So here's a fun note - as it turns out, the Panera Bread Director of Information Security mentioned in that email exchange worked at Equifax from 2009 to 2013. There's a comment mentioning it on that page, but you can find it just by looking at his LinkedIn: https://www.linkedin.com/in/mike-gustavison-b020426/
Time is a flat circle. Everything that has happened before will happen again. Every time it happens, we will hear "Security is our top priority" or "We take security very seriously."
Correct me if I'm wrong - it's also NOT illegal to do so; even if you are lying, it is immoral but not illegal.
So I was once told by a cop, when I told them the defendant is lying about not showing up, that he has good reasons. Unless you are under oath by very few LE organizations, it's not illegal to lie.
Of course I'm not saying it's a good thing; just pointing out they can say whatever they want to - there is no liability.
Absolutely agreed. It feels like corps are developing their own infosec version of the four dogs defense.
4 DOG DEFENSE
My Dog Does Not Bite.
My Dog Bites, But It Didn't Bite You.
My Dog Bit You. But It Didn't Hurt You.
My Dog Bit You And Hurt You, But It Wasn't My Fault.
Probably won't happen until some Senator gets personally burned. Equifax hasn't suffered much, for example, and they released almost all of their info for every adult in the US that ever used a credit card or had a mortgage.
I'm almost wishing some activist hacker would buy the data for the House and Senate reps and go to town... just to get their attention. Purchase pornhub accounts, shady drug site stuff, escorts, etc., and start sharing it publicly.
> My guess is that senators that have been burned have been done so secretly and are being blackmailed.
The whole bunch has been blackmailed for decades. Just not "ordinary" blackmailing, but threatening by big funders to cut said funding unless, for example, the politician keeps supporting NRA/BigAg/BigFinance-favorable policies...
I know HIBP's Troy Hunt has very carefully detailed his ethical and moral tradeoffs in what he does, and I appreciate that as a benchmark.
But I so want to lose my mind, start getting these breach db's and start emailing Congresscritters with "This email was hacked, you're screwed, we're screwed, and here's legit links to help fix our lives back up... (eff.org) (hibp) etc"
And now I'm on the watch list for when someone crazier than me actually does this. Sigh.
I feel like there could be an xkcd-style Greasemonkey script that adds a winky face to the end of any of those phrases to make them a little more accurate.
EDIT: This just got more interesting. Turns out that despite taking the site down for an hour earlier today, they didn't fix it: https://twitter.com/briankrebs/status/980944555423002630
Also, based on the vulnerability still working at this endpoint [1], Krebs revised his estimated number to 37 million records: https://twitter.com/briankrebs/status/980949205974953984
________________________________
1. https://delivery.panerabread.com/foundation-api/users/678141...