Normally i wouldnt be surprised but seeing as its a "security company" well they SHOULD have known better. Just leaves me witha few question really :

1. Why were they using a CSV in the first place, surely a DB (mysql, sql2k5 etc.) would have been a better solution, the code to go from db table to csv is nominal.

2. Why wasnt the CSV located in a folder above the site root in the folder hierarchy?, e.g. inaccessable from http, only accessable via ftp and script...

3. If the code is being used by customers, then its production code to my mind. so why were the comments left in etc. code not obfusticated?

4. Why wasnt the CSV encrypted, i mean seriously what sort of IT Security company doesnt try to encrypt everything and anything that could contain data??

It could happen to anyone, I am just glad it didn't (hasn't yet) happened to me.

Code a web site in haste and not only can you repent at leisure but you can do it in the public eye.

.csv is used in lots and lots of commercial applications since it's so easy to consume in other applications. While there are technically superior options out there many companies see no reason to change what works. I have to agree with that path as it's really easy to spend a ton of money on technical improvements that really have no impact on the balance sheet. IT people just don't seem to understand that.

When security is ignored, the balance sheet suffers MBA holders just don't seem to understand that.

That's why IT people are hired - because MBAs can't understand simple concepts like "if this data is accessed from outside the company, we may be sued out of existence, or our competitors may use it to gain a very large edge in the marketplace."

If you don't have IT and security in mind when designing a commercial Web site, you're a dangerous idiot.

Tim chubb listed only a few "best practice" elements for dealing with this type of data. Sure ... use .CSV if you can't economically make it work in a more secure way (which should be trivial for a security firm), but for crying out loud ... placing it in a web-accessible directory?!? Unencrypted?!? Yeesh. Basic ignorance of long-standing security practices. According to FaceTime's comments about this, I'll bet one could still use wget to grab the list, if one were so inclined ... so unless they've done a bit more securing than they've let on, that info is still vulnerable.

Bottom line: IT people are typically the experts in an organization when it comes to data security, and to make a claim that "IT people just don't seem to understand.." the costs of secure practices is spurious. A better rant would be "Number-pushers just don't seem to understand.." that the couple of dollars FaceTime saved in not implementing a more secure data-retention policy is now costing them big bux in PR. Big bux that would have been better spent developing a system that did not result in this PR nightmare.

I remember when we used MS servers that quite regularly a patch would change a whole set of directory and file permissions for no reason whatsoever. I'm not entirely surprised that it's still happening.

But I would have thought that anyone who was serious about security wouldn't even think about serving data from a Windows box when free unix is out there. I mean, why would you try to convert an outside crapper into a secure home when they are giving away whole houses over the road?

While they may be running Microsoft Servers (haven't probed them ... yet), at least they're using Apache for serving web stuff.

OMG!!! THEY'RE USING APACHE v.1.2.42 !!! Way past time to upgrade, boyz.

Good thing they are focused on IM "greynet" anti-virus/anti-malware and not web server security ...

"I mean, why would you try to convert an outside crapper into a secure home when they are giving away whole houses over the road?"

Nice analogy - I see free houses being given away all the time.

Another "security" firm slapped right in the face with the inadequacy of its own procedures. It would be funny if was not sad. Unencrypted files, open access to anyone with a keyboard and a clue - that's not called security by any stretch of imagination, guys.

Oh well, one can hope that, after the scapegoat hunt is over, they'll have at least learned a lesson on security and how not to approach the question.

Isn't this the same outfit that won Secure Computing magazine's 'Readers' Trust' award?

Gotta love the irony :-0