homogeneous, you may not get challenged on many things outside the bubble of their collective belief system. Heterogeneous peer systems, that is diversity, are more likely to keep you honest.
Try TheHill.com and AllSides.com. I find AllSides.com useful for presenting the same story from multiple sides and biases. The Hill aims to be apolitical and center biased, and does a fair job.
Disclaimer: I have no affiliation with either site, and I do not endorse either site. My opinions are my own.
From a rational, logical, and chemistry point of view, one cannot have a balanced view or understanding without positives and negatives.
The only thing that makes it work is critical thinking; or at least rational thinking, though rational thinking is easy enough to manipulate by any sophist. Recognizing the forms leads to recognizing the art of sophistry as it occurs. However, emotion is even easier to manipulate and inflame, ridding one of the possibilities of rational thought.
After being married over 20 years, which I still find shocking that anyone has put up with me for so long, I find that "to let her be as emotional as she wants but stay rational and prudent" frequently backfires because she wants emotional _involvement_ and support. Being rational doesn't meet her needs, even though as a man, a geek HFA man at that, I'd rather stay in the safe, predictable, rational realm. Staying married and supporting my wife is more important to me than my comfort zone, just like apologizing means you value the other person more than your own ego.
Mad props for the _ Ein Heldenleben_ reference. Richard Strauss was a genius, following in the footsteps and improving on Wagner.
Side note: I'm continuously amazed at the breadth of knowledge and reference on HN. Is it perfect? No. It is, however, frequently a breath of fresh air. It reminds me that polymaths still abound, and fondly reminiscent of the old /.
With 1 daughter in university and 2 in high school, I do something similar, adding in listening to their viewpoints, and asking them critical thinking questions about their views without necessarily disagreeing with them. It doesn't matter whether I agree or disagree, I simply ask them to think for themselves and question the reason they feel the way they do. It's often quite interesting to go into a direction which I had not considered. I've also found flaws in my own views from the exercise.
As may be expected, they also get tired of this sometimes, and they know it's coming, so I try to pick and choose items at random and just let others go. I believe--well hope really, that this encourages them to think and ask questions themselves and not dread another dinner with dad :)
Fortunately, many US companies are starting to consider a GUID and your IP address to be PII, and no longer allow that information to be stored.