Comments on Errata Security: "That's not the lesson!!" Lessons unlearned from the Blippy CC number exposure.
Comment feed by David Maynor (http://www.blogger.com/profile/09921229607193067441), last updated 2024-01-16.

Comment by Ax0n (https://www.blogger.com/profile/12145109647562469601), 2010-04-26 00:21 -04:00:

My first reaction via Twitter (having seen the search results via Twitter in my not-so-smartphone's OpenWave WAP browser) was simply: "*headdesk*"

Since the links didn't work, I figured it was fixed some time ago, or maybe fixed immediately after the "crapstorm" hit Twitter. Regardless, I couldn't really dive any further into it, being in a doctor's waiting room using only my phone.

Without seeing how many (or rather, few) pages of results there were, I couldn't tell how far-reaching this problem was, but on my drive home, I got to thinking it might not be a bad idea for WAFs to block anything that looks like cardholder data (properly formatted numeric strings that are Luhn-algorithm true, for example), or that search engines might flag a page containing that kind of data for some kind of manual verification.

Granted, there are a lot of long strings of numbers that happen to resemble card numbers. And for all I know, this technology already exists. My primary thought along the drive home was "why on earth is this cached?"

By the time I got home, Google was dishing out "you're a bot!" style error messages for the Blippy searches. Problem solved, in my book. Thanks for injecting a dose of sanity into this FUD-fest!