Comment Never store sensitive data you don't need. (Score 5, Insightful) 142

Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

My new employer wanted me to develop a system that would among other things take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handling the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over the design documentation for the system to make sure everything was kosher.

"You can't store credit card information in the database," he said.

"Why not?"

"Because it's insecure," he said.

"But it's convenient," I said.

"That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

"What if I make it harder to look up the data?"

"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

Things have changed now; storing credit card data has come to be regarded as routine in the post-1-click, impulse-buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. The waiter takes the customer's credit card, runs the transaction, and hands the card back to the customer, and then the restaurant no longer has the data. You can't lose what you don't have.

Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customer's card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

There is no encryption or security architecture that beats not having the data.
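The two checks the comment asks for (get the card number out of the logs and backups, and keep only what you need after the transaction is processed) can be made concrete. The following is an added example, not code from the comment, from Slashdot, or from any POS vendor: it finds Luhn-valid card numbers in log lines and masks them to the last four digits, and it builds the record a merchant actually needs to retain (a processor reference plus last four) so the full PAN is never written to the database. The log lines are constructed for the example and use the publicly documented test numbers 4111... and 5555..., not real cards; the field names and the `processor_ref` token are assumptions.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits (so timestamps,
# phone numbers and short ticket numbers are never considered).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and sum the digits of the product
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def is_pan(candidate: str) -> bool:
    """A digit run is treated as a card number only if it is Luhn-valid."""
    d = _digits(candidate)
    return 13 <= len(d) <= 19 and luhn_ok(d)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or a lookup needs."""
    d = _digits(pan)
    return "*" * (len(d) - 4) + d[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if is_pan(m.group()) else m.group(), line)


def scan_lines(lines):
    """Return (line_no, redacted_line) for every line that carries a real PAN.
    Run this over logs and backup exports before they are retained."""
    hits = []
    for n, line in enumerate(lines, 1):
        if any(is_pan(m.group()) for m in PAN_CANDIDATE.finditer(line)):
            hits.append((n, redact_line(line)))
    return hits


@dataclass(frozen=True)
class PaymentRecord:
    """What the merchant keeps after the processor has authorised the charge.
    The processor's reference (assumed here as an opaque token) is enough to
    refund or dispute the transaction; the card number itself is not stored."""
    processor_ref: str
    last4: str
    amount_cents: int


def settle(pan: str, processor_ref: str, amount_cents: int) -> PaymentRecord:
    """Validate the card number, then return a record that does not contain it."""
    d = _digits(pan)
    if not (13 <= len(d) <= 19 and luhn_ok(d)):
        raise ValueError("not a valid card number")
    return PaymentRecord(processor_ref=processor_ref, last4=d[-4:],
                         amount_cents=amount_cents)


# Constructed sample log lines (not from any real system). The card numbers
# are the public test numbers, and line 2 is a 16-digit ticket id that fails
# Luhn, so the scanner must leave it alone.
SAMPLE_LOG = [
    "2014-06-12 19:02:11 POS01 auth card=4111111111111111 amount=42.00 ok",
    "2014-06-12 19:02:12 POS01 ticket=1234567890123456 table=7",
    "2014-06-12 19:05:40 POS02 auth card=5555 5555 5555 4444 amount=18.50 ok",
    "2014-06-12 19:06:01 POS02 phone=5551234567 callback",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {masked}")
    print(settle("4111 1111 1111 1111", "proc-ref-000123", 4200))
```

The Luhn check is what keeps the scanner from rewriting order numbers and phone numbers; it is a formatting check, not proof that a number is a live card, so a hit should be treated as "investigate and purge", not as a false-positive-free alert. The `PaymentRecord` is the shape the comment argues for: once the processor has the transaction, a reference to it and the last four digits cover refunds, disputes and receipts, and there is nothing left in the database, logs or backups for an operator or an intruder to go shopping with.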

Comment Re:This will hugely backfire... (Score 1) 422

You're right about the vacuum, but I think you should consider this: the government raided the treasury (or rather, borrowed with the treasury's backing, which can be the same thing if you really insist on looking at it that way) in order to keep unemployment from skyrocketing. As bad as it was, there was serious risk of a domino effect, where the failure of one industry resulted in job losses that reduced overall national income, putting strains on other industries.

As bad as the recession was, the goal was to keep it from becoming far, far worse. "Creative destruction" would have resulted in years to decades of destruction before it ever got around to any creativity, with vast misery in the process.

The bankers may well have taken advantage of that for their personal benefit; I'll leave it to others to make the argument that they got screwed over. There was plenty of screwage to go around: the economy was crashing because the musical chairs of highly leveraged money came to a screeching halt, and everybody scrambled to insist that their paper gains were more real than other people's paper gains. Everybody felt screwed over and there was no way out of this that didn't leave the vast majority of people feeling like they got the shorter end of it.

Everybody will always be able to insist that the economy would have been just fine if we'd just done it their way. It wasn't great, and I'll never be able to prove the counterfactual of how much worse it could have been. But I think it merits consideration: jobs and industries don't bounce back instantaneously, even when there's need, because of inherent friction in the economy, and I think the government acted correctly (at least in the broad strokes) to prop up the existing economy. That gave us time to hopefully put it on a sounder footing. Whether we will or not...

Comment Re:Wow (Score 1) 224

It actually is a bit different for the Republicans, in that they are caught in an internal party schism of a scale we've not seen on either side since desegregation, if even then. It's difficult for the less right to look good to the more right; undirected pushing against the Democrats is one of the few ways they have to do it.

Comment Re:Wow (Score 1) 224

Do not forget that ObamaCare was rammed through without a single Republican vote in the House or Senate.

It's the unfortunate case that Republicans don't generally support Democratic bills. Witness the recent student loan bill. There is not much question that a better educated populace means a better economy and a stronger nation. It's a truism that we could just pay for college education in a number of fields and reap economic benefits of many times the spending. Indeed, we used to do more of that and the country was stronger when we did.

Comment Re:I really dig the Obamacare comments Bruce made (Score 1) 224

You meant "you wouldn't approve" rather than "you wouldn't understand".

Positioned correctly, it isn't all that socially reprehensible to state the sentiment that you don't believe you should pay for people who drive their motorcycle without helmets, people who self-administer addictive and destructive drugs, people who engage in unprotected sex with prostitutes or unprotected casual sex with strangers, and people who go climbing without using all of the safety equipment they could.

You don't really even need to get into whether you hold human life sacred, etc., to get that argument across. It's mostly just an economic argument, you believe yourself to be sensible and don't want to pay for people who aren't.

The ironic thing about this is that it translates to "I don't want to pay for the self-inflicted downfall of the people who exercise the libertarian rights I deeply believe they should have."

OK, not a bad position as far as it goes. Now, tell me how we should judge each case, once these people present themselves for medical care, and what we should do if they don't meet the standard.

Comment Re:citation needed (Score 1) 224

Citation needed.

I just looked for a minute and found this NIMH study. If you look at the percentages per year they are astonishingly high. 9% of people in any particular year just for mood disorders, and that's just the first on the list. Then they go down the list of other disorders. The implication is that everyone suffers some incident of mental illness in their lives. And given the number of psychiatrists, psychologists, and lay practitioners in practice, it seems like much of the population tries to get help at times, if only from their priest or school guidance counselor.

You are not a rock. Can you honestly tell me that you haven't ever suffered a moment of irrationality?

Comment Re:I really dig the Obamacare comments Bruce made (Score 2) 224

Yes, seeing a doctor really is a human right.

Does that mean we should bear the burden of your bad lifestyle choices? Well, we do today. Either those folks are in our emergency rooms, or they are lying on our streets. Either way, we all pay a cost.

It's not clear to me what you propose to do with them. Perhaps you should explain that a bit more clearly.

Comment AC, please stop trumpeting fake studies (Score 1) 224
One would hope that a real scientific study would shed light on the situation. Unfortunately, this isn't it. It's a paper published by a Harvard student club and written by a gun industry lobbyist and a gun enthusiast. No balanced perspective that could lead to a real scientific paper here. The first refutation I found of the paper is certainly not peer reviewed and published in a scientific journal either, but makes a pretty good case that the statistics are cooked. It's here.

Please find a real scientific paper from a researcher without bias and then we can discuss it. This one doesn't quite meet the standard.

Comment Re:Wow (Score 1) 224

Actually, we would have had a much less expensive plan, but we couldn't get it by the conservatives. It's called single-payer, and I've used it in Canada. It has also been available to me in a dozen other countries that I've worked in, but fortunately I never needed it there. It works pretty well. So well indeed that most civilized countries have it.

I'm sorry that you didn't understand my presentation. Or that you understood it and can't accept it. I've thought about it for a very long time and I'm pretty sure of it.

Comment Re:Wow (Score 2) 224

I think you have to look at where the funding comes from for Republican and conservative causes. Don't just look at candidate funding, even election advertising has a lot of funding that isn't straight to the candidate.

Although there might be no shortage of self-employed Republicans, they don't really call the shots for the party. It's the very deep pockets who do.
