Settlement Component
October 30, 2011
October 7, 2011
Settlement won final approval.
Posted by Matthew Elvey under Settlement Component, TD Ameritrade breach. 1 Comment
How do I feel?
I feel like the justice system has let me down, like the Wall Street protesters who, e.g., want to see the executives of my former employer who lied to Congress at least get arrested.
TD Ameritrade (TDA) has refused to pass a security audit, and the attorneys supposedly representing the class are OK with that. If TDA had secured their customer data properly, they would, most certainly, be eager to show their customers and target market.
My friends and I are angry that TDA’s security is still Swiss cheese. Earlier this year, they accidentally admitted that they didn’t even have an IDS or IPS system in place! I hear they still don’t encrypt customer data and still grant staff far more customer data access than is needed to do their jobs. They’re in violation of Massachusetts law. They’re literally making millions serving customers over the Internet that they wouldn’t make without the Internet, but not taking the small steps necessary to protect those customers. They spent millions on attorneys (at one judge-managed mediation session, there were ~30 attorneys present.) Instead of covering up their mistakes, they should be doing the right thing.
They profit off the Internet, but won’t invest in it! Their databases are an open book to gangs and even determined high-school students. They should be hiring and training their staff and deploying resources so that they can pass a security audit. They’ll get hacked again. And when they do, they’ll be back in court. And this warning, which I delivered in court, will haunt them.
The Armstrong court cherry-picked which objections in my final filing to address and which to ignore. The court demonstrated that it doesn’t even understand the 9th District’s own General Order (regarding PDFs) because it’s too technical! (Even though it’s quite simple.) There’s no way it understood all the key technical security issues in this case.
There’s been a news blackout with respect to the fact that TD Ameritrade actively covered up the security breach, as the whistleblower-sourced information I’ve published here details.
I’m glad that TD Ameritrade has at least received some bad press for its disgraceful behavior, and that those who filed claims are expected to receive significant compensation. I’m glad that the bulk of the class is at least somewhat aware of the breach. Unfortunately, the insignificant cost of this settlement sends the message that executives who underfund the Information Security department and direct the cover-up of a security breach are making the right choices, as far as the financial interests of shareholders go. TDA would need to spend more than it spent settling this case to shore up its security enough to pass a proper audit.
July 11, 2011
Internet still plagued by insecure updates. Hall of shame: elvey.com/insecure
Posted by Matthew Elvey under Settlement Component. 1 Comment
I’m sick and tired of having essentially no choice but to intentionally expose my computer to attack and root compromise by any resourceful and motivated adversary. It’s time to do more about it. COMING SOON: elvey.com/insecure
April 18, 2011
Should I sue…? TD Ameritrade vaults are still wide open.
Posted by Matthew Elvey under Settlement Component
Should I sue the makers of this film for copyright infringement?
I’m joking, of course, in case that wasn’t obvious. However, this film does a damn good job portraying what the InfoSec department at TD Ameritrade was (and, unfortunately, still is) like. Counsel recently informed me, probably not realizing the foolishness it exposed, that TD Ameritrade DID NOT HAVE AN INTRUSION DETECTION SYSTEM (IDS) (or an Intrusion Protection System (IPS)) in place!
Watch it. (just Episode 1! It’s just 4 minutes. Definitely skip Episode 2. Episode 3 is weak too.)
And no, I’m not endorsing AppSec or DBPROTECT.
April 18, 2011
I will make you talk, TD Ameritrade InfoSec group staff.
Posted by Matthew Elvey under Settlement Component
I will make them talk. A, B, C, and D (not their real names) are all current or former members of TD Ameritrade’s InfoSec group.
Over a month ago, I filed and served a legal subpoena for their emails about the breach. I also subpoenaed all the reports by internal staff and involved outside firms, which include ID Analytics, Mandiant and Protiviti, regarding the breach, which I understand will cover at least five security audits related to investigating the breach.
But TD Ameritrade has refused to honor the subpoena – AT ALL.
The other things I subpoenaed were:
C) A copy of the circa September 18, 2007 deposition of the former TD Ameritrade CSO (Chief Security Officer) regarding this breach.
D) TD Ameritrade stated on September 15, 2008, “We know specifically when the breaches began.” We request a copy of a document disclosing that date.
E) A copy of each Letter to the Audit Committee and Letter to the Audit Committee Chairman from the company’s auditors from 2005 to 2010, inclusive. Discussion of deficiencies that could have no impact on customers could be redacted.
December 10, 2010
Third Proposed Settlement up for Preliminary Approval. I oppose. (Modified 1/1/11, 1/25/11)
Posted by Matthew Elvey under Settlement Component, TD Ameritrade breach. 4 Comments
NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.
On December 9, 2010, I filed and argued in court against the motion for preliminary approval:
Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns. I’d highlight them thusly: We pushed for an effective audit. This settlement proposal notice is misleading and poorly publicized, and so cannot be fair. It has an audit component that to the untrained or hasty eye is meaningful compensation, but (more…)
March 29, 2010

An actual HMG IS2 Full Accreditation Statement based on an actual ITSHC – an actual security audit by Deloitte, one of the Big Four audit firms – which demonstrates the auditor’s reputation has been put on the line, as well as the legal liability shouldered by such an audit.
Author: George McLeod, National Accreditation Manager, NPIA
Judge Walker has said that the audit component primarily benefits TD Ameritrade, not the class. Here’s why I think a good audit component substantially benefits the class. (more…)
June 16, 2008
This IS a good piece of software.
I’ve used it, and found it was roughly comparable to similar suites from the big guys: Norton/Symantec and McAfee. (Like all of them, it will cause problems on some PCs.)
However, as a component of the settlement there are significant issues: (more…)

