
Comment Re:Laugh-worthy (Score 1) 138

If he simply inspected their systems, fixed any holes he knew about, provided no information to the bank about what he had done except a note to say "your system is now more secure" that might be okay.

That assumes that the existing client staff wouldn't have a clue about how to compare the systems baselines before his security changes with the state of the systems after. The differences between the two states would contain the "secret".

When someone who formerly dealt with highly classified information in government writes a book, the usual deal is that the book's contents get vetted by ${security_agency} before publication. It's a lot more difficult to do that type of thing if the guy is using that information to secure a client's systems.

So I can understand the concern here.

We (the US) would be better off providing such folks with golden parachutes to avoid having to tell them not to try to profit from what they learned on the job, after they leave.

Comment Re:Not in USA (Score 1) 249

How about iPads and other tablet devices that aren't phones but are likely to hold even more personal data than a phone does?

And how about a ruled and bound notebook that traditionally has held personal data? Maybe if I attach two tin cans and some waxed string to it they'll classify it as a phone and then I won't have to worry that they'll find evidence of on it.

Comment Re:More (Score 2) 150

Exactly my thinking also. The multimillion dollar legal fees are the driving force and as usual in class actions, the class members get peanuts (not to defame actual peanuts, they are quite nourishing).

Or the plaintiffs' lawyers already received a "pre-settlement bonus" from the defendant companies' petty cash boxes.

Either way, the plaintiffs got screwed.

Comment Re:And another on the ban pile (Score 1) 289

[ Because we all love anecdotal evidence, here's some of mine ]

And when I called Crucial to RMA the 4 brand new memory modules that were producing errors nonstop (when all 4 were installed, but not when only any 2 were installed) under memtest86 while other vendors' memory in the same system ran rock solid, I was told that it is probably a temperature issue and to run the system with a desktop fan blowing over the RAM. A desktop fan, like a Vornado "air circulator" they meant (and I verified), not a computer-mounted 80mm, 120mm, etc., fan. They refused to RMA the memory because I didn't have a desktop fan blowing on it.

Maybe it was just the crazy folks I happened to speak with that day, and the next day, I don't know, but I stopped buying Crucial memory after that and have stuck with Corsair, Kingston, and OCZ without problems.

Comment Re:Learn to write English properly (Score 1) 253

And the Chicago Manual of Style Online says ..

http://www.chicagomanualofstyle.org/qanda/data/faq/topics/Usage.html?page=1

Q. I work for an organization that uses a fair amount of corporate lingo in its publications. The expression "visibility into" seems to be widely used in place of the expression "insight into" . . . this confuses me (okay, it also annoys me). Based on the common definition of "visibility," does it really make sense to say that one has "visibility into" something? Before I start a campaign to eradicate what I see as an unsightly phrase, can you tell me if the phrase "visibility into" meets the standards of acceptable usage?

A. Sometimes it's necessary to avoid turning your nose up at a word or phrase that seems to be the awkward brainchild of new ventures -- unless, of course, something old and standard does the job as well or better. A glance at the first hundred or so of the 147,000-odd Google hits (as of Monday, October 20, 2003) for "visibility into" suggests that the phrase is being used these days primarily to do a couple of things: (1) convey that whatever is going on -- corporate accounting, say -- is entirely transparent, or (2) indicate that software can offer some understanding of activities that are difficult to conceptualize or see -- such as data from myriad sources moving over a network, or products moving along a supply chain. An example of the second use might go like this:

Without the kind of software that provides continuous visibility into activity across a range of networks using a variety of protocols, you might as well send your entire staff on a field trip, asking them to report back every few seconds with a question: "Can you hear me now"?

This sort of usage can easily turn into jargon (or euphemism; think "surveillance"), but I wouldn't automatically rush to find a substitute. First, the phrase itself doesn't violate any grammatical rules. Second, in technical contexts that involve physical monitoring, "visibility into" might be more appropriate than the relatively metaphorical "insight into" -- a phrase that's lost most of its visual roots.

But, yes, it's the Chicago Manual of Style. Go find out what Oxford says, will you? And let us know.

Comment Re:Undetectable Heartbleed bug? (Score 1) 152

The popular press incorrectly "reports" lots of things that are just plain wrong. However heartbleed.com already explained that such detection was possible if an IDS were looking for the fingerprint:

Can IDS/IPS detect or block this attack?

Although the content of the heartbeat request is encrypted it has its own record type in the protocol. This should allow intrusion detection and prevention systems (IDS/IPS) to be trained to detect use of the heartbeat request. Due to encryption differentiating between legitimate use and attack can not be based on the content of the request, but the attack may be detected by comparing the size of the request against the size of the reply. This seems to imply that IDS/IPS can be programmed to detect the attack but not to block it unless heartbeat requests are blocked altogether.

It's just that now that a patch is available most folks would rather just fix the problem than watch their systems get compromised. And like Johann Lau already noted, not many sites keep an archive of all the network traffic that has passed through their site, so retrospective analysis is extremely unlikely.
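An added illustration of the size comparison the heartbleed.com passage describes (not part of the comment or of heartbleed.com): a passive check that reads only the cleartext TLS record headers of one connection and flags heartbeat replies that are much larger than the requests. The function names, the `slack` threshold and the sample flows are assumptions constructed for this sketch.

```python
import struct

HEARTBEAT = 24  # TLS record content type assigned to heartbeat (RFC 6520)

def tls_records(stream):
    """Yield (content_type, length) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        # Record header: type (1 byte), version (2 bytes), length (2 bytes)
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break  # truncated capture, stop at the last complete record
        yield ctype, length
        off += 5 + length

def heartbeat_bytes(stream):
    """Return (record count, total bytes) of heartbeat records in one direction."""
    sizes = [n for t, n in tls_records(stream) if t == HEARTBEAT]
    return len(sizes), sum(sizes)

def oversized_reply(client_to_server, server_to_client, slack=64):
    """True when heartbeat replies exceed heartbeat requests by more than slack.

    Totals per direction are compared because a large reply can span
    several records. slack (an assumed value) allows for padding and MAC
    differences per request.
    """
    n_req, req_bytes = heartbeat_bytes(client_to_server)
    _n_rep, reply_bytes = heartbeat_bytes(server_to_client)
    return reply_bytes > req_bytes + slack * max(n_req, 1)

def record(ctype, length):
    """Build a constructed TLS record: header plus zero-filled body."""
    return struct.pack("!BHH", ctype, 0x0302, length) + bytes(length)

# Constructed sample flows as (client-to-server, server-to-client) byte streams.
BENIGN = (record(23, 200) + record(24, 40), record(23, 900) + record(24, 40))
SUSPECT = (record(24, 8), record(24, 16384) + record(24, 16384))

if __name__ == "__main__":
    print("benign flagged:", oversized_reply(*BENIGN))
    print("suspect flagged:", oversized_reply(*SUSPECT))
```
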

Comment Re:Without James Sinegal, Costco is not well manag (Score 1) 440

Isn't it time to admit that there is no real scarcity of food, and cutting food stamps has nothing to do with economics but with pure cruelty?

Agreed. Or maybe not pure cruelty, maybe stupidity is part of the mix.

But I also have to agree that your post is offtopic because Costco does not accept food stamps.

Comment Re:Car dealerships (Score 1) 229

Yes, thanks, I know about measuring PD on one's self but given that it was already measured "professionally" I hoped to have that result (which, if I understand the law, is my property because it's part of my health care record).

And there's no reason I couldn't use FLEX with Zenni but I had about 2 hours before every optician in my area closed, on a Sunday if I recall, to spend the money having put things off all year long. I didn't have a current prescription so I needed an optometrist to determine it for me before I could order anything. And for what my FLEX paid at LensCrafters I could have bought roughly 40 pairs of glasses at Zenni. In fact, about a year or so later, I ordered two pairs from Zenni for around $12 each and they were every bit as good as what I got from LensCrafters. But I needed the prescription and I needed it that day or the FLEX would have evaporated.

Comment Re:Car dealerships (Score 1) 229

The one and only time I went to LensCrafters (to burn FLEX money that was expiring that day) they gave me the prescription, after I requested it, hand-scribbled on a scrap of paper, but they refused to give me the PD measurements. Finally the decent guy who did the final "try-on" of the glasses surreptitiously scribbled down the PD values while smiling and saying that they don't normally want to do that.

I'm not sure whether LensCrafters or FLEX is the worse offender; I actually think that the FLEX rules were designed to encourage wasteful "health care" spending on behalf of the "health care industry".

(For non-US folks, FLEX is money deducted from one's paycheck that is available for use for "health care" expenses without being taxed first. But it expires at the end of the year and if you don't use it by then, you forfeit it back to your employer.)

Comment Re:Still worth it (Score 1) 276

Let's say I make 100 orders in a year. That's $1 per order for shipping. Now, you're right, I could probably get some of those free. And there are others I'd pay say $8 for 2 day. And yet others I'd pay $15 for overnight. You know what? If it takes even 1 minute per order to figure out which is which $100 a year is CHEAP - my time is worth a lot more than that.

Dammit! The time I spent reading your post just cost me $100. But at least I didn't have to think, so it was worth it. A++++++. Would read again.
