Ashley Madison Hack Claims First Victims
wired_parrot writes: Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach. This follows pleas from other users of the site for the hackers to not release the data before it was exposed: an anonymous gay Reddit user from Saudi Arabia, where homosexuality is illegal, pleaded for the data to be kept private: "I am about to be killed, tortured, or exiled," he wrote. "And I did nothing." And when The Intercept published a piece condemning the puritanical glee over the data dump, one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there.
Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
This should create the head of steam required to get some legislation passed to make companies and specific executives SUFFER if they screw up their data security. Ultimately that means if an executive is advised that a system is insecure, fails to act and it gets hacked, the executive needs to be personally liable, with a small taste of prison. It happening once is all that is required....
That's an oddly specific reward. They really couldn't spring for $400,000?
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Want for us all.
FIRST
"I am about to be killed, tortured, or exiled," he wrote. "And I did nothing."
No, what you did was expose yourself using social media to an authoritarian, abusive government. Realize that or do not.
When you define any extramarital intimacy as "cheating", you've already cut off the debate paths that the victims from the summary illustrate. Not, mind you, that AM's marketing did much to discourage that definition.
But, hey, enjoy your puritanical two-minute hate, and don't worry about collateral damage.
(Posting as AC, even though I've never gone near the site, because I'm stuck with this country's puritanical environment and the consequences it imposes for even talking about ethical decisions that don't fit the standard mold. And, yeah, I guess I'm a bit of a coward.)
Yep. Been there. Thankfully signed up for a free account under a pseudonym with a throw-away hotmail address. Never gave them any credit card info nor other identifying info. Never did anything but browse. Whew...
That's too bad and I feel sorry for these people but for fuck's sake, why the hell did you think using a site like this would EVER be safe? You want to meet up and hook up with other people and your spouse is okay with it? Fine. You want to be poly and love whomever you like? Fine. You want to be in an open relationship? Fine. But if you want that shit kept private, DO THAT SHIT OFFLINE.
OK, so in Saudi Arabia homosexuality is illegal and may be punished with death, but there are negative things about the country too.
Perhaps if you live in such a country you shouldn't go on a computer network and post information that would lead back to you and get you killed. Sounds like some people earned themselves Darwin Awards.
OK, just kidding, I know we should be more compassionate towards the homosexuals until there is a cure for their sickness,
I'm an American. I love this country and the freedoms that we used to have.
While I believe that there might be some people who had no "morally" dubious intents, I fail to see why anyone with a traditional moral compass would sign up for this website.
Even if you are not married and simply looking for a one nighter, you are still signing up to a site where married people are looking for an affair. It is right on their main landing page: "Life is too short, Have an affair". While it sucks for them, I find it difficult to feel pity for them when signing up to a website whose main intent is to make it easy for people to cheat.
The other people could have simply signed up for a different website where the main intent is not cheating. It seems there would be plenty, and none of them are getting hacked.
I love how now they're willing to spend $380K as a reward after the fact. They should have spent that money on their security in the first place.
The added schadenfreude of it being a website for people interested in cheating on established relationships is just a sideshow.
Sony
OPM
Anthem
Target
Home Depot
The list goes on and on. These people collect all this information into central repositories that are neon targets of opportunity for criminals. Still think digitizing your records is a good idea?
These people had already checked out of life, and the suicide was just a follow through.
... but they got treated exactly the way they treated others. Secretly broken commitments ...
I do feel bad for them
Pretty sure laws don't stop hackers. I also doubt these laws would ever become reality.
" one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there."
At the end of the day these people signed up for a site whose primary market is marital infidelity. I feel a bit sorry for the woman referenced above, but I also have to wonder if the partners of the people she's "engaged with" on AM were as accepting as her husband was. I kind of doubt it.
There are a lot of other sites out there that don't specifically target cheating that she could have used instead. By choosing to have her hookups through that site she was pretty much guaranteeing that she was actively screwing around with someone else's relationship.
Agreed.
People say there's no privacy on the web and, in my opinion, that's largely because there's no accountability for the private data hoarders who keep the data for future use (ex. marketing and more) and to increase their company valuation.
If we consider that getting hacked is a real possibility even when security is tight, and in the case of A.M. it looks like there was no security to speak of, then the solution is to legislate data retention to include civil and criminal remedies. For this company, it's a slam dunk case. They kept data despite charging people to delete it.
100% of the world's pain and misery come from these people who find glee in forcing their beliefs on others.
Do not look at laser with remaining good eye.
It would be hard to collect the reward when they're bankrupt.
I agree. If any, the guilty here is AM's poor security and data management.
And it's nothing new, people cheat, we are good at it. I think it's a little over the top to "make a new life because... Oh the shame".
Rest assured that the new legislation will make hacking a crime worthy of being hung, drawn and quartered while at the same time not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
People paid him to have their personal info deleted. He took their money but did not delete anything. Put him in prison for fraud.
Apparently there's some indication that AM was an inside job (too lazy to dig out, link to the articles; just google it). If so, any such legislation would likely not be applicable in this case.
But that figure is unconfirmed.
"Can you give any details about those suicides? What countries they occurred in?"
Nope.
"OK. That sounds entirely speculative, but we'll report it in such a way as it might probably be definitely true."
The hackers won't get away with this!
SNAFU...
“He’s not deformed, he’s just drunk!”
Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach.
so, basically corollary conjecture pertaining to sets of potential outcomes of a data breach.
Don't get me wrong, as a homosexual I'm not at all condoning the death of a person for their sexuality. I think puritanical elation is at best inappropriate as a response to the incident. But frankly Ashley Madison's catchphrase was 'life's short, have an affair.' As a Saudi national, someone is unfortunately about to find out exactly how short that life can really be. Standard issue infidelity aside there are numerous gay dating sites you could have chosen. Numerous potential outlets for gay, straight, questioning, bisexual, whatever your heart desires. But selecting Ashley Madison shows a puerile approach to interpersonal relationship as well as sexual orientation in general. Homosexuality is not the same as a casual extramarital affair.
Good people go to bed earlier.
It sounds like the Saudis know how to deal with ass-bandit faggots. Suddenly I'm feeling much more multi-cultural! They always did tell me I should be multi-cultural, that places like Saudi Arabia are just "different" and I should never judge them. What a conundrum for the SJWs! - their love of gays vs. their love of brown people with non-Christian religion!
As much as I'd like to drag all the cheap-ass executives who shortchange IT security and reliability with an eye on promotion and their own bonuses into the street and have them tarred and feathered, I can only imagine that such a regulation would have loopholes a mile wide.
What makes a system insecure? The system integration/networking? The software, especially third party software with its disclaimers about "no liability for implied merchantability and fitness for a particular purpose"?
Who judges a system as secure/insecure? If I get a third party to sign off on it, are the execs then immune? How long does a system retain its status as officially secure? Can you patch it with new patches, which theoretically could introduce their own flaws?
How about unknown zero-days? You could judge a system as secure and then a new zero-day appears in some critical security juncture that renders it insecure. Worse yet, what about unknown exploits used for which there are no patches?
To me it smells like Sarbanes-Oxley all over again.
And as long as we have people in power who don't know the first thing about computers and think that laws can solve problems this won't change.
This should create the head of steam required to get some legislation passed to make companies and specific executives SUFFER if they screw up their data security. Ultimately that means if an executive is advised that a system is insecure, fails to act and it gets hacked, the executive needs to be personally liable, with a small taste of prison. It happening once is all that is required....
Let's do that for homeowners too. If you are told that your door is unlocked, but you still don't lock it, and some robber comes and steals your stuff, the homeowner should be thrown in jail. And the burglar should be given a medal for exposing the lack of security in the house.
Sadly, somebody will think this is serious and not just an analogy.
If you are not allowed to question your government then the government has answered your question.
When he was CEO of SUN, Scott was once quoted as saying "You already have no privacy. Get over it."
If telephones are outlawed, then only outlaws will have telephones.
And, of course, don't forget carving out huge exemptions for copyright holders aggressively being assholes^Wdiligent ... there will be one of those.
And one for law enforcement, because hacking is OK if you're law enforcement.
And to protect the children. You can do anything if you're protecting children.
And national security, even if it is unrelated to national security. You know, that way the Stingray devices are still OK.
By the time all of those exemptions get made, it will boil down to "it shall be illegal for any private citizen to exploit the security holes we have ensured are in place", and will be utterly meaningless.
But, nosirree, we can't risk impacting quarterly profits and executive bonuses by ensuring corporations have legal responsibility to safeguard data. That would be like Communism.
Lost at C:>. Found at C.
Legislation is useless because no one bothers to prosecute these crimes unless it's easy. Oh, and we don't need legislation because we already have it, which is why I can say with authority it's useless...
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
Actually I thought homosexuals are automatic winners not because of their sexual orientation but because being one automatically removes oneself from the gene pool.
Forgive me for being the odd duck out here, but what ever happened to "Personal Responsibility"? I, too, think it's wrong for the hackers to release that information. It sounds like a despicable act of misguided morality to me, but that's irrelevant.
These people took their own lives, the external stressors don't really matter; they CHOSE to commit suicide. Maybe if signing up and using that site was such an emotional risk for them, they shouldn't have done it?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
And when The Intercept published a piece condemning the puritanical glee over the data dump...
It's not puritanical to value honesty. I have plenty of polyamorous friends who have multiple partners, but even in that scenario it is still important to be honest with the people you are intimate with.
Yes it's bad that a few "innocent" people are being caught up in this, but the site is *for* being dishonest with your partner(s).
Doesn't seem to be a campaign issue that will make a difference. Such are the foibles of majority rule.
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light.
I totally agree, data security is a big deal - but I think "gross negligence" probably covers the fact that someone did not put proper security in place. Beyond that, it's an arms race. You can't hold someone responsible for being hacked, unless they've demonstrated that they didn't even try to avoid it. Reasonable preventative measures.
The same reason you can't claim insurance when you don't have any locks on your house. But if they really want to, that moat and electric fence won't stop someone from breaking into your house.
Also, if someone lets you know a brick can go through your window, better replace it with bullet proof glass.
Though I think companies holding massive amounts of data should be held to a higher standard than people protecting their own stuff, I do agree with your general point.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Didn't take long before the panicky, nanny-state types came running with the "we have to make a law about this, NOW! No time to think, just write something, DO SOMETHING!!"
I don't suppose you realize that this is how so many bad laws have made their way onto the books.
Any casual searching on Slashdot will show that there are plenty of Slashdotters who believe just that. If you leave your front door unlocked, they are perfectly fine with someone wandering in and taking your stuff. In fact many say they would.
If I leave my door open, and my stuff gets stolen, I am the one who has been punished.
If some asshole corporation fails at security, and my stuff gets stolen, I am still the one who has been punished.
See, the stuff being stolen here ... It's not the property of the corporation, and they're not the ones who suffer when it is stolen. They've deemed themselves trustworthy to hold onto your data, and failed to safeguard it.
Oh, sure, they might get a little bad PR, and the stock might slip a little. But that asshole executive who decided security was too costly? It's not his data being stolen, and it's not him who has to deal with it.
So he, being an asshole executive, says "wow, we're not really sorry but if we say it will you shut up and go away?"
This is more like I've got stuff in my safe deposit box, and the bank gets robbed, and the bank say "wow, that's totally not our fault".
Your analogy sucks.
Corporations failing to protect the private and sensitive information they have been entrusted with are not the fucking victims, and they don't get to play the victim card.
Was that a dig at Hillary?
Yeah I could row in behind this. We need governments in particular but also corporations to enshrine peoples' right to privacy in hard legislation. The net is turning into a sick dystopian version of its original golden promise.
What makes a system insecure?
the fact that it's been broken into
Who judges a system as secure/insecure?
maybe it could be the people whose credit card info has been stolen
How about unknown zero-days?
Why not make it really simple? If your system gets broken into, it's your fault. This same logic is very successful in many other such situations. The threat of punishment is enough all by itself to keep bad actors in line. You don't need to construct more government apparatus to oversee them.
If you are told that your door is unlocked, but you still don't lock it, and some robber comes and steals someone else's stuff you held for him, you would likely lose a civil case.
Yes because when a truck smashes down your door to break into your house it's your fault for not making your house stronger
I have put some things online that could be embarrassing. Nothing really earthshattering, nothing I could lose a job over. Back when the "anonymous" nature of the web first started, I was always wary. Maybe not as smart as I should have been, but smart enough. Accounts, posts, passwords, etc. These things are all ephemeral and all can be compromised. I always understood that.
The real question here is why people continue to think of the internet, "the web", and the myriad of online services as secure. I'm not apologizing for what those who have compromised these accounts have done, but really, at this point everyone should know nothing that is done online is secure. There have been too many compromises.
Who has inspired this trust?
Why do millions continue to put faith in something that proves over and over again to be untrustworthy?
That is the real question.
We play the game with the bravery of being out of range
If you are told that your door is unlocked, but you still don't lock it, and some robber comes and steals your stuff, the homeowner should be thrown in jail.
what's the point? losing your stuff should be motivation to lock your doors
Wrong analogy dillweed. To use your homeowner analogy, the company that supplied the lock on the homeowner's door was told that there was a master key out there in criminal hands for their locks and they did nothing about it. So despite homeowners locking their door criminals were still able to break and enter. The homeowner is the victim, the criminal is the criminal and the lock company is responsible for the homeowner's loss.
Current Ad Campaign:
"Is he cheating on you?"
Enter his email address. Find Pics and Profiles from over 70+ social networks
Let's do that for homeowners too. If you are told that your door is unlocked, but you still don't lock it, and some robber comes and steals your stuff, the homeowner should be thrown in jail.
Not really the same. But I would argue the insurance company might have a leg to stand on in a fraud case if they had some extra data to prove you enticed the burglar to enter.
A better scenario, is if you rent out rooms in your apartment complex, and you are told that the door locks you installed on the rooms are defective and allow anyone with a toothpick and dreams of glory to enter, and you choose not to fix it, and then people are robbed/raped/murdered in their sleep you probably share some of the blame. You may not have at all intended for those things to happen, but you made it possible and failed to fix your property which was designed for the purpose of keeping unwanted people out, and your tenants weren't free to replace those locks on their own.
How stupid do you have to be to misunderstand the parent post so badly? Adequate data security stops all but the most skilled hackers. Laws are already in place to force corporations to act better than they otherwise would in other areas and there is a good case to be made that that should be the case with data security as well. When you're responsible for other people's personal details, you have to act responsibly and have proper data security. Just like airlines must follow safety regulations and are penalized if they don't, corporate executives should be held responsible if data security is neglected. The main question is how to formulate it into a law and the parent proposed a solution which I don't fully agree with but I do agree with the idea. We've seen it happen over and over and over again - corporations need to be held in a short leash through laws because their ultimate incentive is always shareholder wealth. A bad reputation is nothing that a good PR campaign won't fix cheaper than preventing the problem in the first place.
Look, if you cheat on your wife, that's NOT OUR BUSINESS.
You don't get the right to vilify and laugh and insult someone because they betrayed someone else.
Worst of all, I have never seen a case where someone cheated on a virtuous spouse. Every single case of cheating I have ever heard of or seen among my friends was one shallow shmuck marrying a clear and obvious player and then getting upset that the player played.
My sister married her law professor - after he divorced his 2nd wife (yes, she slept with him before he was divorced). Surprise surprise, he cheated on her also. What happened to her is pretty much exactly like what happens most of the time.
You are a fool. Anyone can be hacked. You think you are special, and all your users are security geniuses? The only thing stopping companies from being hacked is lack of effort from the hackers. Any company, any networked computer, can be hacked.
"Life is short, have an affair." HAHAHAHAHAHAHAHAHA!
not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you? Should we lighten up the sentences for "breaking and entering" or even burglary?
Personally I think with certain exceptions like public Utilities etc that already enjoy a special relationship with government and a captive market, that companies ought to be allowed to have whatever security posture they like. They should simply have to be honest about it with consumers. Government ought to do one of the few things it's Constitutionally supposed to do and set some standards of measure.
Develop some NIST definitions for overall information security postures. If companies then want to claim they have a 'Double plus good can't hack me bro' rating there is a way to prove that. Then if one of these breaches happens and it's done in a way that should not have been possible while in compliance like 'plain text data on laptop found on bus' we would all be able to go after them for contract fraud or false advertising etc.
Additionally we should have some disclosure laws, just like food labels there need to be some standardized categories and forms companies that maintain any information that is personally identifiable other than firstname, lastname, current address, billing address, and primary phone number, should be required to disclose that on a standardized and both electronically readable and human readable format. Maybe a nice TML or INI like file.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
The most depressing piece about this article is the exchange rate. Makes it expensive to vacation and buy stuff down in the US.
I agree. If any, the guilty here is AM's poor security and data management. And it's nothing new, people cheat, we are good at it. I think it's a little over the top to "make a new life because... Oh the shame".
"If anyone"? That's overboard. I agree that to a degree, AM is complicit due to their poor security and negligence with their clients' data, yes, but still the truly guilty party here, quite simply, is the one who actually committed the crime and stole data they were not entitled to. I'm a fool if I leave my house or car unlocked at night; nevertheless, if someone breaks in and steals stuff, they have committed a crime, not me; I was naive, negligent, careless, but I didn't steal anything. Granted, I'd feel more culpable if I had several friends' gear in my house or car that got stolen, as that's less excuse to be so careless, and some responsibility must be shouldered in that case, but still, I am not directly responsible for the behavior of a thief, he is. The thief must still be found and held accountable. That is not debatable.
Why isn't the criminal responsible for the homeowner's loss?
Considering that Ashley Madison as a whole is illegal in most jurisdictions I would be really surprised if those laws had no effect.
In NC, USA, the Ashley Madison website is in direct violation of several marriage statutes, namely around willful alienation of affection, which is punishable with jail time.
Affairs are probably illegal in most states in the U.S. If not all. Facilitating criminal conduct intentionally IS a crime in every state in the U.S.
You really don't want that. Want to know what pissed off lawmakers will do? They, almost certainly, won't do anything to help actual security. Here is what they would pass:
1: Mandatory DRM stacks for all devices connecting to the Internet, so files or messages that match a certain signature get auto-redacted and deleted.
2: Mandatory key escrow, perhaps under the guise of secure authentication.
3: Mandatory registration before Internet access is given... think captive portals.
4: More DRM where you have to prove you have the right to play/read music/movies/books, and if a MP3 file isn't "authorized", it gets auto-deleted and the authorities notified.
5: Real time tattling, similar to what the pirate sites mentioned feel about Windows 10. If the tattling stops, then that is considered a criminal offense ("tampering with proper divulging of telemetry data").
6: More IP laws, similar to the one in the TPP making dressing up as Stuporman a felony.
Will any of this stop real hackers? Nope. Will it make the private prison corporations happy, as well as the *AAs? Ya bet.
Because he likely is unable to actually compensate for the loss. Most criminals breaking and entering houses are poor. That's why they are B&Eing houses.
So replace the home with a Bank then.
Does it make any sense at all to put the owner of a bank in prison because their bank got robbed, and the robbers managed to blast open the vault and made off with the contents of a bunch of safe deposit boxes?
The goal wouldn't be to stop every attack. The goal would be to require a minimal standard of security that would stop or hinder all but the most determined. If that standard isn't met (as POTUS, Senate, or the NSA want with backdoors -- likely the reason such a law wouldn't go forward) the company is held liable with more than a slap on the wrist and free credit monitoring.
I also doubt a law would ever become reality, but every article that has an organization complaining about how difficult it is to deal with fully encrypted phones, drives up the sale of those phones. If a company that deals with security tapped into that market, the end result would be the same.
The thing that's stupid about your analogy is that houses usually only hold the homeowner's stuff. The real analogy should be about the owner of a bank failing to properly secure it.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
If you're honestly conflating the statement, which I interpreted as "security was inadequate, they should have upgraded it before the issue got worse" with some idea that they can't be hacked because they were throwing money at it, without proof that is actually what is being implied, congratulations, you're an idiot.
If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
If that's the case, then it just begs the question as to why one person had so much access to data. Apart from top level executives, there's just no reason for one person to have so much access to data. Especially to those "deleted" records. They could easily have segmented them by week so that at no point would one person have more than a week's worth of records available to them.
Also, there's the question of getting the data out. The machines shouldn't have been connected to the internet and there should have been no way that a non-IT employee could stick a USB or other disk in there to pull data out.
It's virtually impossible to completely prevent leaks, but the scale of this points to negligence. After Snowden, it's not even a theoretical problem, it's a problem that any halfway competent CTO ought to know about and deal with.
British, Israeli and American pilots are currently flying under Saudi colours, and participating in day and night bombing raids against the entire civilian infrastructure of non-Islamic State controlled areas of Yemen. As a direct result, Islamic State is gradually taking over Yemen, just as it is doing in Syria and Libya and Iraq.
Yet Dice LIONISES Israel and Saudi Arabia whenever possible, and stoops to the most depraved tactics to suggest life is wonderful under the rule of the House of Saud. Saudi Arabia is a rock solid ally of Obama, and Obama never stops singing its praises. Yet it is OFFICIAL GOVERNMENT POLICY in Saudi Arabia that all homosexuals are subject to unthinkable TORTURE (years in prison with a brutal flogging EVERY WEEK), and that all females in Saudi have the status of SLAVES and CHILDREN.
Islamic State is the irregular terrorist FRONT of the Saudi rulers. Its weapons and training come from Israel, Britain, France and the USA. The finance comes from the Sunni/Wahhabi Arab States. Wherever IS takes control, judges trained by the Saudi government are installed.
To be a Saudi citizen and yet live a PROVABLE life that contradicts Wahhabi teachings is a road to ruin UNLESS a member of one of the ruling clans. ALL your SJWs are allies of politicians who in turn defend Saudi Arabia in every possible way. THINK ON THAT FACT.
But this isn't a bank vault. This was someone hiding the cash in a box under the bushes and claiming it was safe.
My credit card number was stolen a few months ago and was used at Ashley Madison.
I looked through the data dump and found my name and partial home address in the credit card transactions.
I now have the name and email address of the guy that used my card.
He also used a few other stolen cards from other people at Ashley Madison.
Keep this in mind if you find someone you know in the data dump. They could be a cc fraud victim like me.
if the data hackers grabbed ak 47s and stormed the colocation facility and ripped out hard drives, then your analogy works. the company is innocent and the hackers deserve full condemnation
but obviously that's not an analogy to what happened with ashley madison or other infamous corporate hacks
more like the bank president installed a keypad on the bank vault by a well known manufacturer whose name is written on the keypad and is known to have default passwords on their products. he never changed the default password. or he wrote the password on a post it note above the keypad
the hackers simply punched in the obvious password, walked in and walked out. the hackers aren't innocent, no one is suggesting that. but obviously the bank president is hardly innocent either. his negligence is disgusting
now you have a valid analogy to what we are talking about here, and absolutely the bank president needs to be punished
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This should create the head of steam required to get some legislation passed to make companies and specific executives SUFFER if they screw up their data security.
Why don't we just instead make cheating on your marriage partner punishable by death.
Clearly that will prevent any data leaks like this one from occurring in the future *sarcasm*
That's why it's usually a matter of due diligence. Keep the systems patched, maintain an airgap between sensitive systems and the internet and so forth and there's unlikely to be anything to prosecute.
Nobody is going to be prosecuted for a 0 day vulnerability, but they are going to be prosecuted for failing to keep the systems properly secured. We don't need perfect security, we just need security that's good enough that it's too expensive to bother breaking into.
My question: Where would laws be aimed at?
I fear that we would get laws like the CFAA aimed at stringing up intruders in the US, but because most attempts are coming from overseas where the local governments either ignore or actively encourage security breaches, it would not help anything. However, with the cosplan ban that the TPP [2] gives, we likely will see effort along these lines just as scare tactics and security theater.
If we get laws at businesses, it may not help either. Sarbanes Oxley and HIPAA were to address security, and the last time I've heard of someone going to jail under those was someone who caught too many fish and was prosecuted under SOX because he tossed his stash of dead grouper.
If a law stipulates "reasonable measures", a lot of companies would do nothing at all, throw their hands up and say that the bad guys can get through anything, and point to Target and Sony as being heavyweights, but yet nailed [1].
If a law stipulates exact OS methods taken, the OS controls in Windows NT are significantly different from the ones available in Windows Server 2016.
[1]: Even though basic network segmentation would have stopped Target's attack, and locking/warning IT about brute force AD password guesses would have helped mitigate Sony... and an IDS/IPS would have stopped both.
[2]: Here in the US, treaties come before laws. Even Marbury vs. Madison doesn't allow judicial reviews on treaties.
If I leave my door open, and my stuff gets stolen, I am the one who has been punished.
Well, you got burglarized, but that doesn't automatically mean the burglars get away with it. Insurance will still pay, the police will still make arrests, and if you're lucky, you might even recover your stolen items. So, you're not really being punished.
Your claim that it is 'puritan' to challenge promise breakers is pure labelling to avoid the issue. Whilst politicians are accepted to lie, there's no reason for the rest of the community to descend to such a level. If a couple makes promises to each other in marriage, it is reasonable to expect them to live by those promises. It is reasonable for society - attempting to encourage couples to stay together so that children get to benefit from a stable background in which to grow up - to challenge behaviour that damages children, and therefore society.
People in power don't need to be knowledgeable about computers to pass decent laws. They need to have a good base to draw knowledge from. They don't have such a good base, but could.
Nobody in public office can be an expert at everything, and the best of the best admit where they lack knowledge and bring good people on board to advise them. Claiming equilibrium is impossible unless an office holder knows the answer is quite frankly irrational.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Because he likely is unable to actually compensate for the loss. Most criminals breaking and entering houses are poor. That's why they are B&Eing houses.
Yes, that would be why they always go straight for the refrigerator and the pantry.
If you are not allowed to question your government then the government has answered your question.
So despite homeowners locking their door criminals were still able to break and enter. The homeowner is the victim, the criminal is the criminal and the lock company is responsible for the homeowner's loss.
No, the criminal is responsible for the homeowner's loss. Not even the most strict product liability law would find that the lock company is responsible for a homeowner's loss, since they could easily argue no reasonable person would simply rely upon door locks to prevent burglary attempts.
If you store other peoples' shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
“He’s not deformed, he’s just drunk!”
Bad analogy. This is closer to "We should jail the bank CEO if the bank's security is lax enough that a bank robbery succeeds. They should have alarms, armed security, and steel vaults!"
Think standards for corporate server security, not penalties for end-users whose laptops get hacked.
I'd modify your analogy a bit. Imagine your door lock breaks and you don't fix it for a month. Then someone comes along and steals your stuff. Your insurance isn't going to cover it because you didn't take the necessary precautions to secure your premises.
But if your lock broke, you fixed it the same day, and then a month later you were robbed the insurance would cover your losses as you took the steps needed.
In both cases the burglar would still be wrong for stealing your stuff.
Well, you got burglarized, but that doesn't automatically mean the burglars get away with it. Insurance will still pay, the police will still make arrests, and if you're lucky, you might even recover your stolen items. So, you're not really being punished.
Obviously this AC has never been the victim of a serious crime.
.: Semper Absurda
Bad analogy. Closer to the truth is having a photocopy of a combination lock taped to the front door along with a note "Do not enter unless you know the combination!"
You are absolutely right. The already extant laws that make the Ashley Madison hack a crime clearly did not stop perpetrators. Unfortunately, for you, GP was talking about laws that would punish those responsible for the security of sensitive personal information when they clearly do not take adequate precautions to protect that data from the lawless hackers. Get it now?
FWIW, negligence is tough to prove. Criminal negligence, even more so, but I'll wager that what those responsible for security at Ashley Madison failed to do, or more likely, what they were prevented from doing by their superiors, is as clear a case as there has ever been. We all know the story. The security team warned the developers, then the operations guys, who warned the CISO (if they had one) who damn-well better have warned the Board. Somewhere along the way, operations/profit won out over security. It's probably going to ruin Ashley Madison. It is clearly going to ruin thousands of lives of people who had a reasonable expectation of privacy. That is nothing, if not a crime. Why is it not being treated as such? Why is it not treated as such every time it happens?
I've been working 20h/day since the leak happened, searching the databases on behalf of various divorce attorneys I know and work with on other computer-related business.
So far I've provided information that devastates their opponents' positions in court. Absolutely devastates them. And, it's all admissible.
AshleyMadison is a Canadian website
Federal laws already exist that require companies to properly maintain computer files that contain data for, from, or about you.
Enforce those by financially screwing those who fail.
Market-based solution should make right-wing weenies happy while keeping the rest of us more safe from incompetents.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars?
If you're in business and promising your customers that you're keeping their stuff secure, well, yeah, there should be legal penalties for not meeting some standards of due diligence (admittedly, there's quite a bit of wiggle room as to where those standards should be set).
/. If the government wants us to respect the law, it should set a better example.
"Why not make it really simple? If your system gets broken into, it's your fault. "
So your home gets burgled, and its *all* your fault? Not the burglar's? Regardless of the precautions you took?
Though in this case, it was not an innocent home burgled, but an Alibaba's cave full of stolen goods.
It's not the property of the corporation, and they're not the ones who suffer when it is stolen.
Well, no, the data is the property of the corporation. The data is about you, but it is not your data. They do suffer. You also suffer.
I agree the status quo is fucked up, but your statement's not really correct there.
We don't have a state-run media we have a media-run state.
Isn't "willful alienation of affection" a tort instead of a crime? Adultery is listed as a crime in some states, but I didn't think marriage interference was.
Eating pussy is also illegal in NC. Who cares?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
If you leave your door unlocked and some robber comes and steals your stuff, the insurance company is likely to stiff you for failing to take due precautions.
The robber can be prosecuted for illegal entry/trespass and theft and/or whatever laws they throw around in the locality in question, but that doesn't excuse failure to lock the door in the first place. Burglars can easily circumvent locks, but at least if you locked it, the insurance company would consider that you tried.
In NC, USA, the Ashley Madison website is in direct violation of several marriage statutes, namely around willful alienation of affection, which is punishable with jail time.
Alienation of affection and criminal conversion in NC are torts, which involve a suit for damages, not jail time.
All of this seems to presume that a site CAN be made 100% hacker-proof. I don't think that is likely.
This position reminds me a lot of the folks that want to sue gun companies when someone commits a murder with a gun. The people who released this data have the blood of the two (so far) victims on their hands - they're at least partly responsible for their deaths.
If you leave your front door open, and somebody comes in and steals all your stuff, it's still stealing. If caught, the thief would still go to jail.
If there was such a thing as a secure system, maybe it would make sense to prosecute executives. It would be how therapists are legally required to keep their files behind two sets of keys (say, a safe inside a locked house). However, such a model doesn't work in a world where we have zero-day exploits and even high-security targets such as the CIA are getting hacked.
Slashdot: providing anti-social weirdos a soapbox, since 1997.
Your own Apples to other people's Orangutans comparison.
The Government requires you to have vehicle insurance because you impact other people if you wreck on a road. Banks are required to have insurance protecting a specific percentage of deposited wealth. You will go to jail if you kill someone while driving even if it was on accident if you don't have insurance. Banks have had people go to jail when they lied about or have not met obligations required by law. Why should a business be treated differently exactly? No reason, except that we lack enforceable regulation.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
This should create the head of steam required to get some legislation passed to make companies and specific executives SUFFER if they screw up their data security. Ultimately that means if an executive is advised that a system is insecure, fails to act and it gets hacked, the executive needs to be personally liable, with a small taste of prison. It happening once is all that is required....
Unfortunately, this also means that the IT executive (and likely staff) will be hauled off in chains too.
Doubt you're going to be able to hire even one executive that doesn't want to pass off that legal responsibility, or at least ensure those in charge of the electronic fences are held to the same level of culpability.
And of course, any IT executive with a brain knows it's impossible to guarantee security, so fat chance of finding many who would willingly agree to go to jail given the landscape we face today. Even offline systems can get hacked.
Perhaps the aim should be at nations that kill, torture, or exile people for these so-called crimes which are non-violent and personal, posing no threat or aggression toward anyone else.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
And that is the root cause of this whole situation. We need to find a way to change the overall mindset (especially in these here Unitee States) towards other people's personal sexual congresses. Not only should it be nobody else's business, but nobody should even **care** what some person they're neither related to nor dating is doing.
If someone's cheating on a spouse (and the spouse does not approve of extramarital sex), the spouse will likely find out one way or another at some point. What happens to the couple is up to them. But what your employees, or Congressional reps, or sports/music/theatre idols do in their personal lives including sex, just plain shouldn't matter.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Apart from what other commenters have said, remember, that some people really do make an effort to secure their systems and still get hacked.
The commodity system programming model does not seem to be compatible with strong security.
There will always be some vulnerability in even well maintained code on fully patched systems in well laid out networks.
Yes, it would be more difficult to pull off than the Sony hack, but it would still definitely be possible.
I'm hoping for a full post-mortem of this hack like for the HB Gary Federal one over at Ars a while back.
I would not be surprised at all to learn that AM actually did put in considerable effort but still got owned.
Unfortunately, that is incorrect. Consider the all too common stories of homosexuals who keep their orientation secret and enter into supposedly normal relationships to help conceal it (having children), only to ruin another human being's life later when they come out of the closet. Clearly heterosexuals are more moral than homosexuals, as we never hear of any secret heterosexual who lived a gay life for decades and then came out as straight, destroying their partner's life in the process.
I'm an American. I love this country and the freedoms that we used to have.
Wait a second, people are committing suicide because they got caught cheating or trying to and it's the hackers' fault? The hackers committed a crime in breaching AM's website, but they didn't influence anyone to use the internet to cheat.
The hackers here are nothing more than whistle blowers. AM was breaching contract with people who paid them to forget their data, and users were attempting to cheat on their spouses.
What we do with the hackers over this is unknown, but suicides based on getting caught trying to cheat shouldn't even come up when deciding the hackers' liabilities.
You can't hold someone responsible for being hacked, unless they've demonstrated that they didn't even try to avoid it.
Sure you can, this is why we have insurance. If I put stuff in a storage unit and it gets broken into, it's the storage unit's fault. Period. They will have to pay me. It matters not if they tried to keep out the burglars or not. They will get paid by their insurance company but it is most certainly their fault that my stuff got stolen.
dear AM; this was an inside job.
no ethical hacker group is interested in applying devastation at this level; which is affecting millions of innocent families and children.
Affairs are probably illegal in most states in the U.S. If not all.
marriage is a civil contract, how does that work?
alienation of affection, which is punishable with jail time.
Bullshit. Even in NC, alienation of affection is a civil matter.
Affairs are probably illegal in most states in the U.S. If not all.
Also bullshit. Just a few states still have these laws on the books.
Furthermore, such laws are plainly totalitarian, they misplace responsibility, they view a marriage as little more than a property deed, and they elevate particular religions to sources of law. No small government conservative, nor any other supporter of a free society, could possibly support such a law. The only reason they haven't been declared unconstitutional is that no relevant case has yet reached the Supreme Court.
One NC attorney, quoted in the Wiki, says it quite well:
One North Carolina divorce attorney has written: "Adultery is not uncommon, but an alienation-of-affection case just polarizes everyone and devastates everything in its path including the children and both spouses....The world has changed. Women are no longer viewed as property. Alienation-of-affection is something that dates way, way back, and if there was ever a law that needed to be removed, this is it."
.: Semper Absurda
Yes, many intruders have been caught cooking their victims' food, using their shower and napping in the fuckin house they just broke into. Nobody here said they were smart.
If the law really is a bad law, then nobody deserves its consequences.
If it is an otherwise good law which is broken as a necessary side effect of an act of civil disobedience, then the punishment should still be in effect.
For example, a public display of same-sex affection as civil disobedience for anti-homosexuality laws might also put someone afoul of public disturbance laws. Such demonstrators should be punished for the public disturbances, but should not be punished for the anti-homosexuality laws which are being challenged.
Of course they still will be punished. But that punishment is a morally wrong action on the part of the government. Whereas the additional punishment for public disturbance might not be morally wrong.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you?
if you are a bank or are otherwise holding precious customer value, then sure.
With almost 40 million members, if we discount the kids, the prison inmates, the elderly etc it's almost one member in every marriage.
That's why you should never use real names on the Internet.
You are not talking about your own stuff here so stop making invalid comparisons! If you were holding all of your neighbors' crap and didn't lock your doors would YOU be held liable? That is the question you should ask, and the answer is "YES, there is such a thing as criminal negligence." Especially in the case here where you are copying personal data from your neighbors and keeping copies even though you tell them they are safe.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If you really want to make an analogy between AM and a bank, this is more like the bank CEO letting people go into the vault and take whatever for weeks just because they asked a certain way, no ID required.
If you store other peoples' shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
My wife has a yarn store and import/distribution business for fancy schmancy yarns. We have customer data, not by choice, customers demand it for their convenience. I happen to be a security/crypto type engineer. So we worked out what the plan was based on the notion that a yarn store is helpless in the face of electronic warfare.
1) Outsource anything touching PCI-DSS. The payment card machine doesn't attach to the computer. The online payments are through a service that handles the card data on their servers while appearing to be on our web site and PCI-DSS compliance is part of their service. PCI-DSS sucks (I've read the specs - It's not pretty). But it's what we have. So pay someone else to hold the responsibility who on the surface may be better positioned than a yarn store to handle such data.
2) Don't keep customer credit card data on a computer. Use other means.
In general, there's nothing anyone can do who isn't deeply involved in computer security and cryptography, which on average is everyone. Those few who are involved in the intersection of retail and computer security are disempowered by the payment card companies who dictate terms, avoid liability and push absolutely useless security standards on the rest of us.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Well, the truth is because of the fact that he's gay, he's done something terribly wrong - in Saudi Arabia. It's bad luck to live in such a country but, according to laws of the country, he HAS done a horrible thing. What's really regrettable here is that such countries exist.
Rest assured that the new legislation will make hacking a crime worthy of being hung, drawn and quartered while at the same time not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
So in your world it's important that we don't up the penalties for the perps because it's the victims of crime who need to be punished. In my world that makes you an asshat.
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light..
Don't joke about that, that exact scenario nearly happened to me a couple of years ago. Old geezer never touched his brakes. When he hit my car, he was moving fast enough that my car knocked the car in front over top of a motorcycle and wedged both of those to the car in front of them. When the cops arrived they instantly assumed that I had caused the accident and were starting to write citations until witnesses confirmed that I had been sitting still and that I had been rear-ended.
Legal supremacy of treaties over the civil rights of US citizens is a really, really tetchy subject. There are very few if any US courts that will side with an international treaty over a US citizen in, say, a 1st amendment issue.
You are talking about two different coins, not even two sides of the same coin. I believe that if you leave 100.00 on your door step you should not expect it to be there when you get home. The person who took it is not right for doing so, but you are not right for leaving 100.00 on your door step where people would be tempted to take it and in other circumstances would not have done so.
What GP said is that if you leave your doors unlocked and get robbed, people would claim that _you_ should go to jail. Which is not a valid argument since AM is not holding their own stuff, they are holding EVERYONE ELSE'S STUFF!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
We've got enough people in prison. Just make it so that if there is evidence of horrible security that the affected users have a simple recourse. Have some tiered system set up ahead of time that says what compensation you are entitled to for various breaches. Once you have that massive liability insurance firms are going to get involved and most likely require their own security presence.
I noticed that you never asked about the responsibility of Ashley Madison to delete the records they were paid by their customers to delete, but did not. Or the responsibility of Ashley Madison to protect their credit card transaction data (almost certainly contractually required by their bank and processors). Or the responsibility of Ashley Madison to protect their customer data in the first place.
Does the Corporate Person have no Personal Responsibility at all?
Fuck you and people like you. "Yikes a tragedy, let's create legislation!"
For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars?
Your analogy is inaccurate. Add to your analogy that you are conducting a business to store something valuable in your home for other people: should you then be required to follow certain due diligence as it relates to security? There is a purpose to some regulation: to make it more difficult for a business to deceive the public, and to setup consequences if found guilty. It is perfectly reasonable to suggest that this company deceived the public into believing they had a secure system, when apparently they did not. It seems fair to posit that the people who profited from this deception be held to some sort of account.
I don't think anyone at all is denying the responsibility of the criminals. However, this does not exclude the possibility that there are additional persons responsible as well.
Ideology: A tool used primarily to avoid the bother of thinking.
I believe this data is considered "property"
So if any site possesses this data, or creates a search to find if your e-mail was exposed, aren't they breaking the law by being in possession of stolen property?
Beyond that, it's an arms race. You can't hold someone responsible for being hacked, unless they've demonstrated that they didn't even try to avoid it. Reasonable preventative measures.
That's not really true.
Reasonable preventative measures include not saving unnecessary information like (1) credit cards, (2) home addresses, (3) full names for a site that only exists for a form of social networking.
Extreme preventative measures include not keeping any electronic transaction records, instead only saving printouts of data.
Both approaches would be expected for an online business that makes its profit from anonymity.
Well a couple of good places to start for standards in this area would first be the NERC CIP standard and once you have got that down then proceed to the Cybersec Procurement Language for Energy Delivery Systems (warning PDF) for a set of industry best practices that are highly encouraged to be in vendor contracts. While they are written for energy management systems the ideas and regulations should mostly be applicable to all other systems that need computer security as well.
Time to offend someone
Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
Like they're really going to pay it. They will most assuredly find a way of weaseling out of writing that check. Most likely scenario is they will bankrupt out from under it due to a half a billion dollar judgement. All while the people in charge have protected their own assets.
1) How about using a site that doesn't promote lying to one's spouse (I'm sorry, but there are PLENTY of sites like AdultFriendFinder that allow you to engage in anything AM allowed, without the advertising that basically says 'Life is short, cheat on your husband/wife') I have sympathy for those who are affected by this, but you knew what you were doing, had ways to hide your identity, and had other sites you could have used.
2) We should have laws in place to punish system providers who CLEARLY don't follow PCI standards (there should be NO CC info in your systems, period) and worse, have very lax security around their data storage (why wasn't the data encrypted IN the database? I mean, come on).
3) People's data should not be held hostage, and all sites should be forced to provide an 'instant delete' to support the right to be forgotten.
4) The perps should be caught, and charged with whatever relevant computer crimes are applicable. If the system isn't yours, you should NOT be hacking it with the purpose to release confidential data on the web, and you certainly should not be able to ransom the site once you have the data.
So if you're running, say, a law firm ... and someone uses a 15-ton piece of construction equipment and a crew of ten people to show in the middle of the night, smash the roof off your office building and crane-lift the 1,000-pound safe out of your office (thus losing you control over sensitive customer information), you'd consider yourself to be at fault for that loss? Be specific, on that exact scenario.
Don't disappoint your bird dog. Go to the range.
I'm betting that if any laws do get passed they will be to allow stiffer penalties for hackers, not the incompetents who said they'd keep people's personal data secure.
The DMCA?
At the risk of shilling for the NRA, the 1A is already dented by the WIPO treaty. The 2A is up next with the UN Small Arms Treaty.
The DMCA has already been vetted as the law of the land.
Yes, this is quite unfortunate. However: given a random selection of 30 million individuals, at what rate would suicides be observed? Make sure you know the answer to this question before jumping to conclusions.
A security audit at the level of an ISO/QS quality registrar would open quite a few eyes. There needs to be a worldwide security standard such that any company hosting private information can voluntarily submit to for a rigorous audit that not only tests their security at all levels but makes sure that systems are in place to keep it up to date. Sure, building up a secure system to be able to pass the audit, and then actually going through the multi-day audit takes time and deep five figures of cash. Private industry needs to jump in and set living standards that have to be met. Companies that pass the audits can advertise that they have state of the art security online. Until this becomes the norm, expect corporations to continue to look at security as a cost and not a commercial advantage.
For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you?
Nope, but that's a flawed analogy. A better analogy would be, if you offer a service that involves storing stuff for other people, being liable for any loss or damage of their property due to negligence. If you run a hotel and your customers are robbed because you use cheap locks that mean that anyone can get into the rooms, then you should be liable. The government doesn't need to force you to enact specific procedures, it just has to prevent you from having any liability shield in the case of gross incompetence.
I am TheRaven on Soylent News
I don't have much sympathy for those persons whose names were exposed. Every time I sign up for a social media site I expect I have no privacy. I say what I want, but never expect privacy. I'm gay and have signed up for some pornographic site, but only after discussing it with my partner. I am spending our money after all. As to 'cheating' ... if you have to, shouldn't there be some full disclosure to your partner, straight or gay? If you need to there must be a reason, reasonable or not. If not ... I think your marriage is over already. Why wait?
As to being a national in an overly sex involved government. That was an upfront issue. You should know better than to put yourself at risk with your government.
As to how this applies to Americans. It's time to get the equal rights and protections extended to all so that these private things don't affect day to day business of everyone else.
Well, you got burglarized, but that doesn't automatically mean the burglars get away with it. Insurance will still pay, the police will still make arrests, and if you're lucky, you might even recover your stolen items. So, you're not really being punished.
Ha!!!!!
No, the police will write a report. The insurance company will tell you your stuff isn't covered and you'll never see any of it ever again. How do I know this? Because that's exactly what happened when someone broke into my house.
OP specifically uses a burglary to make his point, which I responded to.
When I worked the late shift at a convenience store during the summer of 1991, I got held up by two dudes, one with a gun. Thankfully, I didn't get shot. Is armed robbery a serious enough crime for you, asshole?
Maybe people just shouldn't cheat on their spouses...
Just dessert? Provably so.
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light.
It's more like saying that you're going to send someone to jail because they left their bus unlocked and your briefcase was stolen out of it.
This isn't an accident. They were negligent and allowed a malicious actor to access private information. Both they (for negligence) and the hacker or hackers (for deliberate and malicious action) are to blame. Ashley Madison did do something wrong. Perhaps not criminally wrong. But wrong. And what the hackers did was certainly illegal.
By contrast, in your example, the person getting rear-ended did absolutely nothing wrong while the person who hit the car was negligent. There's no malice there at all. And there's only two involved. With Ashley Madison, there's three groups: the users as clear (albeit not quite innocent) victims; Ashley Madison whose negligence allowed that victimization; and the hackers who acted with deliberate malice.
Don't forget they added extortion to their rap sheet.
Boy, if they get caught, they'd better hope it's the police and not some disgruntled A-M users who find them first.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
If you're committing suicide over this then you must not have thought through your actions when signing up.
Same with people about to lose everything financially, it's just that in today's world, that people are still foolish enough to participate in this site, it's hard to have empathy/sympathy.
"If any question why we died, Tell them because our fathers lied."
No, the police will write a report. The insurance company will ask what was taken and you'll lie about it and get lots of far better stuff. How do I know this? Because that's exactly what happened when someone broke into my house.
Absolutely. +1
I'd modify that post to re-iterate:
"They've deemed themselves trustworthy to hold onto your data, and failed to safeguard it."
"Corporations failing to protect the private and sensitive information they have been *entrusted* with..."
Saying "Entrusted" implies I had some say in the trust relationship. The bald truth of the matter is that we rarely have any say in our data or privacy. In this case AM was offering secure deletion of data for a fee and then blatantly not deleting it. In my mind that's just plain ol' blackmail so I don't know how they get to still be in business. I wouldn't be surprised if they flagged people who asked for their accounts to be deleted as "potentially juicy gossip targets" - I mean, if you're asking for your data to be deleted then you must have something to hide.
Nothing is going to come of all this. The analogies of securing a house miss the truth that these software projects are really, really, really BIG houses. There's a maddening level of complexity involved in these systems. Securing the front and back door of a house is trivial. Securing a 1,000,000 sq ft mansion is quite a bit harder. Someone is bound to leave a window unlocked somewhere.
"Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach."
The suicides are unconfirmed or the links are unconfirmed? Because last I checked it's not too fucking difficult to tell if someone is alive or dead.
Romans 12:19
"Dearly beloved, avenge not yourselves, but rather give place unto wrath: for it is written, Vengeance is mine; I will repay, saith the Lord."
What we see with the Ashley Madison data dump is the vengeance of the Lord upon the vile adulterers and fornicators through his instrument, the Impact Team. They alone were chosen to do God's work.
https://www.youtube.com/watch?v=Uzae_SqbmDE
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you? Should we lighten up the sentences for "breaking and entering" or even burglary?
Let's apply your analogy to the corporate world. Imagine if a bank doesn't install a security system, and a robber makes off with your retirement savings. Would you accept their reasoning that it's the robber's fault?
There's an implicit expectation that corporations will protect their assets (including your data) when you do business with them. Companies that fail to meet that expectation are negligent.
When you put your shit in a storage locker it's usually at your own risk.
If it gets stolen you're shit out of luck.
This just requires all these services to put a waiver in their policies saying that if they get hacked you get nothing.
I have watched cyber security technicians dressed in full Traditional Saudi gear, carrying large white boxes (filled with donuts, no less), walk right past armed guards at military installations without getting checked. This is actually how some of my family members make their money (private security contractor). I can tell you from experience that our National Security is a sham. Knowing that, and understanding that the US government developed the internet as a tool for mass surveillance of ALL people, anyone that has faith in the security of a website is delusional.
Ah - the joys of straw man argumentation.
The idea that it might possibly be appropriate to challenge behaviour that is objectively damaging to society and especially its most vulnerable members, children, is ultimately what it means to be a society. That we have chosen to stop treating adultery as a crime doesn't mean that it's not a bad thing. We DO punish child cruelty...
I cannot wait for all of the well sourced and clearly not biased articles(Which were written by friends!) which will blame Gamergate for this.
If a parcel is left on your doorstep do you have any reason to complain if it's taken? If you tell me where you live I'll pay you a call just after UPS stops.
But in this case it's not the credit card information that anybody cares about -- it's the customer data.
Imagine that you could tell somebody's deepest-darkest secrets based on what kinds of yarns they looked at! You'd now have to protect the core of your business data (that's a lot harder to meaningfully encrypt when you have to spend most of your time actually processing that data).
dom
If you run a business, say, protecting other peoples' stuff then yes.
So, let's get this straight. You're outraged that the government should tell a business that they MUST secure customer data, and at the same time you're OK with the government telling businesses that they MUST maintain certain information...which they then are not required to keep secure?
And why do techbro libertarians really not take the time to think their statements through?
The "free market"...it's a cookbook!
You are welcome on my lawn.
I'm not sure it makes sense to make complicated legislation regulating computer security specifically. It seems to me that this is part of a larger problem.
First let me say that I'm not a lawyer and I don't know the technical ins-and-outs of all of what I'm talking about here. I don't mean to be speaking on a technical level, but just speaking generally on a broad problem. The problem I'm speaking about is this: It seems that people running corporations and working within corporations are not responsible for their actions or negligence. We see this when there are environmental disasters, in financial disasters, and in these kinds of disastrous data leaks. You have some big company acting completely recklessly, causing massive destruction as a result, and nobody gets punished. The worst punishment for these problems is that the company is asked to pay a fine, or sued for some amount of money, but none of the individuals involved in the decision to act recklessly face any personal punishment. Even when the company is guilty of criminal behavior, there is no criminal prosecution of any individual, and the punishment to the company is to pay a relatively small fine.
These sorts of things seem like a serious instance of moral hazard. First, the damages to the offender are monetary and not criminal, i.e. if a company kills several people due to negligence, there's no way to lock the company up for manslaughter, so they fine the company. So already, that's somewhat inappropriate. If I kill several people with my negligence, I'm going to be sentenced to several years of prison for manslaughter. I shouldn't be able to buy my way out of that, no matter how much money I have (although admittedly, it seems that rich people can buy their way out of prison with expensive lawyers). But aside from the possible inappropriateness of punishing crime with financial penalties, there's also the problem that these penalties are inflicted on the company, and not individuals within the company. If I'm the CEO and I make decisions that cause my company to act recklessly, it's unlikely that I'll ever be held responsible for those decisions if they go bad, but I'll be rewarded if they improve the company's bottom line.
The end result is a system that encourages reckless sociopathic behavior from people running businesses. I don't know how you fix it, but I do think it's a problem that warrants legal reform. Maybe the answer is to strip away some of the protections granted to corporations, or maybe the answer is to create new laws holding officers of corporations legally individually responsible for certain kinds of decisions, and requiring that those decisions be documented to show who was responsible. I don't know what's feasible or practical, but it does seem like the current system is unsustainable.
Ashley Madison Data Dump
http://themobilebay.org/torren...
Don't expect to betray spouses and remain anonymous
None of that matters to the legislation. It can be very simple: If you expose people's private information, that your company has collected, then the CEO and board of directors do jail time.
You would see better security overnight.
It's funny how law and order only seem to apply to people who have to struggle for a living.
You are welcome on my lawn.
Now you tell me.
You are welcome on my lawn.
1) you were remarkably stupid to admit you left your home unsecured; 2) you have crappy insurance; 3) police do catch burglars because (since we're using personal anecdotes here) they caught the ones who broke into my duplex while I was attending college. There were other houses in the neighborhood that got hit over a 2-week period, so the police stepped up the patrol and just happened by my duplex as they were rolling out my audio equipment into their truck. The thieves hadn't moved most of the stuff they had stashed in their own house yet, so most of the people who got burglarized got their stuff back.
Your house is exposed to a relatively benign security environment where you can expect criminals who try to break in to have a reasonable risk of getting caught and punished. The perpetrators are likely to be within reach of law enforcement, and the average house sees way less than one attempt per year.
Contrast this with the Internet, where security gets probed at least hourly and the criminals are likely to be in Russia, out of reach in the vast majority of cases.
At this point security breaches should be treated like we treat natural disasters: Building codes and risk of prison for those who endanger others by not following best practices.
Finally! A year of moderation! Ready for 2019?
My wife says it already is.
You are welcome on my lawn.
A funny statement, considering that either spouse may file suit. The one thing you can't accuse the law of is being biased against women.
Gamingmuseum.com: Give your 3D accelerator a rest.
See, the stuff being stolen here ... It's not the property of the corporation, and they're not the ones who suffer when it is stolen. They've deemed themselves trustworthy to hold onto your data, and failed to safeguard it.
In the United States, except for a very limited class of information, the person that collects the data owns it. If you have a credit card with your bank, they own the data associated with your account such as purchase history. If you have a cellphone, your carrier owns the data generated by your account such as your calling history. This is why companies are allowed to re-sell their customer data to marketers, etc. Only very recently has legislation been passed in the States to require certain types of consumer data to be handled in certain ways.
In this case, the data that was "stolen" was most certainly the property of the corporation. You could try to sue them in court for damages, but there's no legal requirement that they secure their data in a particular way.
Yes, but the box was marked, "Fred's Bank". It's kinda up to the depositor to know what kind of establishment he's doing business with.
source: https://en.wikipedia.org/wiki/...
So, a willingness to cheat on your spouse couldn't possibly be indicative of character traits that an employer or the constituents of some politician might find concerning? At a minimum it shows a lack of judgement and a level of dishonesty that may extend to more important things. Not a few politicians and employees have been busted for embezzlement because they needed funds for an extramarital affair.
As to the spouse finding out "someday"... well, I've known people who were cheated on for years and only found out through chance. For some cheating spouses, chance just happened in the form of Ashley Madison.
Look, if you want to play hanky-panky, I agree, that's your business. When you make the boneheaded decision to use a web site to facilitate your shenanigans, don't be surprised at the repercussions of that choice. If large entities like banks and governments have breaches, why would you ever trust some hook-up site with information that could ruin your life? The power of technology can work for and against you...
My question: Where would laws be aimed at?
I fear that we would get laws like the CFAA aimed at stringing up intruders in the US, but because most attempts are coming from overseas where the local governments either ignore or actively encourage security breaches, it would not help anything. However, with the cosplan ban that the TPP [2] gives, we likely will see effort along these lines just as scare tactics and security theater.
If we get laws at businesses, it may not help either. Sarbanes Oxley and HIPAA were to address security, and the last time I've heard of someone going to jail under those was someone who caught too many fish and was prosecuted under SOX because he tossed his stash of dead grouper.
If a law stipulates "reasonable measures", a lot of companies would do nothing at all, throw their hands up and say that the bad guys can get through anything, and point to Target and Sony as being heavyweights, but yet nailed [1].
If a law stipulates exact OS methods taken, the OS controls in Windows NT are significantly different from the ones available in Windows Server 2016.
[1]: Even though basic network segmentation would have stopped Target's attack, and locking/warning IT about brute force AD password guesses would have helped mitigate Sony... and an IDS/IPS would have stopped both.
[2]: Here in the US, treaties come before laws. Even Marbury vs. Madison doesn't allow judicial reviews on treaties.
SOX compliance only covers public companies. Private companies not on the stock market like Ashley Madison don't fall under these regulations. It's also meant to rein in the illegal accounting and security practices when reporting quarterly numbers. Bigger companies have their own auditors in house under their payroll who help them formulate SOX compliant reports. In the end it's just more money being spent for the same old thing.
Your analogy is poor. There is a third party here who claimed to hold data security paramount and failed at that job. In your example you would pay your neighbor to make sure your car was locked up and when the thief steals from the car because it was unlocked don't you feel the person you were paying to secure it should be liable?
AM is as responsible for this as the hackers. Their entire job was data security, to allow people to put very personal data and details online in a secure manner. If they had told the truth about their data security no one would have ever used the web site. IMO they probably hold higher responsibility for this action than the hackers.
If we're going to use a more accurate analogy :
This is like sending someone to jail for driving an unsafe vehicle that shouldn't have been on the road in the first place, as it was a hazard to others around them. Like when its brakes locked up (without the brake lights turning on), as they were approaching an intersection, and the driver behind them didn't have sufficient warning to stop.
But that'd apply to anyone with an unpatched server ... in this case, they were telling people how secure they were, and weren't. So also reckless driving for showing off to their passenger by weaving through traffic just before their brakes locked up.
Build it, and they will come^Hplain.
The U.S. Constitution is the supreme law of the land. Any treaty agreed to has the weight of legislation, and if found unconstitutional is unenforceable. Some people hold otherwise, but the constitution itself established its primacy. And every federal judge and official swears to uphold the constitution.
A US Appeals court has rejected a corporate's appeal against being prosecuted by the FTC for failing to ensure its security was up to what it had promised https://www.washingtonpost.com...
not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the size of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you? Should we lighten up the sentences for "breaking and entering" or even burglary?
Personally I think with certain exceptions like public Utilities etc that already enjoy a special relationship with government and a captive market, that companies ought to be allowed to have whatever security posture they like. They should simply have to be honest about it with consumers. Government ought to do one of the few things it's Constitutionally supposed to do and set some standards of measure.
Develop some NIST definitions for overall information security postures. If companies then want to claim they have a 'Double plus good can't hack me bro' rating there is a way to prove that. Then if one of these breaches happens and it's done in a way that should not have been possible while in compliance like 'plain text data on laptop found on bus' we would all be able to go after them for contract fraud or false advertising etc.
Additionally we should have some disclosure laws, just like food labels there need to be some standardized categories and forms companies that maintain any information that is personally identifiable other than firstname, lastname, current address, billing address, and primary phone number, should be required to disclose that on a standardized and both electronically readable and human readable format. Maybe a nice TML or INI like file.
The government already requires permits, inspections, specific codes you must follow for wiring, water, heat, etc when building a house. If these don't pass inspections your house doesn't get built. If you add to your house and don't get a permit you can pay massive fines and possibly have to rebuild it. In hurricane prone cities they have increased requirements for buildings. So yes, it sure does make sense. It also makes sense when you collect and maintain personal data of others. If your house was hit by a Tornado and someone walked in the next day and stole all your customer data you would be liable. Whether it involved putting it in a safe or encrypting it electronically it's your job to secure this info or don't collect it at all.
It's really depressing that this thread is filled with self absorbed psychopaths who are only concerned with structuring the world to protect them from responsibility for any possible future consequences to their actions.
I haven't seen a single comment expressing compassion for the people whose spouse cheated on them. They were betrayed by the person they trusted the most. They were exposed to disease. The wealth they accumulated to pass on to their descendants was placed at risk. Their children are going to be seriously psychologically damaged.
Not only that, we the public were betrayed. These people accepted the benefits that go along with marriage. They took the tax benefits from our pockets, but instead of delivering a healthy family full of well adjusted future citizens, they snuck around spreading disease and discord in our communities.
I find it so ironic that the same people who will get themselves worked into a frenzy over vaccinations have no problem with cheating spouses spreading disease through the community. You'll force a child to accept an injection, but you won't hold a married man accountable for fucking anything he can get his hands on...
This community makes me sick
-1 Uncomfortable Truth
But in this case it's not the credit card information that anybody cares about -- it's the customer data.
Imagine that you could tell somebody's deepest-darkest secrets based on what kinds of yarns they looked at! You'd now have to protect the core of your business data (that's a lot harder to meaningfully encrypt when you have to spend most of your time actually processing that data).
dom
Yup. If you're planning to process sensitive customer data, it's not enough to expect an IT department to do it. You need to make procedural and cryptographic security the core of your business and put practitioners of those disciplines in senior positions in the company.
If not, you and your customers are just lambs to the slaughter.
We don't attach people's names to transactions unless they ask for it. So the yarn-dark-secrets link is relatively safe from the 2000 or so hacking attempts that get made on our little server every day.
I think I could make a secure system for handling customer data, but it would be a full time job and I already have a job.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
The Saudis are pretty popular with our ruling class, and they've got tons of oil. We can't really afford to piss them off without making some huge changes to how we live...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
She's (sadly) more qualified than most politicians on tech issues. At least she knows what a mail server is. Many still don't even use email.
Trump would build a firewall and try to get the hackers to pay for it.
Any insufficiently advanced magic is indistinguishable from technology.
I'm a fool if I leave my house or car unlocked at night; nevertheless, if someone breaks in and steals stuff, they have committed a crime, not me; I was naive, negligent, careless, but I didn't steal anything.
If you are holding property for someone else, then yes your negligence is (may be) criminal, particularly if you are being paid to store their stuff and advertised your services as secure.
"Grab them by the pussy" -- President of the United States of America
I, as a cat owner, care deeply about this, thankyouverymuch.
LOLOLOLOL
Great idea, we should hold a rally and try and get every Ashley Madison subscriber (and their spouses) to write their elected officials to get the laws changed...
That would work, right?
Ken
Apples to other people's Orangutans comparison
This made me chuckle.
Policies would just be in place to ensure the executive was never advised the system is insecure or at least that such advisement is never documented.
I'm not a big fan of cheaters in football (Looking at you Troy Aikman) or Relationships (Bill Clinton/Josh Duggar). But to blame suicides on some cheaters getting caught is silly. Cheaters especially married ones will almost always get caught. The best thing to do is don't cheat if you don't want to get caught. More importantly don't leave any information on the internet you don't want anyone finding out. It doesn't matter if it's your personal data or your dating preferences, if you put it out there someone is reading it.
If you had any idea how much frustration that gave me, you wouldn't say that.
If you store other peoples' shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
My wife has a yarn store and import/distribution business for fancy schmancy yarns. We have customer data, not by choice, customers demand it for their convenience. I happen to be a security/crypto type engineer. So we worked out what the plan was based on the notion that a yarn store is helpless in the face of electronic warfare.
1) Outsource anything touching PCI-DSS. The payment card machine doesn't attach to the computer. The online payments are through a service that handles the card data on their servers while appearing to be on our web site and PCI-DSS compliance is part of their service. PCI-DSS sucks (I've read the specs - It's not pretty). But it's what we have. So pay someone else to hold the responsibility who on the surface may be better positioned than a yarn store to handle such data.
2) Don't keep customer credit card data on a computer. Use other means.
In general, there's nothing anyone can do who isn't deeply involved in computer security and cryptography, which on average is everyone. Those few who are involved in the intersection of retail and computer security are disempowered by the payment card companies who dictate terms, avoid liability and push absolutely useless security standards on the rest of us.
You have a choice, you (the payment card industry) self-regulate, or the government steps in and tells you how to do it.
If you don't like the PCI-DSS, try to imagine what government's version would be.
Exactly. No actions are taken in a vacuum. They all have repercussions on other people, coworkers, strangers, etc.
said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there.
Christian 'tolerance' of others' views, that's the problem, not a data breach. Sarah gave Abraham permission to have child with her handmaiden out of love for her husband, understanding that he so desperately wanted children. This act is not considered sinful by the priesthood of Israel, is the very loving act of a wife who truly cares about how her husband feels and yet if the Jesus crew full of love and tolerance think differently, they'll throw you out of work, isolate you in your community...
People need to realize that this 'tolerant' Christian worldview is only a mask over sneering, idolatrous faces.
It should be mandated that public companies get an audit statement that the system is adequately secure. OK - weasel words, but provides external oversight and an evidence trail. Good point though!
This is why you would end up with, if not in red letter law then in case law, exemptions in for "reasonable effort" to secure systems, even if reasonable effort ended up being pretty heavy lifting (ie, certified vendors, regular external audits, well-defined security practices, etc).
I would imagine that any law would get so watered down by interested parties that it would be only the egregious cases eligible for prosecution or litigation. Anyone who could wave an audit around would be basically exempt because it would provide a reasonable effort shield which would deflect criticism.
That will simply mean executives make darn sure no one will dare give them such advice.
No, what's required is understanding that handling identities is a specialized task with the consequences of failure being a matter of life and death. In other words, it needs mandatory insurance - anyone's name gets out, they get paid massive mandatory damages sufficient to start a new life if they so choose regardless of whether they actually come to any harm, and the insurance company then handles punishing the culprit by trying to recover their money either through the courts or through higher rates.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
I had my home stereo stolen and they caught the burglar, the insurance didn't pay because the items were recovered, but it also sat in evidence for a year while his lawyer delayed trial over and over again and finally got him a slap on the wrist. By the time they finally returned the stereo system I had purchased a new one, and the one that was stolen somehow got water damaged while in evidence.
Social media is for fools. It's not just Ashley Madison. It's Facebook too. It is just amazing to me how people will pony up so much personal information and entrust other people to "manage" it.
How long is it going to be before someone hacks into Facebook and steals millions of user account details? Email addresses, phone numbers (in some cases), family photos, where you work (in some cases), all your friends (in some cases), you name it.
Buyer beware.
Actually, in some circumstances, leaving your car or house unlocked is considered an attractive nuisance, which is a crime.
Just a Tuna in the Sea of Life
Society as a whole pays for the problems of its members. To say that I shouldn't care that someone is cheating on a spouse is to say I should ignore those costs.
I pay, in part, for every divorce that happens in my community. I pay in the form of higher taxes to pay for the additional judicial load and in a slower court system.
I pay, in part, for kids of parents having marital problems that act out at school or in public. They may simply throw fits at the store that I must endure (small inconvenience) or they may become vandals or violent.
I am affected by co-workers who are distracted because of a divorce or because their parents or friend or neighbor is going through a bad break up.
My sister was in an accident and had a lot to deal with because the other driver was distracted by her problems with an unfaithful spouse.
This is not to say that the community government should meddle in any specific relationship problem. It is to say that we all should care for one another and all should realize that no one is an island. The actions of any one of us affect those around us. If someone is a jerk to their spouse, we should care and do what we can to prevent more jerks.
Extortion!?!? I'm guessing they won't accept a cash payment in a dark alley.
A corporation isn't a person. It is a bad argument that it is silly to force a corporation to do something if it is silly to force an individual to do the same thing.
I think it is a reasonable expectation that companies dealing with personal information should have a certain security standard. You can argue that the market will take care of the issue, and that some corporation will emerge from the chaos promising both the features you want and the security you want. However, most people are too unfamiliar and uneducated to demand better security. Furthermore, there is little, if any, profit margin from doing it.
We (in the US) expected broadband internet providers to compete and provide us better service, and that never happened. Why are corporations going to want to spend money on security and make a better product for us if they don't have to?
I can see having a security standard being onerous for small businesses, and maybe they should be exempt from standards (unless they deal in medical history, credit info, SSN's, or large quantities of personal data.) But if you're pulling in millions of dollars a year, I don't want to hear about how you can't afford proper security. A site like Ashley Madison? Give me a break. Make it mandatory to put a big red flag on your site if you can't meet a certain level of security. Right now nobody knows what is secure and what isn't.
You can up the penalties 'til they border on insanity; if you can't catch them it's moot and won't change jack shit.
For reference, see copyright.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So you'd go to jail if someone else's stuff was there, then. I borrowed my friend's PS3. My house got robbed. Now I should go to jail for not protecting their PS3 well enough, with a de facto conclusion of "if they succeeded in perpetrating a crime against you, then it's your fault and you should be punished". Gross.
The reaction (or lack thereof) I've seen from AM is absolutely appalling.
I am not sure that the Execs are the ones to blame here. If you are a CEO, you probably know shit about crypto and security, and if you hire an 'Expert' security coder you don't really have any way of evaluating if they are good or bad short of waiting to see if they fail to secure your data. I'm not sure that it sets a good precedent to allow people to be jailed based off their hiring capability.
Anti-hacking laws aren't going to help much, as a lot of hacking crosses borders. It is already a federal crime, what are you going to do, make it a double federal crime? That would totally stop all the black hats.
Perhaps it is on the consumer to ask critical questions of companies that you are giving your personal data to, and be more selective about who you do business with.
HA! I just wasted some of your bandwidth with a frivolous sig!
Facebook went past you unnoticed? People don't give half a shit about privacy or security. They don't even understand the implications of having their private data compromised. They will only notice when it hits them personally because it simply is a non-issue. It's neither broadcast in the media (even though it sure makes for a good scare story, imagine someone taking over and ruining your life) nor tackled in any meaningful way by politics or industry. The last because they certainly have no interest in ruffling feathers, the second because they themselves don't understand it (if there is any doubt about it, just listen to any politician when he opens his mouth about anything IT, it should dispel any kind of doubt you might have that he's talking out his ass) and the first because it simply is a too complicated topic for any kind of scare TV show aiming at the usual lowlife TV junkies.
There is no audience for security and privacy.
Private industry won't do shit in this area because it is not in their interest. You identified it yourself that security is a cost factor without any chance to EVER create revenue. This will NEVER be done voluntarily.
Sorry, but the idea that "the market will sort itself" is a myth. It requires a demand side with full information transparency. And that simply does not exist.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
None of that matters to the legislation. It can be very simple: If you expose people's private information, that your company has collected, then the CEO and board of directors do jail time.
If that was the letter of the law, then the company officers in this case wouldn't be liable - they *didn't* "expose the data". Their private servers got hacked. In much the same way if I were to get mugged, I didn't "expose my wallet", the muggers simply took it by force.
Perhaps if you reword it...
I'm a minority race. Save your vitriol for white people.
Banks are required to have insurance protecting a specific percentage of deposited wealth.
Do you advocate sending bank executives to jail if someone robs the bank? But you do advocate sending a company's executives to jail if a hacker steals personal information. What's the difference?
Again, This was an inside job. Interestingly all of my posts are deleted.
Ethical hackers aren't interested in hurting innocent victims... such as families and children. Releasing such sensitive material; this was not done by a hacker.
The volume of data acquired. It was an inside job.
Look at the "Sony hack". Inside job. Very similar dna. similar dna.
Again, This was an inside job. Interestingly all of my posts are deleted.
Ethical hackers aren't interested in hurting innocent victims... such as families and children.
Publishing such sensitive material; this was not done by a hacker.
The volume of data acquired. It was an inside job.
Look at the "Sony hack". Inside job. Very similar dna. similar dna.
Publishing/hacking data like this is usually an inside job.
It is close to impossible to "hack a computer" via the internet.
How do you want to handle companies holding data of/about their customers and an employee leaks that data?
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
You suck at analogy too! I'll give one more. Past here you are either not trying intentionally or a complete flipping moron who is beyond help.
If a bank manager is negligent and it results in you losing your money should the bank manager be held accountable? YES! If his negligence made him rich should he be forced to give back all of the money he made using ill gotten means? YES!
This is not rocket science, though one may begin to think so. There is a huge difference between the scenario above and what you said. You figure it out and tell people the difference.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Lots of people conflating individuals with corporations here.
If you leave the back door open and your customers' stuff gets stolen, you should be liable, criminally and civilly. Just as if you don't maintain your underwater oil rig properly, and there's a catastrophic blow-out and millions of gallons of crude get dumped into the ecosystem, you should be criminally liable.
You are welcome on my lawn.
Sometimes nasty angry lesbians marry men for financial and political gain and produce abomination children. I know of one who even suggested to the public that if she didn't care who her husband slept with that they shouldn't either.
And there is the little thing that really skilled hackers do not pull pranks like these and destroy lives. They can earn far more money on the white-hat or grey-hat side without the risks. And once you made sure all the not-so-good to terrible hackers do not get in, you are pretty secure. The reality these days is that even amateurs have a chance to hack well-known sites. That has to stop.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Oh, sure, they might get a little bad PR, and the stock might slip a little. But that asshole executive who decided security was too costly? It's not his data being stolen, and it's not him who has to deal with it.
While I agree with the overall sentiment, in this specific case the hackers look to have grabbed the full source of all the parent companies' websites, and the CEO's emails... which they recently released.
Let's say your law is enacted.
Your wife sees your email address in the dump, and throws a glass of wine at you. $40 shirt: totally ruined. Oh, and she won't have sex with you anymore, ever. And Johnson in Accounting (who keeps his johnson in his pants, whereas you're obviously a total poon-hound) got that $10k/yr promotion instead of you (and the boss admits that you-being-in-the-dump was a factor in his decision). How much does the CEO of AM owe you?
I basically agree with your idea of holding them responsible, but if I'm on the jury, my damages award (so far; feel free to continue the story) is $0.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Lots of people conflating individuals with corporations here.
If you leave the back door open and your customers' stuff gets stolen, you should be liable, criminally and civilly. Just as if you don't maintain your underwater oil rig properly, and there's a catastrophic blow-out and millions of gallons of crude get dumped into the ecosystem, you should be criminally liable.
The situation in this case is more analogous to there being no blow out, but deliberate sabotage. Seriously, you, at some time in your life (maybe even right now) have had under your control at least one machine with a zero day exploit that you did not know about. Should you be penalised when someone actually exploits the ...erm... exploit?
I'm a minority race. Save your vitriol for white people.
What exactly was the nature of the Ashley Madison hack and what indemnification did the providers of the software platform provide to Ashley Madison in the event of a security breach?
It is close to impossible to "hack a computer" via the internet.
You have an interesting learning experience heading your way.
You have a choice, you (the payment card industry) self-regulate, or the government steps in and tells you how to do it.
If you don't like the PCI-DSS, try to imagine what government's version would be.
Imagine if they farmed the spec writing out to a list of likely suspect techy companies who have shown themselves able to create secure specs. They couldn't do worse than PCI-DSS or the government.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Sure, maybe it does indicate something about their personality, but that is neither here nor there. AFAIK this wasn't public knowledge previously, meaning someone went through the effort to find this information and release it against the will of at least one person. Not only is that illegal, but also immoral. It's no one person's place to just find shit about others to smear on the walls. Does that mean cheating/thinking about cheating is okay? Probably not. But stealing this data for a smear campaign is definitely wrong.
Not saying this takes blame off of any of the parties involved, but I think your stance on it is a bit strange.
Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
Thanks for making me think. I tend to agree that this case isn't the best one to provide a clear model of financial liability, because as you eloquently point out, the damage here isn't the sort that gets a sympathetic hearing for financial liability. However there is an expectation of privacy, and that has been violated because the AM site didn't make a decent attempt at security, and for that it deserves to be punished.
A more general case arises over medical data, or data that would enable identity theft. In the case of medical - or indeed legal - data, there is a very strong presumption of confidentiality because that is at the heart of what those professions are about. I need to be able to trust those professionals in order to enable me to benefit from their services. If I'm not confident what I tell my doctor will stay private, I'm liable to edit what I tell him - and end up with the wrong diagnosis. Whilst it may be difficult to identify specific damage from a particular data loss, the overall effect of destroying confidentiality would be very serious. To the extent that this fiasco chips away at that real trust, it has a far wider significance than a 'financial' calculation points to.
Damn right - and let's throw other victims of criminal activity under the bus too, while we're at it.
Unless you have access to some information that I don't about how this hack was perpetrated, we have no idea whether or not it was lax data security, a disgruntled employee, social engineering of a credulous employee, hacking into data backups somewhere, etc etc etc.
The hackers are the ones at fault here. Let's not forget that. First they stole the data, then they attempted to blackmail the organisation into closing down, and then they released the data, punishing - it should be remembered - not the ashley madison site (which I'd never even heard of before, so they're certainly getting some free publicity out of this) but the (largely innocent probably, perhaps guilty only of fantasy and poor judgement) users of the site.
I find it as entertaining as the next guy to see a Christian Right Wing blogger have his dirty laundry aired in public, but remember that the criminals in this situation are the hackers, not the hacked.
I'd say it's not fair to declare fault until we know with 100% certainty that it was in fact a "hack" of some sort. Let's say it was an inside job and a simple case of data theft in the workplace. Even the NSA can't guard against such things (Snowden). Of course you can permission control data, etc. But there is always a small few that has complete access.
Besides, in many countries what you say is already in place. Under things such as the Corporations Act. Directors are held liable for the company's behavior. The problem being nobody prosecutes these laws. I'd go as far as to say that Executives having knowledge of security issues and not acting is negligence in its simplest form.
One of the fun bits of life on the internet is that you encounter people who have such radically different view points from yourself that you go: 'You what?'
The general conclusion of modern society is that 'open marriages' don't work; there really is something about sex that is fundamental to a marriage in a way that can't be proved, but is the general experience, and does tend to lead to early divorce. Certainly one of the problems of the open marriage model is that it tends to be imposed on the weaker partner by the stronger, and is part of their dominance of the other. Beyond that? Living by a radically different moral code is interesting, and may make you some remarkable friendships. However given the complexities of your situation, for the sake of your possible partners, you have a duty to declare this belief of yours very very early in any relationship.
Eating pussy is also illegal in NC. Who cares?
Animal rights activists and cat lovers everywhere ;-)
The same thing could be said of rape and murder. We need to find a way to change the overall mindset towards rape and murder. Not only is it nobody else's business, but nobody should even **care** what some person they're neither related to nor dating is doing.
If someone's murdering someone or raping them, the victim will likely find out one way or another at some point. What happens to the murderer/rapist is up to them. But what your employees, or Congressional reps, or sports/music/theatre idols do in their personal lives including rape and murder, just plain shouldn't matter.
You see, idiot, many victims of both say that being cheated on was worse than being raped. Cheating on someone is worse than raping them -- but you, idiot, think everyone should just giggle and go out for ice cream when cheaters are exposed. You are defending one of the worst crimes a person can commit against another simply because your government's not getting its hands dirty with punishing cheaters like it used to.
Affairs are probably illegal in most states in the U.S. If not all.
Also bullshit. Just a few states still have these laws on the books.
Nope. Adultery is still a criminal offense in 21 states, which isn't quite the "most states" the GP mentioned, but it is nearly half.
Furthermore, such laws are plainly totalitarian, they misplace responsibility, they view a marriage as little more than a property deed, and they elevate particular religions to sources of law.
While I agree with you that criminalizing adultery is a bit ridiculous, that's certainly not the only place where adultery enters law in most states.
In particular, adultery is also used in many states in divorce proceedings as official legal grounds for divorce (where divorce can still happen "for cause," as opposed to "no-fault"), and in most states adultery can be a factor in determining various aspects of asset division, child custody, etc. in a divorce.
In those latter cases, adultery is a symptom of a kind of breach of the marriage contract -- and if you want to get your "particular religions" out of marriage law, then marriage is basically reduced to a civil contract.
That civil contract of marriage has been pretty well understood in most cultures throughout human history to preclude adultery (or at least adultery that is not approved by all parties in the marriage). Even polygamous cultures generally recognize marriage (i.e., plural marriage) as a place for valid sexual relationships to take place. Many cultures have traditionally held women to higher standards of fidelity than men, but the basic idea of some sort of sexual fidelity coupled to marriage is nearly universal among human societies.
So -- given that fact, it seems reasonable to me that there can be legal consequences to adultery, as a violation of a civil contract -- unless the parties in a particular marriage choose to waive that requirement. Though I do agree with you that criminal penalties are a bit ridiculous (though the whole civil regulation of marriage has quite a bit of ridiculous nonsense appended to it).
No small government conservative, nor any other supporter of a free society, could possibly support such a law. The only reason they haven't been declared unconstitutional is that no relevant case has yet reached the Supreme Court.
As long as the government is bothering to regulate marriage, it seems like it has to mean something. That something seems very much in flux these days, but approval ratings for adultery are always ridiculously low -- much lower than even approval ratings for polygamy. Given that SCOTUS tends to mostly overturn laws when they have public opinion on their side (or nearly on their side), I think it's at least possible -- though perhaps unlikely -- that they might still uphold the constitutionality of adultery statutes. And even if they overturn criminal statutes, they certainly aren't going to expunge adultery statutes from divorce law... and nor should they as long as sexual fidelity is assumed to be part of the common law meaning of marriage.
if the data hackers grabbed ak 47s and stormed the colocation facility and ripped out hard drives, then your analogy works. the company is innocent and the hackers deserve full condemnation
Not sure about where you live, but you'd need more than AK47's to storm a colo in Australia. We're a country that doesn't have gun nuts and mass shootings twice a week but even our datacenters are designed to be extremely secure buildings. There will be under 10 windows, windows on the ground floor will not permit direct access to data halls, the glass will also be bulletproof and the place is under 24 hour guard. They are this secure (by law) because of the sensitivity of the data they keep. This is even if you get to the front door, datacenters are surrounded by 2.5 metre high fences and remotely controlled gates.
A datacentre is the kind of building I'd look for in the event of a Zombie apocalypse.
Calling someone a "hater" only means you can not rationally rebut their argument.
More laws?
You people are out of your fucking minds.
Do you see this happened due to legislation shortage?
Mother fucking fuck of all fucks. A world run by lawyers. Who has the lawyer jokes?
If any legislation is to be written about data security.. it should be:
1.0 If you rely on Windows 10 for your data you should be culled for the benefit of the greater good of mankind.
Now pretend you don't understand or that I am implying Ashley Madison was running Windows 10. Pretend you don't get what I am saying. Act stupid. Become a professional actor.
If they were stupid enough to cheat on their spouses on some online hookup site with real information, their divorces are already enough legal system revenue.
They modded you 5, Insightful. Live long and prosper idiots. Marriage is already a joke in the USA. Now somehow this hydra's into we need more legislation for data security and oh by the way also Windows 10 is free. oy vey.
Pay attention to bullshit, and WHO bullshits you.
So I shouldn't care if a child is being molested? Or if someone is being raped? What kind of sick world do you want to live in?
If someone's cheating on a spouse they are doing real damage to multiple people, not only the spouse but the families affected by it. Adultery should be illegal, people should be punished for the serious psychological harm they are willing to do to everyone involved.
In Aus, it's a legal requirement that you fence a swimming pool to secure it from children. I don't care what you do about your own security, but you have a duty of care to anyone you invite to use your facilities.
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light - if the person was parked at a green light, drinking, in the middle of the night, with the rear of their vehicle spray-painted black to hide any reflective markings.
It's not that a hack happened.
It's that a hack happened due to willful negligence and incompetence.
Really? Oops.
I think you overestimate the security of offline life.
The choice is not between using a possibly insecure website vs risk-free means of meeting people.
Ashley Madison notwithstanding, I suspect that the online route is still less risky than other ways you could go about arranging secret affairs.
Furthermore, such laws are plainly totalitarian, they misplace responsibility
As opposed to say no fault divorce where a man or woman can come home and find their partner merrily engaged in a foursome and it has no legal standing? Come off it. You're why marriage is collapsing hard, it has become a contract wherein there are no penalties for acting in bad faith and no matter what happens it's usually the man who gets the shit end of the stick.
When will men stop being treated as financial investments?
"Banks have had people go to jail when they lied about or have not met obligations required by law."
Yes, sir we sure saw that when the last few financial meltdowns happened. Yes sireeee.
thank you for over-analyzing a throwaway analogy and completely missing the fucking point
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If the online payment service appears to the end customer to be on your website, then a malicious hacker could replace your website with a version which harvests credit cards. I realize that PayPal (and possibly Stripe) successfully lobbied for their embedded form service to be excluded from the more rigorous PCI auditing category (forgive the ambiguity, it's been awhile since I dealt with PCI compliance), but that's politics, not security. I wouldn't count on it lasting, either.
That depends. Is the bank insured and can the bank provide full compensation for the stuff lost? If not then yes, they should be in jail.
If the owner of the bank got robbed and their insurance covers them and their customer who entrusted them with things are no worse off, then no they should not be in jail. Their punishment is loss of faith and a lovely little run in with their insurance company.
The analogy extends every which way you want regardless of who or what you replace in the analogy. You drive a car on the road and wreck yourself, boo hoo. Wreck someone else, you better have the money or the insurance to cover them.
No one cares if you punish yourself, just don't punish others.
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light.
If you're sitting in a car and get rear ended you're not affecting someone else. Your analogy is not right.
It's more like rear-ending someone at a traffic light when you don't have insurance or money to cover the damage you've done. No one cares if you lose your car, but if you can't cover the damage to the innocent 3rd party that's when some very strict regulations should kick in.
You're entrusted with others' things then you should be able to compensate people, if you can't there should be very severe penalties.
Oh No No No No and HELL NO.
In a country that tortures women who choose not to wear a Burka, tortures women who think, tortures women who drive a car (anywhere else but the great desert) and whose Brothers committed the "Punk of the Century" by commandeering USA civilian Airliners to crash into the World Trade Towers, The Pentagon and a "gravel pit" in Pennsylvania .... No Fuck'n HELL NO.
DIE IN FLAMING DEATH ass whipe.
He knew he was gay, he knew it was punishable by death if discovered where he lives, and he trusted his secret to a Canadian website.
Is there no part of this story that is the victim's fault?
Ken
hackers deserve full condemnation
The hackers do deserve full condemnation. Whether or not the Ashley Madison hacks were relatively easy to pull off, as in your analogy, or whether they were actually very difficult, is unknown at this point. There seems to be some indication that it may have been an inside job even.
i specifically said the hackers aren't innocent. do you see your prejudice at work in your statement when you go from "deserve full" condemnation... because it "may have been" an inside job? your own words betray your uncertainty while you jump to full judgment
regardless, when you store the sensitive personal information of millions, you have assumed a heavy responsibility. including keeping close tabs on your employees. carefully vetting them, making sure they are happy, and quickly getting rid of them if they indicate malice
the owners of this company cannot escape any culpability here, no matter what the final story
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Good points, but one thing I'll caution on. You can outsource the responsibility but you can't outsource the ultimate accountability. Recognizing that you're not able to handle a particular task is a fine reason to outsource it and this is a perfect example. But at the end of the day, you hired them.
Even with the best indemnification agreement your wife's business will suffer to some degree if there's a breach. It is, after all, your wife's brand first and foremost. If she accidentally sells subpar yarn due to a screwup at her supplier she can't completely wash her hands of the affair when customers complain. Same thing if your PCI vendor lets you down.
With the possible, make that probable...um, make the eventual disclosure on any 'secret' information on the internet, a question arises?
Will certain behaviors continue to be damaging to one's reputation, will the internet increase damage, or will certain behaviors, as we learn they are extremely common, lose their taboo? Example: the other day I heard some interesting person on the radio predict that in 10 or 20 years we will have a President who has a naked selfie on the internet, a selfie they took when they were around 20 years old. Because, such a high % of 20-ish year olds today do that.
I think the answer is mixed, and like Ashley couldn't-keep-it-behind-the-firewall-,eh? some members will be devastated and some couldn't give a fart.
Prediction: eventually there will be a release of the names of millions of women who have had an abortion. This will make the Ashley Madison info release look mild. Thousands of women will suffer damage, such as being fired, when anti-abortion employers or people in Human Resources start mining the lists, for example.
Right. I did a little research that suggested the payment processor wasn't incompetent when it came to security. However the average yarn store owner wouldn't know how to do that.
She can tell bad yarn a mile off though. We already dropped a couple of suppliers who moved their manufacturing to China and the quality dropped. However don't take that to mean all yarn that's been through China is bad. Chinese yarn processors apply the superwash process to some quality yarns.
The card processor is not supposed to hang onto card data, but we have no way of really knowing. There are limits to what you can achieve because you are forced to rely on a number of external organizations (banks, networks, payment card processors, equipment vendors etc.) that you have not much choice in.
If PCI-DSS specs were well architected and written, payment card equipment would be more secure and enable integration with point of sale systems without passing sensitive information through the PoS, thus reducing the attack surface.
If the business grows large enough, we would hire some serious security experts and developers to develop our own secure payment processing. But the business couldn't support it right now and I get paid much more by working as a security expert for a large semiconductor corporation.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
If the online payment service appears to the end customer to be on your website, then a malicious hacker could replace your website with a version which harvests credit cards. I realize that PayPal (and possibly Stripe) successfully lobbied for their embedded form service to be excluded from the more rigorous PCI auditing category (forgive the ambiguity, it's been awhile since I dealt with PCI compliance), but that's politics, not security. I wouldn't count on it lasting, either.
Nevertheless, it's the right thing to do from a practical standpoint. The higher audit levels would require every mom and pop website software to be audited. Encapsulating in a window served from their servers is the right way to shield customers from the mess that is random website design and actually get it out there. If you had the higher audit levels, it wouldn't get used at all and we would have people typing their card data into nasty php scripts written by a friend of the proprietor's daughter.
There is little in the PCI specs that adds to the security of card transactions. These are the same people who've held back the adoption of EMV for a decade and the specs focus on vendor 'process' more than things that matter, like defense in depth system design. We have a shiny new EMV and NFC compatible card reader and it has a big sticker on the bottom proclaiming it to use triple DES, like that's a good thing. Look a bit deeper and it's 1024 RSA for the key agreement and some mode of DES for the transactions. The 1990s called and wants its crypto back. This is written in some software on a microprocessor in the box. I have no way of knowing how crappy that software is, except my years of experience in secure system design that tells me it'll have more holes than Swiss cheese. But it would violate PCI-DSS rules for me to open the box and take a look inside.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
People like Bruce will fill the position with minimum wage and little power to exercise. Bruce would be the fall guy.
Change is certain; progress is not obligatory.
What makes a system insecure? The system integration/networking? The software, especially third party software with its disclaimers about "no liability for implied merchantability and fitness for a particular purpose"?
That is the problem, right there.
If you want to run a secure system, you should not be allowed to use such software on it, period.
True, Free Software is great, and often of the highest quality. But why is there no market for secure software, if we have such a need for it?
Because it matters little if you download your server software from Github or buy it from Vendor X for half your money plus your firstborn son. When the shit hits the fan, both of them will point to some clause in the license that absolves them of any and all responsibility.
To me it smells like Sarbanes-Oxley all over again.
No, SOX is too weak to cover this.
Disclaimer: I was the head SOX guy at a company.
It's patently ridiculous how you can be absolutely compliant with very little effort if you kick out the consultants and put some actual thought and understanding of your business systems into the compliance topic. If consultants designed your compliance, you are almost certainly spending at least twice as much as you need to, and probably ten times. If you get them in only for the testing, you're doing it much smarter.
We need liability, not compliance. That's a different thing.
If I can buy software that the vendor actually guarantees for, and is sure enough in to take liability for, then we are going somewhere.
Worse yet, what about unknown exploits used for which there are no patches?
Software has bugs. But we know how to write software so that it has at least one, possibly two orders of magnitude fewer bugs than the crap we produce every day.
It's just that it's a bit more expensive.
If there were liability, suddenly that equation would change. If bugs cost you actual money and not just the effort of fixing it and a small risk of reputation loss, companies would understand that writing almost bug-free software in the first place is cheaper.
Assorted stuff I do sometimes: Lemuria.org
how corporations have to secure data,
Corporations are trying.
IT is not supporting them very well in doing it.
Our software is shit, our systems crap, our understanding of business laughable. We are not the solution, we are the problem.
Reader's exercise: Customer is requesting a company website, with a CMS system so his PR people can manage it. Build it securely. What are you going to use? List the systems you want to use. After you have selected them (don't read on until you did!) - imagine you did this three years ago. Check how many bugs your selected systems had in this time that could have been used to hack this website.
Would you have accepted liability for any successful hacks on this website? Why not? The corporation wants to secure its data and is even paying you for it. I'm quite sure it's not their interest that makes this fail, but your inability or unwillingness to provide.
Because you can't. Such a system would have to be custom-built, almost from the ground up. And not just the software. The whole management environment, the whole password management scheme, if your customer is a high-profile target, maybe even the hosting and networking. Heck, there are so many BGP attacks that can get that website redirected elsewhere and everything you did on the system was for nothing.
Assorted stuff I do sometimes: Lemuria.org
Sounds like someone's been reading the promotional material. I don't know what part of Australia you live in but I actually work in many Australian data centres and I *promise* you, I could get in without an AK-47. I have personally coat-tailed in to many of them, behind complete strangers, on more than one occasion. I make a game of trying to do just that, in fact - just to see if anyone ever stops me. In all the times I've done that, I recall once that the person in front of me, who I was coat-tailing, actually stopped me and asked me for my ID. Considering he was not even an employee of the datacentre but just a colo customer, I don't know what he could even have done, had I told him to get stuffed.
Many of them would be trivial to break in to, if I didn't care about leaving physical damage behind and the only ramification would be I'd be caught on film (which would hardly be a major issue for someone willing to think it through).
For all the talk about being extremely secure, many are basically if not completely (usually completely) unmanned after hours, many are in normal office buildings in and around the various CBDs and rely on little more than a swipe card preventing you selecting a specific floor from the lift and not having a hammer to break the invariably glass door past said lift (which may be tempered glass but it's still only a couple cm embedded into an aluminium frame, so bullet-proofing isn't going to help, here). There are a handful of higher tiered ones scattered around that do have (a single) security guard(s) after hours but they're usually little more than a concierge.
As with all things in Australia, the vast majority of our datacentre physical security comes down to our national security policy of "it'll never happen, so why worry about it".
I have been in datacentres that house equipment belonging to a certain American company, that starts with "G" and ends with "oogle" and the only enhanced security they had was a yellow mesh around their racks, made out of the same stuff that fails to protect the doors and windows of residential houses from 12-year-olds on a daily basis.
I've been in the supposedly "most secure, tier 3" commercial datacentre in the country and seen the perimeter fence and main access doors propped open by reels of cabling, because electricians doing onsite work didn't want to have to be buzzed in, constantly, while collecting stuff from their vans. I've even had an electrician who was testing onsite UPS hold doors to secure areas open for me, without asking me who I was or if I had access to them (without me even asking him to). Security in Australian datacentres is not quite where it should be.
In general, there's nothing anyone can do who isn't deeply involved in computer security and cryptography, which on average is everyone.
This.
Don't think companies aren't trying. But it's incredibly hard, and one mistake is all it takes and you're owned.
Assorted stuff I do sometimes: Lemuria.org
I actually see this differently. I prefer my politicians to be truthful and faithful in their marriages. If they lie to the person closest to them, how could I trust anything they say to the public? How could I believe they refuse bribes if they cannot refuse sexual advances?
While funny, that is also 100% spot on.
To answer the GP: Because it's none of our business and the people involved should decide what is permissible and what not and what the punishment is.
Assorted stuff I do sometimes: Lemuria.org
Who eats cats?
A stable environment is the best basis to bring up children - that's as clear cut a conclusion of social science as I know of. Marriage should provide a bulwark in achieving that stability. That you seem unwilling to accept the value of stability or the value of marriage towards that stability, I find perverse. That your perception of human nature is so pessimistic, I just find sad.
Underlying society is a set of implicit and sometimes explicit contracts that make the place operate. One of the explicit ones is the terms on which a marriage is entered. Historically there was also an implicit understanding that children would only be born within marriage.
Modern rebelliousness has resulted in marriages becoming less worked at, and the need to get married before children are born has disappeared. The result is a lot of messed up kids. It's also led to an epidemic of loneliness.
We've now arrived at a society where 'personal fulfilment' has become the ultimate good, to the de facto exclusion of all other considerations. A society will fall apart if there is that freedom to do whatever you want without regard to your responsibilities. Bread and circuses may get us through a few more years, but Islam will be along shortly to appeal to those who have had enough. I assure you that that won't be fun...
The bible records a lot of things. That it's 'in the bible' doesn't prove that it's OK. The story of Lot being got drunk by his daughters and then seduced by them (Genesis 19) doesn't give a commendation for their behaviour. There are passages that you can argue endorse behaviour that we can't accept - but this isn't one of them.
i specifically said the hackers aren't innocent. do you see your prejudice at work in your statement when you go from "deserve full" condemnation... because it "may have been" an inside job? your own words betray your uncertainty while you jump to full judgment
Sorry, I don't follow. They deserve full condemnation, whether or not it was an inside job. If it was an inside job, then I suppose in some sense they're not 'hackers', but nevertheless are clearly quite bad people. I don't see what you mean by 'prejudice' in the context of what I said.
Plus, if it was - say - a disgruntled employee, how on earth is it possible to hold the company to account for that? What if he or she hid his or her disgruntlement (quite possibly not a word) from their employer - how is an organisation supposed to operate if they become liable for every bad thing that any of their employees get up to? Which is why I cannot possibly agree with:
the owners of this company cannot escape any culpability here, no matter what the final story
No fault divorce works both ways and can give a man a quick way out if he is being treated as a financial investment or comes home to what you described - no need for evidence, statements etc. Think beyond the juvenile fantasy to how difficult it would be to deal with the reality of the word of four against one or possible physical violence, plus ongoing drama of multiple people being dragged through legal proceedings that are likely to not get to court for a year or longer in many areas. Life is not TV. Accusations and counter accusations really fucked things up for a lot of people back in the day and the juicy bits used to end up in the papers - bad idea all round even if the person who the accusations stick to the most gets the shit end of the stick, and guess who that normally was even if the wife was the only one who was actually playing around?
Complain to your local representative if the judgements are unfairly skewed where you are. If you are old enough to vote they will take some time to listen. It's probably far less skewed than back when fault was required and an unproven suggestion of wife beating was all it needed to give the man the shit end of the stick.
Ok, now the posts about the puppies are making a bit of sense.
Disagreement becomes hate whenever you're dealing with an extreme leftist. Don't gulag me bro.
No fault divorce works both ways
Gosh maybe that's why I said "a man or woman" above. So having set up that strawman you proceed to tackle it with all your might.
can give a man a quick way out if he is being treated as a financial investment
You really have no idea what happens to men in the family courts, do you. I mean this comment is flat out nonsensical.
Accusations and counter accusations really fucked things up for a lot of people back in the day
And they still do, especially when it comes to children. Seriously you've no idea what you're talking about here, so I suggest you educate yourself before sticking your oar in.
No it's just become very clear that you are quite young - nothing about disagreement since the other posts were just about stuff you had missed not about opinions.
Oh you mean stuff you made up and assumed without bothering to find out first? You realise you can still have divorce on tap while applying penalties in separation proceedings for things like adultery, male or female? As it stands many of the assumed obligations in a marriage (and do not start accusing me of gender role enforcement for pity's sake, that's not what I'm referring to) have little to no legal standing which to my mind isn't simply unjust, it's bad contract law.
"Does an anecdote prove a thesis? No, but it can disprove one."
Whilst a persistently recreatable test tube based experiment will disprove a thesis in 'hard' sciences, in the social sciences, the best that is on offer is a degree of correlation: this pattern of behaviour is associated with more positive outcomes than this pattern. It's on this basis that the claim that marriage acts as a bulwark for family stability is made - there is a marked propensity for married people to stay together, thus providing kids with the stability they need - whereas there's a propensity for the unmarried to split up. Now there will be exceptions - and the fact that you can show an example of an unmarried couple staying together is good to hear - but it doesn't disprove the thesis.
Alienation of affection laws misplace responsibility because the third party with whom an affair is conducted is held financially liable, even though personal responsibility lies with the unfaithful spouse.
I get that you want the government to protect you from your own bad decision making and inability to form meaningful relationships, but such things have no place in a free society.
.: Semper Absurda
As long as the government is bothering to regulate marriage, it seems like it has to mean something.
I think that's pretty flimsy, but the shocking thing about the 'alienation of affection' laws under discussion is that they hold the third party liable, essentially for 'stealing' the (historically female) spouse, who is themselves viewed as a piece of property with no decision making capacity. That's the definition of marriage the government is supposed to uphold using force of law?
.: Semper Absurda
I'm not in favour of holding third parties responsible, they didn't sign anything, although I can see how my comment might be construed as such. Given that mutual fidelity is an assumed if not explicit part of the marriage contract, why shouldn't adultery factor into divorce proceedings? Nice touch with the whole "it's your fault if your partner cheats" thing though.
Assuming contract law is the same is one example. I'm not accusing you, just attempting to enlighten you a little bit in both cases but those jumps to conclusions based on tiny bits of the picture are a bit of an impediment.
The one thing you can't accuse the law of is being biased against women.
Lawyers familiar with the application of the law disagree with you, but even if we stipulate the extraordinarily dubious idea that men have no advantages over women in our legal system, alienation of affection laws arise from common laws which were explicitly or implicitly targeted against women, who were/are viewed as nothing more than property with no decision making capacity. That's why the laws hold the third party financially responsible.
.: Semper Absurda
And that's if you can afford insurance (and perhaps legal representation), police take your complaints seriously, and the lost property doesn't severely affect your life.
Getting robbed sucks no matter what, but imagine how bad it would be if you were poor and lost something critical to your career.
.: Semper Absurda
So, if this wasn't a theft of PII by network hack, but instead a physical break-in/raid resulting in the loss of all paper files, should all the executives still be on the hook? Say, if Ashley-Madison operated before the internet age, where customers visited an actual brick and mortar location and filled out paper forms, rather than electronic. Should a physical store be required to be Fort Knox before executives can be considered blameless for a breach?
Given that mutual fidelity is an assumed if not explicit part of the marriage contract, why shouldn't adultery factor into divorce proceedings?
No one has said that it shouldn't in this thread, which was about so-called alienation of affection, and by extension the criminalization of adultery (and government enforcement of civil/financial remedy) rather than the bearing of adultery to divorce proceedings.
Nice touch with the whole "it's your fault if your partner cheats" thing though.
I first explicitly wrote "responsibility lies with the unfaithful spouse." Then I only implied that the other spouse could share some responsibility as well. As you say, the third party didn't sign anything.
.: Semper Absurda
Your vast ignorance on these matters is best highlighted by your comment "No fault divorce works both ways and can give a man a quick way out if he is being treated as a financial investment", which of course followed the passive aggressive personal attack and was followed by continuing diminutives in a desperate attempt at damage control.
I guess I'm done here.
If someone's cheating on a spouse (and the spouse does not approve of extramarital sex)
If they do approve, is it still cheating?
Have you ever seen a storage contract? They almost always disclaim any possible risk including burglary, fire, and natural disaster.
My stance is that the people using that site should have known better and I have little sympathy for them, playing with fire and all that. Was the hack illegal? Sure, and also inevitable at some point. I never meant to imply that it was OK in itself. I do think, however, now that the cat's out of the bag, that there's nothing wrong with searching it and possibly acting on the results of that search. Maybe two wrongs can make a right at this point?
This would be unworkable, or rather would be socially impossible.
Companies cannot and will not do business online if we hold them responsible for every security flaw in all software they run. Let's assume some brave company wants to do any business online (take orders, have customers and whatnot), they would have to have the technical knowledge to write (or be able to audit and completely and fully understand) every line of code of all software in their infrastructure from BIOS to OS on servers workstations and even appliances like network switches and then be able to fix it as any one of those could have a flaw that would allow an attacker access. That would be like demanding in order to own a car you have to be able to build one from scratch with all embedded systems too. It is completely infeasible. And would likely lead to lots of proprietary solutions as if you are completely secure and your competitor is not, hey that's an advantage.
What would probably work best is have a set of guidelines or standards. Patching known vulnerabilities within x days. Not running out of date systems. Securing user information with appropriate security and whatnot. Not storing plain text personal information. And then fine any company that doesn't do this massively. We are at a point where the cost of doing things reasonably properly should be cheaper than the fine and would hopefully make companies do it.
There are tons of 3rd parties to handle this sort of thing for small companies as well
you refer to hypothetical situations, yet you are willing to give the hackers 100% of the blame already
why are you so quick to rush to relieve the owners of any blame? you have an agenda and a prejudice. you have recused yourself, you have lost all credibility to properly allot blame
and if you say i am the same, i was the one saying the hackers are not innocent, before you jumped in with your prejudice and curious desire to deflect all blame from the owners
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Yep, the only thing tougher laws will do is increase the punishment for the intern who loses the blame lottery.
"The wisdom of the Patriarchs was that they *knew* they were fools." --Master Foo
With the exception of a few horrendous examples of gay people fearing for their lives, I'm not aware of danger of PHYSICAL attack as a result of this fiasco. And if you were in the slightest hearing me as suggesting that would be good thing, then I've got it badly wrong.
But suppose this hack had been of the identities of people watching child pornography? Wouldn't the reaction from the majority have been far more negative? Instead of a mixture of embarrassment and tittering, the people exposed would have been excoriated by wider society. And yet, it is arguable, that a WATCHER of child porn is less destructive to real children - especially if that porn is CGI generated - than an adulterer who destroys a family.
To my mind it is appropriate to challenge BOTH these behaviours to a substantial extent. Yet in practice the adulterer tends to be easily forgiven, whilst the child porn viewer is held up to public rejection for ever more. How would you react if a friend of yours got sent to prison for watching child porn? And how would you react if she got caught in flagrante delicto with another person?
Ultimately it's all about WHERE we draw the line, and why. Everyone draws the line somewhere: Overt racism will probably get you booted out of most circles etc etc. I think the adulterer deserves the same treatment as a racist. YMMV. But to dismiss my treatment of an adulterer as the behaviour of a lynch mob but condone similar treatment for an overt racist shows a failure to think. Adults are expected to think - that's why they let us vote...
"You can't hold someone responsible for being hacked"
And if it were a complex exploit or a zero-day, maybe. That's like getting robbed in a fancy movie when the thieves rappel in through the ceiling and use special tools to disable the motion detectors and open the vault.
But in these cases it's more often than not just due to being lazy and cheap. I can't find the exact article, but basically it sounds like they had internet-exposed network devices with default passwords. Basically, their security was a back door with a cheap lock, a motion-detecting lamp, and a safe with a combination of 1-2-3-4. Stupid shit like that just shouldn't get a pass.
Yeah! Let's execute employees when shoplifters take stuff!
You fucking tool.
Legislation made in the heat of the moment is always a good idea.
Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
This may seem like a moot point but I would think it's the thief's fault your stuff got stolen.
Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
If the management removed all the locks from the doors to save money and get bigger bonuses YES they should be on the hook. You, and the other people, keep ignoring the negligence which results in these massive hacks.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Brilliant video (20 minutes), absolutely must-view for anyone riding the moral high ground here:
http://www.ted.com/talks/esthe...
Assorted stuff I do sometimes: Lemuria.org
And that is the root cause of this whole situation. We need to find a way to change the overall mindset (especially in these here Unitee States) towards other people's personal sexual congresses. Not only should it be nobody else's business, but nobody should even **care** what some person they're neither related to nor dating is doing.
If someone's cheating on a spouse (and the spouse does not approve of extramarital sex), the spouse will likely find out one way or another at some point. What happens to the couple is up to them. But what your employees, or Congressional reps, or sports/music/theatre idols do in their personal lives including sex, just plain shouldn't matter.
I agree with your larger point, other people's sex lives are none of our business. Unless they make it our business. If a Congressman campaigns against homosexual activity and then gets caught engaging in homosexual activity, that is our business. The same for so called "Family Values." Anyone making claims to some sort of puritanical ethic and trying to force that ethic on others.
Basically, anyone vilifying other people for their personal activities is fair game.
Some privacy policy Slashdot.
So if you are eating pussy right now in North Carolina, drop it and move away from the pussy slowly.
Does that include US Government employees? If so, half of Obama's Cabinet would be in jail now.
Not that they shouldn't be anyway.
not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, ................... .
This is almost interesting -- if we look at the Pile of Stuff that is WindowZ the need to install patches is astounding. The need to run an anti virus add on is too obvious.
One dog in the yard called Windows 10 may act like a government forcing a home security update process on ya.
We can debate what could go wrong but for the vast farms of attack bots assembled around the globe and under control of random bad and "good" guys the move we are seeing with Windows 10 may help.
Nothing keeps companies and agencies like the State Department from doing bad things. There is a hook to allow a company to take charge of the update flow....
But yes, we are mandating health care in the US and via proxy software vaccinations.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
One reason why you don't hear about many people being jailed for SOX or HIPAA violations is that the people in question typically don't want to be jailed. They tend to do whatever they have to to avoid being perp-walked out of the building.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The message is be responsible for your own actions and their consequences. He did all that knowingly. He's just sad that he got caught. Now man up!! (No pun intended)
Some corporations are trying today, but this comes after decades of cost cutting at the expense of the customer. People quickly forgot about the Melissa virus and how it killed companies.
Executives tend to make the decisions which make them and their companies the most amount of profit and maintain customer content. That last part does not imply that the company really gives a shit about the customer's data, but may worry about continued revenue from a particular customer.
Without the Guardian, Intercept, and other uncontrolled media sources you might not have heard about the AM breach.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
The idea behind corporate liability is that boards of directors are supposed to hire executives who aren't going to trash the company. Unfortunately, it's pretty clear here that boards are typically delinquent in their responsibilities to shareholders, giving us CEOs who are serial company-killers and obscene executive compensation.
The problem with monetary vs. criminal penalties is twofold. First, we can levy only monetary penalties on corporations (up to and including bankrupting them, which is the closest thing we'll get to a corporate death sentence). Second, to inflict criminal penalties on a person, we need evidence showing beyond a reasonable doubt that that particular person did some specific illegal thing. We usually don't have that in cases of corporations committing crimes (and we tend not to prosecute when we do, a different problem).
In this case, we have a company that kept personal information and had it revealed, ruining people's lives. They can sue for damages, but who do we convict? I'd be willing to bet that nobody in the company did anything specifically illegal in handling personal information, but that top management demanded results with low costs, basically excluding security, and the workers did what they could with the resources allocated.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What you'd get is companies being unable to keep private information, or mass resignations. It's possible for a company to make security a priority and still be hacked into. The hackers have to outsmart the security guys only once. Nobody qualified for CEO or BoD is going to want to take the risk of imprisonment for something they can't directly control.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
True, there is a history of legislation introduced in a rush going horribly wrong. OTOH, unless an incident occurs, legislators are unlikely EVER to act. Actually the prospect of a successful group litigation might concentrate a few minds as much as legislation; a few shareholders asking 'Is the CEO confident that the cyber security of your firm is adequate' might then concentrate minds. Certainly it's got the subject publicity!
And, don't forget, the new law will not apply to members of Congress.
You have an interesting learning experience heading your way.
No, I haven't :D E.g. my computer is behind a router (which implies firewall, which implies no one from the outside even sees it, next try?)
Or you have a different interpretation what the word "hack" actually means.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
(and we tend not to prosecute when we do, a different problem)
But maybe that's actually the big problem. Like I said, I'm not a lawyer, certainly not one expert in this field, but the general perception that I have (and I think that the public has) is that if I were a CEO, I could order criminally negligent actions by my company, have a paper trail detailing my orders, and still nothing bad would happen to me. My company might get fined, but in my worst-case scenario as CEO, I'd probably walk away with a golden parachute.
From the things I've heard about, I almost feel like... If I dumped poison into someone's drinking well, and they die, I'll get charged with murder or at least manslaughter. If I'm a CEO and I knowingly order people in my company to dump poisons into the ground water, thereby poisoning a bunch of wells and 30 people die, then my company settles for several million dollars and I walk away scot-free.
Now, that might be a problem with enforcement rather than the law on the books. Or it might actually be a problem with perception, with how these kinds of disasters are reported, and that I'm not getting a clear picture. However, somehow, something's wrong here, and it seems like it's important to fix it.
I'd be willing to bet that nobody in the company did anything specifically illegal in handling personal information, but that top management demanded results with low costs, basically excluding security, and the workers did what they could with the resources allocated.
Well whether someone did something "specifically illegal" is very dependent on whether there's a law against it. If I leave a bomb in a school playground, whether that action is "specifically illegal" is a question as to whether there's a law against that, but that shouldn't stop us from asking whether it should be illegal. So part of what we're talking about here is not just whether the people at Ashley Madison have done something currently specifically illegal, but whether they did anything so reckless that it ought to be illegal.
I don't particularly know the answer to that. I don't know all the details about how this leak happened, what the laws are, or what the laws should be. However, I do have a feeling that when something like this happens, there should be a government investigation that determines whether there was some wrongdoing that led to the leak. And further, if there was wrongdoing by an individual, I don't think they should have some kind of individual punishment.
I love your naive optimism. Hope it works out for you.
Actually, the law is almost always on the storage facility's side. In general, the facility is not responsible for your items, assuming reasonable precautions are taken. You should carry your own insurance (through the facility or outside insurance), because the facility's own insurance may only be liable for the buildings themselves.
As has been pointed out to me though, there apparently was little to no security for the Ashley-Madison breach, which is much like a storage facility with no fence, no secured access, and no provision for you to even attach your own lock to the door of your unit. I don't think any judge would absolve such a facility of responsibility for such a lack of security like they would for one that took reasonable precautions against theft.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system,
They take credit card data so yes they are REQUIRED to have security in place. So yes they MUST.
Develop some NIST definitions for overall information security postures. If companies then want to claim they have a 'Double plus good can't hack me bro' rating there is a way to prove that.
Not only are there NIST standards already in place but also PCI/DSS standards they were supposed to follow.
As bad as they got hacked they didn't follow these standards so yes the bastards should go to jail for being non-compliant. Somebody swept their vulnerabilities under a rug and now they're screwed for not fixing these vulnerabilities before they were hacked.
I pen test for a living; you would be surprised at the lack of security I see in order to save a buck on a company's P&L statement. Especially WITH BANKS. The truth is your money is safer buried in the back yard.
Yes, it does, rofl.
As you simply don't know the difference between hacking and getting "infected" the learning experience is up to you :D
If you want I give you my IP address and guest log in on my computer, then you can happy hack away to "own" it ... good luck.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
This statement
the owners of this company cannot escape any culpability here, no matter what the final story
Is plainly unsupportable. The key part being no matter what the final story.
The owners may be to blame, they may not. It would depend on what the final story is, wouldn't you say?
Because infidelity, lying, and cheating should be protected by LAW, damn-it!
Or perhaps that bit about all other powers remaining with the states and the people. So yeah, completely constitutional at a state level.
On a side note -- it's pretty stupid to call these guys "Victims". They chose to do what they did -- being exposed does not make them a victim.
Actually, no.
They are holding their own stuff. Namely - their customer list. This list does not belong to the customer, the customer does not lose anything (other than anonymity in their deceit). This is neither personal property nor intellectual property. It's just sunlight being shone where they don't want it.
So what was violated?
Nothing.
They had a privacy policy that stated they would not share your personal information.
They didn't. It was stolen by an outside entity that has already demonstrated the ability to expose much more "secure" operations.
They never held the property of the customers.
The closest thing you could come to with that would be credit card information. But that's already protected by the credit card fraud dept.
Nothing to see here, except a bunch of scumbags getting caught (quite literally) with their pants down. But sure, call them "victims".
I'm sure they had no idea that they were actively cheating on their spouses.
Why don't we just instead make cheating on your marriage partner punishable by death.
I agree 100% with your suggestion.
Don't fornicate. Seriously, just don't do it.
And why do techbro libertarians really not take the time to think their statements through?
It's perfectly thought through. Biggest problem with the free market is the imbalance of information. If everyone had perfect information then we would need almost no regulation of the market place at all. We could all make great decisions all the time.
So Yes as a "techbro libertarian" disclosure requirements are one of the few types of regulations I'd be willing to support.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Social Engineering. Stupidity. Lack of training. There are plenty of ways of making a system secure technically, but even if you do all that, it's the squishy parts that can throw a wrench into the gears. Lock everything down? Too much and it is impossible to do anything useful, and people will find ways around it that open you up to risk. Heck look at Snowden and the CIA or Bradley with the Army... Give someone access who believes they have sufficient cause, and no matter what you do, you can't protect against it. Who watches the watchers so to speak. Heck if your sysadmin was in there trying to fix some data issue, suddenly finds his wife's name in there... well he might have a change of heart about the kind of work he is doing and decide to do something rather rash...
"Adequate data security stops all but the most skilled hackers."
And if the person already has access... Say a sysadmin that randomly finds his wife's name in the DB, confronts her, has his life ruined...
Erm... You didn't exactly post as AC you realize...
>The world has changed. Women are no longer viewed as property.
Perhaps women aren't. But men are. As very disposable property.
when you control the delicate personal details of millions of people, you are held to a standard far and above that of a corner deli manager managing shoplifting
the owners are not going to get 0% blame, ever. you provide top notch security. or heads roll, period. it's not as deadly as a nuclear power plant, but that's more the direction you should be thinking in terms of security, way way above and beyond this "bad guys do bad things, oh well (shrug)" bullshit lack of proper accountability you are trying to push here for some retarded reason
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
AM is actually a good example.
With the data analysis coming out now, it becomes clear that not the fact they couldn't keep customer data secret will damage them, but the fact that the data reveals their shady business strategy (for example that almost all the women profiles are fakes or inactives).
Many companies have skeletons like that in the closet. You think Facebook or Twitter user numbers represent actual, active users? Of course not. If the true numbers were reliably exposed, their customers (advertisers) would not be willing to pay prices based on the inflated numbers anymore.
Assorted stuff I do sometimes: Lemuria.org
If an executive ordered the dumping of poison into the ground water, and this came out, the executive could be prosecuted. However, they're very good at providing insufficient evidence for prosecution. If they order poison confinement systems, and don't budget enough for good ones, who's legally at fault when one leaks? (Gold mines are an example, as they tend to leave a lot of cyanide on site.)
With Ashley Madison, to convict an executive, we'd have to find something specifically illegal the executive did. If we're speculating on what the law should be, we'd have to figure out what sort of law we'd like in place, that would make it possible to convict the executive but not endanger people who were trying to follow the law. I don't have any good ideas for such laws.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
My vast ignorance? Sorry kid but the obvious is obvious here. Not noticing the silly hugo political games as they are and not understanding the implications of your suggestion above indicate not being on this world for long.
FaceBook is Stasi 2.0 - Stasi being the acronym for the former Eastern German "Staatssicherheit" https://en.wikipedia.org/wiki/... // The smart thing with FaceBook is: you don't have to pressure people into telling who their friends are, who they meet, what they read, what they think, and so on. People provide the data by themselves.
It seems like search engines should only provide very specific data to specific queries or general data (don't name names) in response to general queries. cheatmaps.com just returns the number of paid users on a given street, for example.