- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
This comment has been standardised by Corporate.
Admin
Oh well, I guess it works, and by the "If it ain't broke, don't fix it" rule, they did the right thing.
Admin
And that was a fortune 500 company? Well, just goes to show that stupidity resides at all levels.
Admin
The narrator in my head said this without a hint of sarcasm.
Admin
sechma?
No it's not my captcha.
Admin
It's fun to realize that every rule about securing customer data has been born from a breach somewhere. The entire credit card and financial industries have grown by the trial-and-error method.
It's a miracle we've been as successful as we have. It's not too late to invest by stuffing your money into a mattress.
Admin
It's a nice day here. I'll assume you're being sarcastic.
Admin
The rest of the comment has been rot26 encrypted and no one can read it:
"Jeff cannot read this database entry"
Admin
Admin
That stash of credit-card numbers is someones retirement insurance:P. Until they are shamed by a major data leak, the policy is unlikely to change.
Admin
Really. Someone should be in prison for this.
Inexcusable.
Admin
I worked at a major auction house that kept customer information (passwords and credit card numbers) in plaintext on a mssql database that anyone could access.
Admin
A company I worked for sent out a survey. The survey asked for your email address and other personal info, so that they could contact you, as there was a prize for a few lucky survey respondents.
The survey stated that was only reason for collecting that information, and would be used for no other purpose.
So, what do they do? They email the results out to everyone in the company, complete with all the personal info.
On the plus side, after this was pointed out, the next update had the fields removed.
Granted, not nearly as bad as credit card information.
Admin
This sentence was originally encrypted using ROT26. If you can read it, you have successfully decrypted it.
Admin
Sometimes it's not enough to simply highlight the security flaw - it requires a practical lesson to reinforce the point. Several thousand customer CC numbers turning up on P2P should do the trick, for example. Let's see how long the flaw remains unpatched after that.
But cover your tracks kids, us software developer types are too fragile for prison.
Admin
This comment has been ROT26 encrypted 3 times for triple the security.
Admin
I guess you haven't ever been to the Fortune 500 companies. The Fortune 500 companies set the standards of stupidity.
Admin
mmm free credit cards... Which company is that? O:)
Admin
lol I had to look up ROT26. Having never heard of it I assumed it was a real encryption method and I was confused about why the story mentioned storing data in plaintext later.
Admin
I noticed that, too. I think it is a misspelling of "smegma".
Admin
That's why we need PCI DSS.
Admin
You can't read this so don't even try. No human can defeat the complexity of double ROT13 encoding. Why are you still here? It's not going to happen, just give it up. I'm so confident in this encryption I don't even mind telling you that my password is hunter2.
Admin
I discovered a shortcut for ROT26. Because there are 26 letters, -1 is equivalent to 25. Now, using this we can convert the entire sentence (by subtracting 1) to:
"Sghr rdmsdmbd v
r nqhfhmkkx dmbqxosdc trhmf QNS15- He xnt bm qdc hs+ xnt g`ud rtbbdrretkkx cdbqxosdc hs-"Now from here, we just add one to each character again, and voilà:
"This sentence was originally encrypted using ROT26. If you can read it, you have successfully decrypted it."
Admin
Oooh, I've just worked out who you are...
Admin
At a Fortune 500? Oy.
The Fortune 50 I recently left had a lot of things messed up, but they had lots and lots of policies about not using production data in dev. In the employee handbook. And the mandatory ethics training. As firing offenses.
Admin
Personally, I'd use triple ROT26 encoding.
Admin
SPOLIER ALERT
Just double click ROT26. Oh dear.
Admin
Admin
"… containing the name, address, credit-card number, verification code and expiration date …"
Correct me if I'm wrong, but isn't storing the verification code a breach of contract with your credit card clearing center and should lead to the company losing the ability to process card payments?
Admin
You're not wrong and no correction is required.
Admin
Admin
ALL YOUR COMMENTS ARE BELONG TO US.
Admin
Admin
Admin
Your data is only as safe as the idiots you trust it with. Good thing we trust the government with our data
Admin
Is Jeff in the database?
Send him a cake with the text: "The database needs encryption", paid for with his own credit card.
Admin
Admin
Oh, and it's a SPOILER alert. I don't want things that are more spoly.
Admin
Ah, so you think you've decrypted ROT26. The joke is on you, as I've already upgraded all my encryption to ROT52.
Admin
Remy!
Admin
Admin
I'll second that. The code changes necessary to lock it all down in production, scrub it all clean for dev/test systems, plus making the output from Java's crypto package make sense to Microsoft Dynamics ... it really sucks to hear about other companies storing credit cards in plaintext.
Also, I'd like to know which Fortune 500 company that was, so I can always pay them with a money order.
Admin
Credit card have NUMBERS so ROT26 jokes are just plain stupid.
Admin
It's true; an internship always looks good on a resume.
Admin
But it was broken. You simply do not store credit card information in the clear. And that's just for starters since IIRC, they aren't supposed to store credit card verifications codes at all.
running code != working code
Admin
Admin
Yeah, but convert-to-ASCII-ROT128 jokes aren't funny.
Admin
They also aren't allows to store CC numbers in the clear. Someone should be sued into the ground for this, as this is the kind of thing that PCI standards were created to prevent.
CAPTCHA: luctus - Well, I hope I shed some light on that.
Admin
Except if it's with the White House, during the Clinton administration.
Admin