[Owasp-board] LivingSocial

Jim Manico jim.manico at owasp.org
Sat Apr 27 01:13:35 UTC 2013


Several members of the company do have a problem with it, Tom. And it's not a matter of whether the "company approves"; it's a matter of using good judgement when using official OWASP accounts for communication.

So far you have called out Apple, Living Social and several other companies for what you consider to be poor security practices from official OWASP accounts.

This is "low class" negative communication and OWASP should do better.

Now if you want to do this from your personal account, go for it. But when using an official OWASP account like @AppSecUSA, I would expect you to be more positive, more OWASP focused, and keep away from calling out companies that in your estimation have poor security practices.

What if your company got hacked and I used @OWASP to mention it, would you like that? No way. So don't do it to others, Tom. 

- Jim


> If Tim O'Shaughnessy does not have a problem with it, nor should you.
> 
> On Apr 26, 2013, at 8:47 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> Tom,
>>
>> This is not about fact, this is about judgement in communication when using official OWASP accounts.
>>
>> Why do you think - in any way - that it's reasonable for an official OWASP account (not your personal account) to call out a company who is a longtime OWASP sponsor when they got hacked?
>>
>> Your lack of good judgement is disturbing. What you did to @LivingSocial is foolish at best.
>>
>> - Jim
>>
>>
>>>
>>> Yes, they were hacked like many others every day; your jihad is ridiculous, Jim.
>>> It's not a Weev troll, rather a FACT.
>>>
>>> You're all spun up about this?
>>>
>>>
>>> Or was it something else? Let's be clear.
>>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> *From:* Erica Absetz <erica at riskbasedsecurity.com>
>>>> *Date:* April 26, 2013, 6:29:44 PM EDT
>>>> *To:* <dataloss-discuss at datalossdb.org>, <dataloss at datalossdb.org>
>>>> *Subject:* *[Dataloss] Cyberattackers hack into LivingSocial, 50 million customers impacted*
>>>>
>>>> http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
>>>>
>>>> LivingSocial, the daily deals site owned in part by Amazon, has
>>>> suffered a massive cyberattack on its computer systems, according to
>>>> officials at the company.
>>>>
>>>> The breach has impacted 50 million customers of the Washington,
>>>> D.C.-based company, who will now be required to reset their passwords.
>>>> All of LivingSocial's countries across the world appear to have been
>>>> affected, except in Thailand, Korea, Indonesia and the Philippines.
>>>>
>>>> The firm began sending emails to customers Friday afternoon telling
>>>> them they would have to change their site passwords.
>>>>
>>>> "We recently experienced a cyber-attack on our computer systems that
>>>> resulted in unauthorized access to some customer data from our
>>>> servers. We are actively working with law enforcement to investigate
>>>> this issue," LivingSocial CEO Tim O'Shaughnessy said in an email.
>>>>
>>>> The memo said that customer credit card information was not stolen —
>>>> it was stored in a separate database. And while the hacker stole
>>>> customer passwords, they were encrypted and "salted," or scrambled.
>>>>
>>>> "Although your LivingSocial password would be difficult to decode, we
>>>> want to take every precaution to ensure that your account is secure,
>>>> so we are expiring your old password and requesting that you create a
>>>> new one," O'Shaughnessy said.
>>>>
>>>> The company advised consumers who used their LivingSocial password at
>>>> other sites to change their password at those sites, also.
>>>>
>>>> The firm expects its customer service phone lines to be deluged, so
>>>> O'Shaughnessy warned that he may decide to temporarily suspend
>>>> telephone customer service relations.
>>>>
>>>> "Because we anticipate a high call volume and may not be able to
>>>> answer or return all calls in a responsible fashion, we are likely to
>>>> temporarily suspend consumer phone-based servicing. We will be
>>>> devoting all available resources to our Web-based servicing," he said.
>>>> _______________________________________________
>>>> Dataloss Mailing List (dataloss at datalossdb.org)
>>>> Archived at http://seclists.org/dataloss/
>>>> Unsubscribe at http://datalossdb.org/mailing_list
>>>>
>>>
>>> On Apr 26, 2013, at 8:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> Sarah,
>>>>
>>>> I trust your good intentions and I think the problem was from @AppSecUSA and 
>>>> not from @OWASP.
>>>>
>>>> I think we should have someone more responsible running the @AppSecUSA. This 
>>>> is a major error in judgement and it's not the first time.
>>>>
>>>> I also changed the password to @OWASP and shut down all connections to third 
>>>> party apps. I'll get the password to you very soon.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>> Jim and all - this particular RT (not original from appsecusa) is my
>>>>> fault; I was trying to do something quick (retweeting something else)
>>>>> and not thinking. I will send an apology to Living Social.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Sarah
>>>>>
>>>>> On Apr 26, 2013, at 7:37 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>> LivingSocial just got hacked and the @AppSecUSA Twitter account just called 
>>>>>> them out on social media. And the @owasp account retweeted it (not from me).
>>>>>>
>>>>>> This is absolutely and positively unacceptable from official OWASP accounts. 
>>>>>> LivingSocial is an OWASP sponsor and provides the OWASP Northern Virginia 
>>>>>> chapter with a physical location for chapter meetings. And even if they were 
>>>>>> not sponsors, OWASP should never be trying to call out or shame folks who 
>>>>>> get hacked. It's trashy at best.
>>>>>>
>>>>>> Who runs this account and what were you thinking? Or more like, you were not 
>>>>>> thinking. Why would OWASP ever officially try to call someone out after they 
>>>>>> were hacked?
>>>>>>
>>>>>> I'm fairly sure this was Tom Brennan. Can we please have someone more 
>>>>>> sensible and responsible managing official OWASP communication? This is not 
>>>>>> the first time...
>>>>>>
>>>>>> Regards,
>>>>>> Jim Manico
>>>>>> OWASP Board Member
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------- Original Message --------
>>>>>> Subject: ??
>>>>>> Date: Fri, 26 Apr 2013 18:36:35 -0400
>>>>>> From: Jack Mannino <jack at nvisiumsecurity.com>
>>>>>> To: Jim Manico <jim.manico at owasp.org>
>>>>>>
>>>>>> Wtf is this shit? They generously give my chapter an awesome space to use 
>>>>>> every month, and Mike McCabe (promoted to Ken's job after he came to work 
>>>>>> for me) serves on the NoVa chapter board with me. I have no clue who posted 
>>>>>> that, but that's a good way to get a solid sponsor to say fuck you to us.
>>>>>>
>>>>>> -Jack
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>
> 
