MSI UPDATE

[Inigoes]

Typical Fed exuberance...pay twice as much for something that you can find in the private sector for half price.

The extra cost pays for the USPS black programs in the name of national security

 

[fightinbluhen51]

The extra cost pays for the USPS black programs in the name of national security

I can hear the RevAl now...

"USPS BlackOps is racists!"

 

[Bolts Rock]

Thank you for the email. Your pictures and info were turned over to Postal Inspectors office for investigation.

Just sayin'.........

Of course it does help when your Federal boss "accidentally" overhears you mention to someone you think you know about misappropriated Federal property and you're ordered to report it.........

 

[TopShelf]

It's very real. Lifelock is pointless. It only monitors for fraud and does nothing to correct any damage done unless you prove to them, most likely in court on your dime, that the damage was due to a "defect in their service". It is spelled out in their terms of service. You should contact Experian, Equifax, and Transunion immediately to put a credit freeze on your credit reports. Beware of the fraud alert option because it expires every 90 days and technically is only valid if you demonstrate fraud with documentation (i.e. police report). You should also buy identity theft insurance, not to be confused with credit monitoring services, so that somebody else takes care of and pays for repairing your identity records and credit reports if your identity is stolen.

Good advice! Worth repeating - freeze your accounts! If the security breach is as bad as it sounds, people whose information was compromised may well be a target of identity theft crime. The $15 and an hour of you time spent now could save you significantly more of both in the future!

 

[thebullpupkid]

I got a pile of them. Every time I go on a trip of a week or more they hold my mail at the Post Office and when I get back, they give me one of those across the counter. My guess is the Licensing Division gets them by the gross every time the mail gets dumped on them.

We got enough to focus on without bringing up odd bits.

FWIW, the post office didn't want them back and they are great to store odd junk in. Tougher than they look. I have seen people use them as planter boxes for strawberries. Never rot.

I get it and fully agree that it's a miniscule thing to point out and that they probably get them by the metric ton every time they pick up the mail.

I guess I'm just salty about what they have done in general. I feel like MSP is a bunch of ruthless bastards that wouldn't hesitate to pile on whatever charges they can. If they are technically violating the law, they should face the consequences of that as they would do to you if given the chance.

I do also agree that talking about this distracts from the bigger issue. I just feel like pointing out when the people who tell you with a straight face they "just enforce the law and nothing else" are technically in violation of the law themselves.

 

[Bolts Rock]

Meh, takes less than 20 seconds to utilize the link someone supplied and it may be just a thorn in their ass but enough thorns have an effect and it takes minimal effort. Anything that gets them noticed by the Feds is a good thing for us. Take 20 seconds, do it, move on to the bigger issues.

 

[Brooklyn]

Actually SHA can and is used as a one way encryption function to hide plaintext passwords in storage. (much like how LM hashes of passwords on older windows systems)

It's the impetus for a rainbow table.

If you want to be technical SHA does not encrypt as it is not reversible and no passwords are stored anywhere. But it does not matter. We Know PW were sent in clear. The end.

 

[FrankZ]

We Know PW were sent in clear. The end.

And this is the real issue.

 

[csanc123]

If you want to be technical SHA does not encrypt as it is not reversible and no passwords are stored anywhere.

Hence "one way function" as I described....as I said that is the impetus for a rainbow table which matches the produced hashes with plaintext input....so yes if the hashes are stored (without a salt) they can be "broken" using most of the online tables (there are petabytes of them online). The term encryption and hashing as so fudged up that security industry even sometimes interchanges the terms (right or wrong).

 

[Brooklyn]

Hence "one way function" as I described....as I said that is the impetus for a rainbow table which matches the produced hashes with plaintext input....so yes if the hashes are stored (without a salt) they can be "broken" using most of the online tables (there are petabytes of them online). The term encryption and hashing as so fudged up that security industry even sometimes interchanges the terms (right or wrong).

One way functions are never encryption. Hashs are not passwords, but only evidence of passwords. Hashs can be broken by rainbow tables even with salt. And the' security Industry' as you call it full of folks who are underqualified by a factor of 10.

Now this is not a security forum. The passwords were not protected at all The end. KISS for the public ok.

 

[csanc123]

Sorry to belay this point....hashes ARE USED to authenticate users in certain OS's when the plaintext passwords are not TRANSMITTED over the wire. The client enters a pass on the workstation, it get's hashed and MATCHED to the hashes stored on the OS...the HASH becomes the defacto password (even though it's NOT the password and only a cryptographic representation of the password)

and yes....in the 7rr case....the passwords were going over in the clear.

 

[Inigoes]

Sorry to belay this point....hashes ARE USED to authenticate users in certain OS's when the plaintext passwords are not TRANSMITTED over the wire. The client enters a pass on the workstation, it get's hashed and MATCHED to the hashes stored on the OS...the HASH becomes the defacto password (even though it's NOT the password and only a cryptographic representation of the password)

and yes....in the 7rr case....the passwords were going over in the clear.

The singular username and password used by all of the data entry people was being sent in the clear.

 

[csanc123]

The singular username and password used by all of the data entry people was being sent in the clear.

Correct.

 

[Brooklyn]

Sorry to belay this point....hashes ARE USED to authenticate users in certain OS's when the plaintext passwords are not TRANSMITTED over the wire. The client enters a pass on the workstation, it get's hashed and MATCHED to the hashes stored on the OS...the HASH becomes the defacto password (even though it's NOT the password and only a cryptographic representation of the password)

and yes....in the 7rr case....the passwords were going over in the clear.

Guess what we know that. Really we do.

The public need to hear a simple message " the passwords were not protected at all"


They do not need to hear " there is a controversy about the way the passwords are protected.".

So if you are here to help KISS if you here to cover up firvthe administration by confusing the lay press and the public -- good job..

If you are trying to impress somebody--- its not working really.

 

[csanc123]

Guess what we know that. Really we do.

The public need to hear a simple message " the passwords were not protected at all"


They do not need to hear " there is a controversy about the way the passwords are protected.".

So if you are here to help KISS if you here to cover up firvthe administration by confusing the lay press and the public -- good job..

If you are trying to impress somebody--- its not working really.

Please don't insinuate that I'm here to muddle anything for the administration. That's pretty low.

 

[Brooklyn]

Please don't insinuate that I'm here to muddle anything for the administration. That's pretty low.

Fair enough. But the effect on the lay press will be the same. Personally I do no think you are doing intentionally this is why I put it second. There is a time for nuanced tech discussions and there is a time to be so direct that even the Sun can figure it out.

I do apologize if I offended you. It was more of a counter factual suggestion and a way of sending a message to the sun that no honest reporter could miss the message " the passwords were not protected at all"

I hope we are good, you were not the target of my sarcasm. sorry.

 

[csanc123]

Fair enough. But the effect on the lay press will be the same. Personally I do no think you are doing intentionally this is why I put it second. There is a time for nuanced tech discussions and there is a time to be so direct that even the Sun can figure it out.

I do appoligise if I offended you. It was more of a counter factual suggestion and a way of sending a message to the sun that no honest reporter could miss the message " the passwords were not protracted at all"

I hope we are good, you were not the target of my sarcasm. sorry.

We're good bro...this whole fiasco has us all on edge (me included).

 

[Miss Lead]

Sometimes comparisons illustrate things very clearly. If you were to compare hacking someone's Facebook account to the PII security breach? That might make things crystal clear to the Sun!

Thanks in advance!

 

[beafly.cakes]

Not sure facebook is even remotely close to a valid comparison. The information on a 77R being released is probably infinitely more damaging than pictures of your cat, what you ate for dinner last night and your latest farmville conquest.

Besides... facebook's security is vastly better than what's being described here.

 

[csanc123]

Besides... facebook's security is vastly better than what's being described here.

Sad but so true.