If they didn't already have a tested deployment procedure, that is a bigger indictment upon their professionalism than the woeful communication during the incident.
By that argument, no physical tokens (SecurID, YubiKey, etc.) add another factor - they also _could_ be stolen at the same time as your laptop is stolen.
You are absolutely correct :) If you already have a certificate on your laptop, or SMS-based authentication, then adding a SecurID token will not change the security profile of the system. Yes, you might get extra security protection if you employ additional measures (e.g. store the SecurID token in the office safe at all times), but the attack vectors will still be the same.
There are different authentication factors: what you know (e.g. password), what you have (e.g. token), and who you are (e.g. iris scans). In general, adding multiple types of the same factor does not actually increase the security (e.g. having password + PIN is not really better than just having a password). Actual multi-factor authentication should include different factors to protect against different attack vectors.
There is, though, a difference between stealing my laptop, my phone, and my keyring. Sure, a targeted attack by a nation state aiming to get access to my multi-factor-auth services could grab all three at once, but the chance of an opportunistic theft acquiring any two or all three of those devices is _very_ much smaller than just the laptop.
While I admit to only skimming that link, all the examples I read discussed a single company tying purchase of one of their products to one of their other products.
Apple does not sell DUNS numbers, as they are not Dun & Bradstreet.
It also mentioned the anticompetitive nature of tying a weak/new product to a stronger one. DUNS numbers are not new or esoteric (although I do think of them as being old-fashioned and enterprisey).
So, I struggle with the notion that this could be illegal, but I'd be fascinated to learn more about it.
Sure is developer hostile and counter-productive, though.
Tying is illegal in the US. The question is 'is that tying?'.
The answer is: yes. The only way this is not tying is by bundling the service: Apple would provide the number for you without charging.
But then, D&B competitors could say this is a trust case.
To really solve this, Apple must offer a list of companies that offer the solution for whatever numbering problem they seem to have. Or just drop the requirement.
Apple can't provide the number. It's not their database.
The number itself isn't the issue, it's what it represents: that your business is recorded in a large and reputable database of international businesses that is in widespread use by companies and governments.
The D&B database is widespread in the US, not internationally. In fact, I own a credit card company/bank and never heard of them until I needed their number. Their database is large because they are filling it, not because companies request it.
In fact, S&P and Moody's are the only ratings/registry that can get you anywhere in the banking system.
Alternatively, the ET44 is a portable electronic device, Apple Calc is a piece of software. The T3 is a radio receiver, the iPod is a stored music decoder.
Why not point out that the T1000 is a radio, and the PowerMac contains bluetooth and wlan radios? Or that both are electronic devices?
By all means, argue that the distinctions don't matter (and that the distance in time excuses nothing), but putting these examples in the same box as the Apple/Samsung ones is surely disingenuous.
If you're looking for book suggestions, I'd recommend "Growing Object-Oriented Software, Guided By Tests" by Steve Freeman and Nat Pryce. It's pretty pragmatic, and the treatment of the subject is pretty thought-provoking (at least, I thought so when I read it).
The idea sounds like it might be interesting, but I can't imagine how this works and neither your website nor the facebook page linked at the bottom tell me anything about it.
I might suspect that if I signed up with Facebook Connect that there might be more information, but it's not clear whether that's the case - and I wouldn't try it on the off chance.
I would suggest that there needs to be more up-front information to explain what happens if I use Facebook Connect to login. How does giving you my credit card work? On the face of it, that sounds like a scam. Is this service for everyone, or only people in the USA? After signing up, how easily can I opt out? etc etc.
I agree with zts. Having a giant "login with facebook!" button immediately followed by a prompt to give my credit card information does not make me feel comfortable.
We might need to rethink the FB Connect signup (since we heard the same feedback from multiple sources).
Also need to put more info on the page (just for you: it's only USA, since Yodlee, which is the service we're going to use later on, is only operating in the States).
Opt-out is super easy (at this time we actually can't do the automatic donation every month, so it's fully opt-in for each donation).
Will improve the site based on the feedback and keep you up to date.
Thanks again for taking time to share your experience with us!
Trying to push to a client the crappiest implementation that seems to work is certainly everything you say that it is - but that's not the same thing as delivering the simplest implementation that works.