These days, in my opinion, sessions are done better and more securely with cookies; a cookie, for example, can be set to require a secure transmission vector (usually SSL in an HTTPS request), and aren't bookmarked as part of a URL. Yes it is more difficult to see what cookies are stored in your browser than in a URL, but most browsers will allow you to view and/or clear cookies easily enough. In addition, cookies can be set to expire automatically a set time on the client so they're only valid for a specified period of time, which can be completely separate from the server side. For instance, you could create a session that would live for 5 hours, and regularly change the session ID (say every fifth request if you like); the session cookie would get updated each time, but the overall session would live only for that 5 hour window. While the same could be done with a session ID in a URL, that session ID could still end up in a bookmark; in the very unlikely event of the session ID being reused, that bookmark could represent an inadvertent attack vector.
In addition, cookies are passed with both GET and POST requests; not every page has to be a POST request to use cookies to pass session IDs, and as I explained already, a session ID in a URL can be bookmarked. GET and POST have two different purposes, and I think everyone designing web pages could stand to read through the HTTP RFC . Logins should be done exclusively with POST in my opinion, and normal data retrieval once logged in should be done with GET. There's no reason that any search engine should ever be given a session, let alone a session ID; if a search engine needs access to otherwise secured information, there are options to accomplish that, but I can't see the logic in locking up data then making it publicly available in a search engine.
Definitely true, though I'm sure there are people at the various military contractors that knew better all along. There's no excuse for being lax about security when national security, defense, and military equipment and personnel are involved.
Yes, a video signal is different from the control signal, but any intelligence intercepted by an enemy is still a security risk. More often than not, intelligence from those drones is relayed by radio to ground units rather than being directly received by those units. (Some degree of analysis usually needs to be done.) The video signal needs to be encrypted just as much as the control signals.
My point with regards to the malware infection was more that this should have triggered a re-evaluation of the security involved in the maintenance and usage of our drones.
"Engineering without management is art." -- Jeff Johnson