Ed Felten: California Must Lead On Cybersecurity
An anonymous reader writes: In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower." What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy.
From Felten's essay: Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing.
Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 U.S. Census estimate.
That's a perfect analogy to this story. Spot on.
I've worked in banking where we were audited by multiple government entities, our private auditors and auditors from our thousands of customers.
Security audits are only worthwhile if the company being audited is actually serious about security in the first place. In over a decade of such audits I don't think the audits ever found anything that we didn't already know.
During this time we acquired multiple other companies, all of whom had passed security audits, and the quality of their security had very little relation to what the audits said. You can have rather poor security and people who are really good at working with the auditors and get really good reviews from the auditors.
They may identify default passwords in Internet-connected devices, but if the password is changed from the default to something trivial it won't detect the problem, without helping much.
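As an added illustration of the two errors the essay excerpt names (default password, reachable from the public Internet) and the blind spot this comment describes (a default changed to something trivial), here is a small Python audit over a device inventory. It is not code from the op-ed or from any commenter; the default-credential list, weak-password list and inventory are constructed sample data, and the documentation addresses stand in for public ones.

```python
"""Toy credential/exposure audit for an inventory of industrial controllers."""
import ipaddress
import re

# Constructed sample of vendor-default credentials an auditor would check against.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed sample of passwords that are "changed" but still trivial.
COMMON_WEAK = {"password", "123456", "admin", "letmein", "qwerty"}

# Only RFC 1918, loopback and link-local count as non-public here, so the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) read as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

_WEAK_PLUS_DIGITS = re.compile(
    r"(" + "|".join(re.escape(w) for w in COMMON_WEAK) + r")\d{1,4}")


def is_default(user, pw):
    """The check a default-only audit performs."""
    return (user, pw) in DEFAULT_CREDS


def is_trivial(pw, user):
    """The cases a default-only audit misses: short, common, or default+digits."""
    low = pw.lower()
    if len(pw) < 8 or low in COMMON_WEAK:
        return True
    if _WEAK_PLUS_DIGITS.fullmatch(low):       # e.g. admin1, password2015
        return True
    return bool(user) and low.startswith(user.lower())


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def audit(devices):
    """Return (device name, [issue tags]) for every device with a finding."""
    findings = []
    for d in devices:
        issues = []
        if is_default(d["user"], d["password"]):
            issues.append("default-credential")
        elif is_trivial(d["password"], d["user"]):
            issues.append("trivial-password")
        if is_public(d["mgmt_ip"]):
            issues.append("public-exposure")
        if issues:
            findings.append((d["name"], issues))
    return findings


# Constructed inventory: one untouched default, one default-plus-digit,
# one strong and private, one common password on a public address.
SAMPLE_DEVICES = [
    {"name": "plc-01", "user": "admin", "password": "admin", "mgmt_ip": "203.0.113.10"},
    {"name": "plc-02", "user": "admin", "password": "admin1", "mgmt_ip": "10.0.5.12"},
    {"name": "rtu-07", "user": "operator", "password": "Kq7!vR2p#xL9", "mgmt_ip": "192.168.30.4"},
    {"name": "hmi-03", "user": "root", "password": "Password1", "mgmt_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_DEVICES):
        print(f"{name}: {', '.join(issues)}")
```

Only plc-01 would be caught by a default-only check; plc-02 and hmi-03 are the cases the comment says such an audit overlooks.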
Why would you say something like that? While I don't have high confidence in any governmental organization to ratify legislation that works well with tech matters, California has led the way for many in the past that are now national standards.
Off the top of my head, there was a time when you could buy a new car without a catalytic converter, and without any emission standard requirements, in every state besides California. The same thing can be said about safety equipment or specifications (bumper heights, crash standards). Currently, all the requirements that had to be met for California are nationally required.
I expect we will see the same adoption nationally for small motorized and two-stroke motors in the future. Also, the Junior College system that CA has had since (at least) 1978 (sans tuition for residents) recently had national mention.
All in all, although many protest and resist change, it seems that California legislators are more intuitive than most and they seem to have led the nation on many other models aside from the aforementioned.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
"Security audits are only worthwhile if the company being audited is actually serious about security in the first place".
I guess what matters is who holds the "purse strings". When I observe a non-compliant issue and report it to my client, most of the time my client calls for a secondary audit. It's rare to see the same issue on the secondary. The audits I've done where I observe the same non-compliance are rarely retained by my clients.
My clients hold the "purse strings" and will accept an "anomaly", "error" or an explainable exception, but they won't deviate from agreed compliance with their clients.
California seems to be reactive in terms of policy.
It will try hundreds of policies; many of them fail or have no impact. But for the few that do work, they will tout how progressive they are.
Still I want to cross the state border with my nice juicy apple.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
NOTHING is going to happen in California. Their budget is a joke. They have a double-digit sales tax rate and the biggest deficit out of every state. They have the stupidest, most intrusive laws that negatively impact every other state. Their politics are almost as corrupt as Illinois's. They don't do a thing about illegal immigrants and they're tipping the economy over and causing a massive crime problem. They also have a drug problem. California is the model of how you don't run a state.
And they're supposed to get tough on cyber security?
So why don't you post the fucking clue?
It little behooves the best of us to comment on the rest of us.
In California and by California are not the same things even though they sound similar.
I'm not supporting the parent's position but please understand that you are not speaking about the same things.
You mean all those industries that off-shored their IT and Security to the cheapest bidder can't secure their systems?
BIG FREAKING SURPRISE.
What they propose is not going to happen simply because of this:
He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts.
Outside auditors doing anything in CA government? We'll see that only when all else is lost, and people are starting to go to prison.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is the intent of "separate but equal" States at its core.
That is definitely an advantage of the federal system, but it was not the purpose. The constitution was written that way to prevent the centralized government from becoming too dictatorial. Indeed, if the constitution had given the national government much more power, not all of the states would have joined.
"First they came for the slanderers and i said nothing."
I'm not sure why I would have to. The article stated the government of California which is the only entity that could be by California. This is the context the OP's comment should be examined in. You stated "in California" which is not the same thing but could encompass the same things.
No, it is clear from the context of the reply and even just the summary that the GP was talking about the government of California.
Ok, you do understand that there is/can be a difference between from or in a geographical area and caused by the leaders of that geographic area right? In other words, I understood your point or purpose but showed how it was not relevant to the situation due to nuances in language. Now if I say go get me some ice cream, and you say why, I would expect any other person wishing to comment to be commenting to your why within regard to my telling you to get me ice cream. It's just how language works. It would be silly for someone to chime in with "Your wrench is the wrong size" as a reply to your "why". In order for their comment to have bearing on the conversation, it would have to apply the presupposition that I told you to get me ice cream in order to be congruent with the conversation. Made "in" is simply not made "by" therefore bringing in the problem.
Really...how about Rhode Island? It's a small enough place, so it should be easier to secure.
Many, many people are moving from California to Texas, often following companies who are either moving their headquarters or like Apple, who is moving their new development to Texas. They come here because this is where the jobs are, and the cost of living is so much lower. The same person might make two to three times as much real income after accounting for cost of living.
They come to Texas because Texas has jobs, Texas has affordable housing, Texas has a road system that works, unlike California gridlock. Yet they bring with them the very same political ideas that have failed so badly in California. If you want to regulate your employer out of business, please STAY in California. You're welcome to come here and join in our success, but you're also welcome to stay there and keep your fail. Please don't bring your fail here.
You are welcome to your state where a lack of laws allows employers to restrict your opportunities to change jobs. Yeah, welcome to your overlords who use the lack of employee protection to push your income down.
Yeah, it was Texas where that happened, not California, right? It was Google and Apple conspiring against employees. Nope, must have been Toyota and Texas Instruments who did that.
The thing is, when the statehouse is deeply involved in business, those three or four businesses who purchase state senators have a huge advantage over all the smaller companies. Those three or four companies collude and the employees are screwed. When the politicians are expected to stay out of the way, you have hundreds of companies hiring just at one job fair in Austin alone. It's not possible for 500 tech companies in Austin to ALL collude.
18 and life you got it....
The cost of living is 28% higher in California:
http://livingwage.mit.edu/stat...
http://livingwage.mit.edu/stat...
The average dollar salary of a programmer is 10% higher:
http://www.indeed.com/salary/q...
http://www.indeed.com/salary/q...
Texas programmers therefore have average effective salaries 18% higher than in California. I AM having good luck.
A state run by a single party beholden to corporate interests and lobbyists and massively dependent on the tech industry. A state that is so incompetently run that it is teetering on the verge of bankruptcy, that its schools have dropped to the bottom, and that can't even solve its traffic gridlock. Cybersecurity legislation in California will do little more than exempt tech companies from any sort of liability and pour out massive amounts in government subsidies to big corporations for cybersecurity initiatives.
Real cybersecurity would require massively increasing the financial liability of corporations for any breach in security that causes their customers to lose money or waste time. For example, when a data breach at Home Depot causes banks to have to reissue credit cards, banks should be financially responsible to their customers for the many hours they have to waste on dealing with new credit card numbers, and Home Depot should be financially responsible to banks for all their resulting costs. If each of these data breaches cost corporations a few billion dollars, you'd be surprised how quickly security shapes up.
Companies are profit maximizers. They aren't making changes because the current system doesn't cost them anything. They are never going to "put their money where their mouth is", and it is stupid to expect them to or even want them to.
The reason it doesn't cost them anything is because they are effectively immune from many forms of lawsuits, thanks to "the government".
Do you think that will last if the price of oil stays down? Serious question, not an argument. I don't know the answer.
In the past the oil industry was a much bigger part of the Texas economy than it is now. It's still a large part, but there is a ton of high-tech stuff all around Texas - Apple is building all of its Mac Pro units in Texas, for example...
They also have a lot of international trade, including a major airport and shipping port too. All of that adds to economic diversity.
Yeah, I was being lazy when I wrote that, and I knew it. Funny that I didn't feel like taking a few seconds to do the arithmetic, given the subject line of my post.
Eyeballing it, Texas programmers' effective salary is actually about 16% higher. I still don't feel like double-checking my math on that, but feel free to.
My honest assessment is as I hinted above - business is coming to Texas FROM the states that are making pot legal, increasing regulations, etc - liberal states. That suggests to me that while smoking pot might be fun, and these liberal policies may have some benefits, they are bad for an economy - bad for jobs. I get it - I used to be a member of NORML. So I understand that point of view - I wrote some of the literature they read. It just hasn't worked well for the jobs and cost of living situation.
Hasn't worked well compared to what? People are far less productive jobwise, when they're rotting in jail for committing a victimless crime like possession of marijuana than if they were casual marijuana users working some job within their abilities. And it costs a lot more to store those people in jail than it does to ignore their activities except in cases where they're doing something negligent, like operating heavy machinery while impaired.
And this War on Drugs (like marijuana), has resulted in the single largest current violation of the US Constitution, civil forfeiture of assets - the ability to seize assets of people without actually convicting anyone of a crime.
I voted for the Colorado marijuana legalization initiative in question because it was the right thing to do. I believe in time, Texas will follow the lead of Colorado.
As to your economic rationalizations, you can't study a problem like this by only considering one cost. Putting people in jail is a cost as well. So is creating a police state or spurring real shooting wars like the current cartel fighting in Mexico.
Impinging on other peoples' freedoms, even if you are of the opinion that the intervention is for their own good, has costs as well. My view is that we live in a free society. As a result, we have to expect and accept that people will on occasion act in ways that we don't like and perhaps even contrary to their own well-being.
> As a result, we have to expect and accept that people will on occasion act in ways that we don't like and perhaps even contrary to their own well-being.
Perhaps that's applicable. There are enough gray areas to that question that we could go on for hundreds of pages discussing it. We'd never all agree, because it's a philosophical question, not a factual question. It's rather a different topic, though. What we're discussing here is jobs and the economy in Texas. In other words, as I said in the post you replied to:
> while smoking pot might be fun, and these liberal policies may have some benefits, they are bad for an economy - bad for jobs
Similarly, maybe you think that "regulating" your employer to bankruptcy is more "fair". You and your boss can be homeless together. Okay, fine it fits your definition of "fair". I won't argue that. You are welcome to your philosophy*. It probably has some good points. Putting the employers out of business is clearly bad for jobs and bad for the economy - that's a provable statement of fact.
* You are very welcome to enjoy and IMPLEMENT that philosophy in a place where your neighbors agree with it. I request that you please do not run away from its effects and bring it here. If you don't like the effects of your policies in California, change them, or come to Texas and become a Texan.
> Perhaps that's applicable.
It is applicable. There's no "perhaps" to it. In a mostly free world people will act in ways that we won't approve of.
> What we're discussing here is jobs and the economy in Texas.
And I get you think that legalized marijuana smoking is somehow worse economically than the current state of affairs with its destruction of people and the rule of law.
> Similarly, maybe you think that "regulating" your employer to bankruptcy is more "fair".
OR MAYBE YOU DO. You're the one glossing over the destruction of a person's life just because they smoke or possess weed. Putting people out of business merely because they smoke something you don't approve of is pretty damned similar to the straw man you accuse me of above.
How is it more "liberal" to regulate a business to death rather than a person? Instead, I believe both are equally illiberal.
> I request that you please do not run away from it's effects and bring it here. If you don't like the effects of your policies in California, change them, or come to Texas and become a Texan.
I in turn ask that instead of glibly saying that we'll never agree due to some mysterious quirk of philosophy or geography, look at the actual harm caused by the War on Drugs and then repudiate it. This is not a California thing. This is a moral thing.
As I noted earlier, the civil forfeiture of assets is the most unconstitutional thing the US and state governments do. There's also the militarization of law enforcement and the hijinks of unaccountable law enforcement, such as the Fast and Furious case where the ATF (Bureau of Alcohol, Tobacco, and Firearms) ran some alleged stings that had the sole outcome of providing considerable material support for the Sinaloa Cartel to kill people (and perhaps do other things like money laundering) in a nasty and bloody war across the border in Mexico.
> You're the one glossing over the destruction of a person's life just because they smoke or possess weed.
The morality of drug laws is not the topic of discussion in this thread. As I keep telling you:
> What we're discussing here is jobs and the economy in Texas.
> And I get you think that legalized marijuana smoking is somehow worse economically than the current state of affairs with its destruction of people and the rule of law.
There's no "think" about it; the fact is that the economy in Colorado, California, and other liberal states has been getting worse and worse compared to Texas, which is thriving relative to those states. It's simple arithmetic. The unemployment numbers aren't somebody's opinion.
I'm sure someone would like to discuss drug policy with you in some other thread. I'd discuss it with someone else, someone who is still able to acknowledge that there is such a thing as arithmetic. Maybe when you're a little less high.
> The constitution was written that way to prevent the centralized government from becoming too dictatorial.
And how's that working out lately? And by "lately" I mean the last 9 decades, more or less.
As one wag put it, it took about a century and a half to get a Supreme Court that would rule that a man raising grain on his own land to feed his own family and livestock was engaged in "interstate commerce" as he did so.
Silly me, I thought that for an act to be commerce between states, it had to be: (1) commerce, and (2) between states. What he did was neither.
Now to await the first person to provide the Court's BS sophistry that explains why I'm the silly one in all of this. (If you do, I'll have a follow-up question for you.)
There's no time like the present. Well, the past used to be.
What difference does it make? If it's not commerce, the federal government can create a tax that will confiscate all the man's grain. Problem solved.
If a majority of the people want a larger federal government over a long-enough period of time, no constitution ever written will prevent it.
I'm interested in your follow-up question, though.
If you can find any of it, I think you might enjoy reading a guy from Colorado named Ray Morris. He was a big pot guy in Colorado , active with NORML in the early nineties.
It has become obvious that you're currently unable to grasp the concept that there can be a conversation about something other than weed ( too stoned?), so if you're in Colorado, please stay there. All we have down here is Mexican dirt weed anyway. You wouldn't like it.
Sorry, you didn't give the Supreme Court's BS rationale. No follow-up for you.
Just kidding. Here it is.
So, is there any action a person can take in the United States that is *not* "interstate commerce"? Walking near a school while carrying a firearm, perhaps? Operating a business which transacts with retail customers in its own state, but uses supplies that were manufactured in another state?
Once Justice Roberts said that if you call it a tax with an exemption clause for doing what the government wants you to, not a fine for disobeying the government (even if it was not called a tax in the actual legislation), it's OK. Peachy keen. No problemo. Problem solved. (To coin a phrase.)
Now anything can be prohibited or mandated by the federal government, punishable by a fine (that is called a "tax" when the wind is from the right direction at the proper time of day), apparently.
I'm not sure when the Constitution was dealt its death-blow, but it's definitely not getting up and walking away from that.
It could pull a Lazarus if the majority of the voters knew what was in the Constitution and wanted constitutional government. Or even a large bloc of voters that would be the swing voters in enough states, and enough congressional districts.
I'm not holding my breath.
> So, is there any action a person can take in the United States that is *not* "interstate commerce"? Walking near a school while carrying a firearm, perhaps? Operating a business which transacts with retail customers in its own state, but uses supplies that were manufactured in another state?
Of course. Donating money to politicians.
Lol... I explained why I wouldn't have to. I see you are ignoring content in order to focus on red herrings, so I guess this conversation is over.
But here is a recap in case big paragraphs scare you. The context was obvious; no explanation needed, as the article was talking of the government of California and the GP was talking of the article. Therefore the attempt to associate anything that ever happened in California is misplaced and out of context.