MiceAge on the latest news regarding MyMagic+ : Read it and weep.

ford91exploder

Resident Curmudgeon
Right. My view is that giving liberal access to everyone would probably be additional work that should raise red flags at the outset. I hope Disney is that smart.

No, it's actually easier, as you don't need to implement an access control system. Access control systems are HARD to implement correctly, and to work properly they have to be fully integrated into all data types handled by the system.

IBM's RACF allows every detail of a system's operation down to keys on keyboards having security applied on a per-user basis.

Access controls are usually the FIRST thing to go when projects get severely behind schedule or over budget.
 

asianway

Well-Known Member
Sorry, I guess because I actually worked on a driver's license project for state government in another life I don't know what I'm talking about. SSN, if used by the state, is on band 3 of the magstripe. It is NOT human readable, but every time your DL is swiped at the grocery store to buy alcohol or tobacco products it is READ. Whether it is STORED somewhere is up to the system implementor.
All TWDC CM ids had to be reissued a couple years ago because the SSN was embedded in the bar code & someone hacked the code....
 

ford91exploder

Resident Curmudgeon
All TWDC CM ids had to be reissued a couple years ago because the SSN was embedded in the bar code & someone hacked the code....

Why oh why do companies keep using reversible hashes? A one-way hash will generate the same result if given the same (unsalted) input and is cryptographically secure. The SHA-x series of hash functions are perfect examples. MD-5 is subject to collisions and as such is not reliable, and there are bugs in its cryptosystem.
 

englanddg

One Little Spark...
I've read through this thread the entire way throughout the day and I have to say...I just don't care about the data thing. I assume that this will be par for the course with everything in the very near future, as it is with some things now. Also, I am very much not local so it really doesn't matter to me.
Furthermore, if I see that I am being stalked, or my wife or kids are being stalked by a CM on property, I will report their . Magic bands aren't needed for that to happen, it just happens to make it easier.

What I would like to know from people that truly understand IT is this: if CMs used personal information from the NGE for nefarious purposes, would it be easy to prove that? Obviously, if you were being followed, it probably would. But I've been thinking, since TWDC is essentially a huge pile of money, how easy would it be to establish a lawsuit? Seriously, if CMs started using this tech unlawfully, couldn't you sue TWDC? I can't see them allowing something like that to happen. Again, I know nothing about IT so I could be way off on this.
<sigh>

It is not a company's fault if some nutcase working for them does something on their own free time. It is not their fault if you voluntarily allowed personal information to be available to them. It is not their fault if you sneeze because you don't like the orange smell in Soarin'.

Sheesh, this attitude is out of control.

Nothing you give Disney is verified. If you are that concerned, be like me and live mostly off the grid. The address my Magicbands were shipped to? Yep, not where I live. The CC I use for online purchases and attach to my Disney accounts? Yep, it's anonymous, a prepaid Green Dot card or Amex gift card charged up.

There are ways around this.

This is such a silly argument.
 

englanddg

One Little Spark...
Also, news flash...SSNs are NOT unique. They have been reissued, and they have also been double issued.

Plus, Disney NEVER asks you for SSN.

That's all I can say about that. But, please...let it go. This is a stupid argument.
 

englanddg

One Little Spark...
My point is, in this world, Data Security is up to you.

The most successful hackers in the world don't really hack the computer (that's actually quite hard)...they hack the people.

Take a hammer and bang that into your brain.

People are FAR more likely to give out sensitive information or allow access to it than a computer is.

IT can only limit the access so much before it becomes so onerous on the end users that it's a worthless system. It's like when I worked for the military, and we had multiple systems with multiple passwords...what did people do? They made printouts with all the usernames and passwords and put them at their desks.

After a major incident, rules came down that you couldn't do that anymore...so, what did they do? They printed their crib sheets and taped them under their keyboards.

</facepalms>

There is a point where being secure is being TOO secure.

For every complaint about people having access to your address or phone number, think about this situation...

Imagine a call center agent. You call in wanting whatever. You don't have a bill handy. She asks your account number. You say you don't have it. She says, OK, let's search by phone number then! You give her a few phone numbers, and they still can't find your account. She says, OK, let's search by address...oh, there you are!

Now she can help you.

You get off the phone satisfied with that experience.

Compare that to her saying...well, sir, without your confirmation number I can't help you.

Sheesh...this is just silly...
 

englanddg

One Little Spark...
Why oh why do companies keep using reversible hashes? A one-way hash will generate the same result if given the same (unsalted) input and is cryptographically secure. The SHA-x series of hash functions are perfect examples. MD-5 is subject to collisions and as such is not reliable, and there are bugs in its cryptosystem.
Unless one obtains the key.
 

Cesar R M

Well-Known Member
My point is, in this world, Data Security is up to you.

The most successful hackers in the world don't really hack the computer (that's actually quite hard)...they hack the people.

Take a hammer and bang that into your brain.

People are FAR more likely to give out sensitive information or allow access to it than a computer is.

IT can only limit the access so much before it becomes so onerous on the end users that it's a worthless system. It's like when I worked for the military, and we had multiple systems with multiple passwords...what did people do? They made printouts with all the usernames and passwords and put them at their desks.

After a major incident, rules came down that you couldn't do that anymore...so, what did they do? They printed their crib sheets and taped them under their keyboards.

</facepalms>

There is a point where being secure is being TOO secure.

For every complaint about people having access to your address or phone number, think about this situation...

Imagine a call center agent. You call in wanting whatever. You don't have a bill handy. She asks your account number. You say you don't have it. She says, OK, let's search by phone number then! You give her a few phone numbers, and they still can't find your account. She says, OK, let's search by address...oh, there you are!

Now she can help you.

You get off the phone satisfied with that experience.

Compare that to her saying...well, sir, without your confirmation number I can't help you.

Sheesh...this is just silly...

nothing beats social engineering!

and I agree with you, you can make the most perfect system ever.. but the people who use it would still be the weakest link.
 

flyerjab

Well-Known Member
<sigh>

It is not a company's fault if some nutcase working for them does something on their own free time. It is not their fault if you voluntarily allowed personal information to be available to them. It is not their fault if you sneeze because you don't like the orange smell in Soarin'.

Sheesh, this attitude is out of control.

Nothing you give Disney is verified. If you are that concerned, be like me and live mostly off the grid. The address my Magicbands were shipped to? Yep, not where I live. The CC I use for online purchases and attach to my Disney accounts? Yep, it's anonymous, a prepaid Green Dot card or Amex gift card charged up.

There are ways around this.

This is such a silly argument.

Wow. Just asking a question man. Just asking a question. That's the type of vitriol that makes me wonder why I post on this site...but in the end I just can't help myself.
 

englanddg

One Little Spark...
Wow. Just asking a question man. Just asking a question. That's the type of vitriol that makes me wonder why I post on this site...but in the end I just can't help myself.
How is anything I stated cruel or bitter criticism?

Your data security is your own responsibility. And, you don't deserve a "pay out" because you, of your own volition, shared it.

If you want to live off the grid, it's not that hard. Just don't screw with the IRS.
 

flynnibus

Premium Member
Sorry, I guess because I actually worked on a driver's license project for state government in another life I don't know what I'm talking about. SSN, if used by the state, is on band 3 of the magstripe. It is NOT human readable, but every time your DL is swiped at the grocery store to buy alcohol or tobacco products it is READ. Whether it is STORED somewhere is up to the system implementor.

Like I said... if a state still uses SSN on the licenses, that is a state issue that predates RealID and has nothing to do with it. You provide nothing to counter that nor clarify your claim, only try to claim "no I really know".

So when you make claims like
If you have an AP or Premier Passport they scan drivers license magstripe which INCLUDES SSN as part of 'Real ID'

It's a bogus statement.
1) The premise that your license includes your SSN because of 'as part of Real ID' is just false. It is a false statement to start with, and also creates FUD by invoking a worrisome topic when any truth to the matter regarding your SSN is a state issue predating RealID.
2) The statement infers everyone who scanned their license with Disney has given them their SSN - that is misleading because only people who live in a state with such outdated privacy notions on their license are actually impacted and it's unlikely Disney even touched the information anyways. Unless everyone has to provide that info (written or scanned) it's unlikely they are storing it.
 

flynnibus

Premium Member
Unless one obtains the key.

The point of a SHA hash is that the original data is never obtainable.. all you do is verify that the inputted value 'matches' the original encoded value. Hashes are one way. His comment was why bother using reversible encryption. Sad truth is, there are times when it's required, and there, yes, your encryption is only as strong as your key protection.
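
Added example, not part of the post above and not code from any system discussed in this thread: a Python sketch of the verify-by-match idea, storing a salted, keyed SHA-256 digest of an identifier instead of the identifier itself. The sample value, the function names and the server-side key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; not a real identifier.
SAMPLE_ID = "000-12-3456"


def unsalted_digest(identifier: str) -> str:
    """Plain SHA-256: the same input always yields the same digest."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def enroll(identifier: str, server_key: bytes) -> dict:
    """Keep a per-record salt and a keyed digest, never the identifier."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(server_key, salt + identifier.encode(),
                   hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def verify(record: dict, candidate: str, server_key: bytes) -> bool:
    """Recompute the digest for the candidate; compare in constant time."""
    expected = hmac.new(server_key, record["salt"] + candidate.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["tag"])


def demo() -> dict:
    # Hypothetical key, assumed to be held outside the database. A short
    # numeric identifier has a small input space, so the salt alone would
    # not stop guessing; the secret key is what prevents it.
    key = secrets.token_bytes(32)
    first = enroll(SAMPLE_ID, key)
    second = enroll(SAMPLE_ID, key)
    return {
        "unsalted_repeatable":
            unsalted_digest(SAMPLE_ID) == unsalted_digest(SAMPLE_ID),
        "salted_records_differ": first["tag"] != second["tag"],
        "correct_value_matches": verify(first, SAMPLE_ID, key),
        "wrong_value_rejected": not verify(first, "000-12-3457", key),
        "wrong_key_rejected":
            not verify(first, SAMPLE_ID, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
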
 

englanddg

One Little Spark...
The point of a SHA hash is that the original data is never obtainable.. all you do is verify that the inputted value 'matches' the original encoded value. Hashes are one way. His comment was why bother using reversible encryption. Sad truth is, there are times when it's required, and there, yes, your encryption is only as strong as your key protection.
SHA was released by whom? Do you honestly think there is no "key"?
 

englanddg

One Little Spark...
You do realize the algorithms are publicly known, don't you? The encryption is trusted to be secure through independent scrutiny - not because the feds published it.
Yes, just like other algorithms. My point was...don't think it's secure just because it says it is.
 

Cosmic Commando

Well-Known Member
No, it's actually easier, as you don't need to implement an access control system. Access control systems are HARD to implement correctly, and to work properly they have to be fully integrated into all data types handled by the system.

IBM's RACF allows every detail of a system's operation down to keys on keyboards having security applied on a per-user basis.

Access controls are usually the FIRST thing to go when projects get severely behind schedule or over budget.
I'm not a programmer, so I could be way off, but I figured they have to build an interface for frontline CMs to use. I doubt they'll be using MS Access or some straight up database management system. I'll go back to my FedEx example: you'll never accidentally get the driver's SSN when you track your package, even though that is in the system somewhere. In my head, the frontline CMs should just have their iPad app that scans the bands and just spits out the non-creepy info. The really personal stuff could be limited access simply by where it can be accessed from.
 

lazyboy97o

Well-Known Member
I'm not a programmer, so I could be way off, but I figured they have to build an interface for frontline CMs to use. I doubt they'll be using MS Access or some straight up database management system. I'll go back to my FedEx example: you'll never accidentally get the driver's SSN when you track your package, even though that is in the system somewhere. In my head, the frontline CMs should just have their iPad app that scans the bands and just spits out the non-creepy info. The really personal stuff could be limited access simply by where it can be accessed from.
This is the system that was giving users a completely different person's information.
 
