Slashdot Mirror
CA Law Demands Public Disclosure Of Break-Ins
AuntieMisha writes "BusinessWeek has an article about a new California law passed that
requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."
Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.
Wouldn't want those wacky hackers to know that people were on to them and actually investigating the crime! Who makes that decision? Chief Moose?
In honor of this special day, I am offering a special discount - all mods can lick both my balls for the price of one!
Your pal, Neal
Companies will stop paying any attention to security logs, or will at least make sure that nobody ever speaks of anything as a "break in" or a "security problem".... There will only be "network configuration issues".
If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)
Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)
Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.
-- Thou hast strayed far from the path of the Avatar.
What does this law have to do with sticking up for the little guy? If a company that I have a stake in, ESPECIALLY if that stake is a good amount of money, I want to know if they're getting owned. If my investments aren't safe, I have a right to know. Granted, most financial institutions are federally insured, but that won't help me if Bob Hacker over here can make it look like I never invested in the first place. The matter is A LOT more of problem if I'm highly wealthy, in which case I'm SOL on any amount higher than 100k.
All in all, they have an obligation to tell the world, not just for their current customers, but to let potential future customers aware of the situation so that they can make sound, informed financial decisions.
Finally, math books without any of that base 6 crap in them.
How can California insist that anyone make it public when they are hacked? Do they insist it is made public when a company is physically broken into? I doubt it. This will just cause companies to not even call the police in order to save their reputation.
Information asymmetry leads to inefficency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups becasue it is good for consumers.
So you only have to disclose the break in if you don't have the ablity to investigate it and find out how to stop it from happening again?
So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.
Why is it that when people go into politics they suddenly become stupid?
-jon
Computer Associates is writing laws now? And I thought Microsoft had influence with the gov..
oh, right, California...
I don't trust the expedience with which the law was passed, nor do I trust its conveniently broad sweep. No mention was made of any actual damages or improprieties, nor was it made mention why they didn't disclose about the attacks for two weeks after they were aware of them. So, my conclusion is that if I were wanting to pass another security bill, I would fake an attack on myself and then go bawling to the legislators. They've been waiting, bill in hand, for me to take my cue and play my part. Curtain close. Next act, Orwell-capades!
Voodoo Girl is the bomb!
I second the point on smaller businesses not having the cash to maintain bogus investigations just to delay the release of information, but this can be easily fixed by establishing a deadline that cannot be easily stretched (something akin to "even with an investigation running, you must notify your customers within one month").
Special clauses must mention that when sensitive information is compromised (trade secrets, credit card numbers, etc) customers should be notified IMMEDIATELY, barring a judge authorizing a delay of that to protect an investigation for justified, specific reasons - ie no blank checks should be given for non-disclosure.
--- "I didn't think anyone would understand it" -Prof. Bob Muller
It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.
In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation as a bad thing? Get a grip already. This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
?-|||-----x<*))))><
How about for break-ins that the admin didn't know happened? I can't imagine that this law would require reporting of something you don't know about. Any admin could feign ignorance of something to avoid reporting.
Who is going to care if stuff isn't reported? If you don't report something, who is going to sue you? I can see a new type of hacker: "I broke in but you didn't report it, so now you owe me One Million Dollars (bwah hah hah)."
What would the purpose of this law be anyway? For law enforcement to gather data? I didn't read the article or text of the law, so maybe some of my concerns are addressed. I don't see how it would ever work given the Slashdot writeup.
From the article:
California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.
This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.
A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.
Seems like a good law to me.
I would have to say that this COULD be a good thing. It could provide incentive for companies to tighten security. And most importantly, in my mind, I would want to know as soon as possible if an information with my SSN, credit card numbers, etc had been hacked, so that I could keep a closer eye on my accounts and be ready to provide information to law enforcement and the credit agencies should my identity be stolen.
Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.
But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.
So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.
I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.
Excellent. Since companies will now fear losing their reputation, perhaps they will put more thought into the operating systems they choose for keeping customer information.
Up until now many companies don't seem to care that they use insecure MS products to store information since it didn't really matter to them if their customer's privacy was being violated. If this now affects the company's reputation, you bet they will care!
Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.
What I'm listening to now on Pandora...
Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.
According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker refered to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.
In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"
>> The only loophole is if there is an ongoing investigation
I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.
IMHO this is a good law. Businesses have a responsibility to keep confidential information confidential and failing to do so may be considered negligence. Obviously, "negligence" is subjective.
Your point about the law not requireing specific details about the type of breach is well taken.
-73, de n1ywb
www.n1ywb.com
Mom and Pop shops will be hurt by this. Notice this targets small busniess who probably run free software to reduce costs. Large companies can handle this, even find ways around it.
I agree with it to an extent. I have a feeling breakins are far more common than any of us truely know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.
On the upside this law will help the IT industry since it'll create more IT jobs for network/security auiditing etc.
I hate to see goverment medle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.
"Breaking in" is an inherant part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, becuase technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security all together becuase the less they "know" about the break ins on thier own site, the less they have to report?
"Your superior intellect is no match for our puny weapons!"
If this was a law requiring companies to keep break-ins confidential you'd be bitching about that saying that these things should be made public knowledge!
So now the hackers have a new trophy to go for. Their bragging rites will be "How many investigations failed to find you" Seems to offer the same kind of trophy for virus writers in regards to the virus rating schemes that some anti-virus vendor use.
Life moves pretty fast; if you don't stop and look around once in a while, you could miss it. -FB
Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.
However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?
Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.
Of course, if the goverment really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.
I'll investigate any break in or security breach for ten bucks a day. The following terms and conditions may apply:
Minimum length of investigation: 20 years
No more than 1 byte processed per day.
Results cost extra.
How about it? For a little over $3000 a year, you'll never have your reputation damaged by a hacker again.
Playing ignorant with law enforcment and the legal eagles is a dangerous path to take. I wouldn't advise anyone on it. They have much more time to screw with you than you do with them, and they play hardball. Not to mention they have the final word.
A break in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, then someone publicly access it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of todays prima donna admins don't grasp.
---
YourMissionForToday
Sounds like I could have an 'ongoing investigation' for the rest of my life.
<Quote>
Small businesses that don't have the resources to maintain an investigation will have their reputations ruined
</Quote>
I'm sorry, but if the choice is between their reputation and not knowing that some joker out there can steal my hard-earned cash at a moment's notice because he has my credit card information, I think I'd choose wrecking their reputation.
Chivalry is not dead, it's just frequently misspelt. - M. Langley
Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.
Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.
First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.
Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.
The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.
And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.
Your right to not believe: Americans United for Separation of Church and
``This is not good''
And ``see no evil, hear no evil, speak no evil'' is?
Break-ins are a reality. It happens. IMO it's better to be open about it. If I were a customer of a company whose network got cracked, I would rather know that it happened and what measures are being taken to prevent this in the future than to be told nothing and later find out by different means (possibly painful).
Openness could also result in a better understanding of what software/people/practices lead to lower or higher risks of break-in, and improve security accross the board.
I also disagree that this law favors large businesses. Small businesses can carry out investigations just as well, and even investigations carried out by large companies come to an end, after which the break-in has to be disclosed. Bogus investigations aren't harmed by disclosure, so that's not a real option. Wealthy corporations _do_ mess with laws to the detriment of small businesses in Real Life, but I don't see this law making it much worse.
Please correct me if I got my facts wrong.
Yahoo is planning to move their entire company to Grand Forks, North Dakota....Company representatives were unavailable for comment at this time.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
Hmmmm... So if I don't like the company I work for I can just do a little inside hacking job to ruin their reputation and move on. Sounds great.
I wonder how many times Slashdot has been hacked that we don't know about.
10: PRINT "Everything old is new again."
20: GOTO 10
On one hand you have lawmakers calling hackers 'thugs' and 'criminals' because -- and this is generally after months of reporting the problem to, say, Microsoft -- they notify the public that there is a security hole.
NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?
Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.
My
Limekiller
Microsoft.
0 break-ins reported, 7,435 break-ins currently being investigated.
What? Since when did IIS overtake Apache in web server market share?
This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm). Never opened a small business, eh? Let me enlighten you. Most small business (under 50 employees) are sole proprietorships or partnerships started by either a single person or a small group of individuals with limited resources.
These shops use MS Windows and IIS for the following reasons:
1: It is similar to the machine used at home. For someone who has used Win9x or NTx Workstation, Windows Servers are pretty easy to get started with.
2: Most of the services (file sharing, email, web) are free as in beer with Windows.
3: It is prety easy to set up a decent site with Front Page.
Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
Only in Linux Land. Since when did apt become easier than Windows Update?
Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
Wrong again. I have contracted for the Fed and much of their critical stuff not only runs on MS, it is secure as all hell. In fact, the biggest vulnerabilty in the gov't systems I have seen has been the fact that several different platforms and apps are in use - a network admin's nightmare. (e.g. MS Windows of all vintages, SOLARIS, AS/400, OS/390, a dozen different databases, etc.)
Please, not everything in the world that takes place is related to Linux. Give it a rest.
the article doesn't mention ...where a break-in occurs because of a(n) ... issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible...).
So companies/whatever which can't be bpthered to patch their holes get a buy? I don't think so.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
You can't handle the truth!
Every day I stand on my wall watching for intruders and protecting my web servers. Web logs indicate that my servers survive a constant barrage of attacks.
Most attacks fail however every once in a while some lucky script kiddy, or spammer finds a chink in the armour.
Where do you draw the line on what needs to be reported? Last week a spammer found that a poorly configured formmail.pl script on one of my servers and used it to send their spam.
If the law allows judgement calls where a company is only required to report serious breaches then a company would try to have everything classified as trivial.
On the other hand if a company is required to report every possible breach then the company might try to flood the public with a bunch of trivial information like a formmail script that was abused for a few hours, and then try to bury a serious problem inside the noise.
I'm Mr. Average Invester.
I find out that my #1 favorite stock i dumped thousands into on the advice of my dentist has recently fallen victim to a 11 year old IRC junkie.
Do I:
a. invest more money in my company, showing appreciation for the companies candor.
b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noteing the fact that no real damage was done.
c. put a humming bird to shame franticly clicking the refresh button on IE6, neuroticly waiting for the stock to move a tick up or down.
d. scream "SELL SELL SELL" into my cellphone while barely avoiding a headon collision in my SUV.
e. dump all of my money into precious metals and move to an obscure island nation in preperation for the inevitable global ecconomic collapse.
and.... pencils down.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
AppAssure lets you watch your data center 24 x 7,
even when you're not there. More Info
Laws like these will force companies away from overly insecure Microsoft products and force them to actually care about security. With a more concerted effort towards IT security, our personal data will become safer, and alot of high paying security and Linux related jobs should open up. Why would anyone here complain?
Comment removed based on user account deletion
Where do you live that has logical thinking consumers?
mebbe *you* should get with the pr0ngram, bizzitch. It's 'pwn3d!!'
1. Buy Microsoft products
2. Exploit MS security holes
3. Disclose information about the break-in
4. ???
5. Profit!
May I be excused, now?
Any sufficiently well-organized community is indistinguishable from Government.
What this will do is weed out companies that lack the responsibility to maintain safe and secure computers. Responsibility doesn't cost money, any company can afford to keep their servers updated and properly patched. The size of the company does not matter either, if the company is small, chances are they don't have massive server farms that need 20 man teams watching them around the clock. Ideally the amount spent on computer security should be proportional to the annual revenue.
nuff said.
At first this slant slashdot has taken to program the slashbots to think this law is bad seemed odd.
Then i remembered they just moved to the west coast.
Slashdot wouldn't want to have to public post reminders of all the times it got hacked.
The best one was when they didn't even use a vulnerability! The shit was just configured so fucking poorly that they did it without exploiting anything but stupidity!
HAha! Slashdot likes to laugh at other companies that get hit by some kiddie with a 0 second spoilt but when slashdot gets hacked becuase they completed misconfigured the fucking site they just laugh sheepishly and no one hears anything about it ever again unless you had the good fortune to catch the defacement before it was covered up.
The new California computer security/privacy law referred to in the Business Week article is available here: http://info.sen.ca.gov/pub/bill/sen/sb_1351-1400/s b_1386_bill_20020926_chaptered.html
No, because
The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.
Emphasis added.
Lacking <sarcasm> tags,
Well the quickest way to compliance is to purge all social security, credit card and user info (could be a good thing) or maybe put the info on a system with an "air gap" between it and the internet and in a secure room. (not all that useful) The reality is that businesses will ignore it till one of them gets busted with it. They'll watch and see what happens then decide if they want to take steps or live with the consequences. Since the gov't sites are just soooo secure I can see how the gov't is in misery and they want company. Should be interesting to see how fanatical they are about disclosure when they get held to their own law. Maybe they should purge their records. Why exactly do they need that info. Oh Right! Control the public, rather then serve. hmmm... Now why did the OLD social security cards used to have the words "not to be used for identification" printed on them again? hmmm... need social security for job or no money. no money equals ineffective voice. hmmm... present papers at checkpoints. Yup! free country alrighty. Oh well too many deep thoughts. Ignorance is bliss ahhh...
I have thought about owning some stock in several large companies who run MS and then waiting for a break-in. Once it happens, start a law suit about bad management.
Here's the text of the bill
I haven't read all the way through, but one important point right at the top says:
which means that internal "investigations" to conceal security incidents probably won't work.
That doesn't mean there's no bias against the little guy, though... big companies are more likely to be able to get long, involved criminal investigations going. But still, when the investigation is over, the info becomes available.
Like a fox. Jane Legislator has to show the constituents that she's getting things done and preferably things that look good in the newsletter (because there is no significant news coverage of state legislative affairs.) Constituents are worried about their credit cards being stolen over the internet, so what to do? Make it against the law to steal the info? Been done. Make it against the law to enter into the servers? Been done. Make it against the law to not report that you've had a break-in? Bingo!!
So, it sails through committee, the floor, the other house because John and Joe Legislator want to be on record (and show in their newsletters) that they are doing something(tm) about that internet id theft.
After it's on the books, people look at it and realize that it is unclear, misguided, and not enforceable, but that wasn't the ultimate purpose was it? Plus fixing it or adding more practical legislation gives Joe, John, and Jane something to do next year.
So if Ca. Congresscritter Berman's cyber vigilante bill passes, there will be a surefire method of dealing with pesky business competitors: attack their systems on the pretext that they might have some of your copyrighted data. If they report the breakin, they'll get bad publicity. If they don't report it, have your lawyers point out that fact to the appropriate authorites and they get busted for not reporting the breakin, also generating bad publicity for them. On the upside, this looks like a full-employment bill for security types.
It's just as easy for a small business to say, "Yes, we are still investigating this" as it is for a big business to do so--I didn't notice anywhere that concrete proof of an ongoing investigation was necessary. Matter of fact, it may be easier for a small business to argue that their investigation is still ongoing, since they could easily contend that their resources to investigate are limited.
Your 'special clauses' solution also provides a bias for big business, since larger businesses are more likely to be able to afford the attorneys to get the court orders every time they are hacked - whereas mom and pop businesses could easily go out of business just from the legal fees, not to mention that the mom and pop businesses are more likely to abide by the letter of the law instead of playing fast and loose.
Besides, it is much more likely that a big corporation would have a judge in their pocket than a small company.
Denver Isuzu Suzuki
So where's the cut off for how severe an attack is before it has to be reported? Do I have to report that some WaReZ vendors guessed our FTP password (it's really not hard and we give it out to customers all the time) and uploaded some software? Do I have to report when someone vandalizes our site? What about if they break into a database that contains non-vital data? Or data that has been encoded? There are many types of attack that are mere annoyances. Do these need to be reported?
I believe the assumption is that if there is any kind of personal/private information on customers stored there, people should have a right to know that it has been potentially stolen.
If the video store is broken into, and someone steals some tapes, I don't care.
If their database of customers and credit card info, identification, lending habits, etcetera, is stolen, I want to know about it.
Take that, US Gov!
Bye!
What's funny/scary is that someone used your card to buy a wife, opium, or a suitcase nuke..possibly all 3 depending on your limit.
Finally, math books without any of that base 6 crap in them.
Life does not stop and start at your convenience, you miserable piece of shit.
Big corporations will have an internal investigation department and thrus never reveal nothing...
Small corporations will simply classify the event as "computer malfunction" and reinstall all the software and document the event as such...
In the end, California will be the only place in the world where there isn't any break in at all... at least reported publicly...
Cheers...
It's almost never in the public's best interest to hide vulnerabilities from them, even if there's no solution. If one person has exploited one system, there are almost certainly other victims and the numbers will almost certainly continue to grow. Most are probably undetected.
Even if there is no fix out there, it gives people the option to reevaluate the need to run the system, and also consider switching solutions/vendors. The "bad guys" are going to know if you say somethign or not, while telling all of the innocent bystanders lets at least some of them protect themselves.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
After reading the text of SB1386 (the Bill referenced in this article) I think the Slashdot blurb on this was a bit misleading. California isn't demanding "Public Disclosure Of Break-Ins." This makes it sound like whenever there is a break in it must be disclosed. This isn't really the case. Notifications only have to take place when the following criteria is met: "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
As for this "investigation" loophole this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a
law enforcement agency determines that the notification will impede a
criminal investigation." So I'm not sure how big of a "loophole" this is.
As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people who's information was compromised to be notified. Here is the section on notification:
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people who's info got out, which seems reasonable to me.
How often do you read about new laws from Mississippi?
Consider the recent RedHat patch that boiled down to "you should run this patch but we can't tell you why" and the lawsuits where large software giants have threatened lawsuits because possible exploits were released before they the company was notified and allowed to investigate internally. Is it possible that a company may disclose the details of its incident and end up in violation of the DCMA or their EULA's?
> Also, the article doesn't mention the contingency
> where a break-in occurs because of a
> software/hardware issue for which there is no
> released technical solution (i.e. anyone else who
> has software X would be susceptible to the same
> type of break-in). This is not good."
If "software X" (e.g., IIS) is broken quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customer's confidential information.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. Kick susano_otter's arse
2. ???
3 Profit!
Does the company have to be incorporated in CA, have offices there, or just their servers? Also, does the break in have to happen in California, or do they have to report it if the CA companies datacenter in New York gets hacked?
What are we going to do tonight Brain?
It may be too much to ask that people submitting items that reference published articles read the articles first. But, as often seems to happen, the Slashdot "editors" didn't read the article either. This isn't going to improve their job prospects after VA Linux/Software/Burgers/whatever finally tanks..
Now a company can point to a DAMAGE that has LONG been accepted by the courts. I think this is just the 1st step in holding software companies to the same liabilty all other products have.
This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
I say, bullshit. The net is mostly built on public right of way. That makes it mine, yours too unfortunately. The order of slavery is enforced by brute repression. In any case, the net will be worthless without mass participation or it becomes a one way push fest like TV or something. Oh yeah, we own the airwaves too, I keep forgeting that.
Eggplant man, does that mean "eat me"?
Friends don't help friends install M$ junk.
Perhaps, they are afraid of the TRUTH.. If you've been following c-span lately, you'll notice that there is a hidden war going on. This war on terrorism is really a spiritual battle of "arthodox catholic views" and the true Gospel of our lord and savior Jesus Christ, which is against the catholic view of "under the law, under the law, SIN, SIN, SIN!" People should know by now that works of the law are fruitless! For as many as have sinned without law shall also perish without law: and as many as have sinned in the law shall be judged by the law; 13. (For not the hearers of the law are just before God, but the doers of the law shall be justified. What exactely is the law now people, sin unto death or obediance unto righteousness! 10. For with the heart man believeth unto righteousness; and with the mouth confession is made unto salvation. 11. For the scripture saith, Whosoever believeth on him shall not be ashamed. 12. For there is no difference between the Jew and the Greek: for the same Lord over all is rich unto all that call upon him. 13. For whosoever shall call upon the name of the Lord shall be saved. 14. How then shall they call on him in whom they have not believed? and how shall they believe in him of whom they have not heard? and how shall they hear without a preacher? 15. And how shall they preach, except they be sent? as it is written, How beautiful are the feet of them that preach the gospel of peace, and bring glad tidings of good things! 19. Now we know that what things soever the law saith, it saith to them who are under the law: that every mouth may be stopped, and all the world may become guilty before God. 20. Therefore by the deeds of the law there shall no flesh be justified in his sight: for by the law is the knowledge of sin. Governments need to be be very careful on how they are to "isolate and torture" those who don't bow down to their ways of SIN AND DEATH and do just as "johnny should do", these people are nothing more than "salt of the earth", to be cast out, and trodden under the foot of men who are in authoritative positions in governments around the world. So take heed those who believe the TRUE OXYMORON of "separation of church in state", if you dare preach a different gospel than the ones the states and catholic churces endorse(works unto death), you will be cast out and discriminated against way worst than the blacks had during the sixties.
1. Buy Microsoft products
2. Exploit MS security holes
3. Short MSFT
4. Disclose information about the break-in
5. Profit!