Not a rumour; it actually happened.

I hear you. He answered my question as well in a similar fashion, and perhaps I'm too cynical but "fighting malware" = "disrupting botnets" = "ticking off organized crime". One cannot operate in Moscow and dodge that crowd.

Nonetheless I appreciate the guy taking time to answer the questions and provide his views. Can't say I was expecting anything controversial although I was hoping for a surprise or two.

Hey Editors, how about getting Mikko Hyppönen to answer some questions next time?

Good for the Spider guys to discover this problem. It would be more helpful if they named/shamed the companies that are exploiting this.

Anyone have this info?

Yes, interesting.

I'll give you semi-recent example of b).

Fred is server tech and spends his days setting up servers, installing and configuring the necessary services, and configuration management. In addition a third of his time is taken by meetings and change/problem/incident management crap. Most days his work is planned well ahead with some occasional changes. He's pretty much the only person that does what he does.

He gets a request to attend a meeting on Tuesday so that some requirements get finalized for a new implementation. No documentation or agenda, basically like 80% of his meetings, he's expected to provide answers and estimates on the spot.

He calls sick on Tuesday, he informs his manager and tells him about the meeting. Manager asks him if he can call in, but he's seriously ill so he politely declines.

He is also sick on Wednesday.

He returns on Thursday. At 9am sharp he gets hauled into a meeting asking why he did not do his part on Tuesday. He says calmly that he was sick. Blank stares. The "project director" informs him that due to his lack of contribution the project missed a milestone. Fred's manager sits there quietly and says nothing.

Fred loses his coolness. He tells them that if the project managers were any good they would have done these items way ahead of time. He also asks his manager why he didn't attend the call or asked someone else in IT to at least to assist? He also asks what is the impact of the "missed milestone".
Fred is told that his tone is not appreciated. The meeting ends.

Fred hands in his resignation Friday morning. He finds another job with similar pay, a tad more structure and closer to home.
The project never happens due to some "scope change". The IT manager is let go 4 months after a "re-structuring". The "project director" is promoted to CIO a year later.

Thank you; I was just curious, except for the typical keystroke logger and the Adsense phishing e-mail, I hadn't seen or heard of actively heard of any "Chinese" into Gmail.

Even though you may have not actively been on top of your password, it didn't strike me that were the kind of person that would also been oblivious if something funny was happening.

Thanks again, just thought that the successful Adsense phishing happened to someone else.

Forgot to include the Apple numbers reference:
http://www.theverge.com/2012/8/9/3232018/confidential-apple-samsung-sales-numbers-trial

... that they're a late player in the tablet game and have had terrible experience with their smartphone OS.

Apple shifted two million in its first quarter.

Even the stupid playbook shifted a large number (shipped, not sold, half a million in Q1) and then its numbers went off a cliff.

I think the Q2 numbers will be more insightful.

Serious question; do you use Adsense? A lot of accounts were compromised with some pretty impressive (well, compared to others) phishing accounts.

Yeah, I've had a close call that made me change my approach as well.

Err, not even. MSDN costs an arm and a leg now as well. I was shocked when I found how much they charge for MSDN Professional. Seems like it pretty much doubled in costs in the last 2-3 years. When you had Visio and the Office Suite so that you can interact with the rest of the corporate lemmings, you're in $5k worth of MS licenses, which is crazy.

I thought Embarcadero's suites were pricey. Not anymore compared to MS.

If I didn't have my expenses covered, I'd be dropping VS2012/C# and making a strong case to use Java with Eclipse or something like that.

Mr. Kaspersky are you safe?

Your operating out of the same country that has a ton of botnet operators and raking in some decent dought with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.

There are have been some interesting stories hailing from your corner of your world. How do you feel with your ability to run your company the way you want and without any threats to you or your staff?

Nicely caught. I meant to say "malice" instead of "stupidity". I'm stuck in a two-hour meeting with the project management team at work, so my subsconscious let out a small cry for help in my post.

Well done. Yeah, I suck at car analogies. The thing is, the muffler is an important ingredient in the overall product.

One could argue that the only "key" (pun partly intended) feature is the security of the room protected by the lock as you rightly stated, and yes, it failed to do so. The other pieces would be the management of the cards, auditing of entry to the rooms and the wow factor to the clientele.
Could also the argument not be made that it would deter 99.99% of unauthorized access? In most circles, that would be pretty good. This is not a trivial exploit either.

Your analogy has more potential than mine: maybe you expect BMW to get you a Tesla or a new set of country-club friends?

Considering that he went for glory by not providing some professional courtesy (your mileage may vary) and disclosing this to Onity before his Black Hat presentation, he may get suffer potentially a bit by "enabling crimininals to circumvent the protection offered by the lock". It is a Black Hat conference after all, so the motivations and the spirit is a tad different other "community" InfoSec conferences. I won't argue what the right approach is. At the end of the day, the vulnerability probably shouldn't exist, so the fault lies entirely with Onity there.

As well, Onity is asleep at the wheel. It was July when the problem surfaced. In September the thefts happened. It's now November.

Someone in PR and Media Relations at Onity isn't doing their job. R&D is probably working overtime and Legal Affairs is probably writing up something nice to make an example of Cody.

Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!

I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more profit. BTW, we already printed the brochures so your comments are moot."

If Onity comes up with a more secure model then it could well be that there is a cost associated. Mind you, this is a PR nightmare, so some companies would just eat the cost.

The hotels bought a lock for a specific purpose. It provides a decent detterent. Someone motivated will always find a way in.

Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalyctic converted. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

Doesn't Windows have some of "Windows Validation" when people run WindowsUpdate? Well, revoke the activations at that point for the mistankly-issued keys. I'm sure MS has other ways of disabling a copy.

Big deal. What's the loss here? $20k worth of "licenses"? More, less? Still no big deal. No one is going to lose their job on this one. As we keep saying here in /., a pirated copy is never equal to a lost sale. This is a blip.

It is amusing though.