Security Madness from Buzby
The guys over at Buzby have been busy again. This time they have been considering “SECURITY” which I think is a very Important & Valid thing to be considering (Especially these days) Only I think they need to do some more work on it.
For example, they are concerned about sending customer data back and too to their CP’s. Now this I can understand, you would not like the idea of your personal details being handed about freely over the net. So this is how the details are now securely transferred.
I as a CP upload some data over SFTP to their sever, their systems runs on the data and does what I request (All nice and secure so far). I then have access (again by SFTP) to an output file telling me which records worked, if there was any errors, etc.
Only now I get an email to tell me if there is any problem with any records. But what if my email is compromised? its not very secure so they put the text they are sending me in a file, ZIP it up with a password protection and email me the password protected file. And then at the same time send me another email with the password to the file in it. So if my email had been compromised they person would be unable to access the file since the password was in a separate email.
In theory sending the data in locked files is good, but it should be with an agreed on password so the password does not get emailed. Or maybe a PGP encrypted email? Or I could just collect the file over SFTP which was set up wit certificates, encryption, blah, blah, blah.
I’m sorry, I’m all for trying to improve security (I need to hurt one of the drones at the Insane Asylum and point out his passwords are retarded) But emailing the password to a secure zip file to the same email address, at the same time? Madness.
Also, they are not very long passwords, I’m sure a zip password recovery program would access it in no time at all. (I may test that and tell them how easy it was to access the file without the password)
I do give them ★★ (2 Stars) for at least considering security!
