Rich Freeman on 8 Jun 2017 10:48:21 -0700



Re: [PLUG] Password manager OneLogin hacked


On Thu, Jun 8, 2017 at 1:43 PM, Christopher Barry
<christopher.r.barry@gmail.com> wrote:
> On Wed, 7 Jun 2017 07:55:38 -0400
> Rich Kulawiec <rsk@gsp.org> wrote:
>
>>On Fri, Jun 02, 2017 at 10:33:48AM -0400, Rich Freeman wrote:
>>> > Of course we only know about the hacks that operators care to
>>> > report, which is a subset of the set they know about, which is a
>>> > subset of the set their employees know about, which is a subset of
>>> > the set that has happened, which is a subset of the set that has
>>> > and will happen.
>>>
>>> Sure, but the same is true of your own internal security breaches.
>>
>>Mostly true, except for the first clause.
>>
>>But the risks are far higher for services like these, because the
>>threat model is so different.  Every one of them is a high-value
>>target, therefore they will draw the attention of people ready,
>>willing, and able to attack high-value targets.  Given the pathetic
>>overall state of IT security, given the inexperience and naïveté of
>>the people running these, and given the highly asymmetrical nature of
>>attack and defense, it's only a matter of time until they're
>>compromised.  They are thus just about some of the *last* places
>>anyone should trust with confidential/sensitive information.
>>
> Bingo! Very well articulated.
>

Are we talking about password managers here, or IAM?  They're not the
same thing, and IAM is actually pretty common in large companies.

Chris - you're using an IAM provider to send your email.  :)

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug