Comment Complacency (Score 5, Interesting) 262

Unsure why people are moved to throw their data into the hands of someone (a company) that would never treat their data as sacred. I don't care what argument you put forth, no one is going to care (security-wise) about your data as vigilantly as you would (and should). Math-wise, the cloud makes no sense to me, even on the free model.

1) Wait for you to download your data over the Interwebs (mobile, you say... tick tock).
2) There is NO GUARANTEE someone in the company isn't looking at your data or selling it. You're simply trusting they won't.

Storage is dirt cheap. 2TB drives are, like, what, 100-200 USD per pop, give or take. They're compact enough to throw in a messenger bag along with a laptop. Data availability is much faster than downloading it over the wire. Throw on crypto (say, TrueCrypt) and you have a decent amount of security. The only concern is if your HD goes bad. In either event, another backup 2TB is 100-200. Cloud pay-for-play? At 10.00 per month, it's STILL the same cost as, if not more than, buying your own device.

Comment Re:(un)Fair and (un)Balanced (Score 1) 93

Guidelines mean nothing. All a guideline means is: "this work(ed,s) for $INSERT_AUTHOR," and this is what many constantly fail to realize. If standards and guidelines worked, many compromises and security lapses would not occur. Guidelines are so outdated and based on re-hashed (herd following the herd) concepts that they are laughable. Further, too many individuals and companies often do follow guidelines and use that as the de facto "we are secured." As someone who has had to deal with MSP and MSSP functions catering to these companies, I can tell you some scary stuff. Many of the staff tasked with this (security) are like fish out of water. They don't understand security, but DO UNDERSTAND SCADA-based systems. There is always a disconnect between the Praetorian Guard and those in the infosec/hacker community.

Comment (un)Fair and (un)Balanced (Score 3, Insightful) 93

This is what happens when you let companies oversee themselves without any real penalties. Imagine a speeding sign. You speed, a cop pulls you over, gives you a warning. You do the same, he pulls you over and gives you a warning. ... You will keep speeding. Government has allowed many of the NRCs to self-govern, causing all sorts of stupidity ranging from "we can't do security testing here, it will bring down the grid!" to all other forms of nonsense the NRC lobbyists will throw around. The reality is simple: the gov can't just "shut these places down." What are you gonna do, allow NYC to go dark? The entire regulatory "Dosey Do one's partner" is as old as the industry itself: "If you speed..." All bark and no bite. It's surprising we haven't had any major malfunctions on a constant basis.

Comment Re:A hack is not just a hack (Score 0) 162

You "assume" SSL certs would have done something. The reality is, SSL certs can and have been stolen in the past. Malware authors do this all the time (steal certs) to overcome warnings. This does not include the fact that SSL vendors have also been compromised (http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/). SSL doesn't do as much as you'd like, and if you're solely relying on that, then maybe you need to take some advanced offensive security classes.

Comment A hack is not just a hack (Score 5, Insightful) 162

There has been some commentary via mailing lists and Twitter feeds that this was not a big deal. Firstly, hats off to HD and his team; there was nothing they could have done about it. Secondly, this isn't to be taken lightly. Sure, the attackers were minor script kiddies, but the reality is, the attack could have been extremely vicious. Consider an attacker replicating the content of the site and simply replacing the applications (Nexpose, Metasploit) with backdoored versions.

Companies like Register and GoDaddy are lacking in the validation category. ANYONE can create fake identification using GIMP, Photoshop, etc.; the fact they did not offer anything other than a fax request is mind-bogglingly stupid. They should have called BACK the registrant's number to confirm the change request. But companies would argue, "that would be costly," not even thinking of turning that kind of validation into, say, a business model ("for $10 extra per year...") when they should be doing it from the jump. (Neither here nor there.) Personally, I hadn't been running any updates, but if I had, I would be going back, wiping my machines, and re-installing.

Comment Idiots in the making (Score 0, Troll) 318

Over 10 years ago, the US gave everyone a glimpse of their tapping capabilities by way of Carnivore, aka DCS1000. Then news came out about Magic Lantern, which was used to collar mobster Nicki Scarfo. That then should have been a no-brainer: "the gov is/can watch you..." A few years later, idiots^W people took to Tor, which was initially a Navy project. They created an "eBay-like" site where people can "rate my drugs." What a bunch of illiterate morons who used the site. If I were a reporter, my story would start something like: "Silk Road users were so technologically advanced, yet dense on common sense..."

Comment HFT is not new (Score 1) 740

High Frequency Trading isn't new... http://en.wikipedia.org/wiki/High-frequency_trading This past June, a news article caused a $28 million gain: "If you're a high-frequency trader, a few milliseconds is a big deal. And in this case, a 15-millisecond head-start meant that $28 million in shares traded hands before the number was even published." (http://qz.com/91242/the-15-millisecond-head-start-that-led-to-28-million-in-trades/) This shouldn't come as a surprise: companies in the business of making money will do everything that they can to (drum roll...) make money.

Comment Re:This is what IDS/IPS appliances are for... (Score 4, Informative) 99

You're missing the gist of it here. The reality on production servers is, most are locked down from egress attacks. This does not stop, minimize, and/or deter an attacker from hitting you up with a client-side attack on a non-production machine, passing a hash, then going to and from trusted sources until it gets out:

Attacker --> client side --> workstation
workstation --> attack --> production server
production server --> workstation
workstation --> via SSL --> attacker

This would fill a wiki page, so I will stop there. There was a point to be made without me having to spell things out.
