Twitter To Establish Information Security Program 72
An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
Message in the Bottle (Score:4, Insightful)
Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.
Barred for 20 years? (Score:5, Insightful)
Comment removed (Score:5, Insightful)
FACEBOOK (Score:4, Insightful)
I was just about comment about how they should be hounding Facebook for all shit they pull.
Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.
Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.
Re:The hell? (Score:5, Insightful)
This doesn't make sense (Score:5, Insightful)
The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,
The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Does NOT seem to be a misrepresentation. If they employ any measures at all.
it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.
Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
Wait. "Hard to guess" and "Not used for other programs" are separate criteria.
It is not necessary to require that last bit, to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service, change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.
Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.
The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.
Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security
Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall. At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"
Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.
A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.
Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
This is only more secure, if you assume that an administrative login is known, and compromised.
An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.
Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...
Particularly if the use of administrative logins is monitored carefully, and a co
Re:WTF? (Score:2, Insightful)
To employ Godwin's law: Hitler, we have all gotten together and we agree... No more Holocausts for 10 years, okay? Thanks Adolf.
Re:Message in the Bottle (Score:5, Insightful)
I don't know 20 years seems like an awful long time to be barred from doing something illegal...
Re:Legal Stuffs (Score:2, Insightful)
IANALBIFWI
...What did you call my mother?