Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@DubbaThony I was the same, I needed to see the actual tweet to believe it, what’s worrying is that I was with Virgin Media a couple of years ago, and WAS considering going back to them
-
@Commodore sure 🤣
-
@Commodore indeed, it's priceless because its worthless
-
@Adjrenaline @TheOneFuzzyBit in Europe it is illegal to do so (GDPR). OP is fully in his right to file a complaint and let that company be fined.
-
@Codex404 This is false.
I can store how I want personal information.
GDPR has some mandatory rules (warning, access to information, right to be forgotten, etc). But technical side is only contingent on the presence of an effort to protect user information.
Example : I can (CAN ! keyword, not WILL) store passwords in plaintext. Then click on “Transparent encryption” button in Azure). Done: I can argue that I put an effort in securing user data.
And any way not ONE company in a world, who uses tiers party apps is compliant with GDPR. As it states, that to be compliant all your vendors need to be compliant. See recursion here? Down the chain there will always be ONE who is not respecting some made up rule.
(For info, I use BCrypt with encoding stregth at 11) -
@NoToJavaScript no encryption at all is big flaw especially for something like an ISP who is by law required to store personal data.
Did they do everything in their reach to keep customer data safe? That's a firm no. That by definition is a breach of GDPR. It's not "has there been effort to secure data" but "have they done everything in their reach to protect data"
A small portfolio website can get away with security a bank, Healthcare provider or ISP absolutely cannot.
I know a ton of edge cases but this sure as hell ain't one of them. I don't know if you have actually studied the law itself or just read the summaries in laymen texts like most people who claim to know what GDPR is. -
@Codex404
Oh, I agree with you 100% and it should be punishable !
Exact, your formulation is perfect: “have they done everything in their reach to protect data”
But is very easy to argue in tech word:
“We didn’t have enough resources to implement more secure way to store data”.
Well, applied to an ISP, not sure it can hold ground.
We had similar problems with ISP in Canada. If you knew user ID (Which is… first char of first name, first char of last name and sequential number) yu could order ANY additional services for them. -
@NoToJavaScript
Go figure our ISPs
Customer id is just your typical integer, 4 maybe 5 max 6 digit.
They use it as password for invoices they send in pdf... Over unencrypted smtp (yes, they are rocking old plaintext not tls SMTP server)
So its even worse. Anyone who "can plug cable in proper place" can intercept this email, spent 5 seconds on bruteforcing passwords and do what the hell ever he wants with ability to confirm other invoices, change your services etc.
And they recently introduced that pdf password which introduced IMHO even bigger security issue than it was in first place....
And just in case attacker would you know, see its passworded and wanted to give up, they mention in email body that its your customer number (aka its easy to crack, come on, dont give up just yet)
My email to them was gracefully... Ignored.
Related Rants
Kind of sad when you think about it.
Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.
rant
plain text passwords
security means nothing
isp
security fail