
Thursday, August 30, 2007

A Monsterous Email From Monster.com
You may have heard recently that Monster.com was hacked and over a million records from both job seekers and employers were stolen. Pull up a chair because it gets worse. Much worse.
 
[Full disclosure: I was a consultant for Monster for several years in the early days, running three versions of The Monster Board (as it was known back then), and helped deploy the first international sites for Canada, the UK and Australia. I also had a résumé on Monster until about two hours ago. Interesting true tidbit, one of the project managers I worked with at Monster was Matt Romney]
 
But first, some additional detail. Monster didn't actually figure out that they had been hacked. Symantec Corporation, an Internet security and anti-virus company, notified them. Symantec got involved because as an anti-virus provider, they are continually evaluating malicious Trojan horse programs. They were trying to figure out what a new Trojan, Infostealer.Monstres, was and learned it had been quietly uploading 1.6 million customer records from Monster to another server. (Monster reported 1.3 million - I'm not sure why there is a discrepancy, but I'll trust Symantec at this point.) Anyway, when Symantec realized what they had, they notified Monster who then took the weekend to perform security forensics and shut down the impacted servers. Four days after Symantec notified Monster, they posted some of the information on their security response blog as a public service. Still nothing from Monster until the fifth day, when they put up a message on Monster.com about the breach.
 
However, today Monster sent E-mail to all its users to discuss the event, how they were responding and how to prevent this information from being used against people via phishing or spoofing scams. I read it, did a little research and got immediately annoyed and concerned.
 
I've posted an image of the E-mail at the end of the article here for reference. It's an excerpt - the full E-mail has a bunch of additional safety information following the contents of Mr. Iannuzzi's statement. But first let me walk you through the most troublesome statements in the letter from Mr. Iannuzzi.
Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster.
It's pretty hard for me to trust Monster knowing that their definition of protecting me is to wait five days before disclosing the breach. It's also hard for me to trust them when their disclosure method was posting something on their home page. I never go there. I had Job Seeker Agents that mailed me any interesting positions. But it's most troubling that the disclosure happened to be the day after Symantec went public. The security blog is dated 2:26 PM and it is likely that the author was in Symantec's headquarters in California on Pacific Time. Therefore, Monster may (and I stress may) have been forced to disclose because Symantec sat on it for four days waiting for them to do something and then had to go public in order to properly protect their customers.
The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue.
You will have to read this one over a few times to get the duplicity here. It starts with the second word. Company with a capital C. The only people who use the term company and capitalize it in that context are lawyers. The very next sentence uses Monster instead of Company or company. So that tells me that parts of this letter were most likely drafted by Monster's lawyers and pored over with a fine tooth comb. You might say, who cares?
 
I care. Is this letter a true disclosure, or a legal method of corporate CYA? Can you guess which side I'm going to fall on? It's CYA in my opinion. And here's why I think so:
 
I think the phrase, "not the first time [Monster's] been the target" is disingenuous to the facts and I think Sal knows it. The very same day this E-mail went out, Mr. Iannuzzi talked to Reuters and said that while investigating the initial event they discovered that prior theft had been discovered with potentially millions of additional records stolen. Does Mr. Iannuzzi's statement above make you think that the prior thefts are resolved or unresolved? It seems to me that this is a precautionary statement by Monster to help defend against litigation.
 
Now look at that second sentence again. Significant amount of uncertainty. In other words, they are probably not sure how many or whose records have been stolen. How nice of Mr. Iannuzzi to reach out to us. Maybe he should have written in this letter what he said to Reuters (quote is paraphrased by Nick Zieminski and Jim Finkle of Reuters; emphasis in the quote below is mine).
To be safe ... each Monster.com user should assume that his or her contact information has been taken
That's certainly not the impression I got from Mr. Iannuzzi's letter. Let me translate it for you again just to drive the point home.
Mr. Iannuzzi: The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity.
 
Translation: As we worked on resolving the initial break-in, we discovered that a shedload more records had been stolen than we knew about and that we had been compromised multiple times. And we're telling you so that you won't sue us.
 
Mr. Iannuzzi: Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted ...
 
Translation: We don't really know whose records have been stolen and we're telling you to try to prevent you from getting scammed, losing money and suing us.
 
Mr. Iannuzzi: Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue
 
Translation: It's in our best interest to damage control the shit out of this because you're probably going to get phishing emails really soon now if you already haven't. And then we'll stand a much better chance in court when you sue us than if we didn't previously tell you that you were impacted.
Monster has had a tough time lately. The general counsel pleaded guilty to back-dating options, the company had to rework years of financial records for the SEC and the CEO, Andrew McKelvey, resigned rather than face questioning. By the way, the article I linked to above from the Washington Post is really stunning too. They spend the whole article talking about a 'former executive' before revealing just before the end that this executive was the general counsel. If your general counsel is breaking the law and covering it up, well, that's almost as bad as it gets in corporate governance, in my opinion.
 
It makes me wonder how Jeff Taylor would have handled it.
 
MonsterLetter.jpg
12:58 am est

Wednesday, August 29, 2007

New England Baptist Church Sign: August 29, 2007
NEBC-8-29-07.jpg
 
This photograph may look a little odd. That's because I took it at around 10PM this evening. I spent some time with Doc, an old friend, and decided to drive through Medford Square on my way home. Once again, the sign had changed and I decided that I'd go ahead and post it.
 
There was a parking space right in front so I parked the car and put the camera on its side on the roof. The exposure was a full 20 seconds long at ƒ8 and ISO 100. That's why the flag is a ghost image and the flowers are not sharp. There was a bit of a breeze.
11:29 pm est

Monday, August 27, 2007

Uneclipsed Full Moon
I've complained a lot about taking pictures of the moon. I was for the eclipse before I was against it, you know. Anyway, I picked up a 2x teleconverter rental today just in case (and before I found out the stuff in the post below). And a few minutes ago, I realized that I wouldn't have a 445mm lens (equivalent) again soon so I should just take a picture of the full moon, eclipse be damned.
 
FLMNED.jpg
11:43 pm est

There's A Ribbon For Everything These Days
I didn't realize just how many awareness ribbons there are. There are a lot. I mean really, a lot. Did you know there's a ribbon for just about every kind of cancer you can think of? I didn't until I saw one this afternoon.
 
PanCanCan.jpg
 
Now it's not my intention to dis pancreatic cancer, but this struck me as a very poor place to stick an awareness ribbon. It's a trash dumpster behind an office building where I've been spending some time lately.
8:27 pm est

Eclipse Eclipsed
Well, I'm disappointed. I've just spent over an hour researching tomorrow morning's eclipse and concluded that it's not worth the effort to photograph it. The problem is that the moon will be setting just around totality, which is when the moon is fully eclipsed. The earth's shadow is much larger than the moon, so it takes some time for the moon to get completely covered by it. When totality occurs, the moon takes on beautiful colors - reds, yellows and occasionally blue crescent highlights. The problem is that according to the various moon location calculators I've consulted with, the moon will be extremely low in the horizon at this point, less than 10 degrees. That means that unless I am elevated, I may not actually be able to see it in totality and I'm not getting up at three in the morning to photograph a partial eclipse.
 
The other problem is that nautical twilight begins before totality and that means the sky will start to get bright. It looks like moon set, totality and sunrise are all within about a half hour of each other. So there are just too many problematic circumstances to make the trip worth it.
 
Fear not, though, there is another total eclipse coming up in February that, weather permitting, looks to be a much better opportunity. I think I'll just prepare for that and bag tomorrow's shoot.
8:21 pm est

Sunday, August 26, 2007

Lunar Eclipse
It totally crept up on me. There is a total lunar eclipse tomorrow (well, for New England it will be something like 6 to 7 AM, local time). I need to figure out if I'm going to shoot it. The folks at NASA are going to use totality to see if they can observe and film meteor strikes on the lunar surface. I'm just hoping for a clear morning.
11:32 pm est

Some Mystic Lakes Wildlife
As I mentioned in previous posts, on Sunday I went over to the Upper Mystic Lake at Sandy Beach a couple of times to try to get some photos that I missed the day before. I struck out, but other stuff was happening. The second time I returned, I also struck out with respect to the duck with the fishing tackle. But I decided to walk along the shore that abuts the Mystic Valley Parkway to see what I would find. I was thinking I'd find some ducks.
 
However, I am also working on a fine art series of bugs and this setting was perfect for the type of environment I was looking for. As I walked along, I said to myself, don't take the bug pictures, Dave, because you don't have a tripod and a macro lens. But sometimes, I just can't resist. I love shooting pictures of water, particularly when I'm shooting small objects, because it just looks amazing and abstract. The old brown dragonflies were out and I pulled up a rock and hung out to watch. Before you know it, I was taking pictures. This one's not as sharp as it could be because I was hand-holding the camera at 200mm (effectively 320mm) with only a 1/200s shutter speed. That's too slow for a sharp shot without some really steady hands.
 
UMLDragonFly.jpg
 
I have a method for this and it involves sitting in one place. If you find a particularly nice feature, like the point of this rock sticking above water, a bug will eventually land on it. In the case of these dragonflies, it didn't take long and I took about 75 photos. I didn't get that close to what I wanted for fine art, but I did catch some nice bug-scale landscapes. It gives you a hint at what I'm working on, although those are much, much better images and black and white.
 
The nice thing about sitting still is that other nature comes to you. I neglected to mention that in my earlier visit I had been following a small shore-bird around the other side of the beach, but I couldn't get close enough. I even tried walking through the woods and waiting for it to stroll by, but no luck. But here, whilst I was taking shots of dragonflies, I sensed some motion and turned 90 degrees and saw this sandpiper hopping towards me. With extremely slow motions, I changed my camera settings and lined up the bird for a photo. I managed to get three or four before it got scared off by the on-camera flash. (I sometimes use it when the light is coming at me to add a little fill light to the subject).
 
UMLSandpiper.jpg
11:19 pm est

Baptism at Sandy Beach
Sometimes, when I'm out working on pictures for stories, I encounter new stories. This happened today in Winchester at Sandy Beach. I went there yesterday with the kids to go swimming, because the town of Arlington reservoir didn't open until noon. By the way, I could not believe that opening time - noon on a Saturday when it's well over 90 degrees and humid. And neither could all the other parents milling about in the parking lot at 10:30 wondering what to do.
 
Anyway, while we were at the beach, two things happened. First, I noticed a Mallard duck that had become entangled in fishing line and was trailing a bobber. I felt really bad about this and I wanted to get a picture of it. But I can't bring my camera with me to the beach with the kids because it could be stolen while I am in the water. The second thing that happened was that there was a state police car near the beach whose number happened to be 666. The juxtaposition was priceless. Police, happy beachgoers and the sign of the devil.
 
The other note about taking pictures at Sandy Beach is that I try to be really discreet and keep people out of the shots. A lot of people are uncomfortable in bathing suits or being photographed at the beach and I want to respect that even though I have a right to be there and taking pictures.
 
So today I went back to try to get both pictures. I couldn't find the duck and the state police car there today had a different number and was parked across the road. But there was something interesting going on and it had to do with these two fellows.
 
TwoGuysinWater.jpg
 
As you may have guessed from my previous post, these two men were actually members of the clergy and were performing baptisms at Sandy Beach today. Interestingly, the people being baptized were all older - I didn't see any kids. It was clearly a very happy moment for this woman, although the child (unrelated) looks a bit trepidatious.
 
Waterceremony.jpg
 
Me being a photographer and all, I wanted to find some way to really show the story without all the swimmers and crowds and stuff. It's just wonderful when you have a chance to take photos of something like this in a public place, because you can experiment with creativity as opposed to documentation. So here's my stock baptism photo that came from the session.
 
UndertheWater.jpg
12:10 pm est

New England Baptist Church: Gays Are Unhealthy, Unnatural and Ungodly
After the CNN story, a friend of mine drove by the New England Baptist Church to see what they had on their sign. It was empty. Wow, what a great picture, I thought. But I didn't have a chance to get over there until this morning, and it was no longer blank.
 
NEBCSign8-26-07.jpg
 
By the way, there was some kind of event going on at the church today. A field trip of some sort. The buses were all lined up down the street. Interestingly, I went over to Sandy Beach right after this and ran into a baptism ceremony - I'll show you that later.
 
NEBCbus.jpg
 
This rolling caravan would make quite an impression coming up in your rear-view mirror, don't you think?
11:26 am est


Copyright © 2001 - 2008 | David Owczarek | All Rights Reserved