Bradford Mint
  1. Bradford Mint

    Calling all SL British Users!

    As is KCOM. Do you think that Virgin Media is a part of BT? My sarcasm detector wasn't triggered.
  2. Bradford Mint

    Calling all SL British Users!

    Except for Virgin and KCOM and anyone else where a proper LLU has taken place.
  3. Well I probably will at some point soon no doubt.
  4. We may not be in the deleted thread but the topic is the same and the same content is coming up and to be frank, my sentiments still apply. Complain to the appropriate information commissioner that someone with a fake name holds someone else's fake name and see how that goes. They really have serious things to do. As I said in the other thread, go and issue a request for data, let's say against Blueberry or Maitreya, and see how that goes.
  5. Because the common misunderstanding that all use is business use, as per the previous deleted thread where someone believed that if you have a sim, that magically means it's now a business.
  6. The word "business" does not get mentioned in the original post.
  7. So just to put some of this into perspective of what's perceived to be a problem and the likely outcome, I'll share some recent fun around some requests for personal data from large, highly "credible" organisations (I use that term loosely depending on your point of view but each of them is a well known organisation). I'll keep them brief but you'll see where this goes:-

     A previous employer - "we don't hold any personal data beyond 7 years". I pushed hard and magically they came back with my employment details, entire record and banking details from over 10 years ago. I asked them to delete it all as they had no lawful need to keep it. Ah, bit of a problem there because it's all archived in the same dataset as others and they can't delete individual records (write only media). What am I going to do, cry boohoo to the Information Commissioner?

     A parking provider - "we have no data". I pushed on this one, they magically came back with a bunch of data, CCTV, locations of vehicles etc. "Delete it all" I said, it's of no use to you. They said they had. I asked for proof, they said they didn't need to provide any. What am I going to do, cry boohoo to the Information Commissioner? Besides, I'll be back in those car parks and the cars will be recorded again so back to square one.

     An insurance provider - These guys were really good, 8/10 on the GDPR SAR response scale, immediately understood my deliberately vague request, came back with all the data. "Delete it all" I said, I have no contract with you anymore and haven't had for 3 years. They said "no way, we're keeping it for 8 years just in case!". What am I going to do, cry boohoo to the Information Commissioner?

     A major airline - Hopeless, 2 hours trying to get an agent in a call centre to first of all understand that they really do have databases other than the flight booking one. Eventually, I got the data haul by going through obtuse channels but it was late, far beyond the 30 days they're permitted. What am I going to do, cry boohoo to the Information Commissioner? In this case they said that the I.C. was already aware but then they were rather busy as they had already had to fess up to a breach of 380,000 customers' credit card details a week ago.

     In perspective, given the above, let's just consider for one moment the likely response from the Information Commissioner when presented with the following:-

     Complainant: *sobs* "I think someone who I don't know, in a game, just might have logged my avatar name and public UUID and *sniffs* it's not fair, I want something done!"

     Information Commissioner to their office buddy: "Bob, pass me the "Petty Complaints" file again would you please?" and responds back "thanks for your report" *closes file*

     Now I'm not suggesting that the issue isn't potentially genuine but in terms of traction with regard to potential penalties, most of these concerns are up there with complaints to the police about people in the street looking at them in a strange way. Now, on the other hand, if said database holds SL AND RL data and sensitive PII pertaining to religious and sexual traits which is then breached and releases the entire SL database to the internet, that may get more than a raised eyebrow. But....then if the database is only for personal use, it falls outside the remit of GDPR anyway so *slam dunk* end of thread. Thanks, you're welcome!
  8. Because not everyone in the forums is a Rhinoceros
  9. Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal. This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against. https://www.bbc.co.uk/news/uk-politics-45519676
  10. I repeat from the deleted thread... Casper got it wrong!
  11. @JJValero Writer You appear to have completely misunderstood what GDPR is and what it is not. Nowhere does it state that holding a database with personal information is illegal! Quite the opposite in fact, especially where it's for personal use as one example. GDPR applies to how the data is protected and what the lawful reasons for holding it are and also rights of the data subject. Shame the other long thread got deleted, looks like we need to buckle up and go for the same ride.
  12. Bradford Mint

    Password Strength and Security

    I agree Callum, the rainbow table attacks with compute arrays as listed in the first post are most suited to unsalted password databases such as would be leaked from an organisation. Nobody bothers to attack consumers across a distributed geography using brute force. The attack landscape is too wide with usually insufficient gain. Your other point about password strength is also important because it highlights that choosing a "strong" password in itself is usually meaningless given that a single letter when hashed is the same length as a 1,000,000,000,000 character long password. Phishing remains the greatest threat here.
  13. Bradford Mint

    Password Strength and Security

    In terms of lockout protection yes, but the reality is that the threat is not brute forcing a password in the first place but most likely phishing, and in this case phishing a PIN would only have merit if the attacker is also in possession of the second factor, which implies a physical attack has also occurred. I realise that you are aware of this but wouldn't want people thinking a strong password is the same as a PIN. So as was already mentioned by someone else, entering a cryptographically super strong password into a compromised site has provided no extra security.
  14. Bradford Mint

    Password Strength and Security

    Yes, but as has been pointed out, brute forcing a login (such that it would result in a locked account) isn't the threat actor in play here but rather the calculation of the hashes against a rainbow table.
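As an added illustration of the three "Password Strength and Security" posts above (example code written for this page, not code from the forum, its poster or Linden Lab), this Python snippet shows the simple precomputed-lookup idea behind a rainbow table, why it only pays off against an unsalted password database, and why a hash digest is the same length whether the password was one letter or ten thousand. The password list, user records and function names are constructed for the example.

```python
import hashlib
import os

# Constructed sample: a few common passwords that could be precomputed up front.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """No salt: the same password always produces the same digest in every database."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-record random salt: identical passwords produce different digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_salt() -> bytes:
    return os.urandom(16)


def build_lookup_table(candidates) -> dict:
    """digest -> password, computed once; the precomputation a rainbow table relies on."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored_digests, table) -> dict:
    """Unsalted records: one dictionary lookup per digest, whatever the password length."""
    return {d: table[d] for d in stored_digests if d in table}


def lookup_salted(stored_records, table) -> dict:
    """Salted records as (digest, salt): the precomputed table never matches because the
    salt changed the hashed input, so the table would have to be rebuilt per record."""
    return {d: table[d] for d, _salt in stored_records if d in table}


def digest_length(password: str) -> int:
    """Hex length of the digest; constant (64 for SHA-256) regardless of input length."""
    return len(unsalted_hash(password))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leaked" tables: three users, two of them using a common password.
    users = ("password", "qwerty", "correct horse battery staple")
    unsalted_db = [unsalted_hash(p) for p in users]
    salted_db = [(salted_hash(p, s), s) for p, s in ((p, new_salt()) for p in users)]
    print("unsalted matches:", lookup_unsalted(unsalted_db, table))
    print("salted matches:", lookup_salted(salted_db, table))
    print("digest length 'a' vs 10,000 chars:", digest_length("a"), digest_length("a" * 10000))
```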
  15. Not forgetting that there's a cost in dealing with fraudulent transactions which could have been mitigated by not having had the fraud occur in the first place. Hence, as we know, an organisation will be interested in factoring the cost of technology change against not only profit (generally none for security) but mitigation of time and effort and financial loss (saving) in dealing with the issue. Thus in short, no, not every penny spent but the delta between the cost that they presently have vs the reduction in that cost and the overall improvements obtained. Did I need to write this in bold too or is this ok do you think? Bottom line is, some SLers run around forever with L$0 in their account while others have thousands in USD flowing through and would welcome extra protection.