by savramescu 5009 days ago
The sad part is that BoA may want to file a suit, because that's the trend. In these types of cases I haven't seen a bank take responsibility.

A suit against who?
Good question. BoA has been designing their system internally since 1997 at least.

The newest version ate up $12MM and is very cool! One of the things I like is that when you create an internal ticket that something is broken, IT Dept has access to all your computer activity; no more screenshots, error descriptions, etc., everything is recorded on the fly. They can rewind your PC activity 10 minutes (or whatever) prior and see exactly all the steps you took for the error to occur. Very time-saving troubleshooting approach.

Edit: OK, I meant they can rewind and play your interaction with the intranet systems per se, not the computer alone. But they are locked down pretty much anyways.

That sounds incredible!
That sounds like a horrible place to work in... I'd feel uncomfortable doing anything other than work, and any coder here can tell you that you need to do SOMETHING other than work every now and then or you burn out very quickly in the day.
I don't think that they are talking about recording what developer workstations are doing. They are talking about recording customer sessions in a replay-able format, so that they can see how the customer caused an error condition.
Well, it's some sort of an Internet Explorer plugin that records the IE session, all the clicks, even mouse movement. Within BoA you can use Chrome browsers for your personal browsing, but as you can imagine, most of the websites are cut off. But Google works! :)
The person reporting the error, of course.
That doesn't seem likely. This person didn't reveal any personally identifiable information to the public. Have there been other (IMO, frivolous) lawsuits going after people who have identified holes in banking software?
In that particular case, the person was a security expert who spent time hacking (by way of URL) their system to expose information. And they threatened legal action but never went through with it (as they had no case).

In this particular case with Bank of America, a user did nothing out of the ordinary to expose information and reported it proper.

Just my 2 cents.

If I had 5 cents for every time I've read an article on someone going after the person reporting the hole in their software...I'd probably have at least enough to go get a soda from the company vending machine.

The sad state of affairs is that a lot of companies are more interested in security via cheap obscurity, and will gladly go after the person who dared to publicize their security holes.

The difference here is that, unlike URL-hacking or some such, they would have a hard time arguing that a user using their product exactly as intended was doing something against the law.