If it sounded like I was saying Wikileaks was solely responsible, my apologies, but to argue that they did not, at the very least, is being biased. I am also not saying the US is diabolical, so please do not put words into my mouth. The US government has done some things to be very ashamed of, but they have also done a lot of great things too; credit where credit is due, criticism where it is warranted. What they have done to someone that has not been convicted (yet) is wrong. Do you believe Manning has been treated properly?
I apologize for putting words in your mouth. Having gone through this song and dance every time Wikileaks is mentioned or anything can remotely be used to mention Wikileaks, it all starts to sound like the same tune with the same singers. That isn't fair to you.
I completely agree that criticism should be placed where warranted and, in fact, nothing is above criticism. I'm inclined to believe that there is plenty of criticism for both Wikileaks and US officials.
Has Manning been treated properly? I honestly find that hard to say. I know I wouldn't want to be him right now. But I also know that military environments are completely alien to civilian life. What is completely sane within a military context can seem insane in civilian life. Add on the fact that he is suspected of a massive security breach and likely to be on suicide watch, and I have a hard time determining if the reports of his situation are unduly biased.
Whether it was Manning or not, whether the information was known already, the effect (according to Amnesty and other organisations, btw) has been, at the very least, to start the ball rolling. It was news of the corruption in Tunisia that opened the floodgates.
Your argument that it would have happened anyway cannot be put to the test. Are you trying to say it was coincidental that the Wikileaks information came out just before the uprising started?
I'm saying even if Wikileaks offered the spark to get the fires going, we shouldn't ignore the fact that the situation was intensely volatile beforehand. People keep pushing Wikileaks as delivering massive revelations but when I dig, I find that many of the revelations just aren't there. What Wikileaks did do is capture imagination. Which alone might be enough to ignite a spark of revolution.
A statement like "But he did achieve fame. And on that note, he has managed to be on par with the latest cast of The Jersey Shore." exposes a closed mind that has already tried and convicted him. Surely he deserves a fair trial (which I doubt is possible given the statements from even the President and comments such as the one you have made) and humane treatment.
I agree that putting Manning on the cast of The Jersey Shore would be inhumane and I only mention it in jest. My mentioning Jersey Shore is an expression for disdain over Manning's supporters and a rejection that he should be seen as a hero. I'm not entirely sure that invoking so-called reality TV is an announcement of guilt.
Manning does deserve a fair trial and I hope that he does get one. If he is innocent of the charge, I hope the poor guy gets off, gets out, and fades into obscurity to continue his life as a free man. If not - I hope he is convicted accordingly (I would be against capital punishment as I don't agree that we are in an actual state of war).
This is a real stretch of terms. Wikileaks and Anonymous are doing considerably more than setting up stand-alone, uncontrolled networks. If the Government ever manages to prosecute members from those two groups, it won't include accusations of knowing how to set up WAPs in ad hoc mode.
Is likely to??? Are you saying he is not already suffering whether guilty or not? The conditions he was held in from July to April were cruel and spiteful to say the least - this is before being convicted (a formality I suspect, regardless of whether he is guilty or not).
Fair point. I must admit, I was thinking long term and overlooked the fact that he is already experiencing just the beginning of what life will be like for him if convicted.
I have heard the doom and gloom stories regarding the release of this information, but from what I can see, the aftermath seems to be a spring cleaning of oppressive regimes; it appears to be a bit cheaper than it has cost / is still costing to remove Saddam.
If Manning is responsible, perhaps he should get a medal - unless the U.S. government wants these thugs to stay in power.....
This is old ground. I find it rather disingenuous to treat Wikileaks as the sole fount from which freedom in the Arab states sprung. I would even go so far as to suggest that this was going to happen with or without Wikileaks. Otherwise it opens up some rather interesting questions as to exactly when US-sourced information is credible, when it isn't, and how easy it would be for the supposed diabolical US Government to manipulate the world.
And that doesn't even touch on the fact that Manning exposed no smoking guns. He provided no evidence of horrific crime and provided little insight to anything that wasn't already reported or known. Manning deserves no medal for putting his own freedom on the line for, in the end, not blowing any whistles. But he did achieve fame. And on that note, he has managed to be on par with the latest cast of The Jersey Shore.
Nonetheless - here and now. Today. We can build stand-alone networks. We can encapsulate our traffic in strong encryption. We can do many things on our own without Government grant. And while there are various bureaucratic hooks that might, possibly, be employed in some dystopian future... that isn't today. If anything, the systems that are being put together by Government contractors are likely to be little better than anything we can put together ourselves today (budgets and frequencies aside).
Yes. Very good. That's a link to a story about the Pentagon's statements. Nowhere in that entire article does it support the concept that a stand-alone network is an act of war. Feel free to provide a quote if you disagree.
Having the freedom to communicate does not mean you are without responsibility for what you communicate. Wikileaks is a great example. US Gov't officials are not happy about the various leaks of confidential information being discussed openly in the press. But not a single Congressman has stepped forward to dismantle the US press. Manning, however, is likely to suffer for his actions if, in fact, he is the leak.
Please show where NATO described establishing an isolated network as an act of war.
The hyperbole around this "act of war" meme is amazingly dense. NATO simply pointed out that espionage in the digital age was just as much a potential act of war as espionage in the analog age. Granted - my concern is the difficulty of accurately identifying the actors of any given attack and therefore an accurate portrayal of an "act of war". But that is a far cry from screaming "act of war" whenever Government and computers are mentioned in the same sentence.
Here in the US, we have plenty of access to the tools to do this exact same thing (or at least achieve similar general concepts). And, in fact, these sorts of projects have been ongoing for decades now. There are those who raise eyebrows at these sorts of things and mumble and grumble about how dark and scary they may be. But they can and have done little to prevent it.
'Think back to when you were a kid and your parents dropped you off at the library,' explains Agger. 'In the children's section, the only "inappropriate" stuff to be found was Judy Blume's Forever, which someone's older sister had usually already checked out anyway.
This is the entirety of the issue in two simple sentences.
First is the fact that the library section is managed by humans. It is not collected programmatically. It takes human intervention to select titles for this unique collection. This is something that Google either simply does not do or tends to avoid. Google's selections are handled by infamous algorithms that, while generally effective, are not without error or immune to manipulation. It was Yahoo that, over a decade ago, hired librarians to try to catalog the web.
Secondly, even with human librarians making selections for the library's children's section, mistakes and interpretation come into play. Is Judy Blume's Forever appropriate? All the controversy over this particular book highlights the indistinct boundaries of determining the "appropriateness" of material. And the fact that the article's author even raises the spectre of controversy over this particular book highlights the difficulty in managing even a small, distinctly controlled environment, much less anything as vast and fluid as Internet content.
Your links are nice background / support. But they're hardly read as well. Sure - one can hash out the details via the wiki link. But I could see those details being missed without the narrative. So in this case, I would say the blog entry added something to the story unlike some blog entries we see that are simply re-hashing other blogs without adding anything themselves. If I had written the submission, I would have picked the blog entry as the primary link with your wiki link as supporting. If I had to pick one, I'd go with the blog entry. YMMV.
Wait a second - are you implying just having the ability to copy a file does not imply ownership? So then, maybe having a USB cable and a basic understanding of filesystems does not make ownership. Of course, someone also not having "immunity to the ridiculous paranoia that runs around places like Slashdot" might not understand that.
Yeah, I agree that they need to be more forthcoming with detailed info. I was just defending that they are not untrustworthy as the previous poster had indicated.
I would argue that not being forthcoming with detailed information concerning the effectiveness of your product(s) has a major impact on how much one can trust a security company.
Though really, it is well understood how the system works and what information could potentially be compromised on their systems.
The devil is in the details. Compromise of seed keys means something very different than compromise of source code for a SecurID authentication appliance (as examples). There is all manner of potential but exactly what happened is important to determine the impact. Speculation is no substitute for facts.
If you can monitor someone's connection, you could gather their token and then run that timestamp against the known tokens to identify the pairing, granted you need to be able to MIM attack it, but it does raise my risk assessment by multiple orders of magnitude.
Agreed - this would mean a significant degradation of the product and expose it to a major attack scenario tokens are supposed to be thwarting (keyloggers). And again... this is why detailed information is important where generic assurances and best practice lists are no substitute.
I really own my kindle books, but that's because I have a USB cable, a basic understanding of filesystems, and an immunity to the ridiculous paranoia that runs around places like Slashdot.
Oh. I see how this works. I own my eBooks too because I know how to use bittorrent. After all - being able to acquire a copy is ownership, right?
Or to make it simpler, just make some nice OSS apps that destroy Google's lockdown on Android so that we who pay $70-90 a month for a 3G/4G cell plan (individual, not family plan) can rightfully use the service we pay through our teeth for ?
The irony to this question is that Google has done a lot to subvert the normal lockdowns that had been a staple of the US wireless telecom industry.
In fairness to RSA, they did release updated best practices to their clients right away and had reason to believe (accurately) that the attackers were interested in the defense industry specifically, so they focused on fixing that first. Really, as long as you lock your system down if someone starts using the wrong RSA token with the wrong username repeatedly, then the chances of an actual penetration are still pretty minimal, at least for any sizable key-space.
The "updated" best practices is just a rehash of normal best practices. Meanwhile, customers are in the dark as to what exactly is the threat they're dealing with. I suspect you're right in your description of the threat. But the problem is that it remains pure speculation. We just don't know. A security company should not be leaving their customers to speculate and second guess when they do, in fact, have facts available to them. RSA and their customers would be in a much better position if RSA would have simply stated what the compromise was and provided analysis on what they think that means to their customers. RSA's attackers likely already know.
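The lockout the previous comment relies on ("lock your system down if someone starts using the wrong RSA token with the wrong username repeatedly"), as an added example that is not code from the thread or from RSA: it scans constructed authentication log lines and flags users whose failed passcodes trip either of two assumed windows, since attempts spread out over time slip past a burst-only threshold. The log format, the field names and the thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <user> <result>").
# This is not real RSA Authentication Manager output.
SAMPLE_LOG = """\
2011-06-01T09:00:01 alice PASSCODE_OK
2011-06-01T09:00:05 bob PASSCODE_FAIL
2011-06-01T09:00:09 bob PASSCODE_FAIL
2011-06-01T09:00:14 bob PASSCODE_FAIL
2011-06-01T09:00:20 bob PASSCODE_FAIL
2011-06-01T09:00:25 bob PASSCODE_FAIL
2011-06-01T09:05:00 carol PASSCODE_FAIL
2011-06-01T09:30:00 carol PASSCODE_FAIL
2011-06-01T09:55:00 carol PASSCODE_FAIL
2011-06-01T10:20:00 carol PASSCODE_FAIL
2011-06-01T10:45:00 carol PASSCODE_FAIL
2011-06-01T10:46:00 alice PASSCODE_OK
"""

# Two assumed lockout rules: a burst rule, and a slower rule that catches
# failures paced to stay under the burst threshold. (rule name, max failures, window)
RULES = (
    ("burst", 5, timedelta(minutes=10)),
    ("slow", 5, timedelta(hours=2)),
)


def parse_line(line):
    """Split one log line into (timestamp, username, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result


def lockout_candidates(log_text, rules=RULES):
    """Return {user: (rule_name, timestamp)} for every user whose failed
    passcodes reach a rule's limit inside that rule's sliding window.

    Successful passcodes are ignored rather than resetting the history: once
    a token's seed is known, a correct passcode is exactly what the guessing
    is trying to produce, so it must not wipe the evidence of the attempts.
    """
    # Per user, per rule: a deque of failure timestamps still inside the window.
    history = defaultdict(lambda: {name: deque() for name, _, _ in rules})
    locked = {}
    for line in log_text.splitlines():
        ts, user, result = parse_line(line)
        if result != "PASSCODE_FAIL" or user in locked:
            continue
        for name, limit, window in rules:
            q = history[user][name]
            q.append(ts)
            # Drop failures that have aged out of this rule's window. The entry
            # just appended has age zero, so the deque never empties here.
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= limit:
                locked[user] = (name, ts)
                break
    return locked


if __name__ == "__main__":
    for user, (rule, ts) in lockout_candidates(SAMPLE_LOG).items():
        print(f"lock {user}: '{rule}' rule tripped at {ts.isoformat()}")
```

On the sample, bob trips the burst rule in 25 seconds, while carol's five failures, spaced 25 minutes apart, are only caught by the slower window; alice is never flagged.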
No more interesting than the old Cold War days. Espionage has always had the possibility of being called an act of war and "cyberwar" is no more than espionage in an environment with new tools and a low barrier to entry.
Keep in mind that the story is almost entirely speculation. Something happened at Lockheed. That's all we know.
The real badness is that RSA has not been very forthcoming about the incident. This opens up the kind of speculation we're now seeing with LM, L-3, and even Northrop Grumman (though they say they jumped off SecurID shortly after the RSA compromise).
Just to muddy the waters a bit more... LM is re-issuing SecurID devices.
This is the culture of Texas. I remember a high school pep rally where the school's football coach had a big announcement. He noted that the stadium was being re-surfaced with the help of state funds and the tireless work of the sports program boosters' club. Everyone knew about the work put in to get this project off the ground. But what everyone didn't know - and the big announcement - was that some particular boosters went the extra mile and managed to bring in an additional round of funding that would see the surface as being not just any artificial turf but gen-u-ine name-brand Astroturf. Cheering rose up and the stands thundered, as is the way of pep rallies. I wondered how much money could have been saved going with the original surface and what other school programs could have benefited from the difference.
I haven't read the book myself, but it seems that Friday Night Lights does a reasonable job at portraying this culture. I'm amused by this as the season covered in the book is one season that I remember my school playing against the team followed by the book.
It gave her her five minutes of fame. In the modern world, that amounts to basically having six billion stalkers.
That and she's undoubtedly provided plenty of digital footprints for six billion stalkers to follow, categorise, and trade. That's right folks. You are safe within your "social media" fix because, after all, nobody would ever be interested in you.
I wish more GNUtards understood this. People have standards - they don't want to have to "live" with an inferior experience when compromising yields great benefits, particularly if they gain very little from sticking to the inferior option. It's just how the computing experience is at the moment.
The irony is that many "GNUtards" do understand this. But the call for a higher standard is still put out in the hopes that the environment can make strides towards that ideal. There's nothing wrong with goals. Even if we fall short of those goals.
1. Companies will take out insurance against it happening, and the insurance companies will insist on best practice and audits.
Insurance is still a cost that I'm not sure is worthwhile. Throwing money at a problem does not always solve the problem. At the least, I'd like to see money being spent on something effective. That being said - this would be an interesting way to transfer liability into action. That is, assuming the insurance industry doesn't determine that the risk is too high.
2. If you are unwilling to let the government run anything for fear of bureaucracy or inefficiency then you can't have any regulation at all. In practice an independent regulator with real powers can work very well, and what causes most of the problems is political interference and lack of teeth.
My concern is that I want to deal with the technical issues of information security. Bureaucrats tend to end up serving the bureaucracy and so we end up with a lot of focus on the letter of compliance whether being compliant actually solves said technical issues or not.
And this isn't just a concern with Government. PCI DSS is not a Government program but it is quite the lumbering beast itself (albeit not entirely without value).
The solution is to increase the cost of failure to the point where it makes sense to hire someone to prevent it.
It's very tempting. After all, a big part of the conversations I've been in that involve this kind of thing eventually leads to the question of money. Expense is a much easier way to get a handle on these things and prod management. Laws that establish liability could help establish risk and cost.
But I have to wonder if that's the right path to take. Do we really want to invoke the bureaucracy that surrounds anything Government gets involved in? Do we need to add another layer of compliance? Keep in mind that the credit processing industry has its own requirements - and even that raises questions concerning the drive for compliance vs. technical aspects of security. Then there is the question of user information that's not specifically financial. What was the end-user risk in the PBS compromise? And do we need to expose PBS to additional liability beyond what's covered by PCI and HIPAA?
Depends on the tool. Not all tools involve government controlled, regulated and monitored pipes.
If I could magically replace my car with a free exact copy on demand, I wouldn't care whether I "owned" it or not.
Not caring about ownership has little bearing on whether you own something or not.
is it A
coincidence that the
sentence structure of posts in this thread
have started to become erratic
or is it just mE