MiceAge on the latest news regarding MyMagic+ : Read it and weep.

ford91exploder

Resident Curmudgeon
<sigh>

It is not a company's fault if some nutcase working for them does something on their own free time. It is not their fault if you voluntarily allowed personal information to be available to them.

Actually it IS their fault if the employee misuses information. Having been an Architect for several systems with multi-million dollar budgets, I can tell you I spent almost as much time with Legal as I did working with the coders to make sure all data security laws were complied with AND that any data use could be tracked back to the person and station requesting it, even to the point that some data access was restricted to specific stations no matter WHO was asking for it.

The biggest problem with NGE is its total lack of transparency. I don't see any statements related to the EU's data protection act etc.
 

Goofyernmost

Well-Known Member
Visit a Bar in MA - most of the 'better' establishments swipe your DL as a precondition of alcohol service. The MICROS POS systems for hospitality have DL verification systems.

Swiping a DL in my home state is pretty common especially since selling alcohol to Minors is a First offense Misdemeanor second offense Felony. And it's the SERVER who gets busted and the state liquor commission does not plea bargain and they run stings weekly.
That would explain it then. I don't drink and I would only concede to going to MA at gun point, and then I'd have to give it some thought. Just kidding... I used to go to Boston quite often before I moved to NC, but, I still don't drink. Well, I should rephrase that too. I do occasionally have a drink, I just don't buy. :joyfull:
 

ford91exploder

Resident Curmudgeon
Like I said... if a state still uses SSN on the licenses, that is a state issue that predates RealID and has nothing to do with it. You provide nothing to counter that nor clarify your claim only try to claim "no I really know"

So when you make claims like


It's a bogus statement.
1) The premise that your license includes your SSN because of 'as part of Real ID' is just false. It is a false statement to start with, and also creates FUD by invoking a worrisome topic when any truth to the matter regarding your SSN is a state issue predating RealID.
2) The statement infers everyone who scanned their license with Disney has given them their SSN - that is misleading because only people who live in a state with such outdated privacy notions on their license are actually impacted and it's unlikely Disney even touched the information anyways. Unless everyone has to provide that info (written or scanned) it's unlikely they are storing it.

Have you done any information security work? If not, the primary premise is that you go by capabilities, i.e. if someone is capable of doing something you assume they ARE doing something. What you think of the probability of something being done is irrelevant.

My statements go from this assumption. And if I'm scaring someone, d--m right they SHOULD be scared witless, because nearly all the PII which we consider private and policies governing it were created in the day when data was PHYSICALLY secure. Your banking information was stored in a secure building with strong physical access controls and accessed only by bonded staff.

Now with universal access to data and no PHYSICAL verification your finances and good name are up for grabs. We need to develop a new paradigm for data access and verification.
 

Voxel

President of Progress City
Have you done any information security work? If not, the primary premise is that you go by capabilities, i.e. if someone is capable of doing something you assume they ARE doing something. What you think of the probability of something being done is irrelevant.

My statements go from this assumption. And if I'm scaring someone, d--m right they SHOULD be scared witless, because nearly all the PII which we consider private and policies governing it were created in the day when data was PHYSICALLY secure. Your banking information was stored in a secure building with strong physical access controls and accessed only by bonded staff.

Now with universal access to data and no PHYSICAL verification your finances and good name are up for grabs. We need to develop a new paradigm for data access and verification.

Agreed, the current PII system is trash and a bit of a joke. Security has fallen more into the hands of the individual and lapses are becoming more common. Look at Russia for example. They just recently announced that most of their internal government systems are going away from computers back to typewriters and filing. (Easier to protect).

What is needed is real-time encryption that is constantly adapting and changing, but this wouldn't last long because hackers will try to break it. To stay in a technology-oriented world we need to progress and work on encryption techniques faster than hackers can crack them.
 

BlueSkyDriveBy

Well-Known Member
I have to ask what planet you reside on. I have had a drivers license for 50 years and never once has anyone ever swiped my DL. Not once!
Then you've never bought booze at Target. Here in the Bay Area, Target refuses to sell any alcohol to anyone without swiping their DL or government issued ID first. Period. Even old geezers obviously decades beyond 21 have to present an ID to swipe or no sale. I suspect this will become more common in the future for legal protection of the seller.
 

flynnibus

Premium Member
Have you done any information security work? If not, the primary premise is that you go by capabilities, i.e. if someone is capable of doing something you assume they ARE doing something. What you think of the probability of something being done is irrelevant.

Yes I have - including working extensively with these guys - http://www.disa.mil/Services/Network-Services/UCCO

It's one thing to talk about theory - it's another thing to gloss over 'possible' to straight up claim someone is doing it and with a much wider impact. We call that fearmongering.

Now with universal access to data and no PHYSICAL verification your finances and good name are up for grabs. We need to develop a new paradigm for data access and verification.

In the same sense.. the old world had very little way of validating what people provided except to rely on proofing methods we assumed only the legitimate authority had (marks, methods, paper, etc). Now we can in realtime validate information from multiple independent sources to cross reference and authenticate what someone submits.
 

ford91exploder

Resident Curmudgeon
Agreed, the current PII system is trash and a bit of a joke. Security has fallen more into the hands of the individual and lapses are becoming more common. Look at Russia for example. They just recently announced that most of their internal government systems are going away from computers back to typewriters and filing. (Easier to protect).

What is needed is real-time encryption that is constantly adapting and changing, but this wouldn't last long because hackers will try to break it. To stay in a technology-oriented world we need to progress and work on encryption techniques faster than hackers can crack them.

I've always thought that this is the 'new' role for the various postal services - to serve as a trusted intermediary for secure data. IETF is working on protocols for a 'trustless' internet as well. But if the postal services could come up with a secure lockbox which only can be created by physically visiting a post office and using that as the central point for storing PII and then AUTHORIZING various entities to access it.

At that point PII breaches would become almost impossible as most systems would only store a pointer to your digital lockbox. Social Engineering will always be a problem though, but it will be a LOT easier to trace.

The big problem is preventing the creation of a 'master key' which would provide access to all the lockboxes. I think a system that would require a virtual drill - i.e. once LEAs have breached the lockbox it is evident to all that they have accessed the information.
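
An added example, not part of any post in this thread or of any real system: a minimal sketch of the lockbox idea above together with the per-requester, per-station access tracking described earlier in the thread. The class and function names, the hash-chained log, and the `forced` flag standing in for the "virtual drill" are all assumptions made for illustration.

```python
import hashlib, json, secrets

GENESIS = "0" * 64

def _digest(prev, entry):
    body = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Lockbox:
    """One person's PII; relying systems store only self.pointer."""
    def __init__(self, pii):
        self.pointer = secrets.token_hex(16)   # opaque reference, carries no PII
        self._pii = dict(pii)
        self._grants = {}                      # requester -> (fields, stations or None)
        self.log = []                          # hash-chained access records

    def authorize(self, requester, fields, stations=None):
        self._grants[requester] = (set(fields), set(stations) if stations else None)

    def _record(self, entry):
        prev = self.log[-1]["digest"] if self.log else GENESIS
        self.log.append({**entry, "prev": prev, "digest": _digest(prev, entry)})

    def read(self, requester, station, field, forced=False):
        fields, stations = self._grants.get(requester, (set(), None))
        granted = field in fields and (stations is None or station in stations)
        outcome = "granted" if granted else ("forced" if forced else "denied")
        # Log before returning anything, so no read path skips the record.
        self._record({"who": requester, "station": station,
                      "field": field, "outcome": outcome})
        if outcome == "denied":
            raise PermissionError(f"{requester}@{station} may not read {field}")
        return self._pii.get(field)

def verify_log(log):
    """Recompute the chain; an edited record breaks every link after it."""
    prev = GENESIS
    for rec in log:
        entry = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
        if rec["prev"] != prev or rec["digest"] != _digest(prev, entry):
            return False
        prev = rec["digest"]
    return True

def demo():
    box = Lockbox({"name": "Constructed Person", "dob": "1970-01-01"})  # constructed data
    box.authorize("front-desk", ["name"], stations=["desk-01"])
    box.read("front-desk", "desk-01", "name")
    try:
        box.read("front-desk", "kiosk-07", "name")   # right requester, wrong station
    except PermissionError:
        pass
    box.read("lea", "warrant-desk", "dob", forced=True)  # the "virtual drill"
    outcomes = [r["outcome"] for r in box.log]
    intact = verify_log(box.log)
    box.log[2]["outcome"] = "denied"                 # attempt to hide the forced read
    return outcomes, intact, verify_log(box.log)
```

The chain only shows tampering to someone who holds the latest digest independently of the lockbox operator; truncating the tail or rewriting the whole log is invisible without that external copy.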
 

flynnibus

Premium Member
Of course the format itself shows that you are over the age required. But in most cases data is never requested.

In the same sense... if all you relied upon was the 'format' you'd accept fake IDs readily. Part of the reason for looking at things like the date is to provide another point of credibility between the card and the purchaser. You wouldn't accept an ID blindly if it were a guy looking in his teens claiming to be 40 by the date on the card.

Obviously the old game of manipulating the ID itself (new photo, changing dates, etc) is passe in the age of technology we have now where someone just makes an entirely new license - but the key checks remain basically the same.
 

ToTBellHop

Well-Known Member
Then you've never bought booze at Target. Here in the Bay Area, Target refuses to sell any alcohol to anyone without swiping their DL or government issued ID first. Period. Even old geezers obviously decades beyond 21 have to present an ID to swipe or no sale. I suspect this will become more common in the future for legal protection of the seller.
He didn't mention his condition:
[Image: curious_case_of_benjamin_button_xl_03-film-a.jpg]
 

Voxel

President of Progress City
I've always thought that this is the 'new' role for the various postal services - to serve as a trusted intermediary for secure data. IETF is working on protocols for a 'trustless' internet as well. But if the postal services could come up with a secure lockbox which only can be created by physically visiting a post office and using that as the central point for storing PII and then AUTHORIZING various entities to access it.

At that point PII breaches would become almost impossible as most systems would only store a pointer to your digital lockbox. Social Engineering will always be a problem though, but it will be a LOT easier to trace.

The big problem is preventing the creation of a 'master key' which would provide access to all the lockboxes. I think a system that would require a virtual drill - i.e. once LEAs have breached the lockbox it is evident to all that they have accessed the information.

However with big government you will never prevent the creation of a 'Master key' because they will bribe and use the courts to shut down those who don't comply. Look at Lava, the email client used by Snowden. It's extremely secure (The government saw this and forced the hand of the creator to shut it down). Or Tor network which the FBI has been trying to infiltrate (Granted, for good purpose; a lot of disturbing things happen thanks to some Tor users.)

I would love to see a security system like Steam and Mega implement, where anytime someone accesses your information (no matter what) you're sent an alert on your phone stating who and what accessed your information.

The security market is an interesting one, one that I like to study as a programmer, but it's rapidly changing for better and worse.
 

ford91exploder

Resident Curmudgeon
Yes I have - including working extensively with these guys - http://www.disa.mil/Services/Network-Services/UCCO

It's one thing to talk about theory - it's another thing to gloss over 'possible' to straight up claim someone is doing it and with a much wider impact. We call that fearmongering.



In the same sense.. the old world had very little way of validating what people provided except to rely on proofing methods we assumed only the legitimate authority had (marks, methods, paper, etc). Now we can in realtime validate information from multiple independent sources to cross reference and authenticate what someone submits.

My views are also shaped by too many years of working with Legal on things - "Is X accessible in your system yes or no" you do not have the option of explaining the details.
 

ford91exploder

Resident Curmudgeon
However with big government you will never prevent the creation of a 'Master key' because they will bribe and use the courts to shut down those who don't comply. Look at Lava, the email client used by Snowden. It's extremely secure (The government saw this and forced the hand of the creator to shut it down). Or Tor network which the FBI has been trying to infiltrate (Granted, for good purpose; a lot of disturbing things happen thanks to some Tor users.)

I would love to see a security system like Steam and Mega implement, where anytime someone accesses your information (no matter what) you're sent an alert on your phone stating who and what accessed your information.

The security market is an interesting one, one that I like to study as a programmer, but it's rapidly changing for better and worse.

But in Snowden's case Big Govt did NOT gain access. And the Russians' reaction was a direct response to NSA's bad behavior.

The postal service at least in the US IS trustworthy. It's the ONLY service where you can send millions in Diamonds and make sure they arrive safely at the other end. If they can create a trustworthy DIGITAL service, well, the benefits are manifold.
 

Voxel

President of Progress City
But in Snowden's case Big Govt did NOT gain access. And the Russians' reaction was a direct response to NSA's bad behavior.

The postal service at least in the US IS trustworthy. It's the ONLY service where you can send millions in Diamonds and make sure they arrive safely at the other end. If they can create a trustworthy DIGITAL service, well, the benefits are manifold.

The question lies though, how trustworthy would it be. Even if the government created a trustworthy DIGITAL service, there would still (most likely) be a back door for the NSA (Unless new laws get passed in the next few years guaranteeing better personal security). While I believe that we are entering an age of PII security, we are entering an age of no personal security (What we are doing, where we are).

I am all in for one branch dedicated to the construction of a security trustworthy digital service. Do I believe I will see it happen? Not any time soon sadly.
 

ford91exploder

Resident Curmudgeon
The question lies though, how trustworthy would it be. Even if the government created a trustworthy DIGITAL service, there would still (most likely) be a back door for the NSA (Unless new laws get passed in the next few years guaranteeing better personal security). While I believe that we are entering an age of PII security, we are entering an age of no personal security (What we are doing, where we are).

I am all in for one branch dedicated to the construction of a security trustworthy digital service. Do I believe I will see it happen? Not any time soon sadly.

I think the NSA will be reined in once the FINANCIAL damage to US companies becomes evident. It was great when it was a secret - but it's secret no more and the bulk of Snowden's stuff has not even hit yet. I expect more than a few political careers to go down in flames.

But we need to get back On Topic - Start a private conversation if interested
 

Voxel

President of Progress City
I think the NSA will be reined in once the FINANCIAL damage to US companies becomes evident. It was great when it was a secret - but it's secret no more and the bulk of Snowden's stuff has not even hit yet. I expect more than a few political careers to go down in flames.

But we need to get back On Topic - Start a private conversation if interested

Back on topic, do I believe that MyMagic+ will be as big a security risk as everyone is making it out to be.. No. All these things that guests are fearful about, such as retrieving guest information from the bands, can currently be done with the cards that they used to use.

The biggest issue with MyMagic is the implementation. It was crazy to try to roll out something like this at the largest Disney Park first. Something like this should have been attempted at Tokyo or Hong Kong. Smaller scale allows for less issues and better understanding of what they need for large scale roll out.
 

ToTBellHop

Well-Known Member
Back on topic, do I believe that MyMagic+ will be as big a security risk as everyone is making it out to be.. No. All these things that guests are fearful about, such as retrieving guest information from the bands, can currently be done with the cards that they used to use.

The biggest issue with MyMagic is the implementation. It was crazy to try to roll out something like this at the largest Disney Park first. Something like this should have been attempted at Tokyo or Hong Kong. Smaller scale allows for less issues and better understanding of what they need for large scale roll out.
I think smaller scale than that. It should have been rolled out at the Disney Store in Des Moines, first. Then the Disney Store on Times Square. Then the Rapunzel toilets.
 

Skibum1970

Well-Known Member
Back on topic, do I believe that MyMagic+ will be as big a security risk as everyone is making it out to be.. No. All these things that guests are fearful about, such as retrieving guest information from the bands, can currently be done with the cards that they used to use.

The biggest issue with MyMagic is the implementation. It was crazy to try to roll out something like this at the largest Disney Park first. Something like this should have been attempted at Tokyo or Hong Kong. Smaller scale allows for less issues and better understanding of what they need for large scale roll out.

I would also question why the full-out implementation of FastPass+ on attractions that didn't need it. Truth be told, I don't think that FastPass helps much at all. It interrupts the flow of the line in the queue, including the projected wait times. If they wanted MagicBands for entry, room keys, ease of payment, fine. Use that data to track what people buy and so on. If they wanted to know the flow of attractions, they could have easily tracked wait times to see which attractions were used to capacity and which weren't. I'll never understand the FastPass+ part.
 

Voxel

President of Progress City
I would also question why the full-out implementation of FastPass+ on attractions that didn't need it. Truth be told, I don't think that FastPass helps much at all. It interrupts the flow of the line in the queue, including the projected wait times. If they wanted MagicBands for entry, room keys, ease of payment, fine. Use that data to track what people buy and so on. If they wanted to know the flow of attractions, they could have easily tracked wait times to see which attractions were used to capacity and which weren't. I'll never understand the FastPass+ part.

I second what you say, FP+ part was the worst aspect of the program. The current FP program was sufficient and could have easily been adapted to work with the Magic Bands.
 
