Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories
0
Comments
4,185
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,185

  1. I disagree with EFF.. I'm going to hell. on EFF: Facebook Should Notify Users Who Interact With Fake Police 'Sock Puppet' Accounts (eff.org) · · Score: 1

    Seriously this is the most fucked up concept I've heard in a while. It's the fucking job of law enforcement to work the commons. No different than cops cruising around in unmarked cars looking for troublemakers or doing undercover work posing as someone they are not.

    A commons in cyberspace is just as valid a place to have a police presence, both overt and covert, as a commons in meatspace.

    All of the other alternatives are massively worse, and doing shit like this will only provide incentive to push for (more of) massively worse alternatives:

    Lawlessness, massive data collection, outlawing encryption, bending rules of physics in cyberspace: special agent is better than agent Smith.

  2. Should get Coke to pitch in and launch some additional cube sats to deface the Pepsi constellation, and establish a defacement foundation dedicated to defacement of all similar advertising campaigns by anyone else contemplating this.

  3. I simply don't understand how this behavior can be tolerated by anyone.

  4. Re:Vulnerabilities in key exchange on Dragonblood Vulnerabilities Disclosed in Wi-Fi WPA3 Standard (zdnet.com) · · Score: 1

    Someone more familiar with cryptography, could you please explain why WPA3 didn't use known-good key exchange methods implemented and tested in modern protocols and instead appears to have chosen its own method that was found to be vulnerable?

    Fundamentally I don't understand how it is even possible to prevent downgrade attacks given the set of facts applicable to this situation. I know of no other protocol capable of achieving this. On its face it appears to be fundamentally impossible.

    With WPA3, initially the password is the entire basis of the trust relationship. How do you support automatic backwards compatibility with the PSK method from WPA2, which is subject to offline attack, when everything you see upon connecting can be a lie and there is no basis upon which to know the difference?

    With TLS, secure negotiation works by double-checking the initial set of parameters AFTER the key exchange (typically RSA PKI) has occurred. If there is a discrepancy between the before and after parameters, the session is terminated. With TLS, the key exchange is safe.

    In the case of WPA3, "AFTER" the exchange is too late, given the damage is already done by the exchange itself. Using PSK exposes the user's credentials to offline attack regardless of what happens next.

    It seems to be fundamentally impossible. There are schemes that can be used to mitigate the problem in the real world, but they are usability tradeoffs, unrealistic, and/or don't offer full coverage:

    1. Manual levers where clients and servers declare the level of security they are willing to accept. This seems to be the best option.

    2. Latches remembering previous sessions denying subsequent sabotage.

    3. Prefab lists and external trust relationships to secure exchange.

    Please don't get me wrong about my feelings about WPA3. They made terrible decisions, chief among them the selection of a balanced rather than augmented PAKE.

    Balanced precludes the possibility of storing passwords at rest in what is analogous to a one-way hash format. The only option for protection is reversible encryption.
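The downgrade problem and the two mitigations from the comment above (a configured floor, and a "latch" that remembers the best AKM previously negotiated for an SSID), as an added example that is not part of the original comment. It is a simulation, not Wi-Fi code: the numeric AKM levels, the SSID, the passphrase, the attacker's word list and the simplified EAPOL MIC (a keyed hash over the two nonces) are constructed for the example. The PMK derivation is the real WPA2-PSK one (PBKDF2-HMAC-SHA1, 4096 rounds). The point it makes concrete is the one in the comment: once the client has run the PSK handshake with a rogue "WPA2-only" AP, the offline dictionary attack needs nothing further, so any check that happens AFTER the exchange is too late; only a floor or a latch that refuses the exchange in the first place helps, and the latch cannot protect first contact.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative AKM (Authentication and Key Management) levels. Only the
# ordering matters here; real RSN elements carry OUI-typed suite selectors.
WPA2_PSK = 1
WPA3_SAE = 2

SSID = "CoffeeNet"                                  # constructed
PASSPHRASE = "dragon1234"                           # constructed, deliberately weak
WORDLIST = ["password", "letmein", "dragon1234"]    # constructed attacker dictionary


class DowngradeDetected(Exception):
    """Raised when an AP offers less than the client's floor for that SSID."""


@dataclass(frozen=True)
class Beacon:
    ssid: str
    akms: frozenset  # AKM suites advertised in the beacon's RSN element


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # Genuine WPA2-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def psk_handshake_mic(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Simplified stand-in for the EAPOL message-2 MIC. The real PTK/MIC
    # derivation is longer but has the same property: every input except the
    # PMK travels in the clear.
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()


def offline_crack(ssid, anonce, snonce, mic, wordlist):
    # Attacker side: recompute the MIC per guess and compare. No further
    # interaction with the client or the AP is required.
    for guess in wordlist:
        candidate = psk_handshake_mic(pmk_from_passphrase(guess, ssid), anonce, snonce)
        if hmac.compare_digest(candidate, mic):
            return guess
    return None


class Client:
    def __init__(self, passphrase: str, min_akm: int = 0):
        self.passphrase = passphrase
        self.min_akm = min_akm  # "manual lever": configured floor, 0 = accept anything
        self.latch = {}         # "latch": per-SSID best AKM previously negotiated

    def select_akm(self, beacon: Beacon) -> int:
        offered = max(beacon.akms)
        floor = max(self.latch.get(beacon.ssid, 0), self.min_akm)
        if offered < floor:
            raise DowngradeDetected(f"{beacon.ssid}: offered {offered}, floor {floor}")
        self.latch[beacon.ssid] = max(self.latch.get(beacon.ssid, 0), offered)
        return offered

    def associate(self, beacon: Beacon, anonce: bytes) -> dict:
        """Return what an on-path observer learns from the exchange."""
        akm = self.select_akm(beacon)
        if akm == WPA2_PSK:
            snonce = os.urandom(32)
            pmk = pmk_from_passphrase(self.passphrase, beacon.ssid)
            return {"akm": akm, "anonce": anonce, "snonce": snonce,
                    "mic": psk_handshake_mic(pmk, anonce, snonce)}
        # SAE is a PAKE: the observer sees a transcript but gets nothing that
        # lets it test passphrase guesses offline.
        return {"akm": akm}


GENUINE = Beacon(SSID, frozenset({WPA2_PSK, WPA3_SAE}))  # transition-mode AP
ROGUE = Beacon(SSID, frozenset({WPA2_PSK}))              # attacker strips SAE


def attempt(client: Client, beacon: Beacon):
    """Returns (akm_used, cracked_passphrase) or ("refused", None)."""
    try:
        seen = client.associate(beacon, os.urandom(32))
    except DowngradeDetected:
        return ("refused", None)
    if seen["akm"] != WPA2_PSK:
        return (seen["akm"], None)
    return (seen["akm"], offline_crack(SSID, seen["anonce"], seen["snonce"], seen["mic"], WORDLIST))


def first_contact():
    # Fresh client meets the rogue AP first: nothing to latch on, passphrase falls.
    return attempt(Client(PASSPHRASE), ROGUE)


def latched():
    # Same client, but it has already negotiated SAE with the genuine AP once.
    client = Client(PASSPHRASE)
    attempt(client, GENUINE)
    return attempt(client, ROGUE)


def policy_floor():
    # Manual lever: refuse anything below SAE, even on first contact.
    return attempt(Client(PASSPHRASE, min_akm=WPA3_SAE), ROGUE)


if __name__ == "__main__":
    print("first contact:", first_contact())  # (1, 'dragon1234')
    print("latched:      ", latched())        # ('refused', None)
    print("policy floor: ", policy_floor())   # ('refused', None)
```

The latch is trust-on-first-use: it only helps the second time, which is the "don't offer full coverage" caveat in the comment. The floor covers first contact but is the usability tradeoff, since it makes every WPA2-only network unreachable.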

  5. Which has nothing to do with bias. Bias, in this context, is unwarranted assumptions.

    Assumptions like a specific dopey ass kid is more likely to get their vehicles wrecked than a group of older squares?

    The whole point of many of these systems is rendering prejudicial assumptions of future behavior based on limited knowledge. The name of the game itself, in fact the very reason these systems exist at all, is inherently prejudicial.

    What people interested in these things really seem to be seeking is curtailing rendering of judgment in the first place.

    Men are on average stronger and taller than women, but a system which, say, ranks potential firefighter applicants using their gender as a factor instead of looking at their performance in the actual job is biased.

    Who seriously believes anyone cares about modalities of decisions? If an algorithm arrives at perceived prejudicial outcomes it will be attacked and accused of being unfair by the same dopey ass kids who would rather old squares cover their insurance premiums.

    The trick here is that in many cases the technology to explain, in any human-understandable way, the underlying reasoning of neural network simulations is an area of active research beyond the reach of most "AI" users. Since a human-understandable explanation is out of the question, the effective real-world outcome is significantly different from what is implied by the text of this act.

  6. Re:Certificate Transparency on Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com) · · Score: 1

    Would these be CAs that submit all issued certificates to Certificate Transparency or CAs that do not?

    What difference does it make? Nobody monitors CT logs so why does it matter?

    If by some miracle you discover a cert issued by someone else, it's already too late. Security has already been compromised. All of your fellow government protestors have already been rounded up and carted off to the gulag. Too bad, so sad.

    This is all certificate transparency really is:
    https://www.youtube.com/watch?...

  7. Re:Mostly Pointless on Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com) · · Score: 1

    Yes. MITM attacks are used by everyone from governments to ISPs to spread malware.

    There isn't a government in the world worth mentioning that lacks the resources to MITM HTTPS. Numerous CAs are located in effective dictatorships, some even state-run.

    This fact is why it was so damaging and counterproductive for Google to have removed key pinning protections from Chrome while falsely claiming certificate transparency to be an analogous replacement. The man asked and Google complied.

    As for ISPs spreading malware, this is illegal criminal behavior in most of the world. Any ISP caught doing so faces criminal liability. Given the fact that any HTTP use carries increased risk, it's not sufficient to cherry-pick and hand-wave "x used by everyone" to support a course of action. There should be a study conducted with concrete peer-reviewed data and findings addressing the specific question at hand, distinct from the question of MITM generically.

    Under the same theory what prevents Google from justifying total removal of HTTP? What's the difference? Why do one but not the other?

    What is absolutely maddening is the fact that the vectors by which people are actually being compromised in the millions have nothing at all to do with BIW shenanigans.

    People are actually being social-engineered into compromising their own systems and accounts. For the vast majority of users HTTPS use is actually completely worthless when it comes to protecting them from the actual threats they actually face. 9 out of 10 of all attacks exploit PEOPLE, not systems.

    Strong ZKP based authentication technologies which can mitigate social engineering risks when used consistently are actively held back from deployment in major browsers even though all of the necessary infrastructure exists and patches have been written to implement them. Why is that?

    The entire internet runs on Chrome?

    The entire Internet has to support Chrome users. Nobody can seriously say "you are using Chrome so take a hike", as doing so would preclude access by the majority share of the world's Internet population.

  8. Re:Mostly Pointless on Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com) · · Score: 1

    What percentage of internet users do you think actually know what a hash is?

    Is this an issue that needs solving? Are people actually being owned by this vector? What percentage of Internet users have been attacked in this way? Where is the evidence supporting this position? Why are less assertive measures insufficient?

    Or, like Google's bullshit reasoning for reducing security by removing public key pinning and falsely claiming certificate transparency is an effective analogue, is this just another scheme for punishing *undesirable* sites who link to third-party files for download that happen to be IP literals (no DNS, therefore no possibility of TLS) or otherwise don't have certificates?

    This is just another step towards fixing a very old mistake. Security should be the default.

    This is not an objective fact. It's a subjective opinion.

    Regardless of opinions for or against there is something fucked up when one company imposes restrictions on the entire Internet because it can.

  9. Re:uhh,, on Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com) · · Score: 1

    The difference is that HTTP allows practically ANYONE to MITM your downloads..

    So does HTTPS. You just get one of hundreds of CAs to issue you a cert by MITMing their automated DNS/website flag-planting procedure, then you can MITM that site's HTTPS downloads to your heart's content.
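The distinction running through the three comments above (a mis-issued cert from any trusted CA passes chain validation; key pinning rejects it at connection time; Certificate Transparency only lets the domain owner find it afterwards, and only if someone monitors), as an added example that is not part of the original comments. It models certificates as small records rather than parsing X.509: the domain name, CA names, "SPKI DER" byte strings and the log contents are constructed stand-ins, and chain validation is reduced to an issuer lookup. The pin computation itself is the real one used by HPKP (RFC 7469) and OkHttp: `sha256/` followed by the base64 SHA-256 of the DER SubjectPublicKeyInfo.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal model of a leaf certificate: only the fields the checks need."""
    subject: str      # DNS name the cert is for
    issuer: str       # issuing CA
    spki_der: bytes   # DER-encoded SubjectPublicKeyInfo (constructed below)
    ct_logged: bool   # whether the cert was submitted to a CT log


def spki_pin(spki_der: bytes) -> str:
    # HPKP / OkHttp pin format: "sha256/" + base64(SHA-256(SPKI DER)).
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_validates(cert: Cert, trusted_cas: set) -> bool:
    # Stand-in for path validation: anything from a trusted CA is accepted,
    # which is exactly why a DV cert obtained by MITMing the CA's check passes.
    return cert.issuer in trusted_cas


def pin_validates(cert: Cert, pins: set) -> bool:
    # Client-side, at connection time: the leaf's public key must hash to a
    # pinned value. A mis-issued cert carries the attacker's key, so it fails
    # no matter which CA signed it.
    return spki_pin(cert.spki_der) in pins


def ct_monitor(domain: str, log: list, known_spkis: set) -> list:
    # Domain-owner side, after the fact: find logged certs for our name whose
    # key we never generated. This can only fire once the cert is already in
    # the log, i.e. after it could already have been used against clients.
    return [c for c in log if c.subject == domain and c.spki_der not in known_spkis]


# --- constructed scenario; the byte strings stand in for real DER blobs ---
DOMAIN = "protest.example"
LEGIT_SPKI = b"spki-der:protest.example:key-2024"
BACKUP_SPKI = b"spki-der:protest.example:offline-backup-key"
ATTACKER_SPKI = b"spki-der:attacker-generated-key"
TRUSTED_CAS = {"CA-A", "CA-B"}
PINS = {spki_pin(LEGIT_SPKI), spki_pin(BACKUP_SPKI)}   # primary plus backup pin

legit = Cert(DOMAIN, "CA-A", LEGIT_SPKI, ct_logged=True)
# Issued by a different trusted CA after the attacker MITM'd its DV validation.
misissued = Cert(DOMAIN, "CA-B", ATTACKER_SPKI, ct_logged=True)
CT_LOG = [legit, misissued]


def evaluate(cert: Cert) -> dict:
    """What a client sees for this cert under each mechanism."""
    return {"chain_ok": chain_validates(cert, TRUSTED_CAS),
            "pin_ok": pin_validates(cert, PINS),
            "ct_logged": cert.ct_logged}


def misissued_found_by_monitor() -> bool:
    """Whether a domain owner who actually watches the log would notice."""
    return misissued in ct_monitor(DOMAIN, CT_LOG, {LEGIT_SPKI, BACKUP_SPKI})


if __name__ == "__main__":
    print("legit:    ", evaluate(legit))       # chain_ok True,  pin_ok True
    print("misissued:", evaluate(misissued))   # chain_ok True,  pin_ok False
    print("monitor would see it:", misissued_found_by_monitor())
```

The backup pin is what made HPKP deployable at all: without a second pinned key held offline, losing the primary key locks clients out for the pin's lifetime, which is the operational risk the comments refer to when discussing why pinning was removed from the browser.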

  10. Re: Just one problem on Sony Creates Colossal 16K Screen In Japan (bbc.com) · · Score: 1

    At approximately 120,000,000 rods, which do not sense color, if it were a convenient square arrangement, that would be a bit less than 11k x 11k.
    Cones, which do detect color are only around 6 or 7 million in quantity. Using the 7 million number, that would make a matrix of a bit less than 2.65k x 2.65k.

    Counting rods and cones is an irrelevant, meaningless endeavor. Rods are not even worth mentioning WRT TV because they can't resolve any detail.

    What matters is the degree of arc resolvable by cones and the pixels per degree that can be discriminated, which amounts to roughly 1MP (1k x 1k).

    Of course this whole metric is bullshit to begin with, for the simple reason that eyes are not fixed in their sockets, nor is head position fixed WRT the display.

  11. Re:Just one problem on Sony Creates Colossal 16K Screen In Japan (bbc.com) · · Score: 1

    Human eyes can't discern more than about 4000x4000 pixels in their field of vision.

    It's more like 1000x1000, yet this metric is meaningless because eyeballs and head are not fixed at a single point.

    Pixels per degree of arc is what matters in discerning whether piling on more pixels is helpful or wasteful.

  12. Without even trying, while C-SPAN channel surfing yesterday I found Republicans explaining their opposition in the form of bashing Title II.

    Democrats could have avoided this problem. They could have defined clean NN. If Republicans still wanted to attack clean NN, at least their excuses for doing so would be more transparent and less defensible to voters.

  13. Great, so now every tech startup has to have their very own IRB? And file yet another set of paperwork with the federal government? All so the politicians can forbid Youtube from making their videos autoplay "for the children"?

    I agree with you. It's one thing to require people to do or not do something. Quite another to impose these kinds of process requirements.

    Having said that, in fairness the requirement is only triggered in very specific circumstances.

    1. Your system must have 100,000,000 unique authenticated user logins in a 30 day period.

    2. You are engaged in psychological experimentation on your users. I assume this also includes random AB testing?

  14. Re:Come on now on Why Aren't People Abandoning Windows For Linux? (slashgear.com) · · Score: 1

    That's a feature, not a bug.
    I'm not interested in software that comes without the Four Freedoms. I don't want your proprietary software to succeed.

    Hence why desktop Linux is not being taken seriously.

  15. Short titles of all legislation should be required to be determined by an independent nonpartisan committee.

  16. In one of its provisions, the bill makes it illegal for the IRS to create its own online system of tax filing.

    Where in the text of HR 1957 is the government prohibited from offering online tax filing?

  17. I'm sure few people expect what Google actually does, as it would require technical understanding to realize what is possible and what is probable...

    how many people truly CARE what Google or Facebook is doing?

    Interesting, you appear to be conceding the fact that people don't understand what these services are doing.

    Then you proceed to make the "nobody cares" argument.

    When the actual argument devolves into: How many people truly CARE about something they don't understand and don't know is happening?

    It isn't clear what value, if any, exists in the resulting answer.

  18. Re:Come on now on Why Aren't People Abandoning Windows For Linux? (slashgear.com) · · Score: 0

    You STILL have no software and it's the 21st century already. Average people are not running emulators to get their everyday programs to work. Nobody is going to make software unless there's a big enough user base.

    Even if people wanted to, distributing non-trivial commercial software for Linux is impossible without releasing a dozen different versions to target a sufficiently wide range of distros and versions.

    Too much fragmentation, too much "deprecation" and too little effort on maintenance of stable interfaces.

  19. Re:Smart TVs are a dumb investment on Android TV Update Puts Home-Screen Ads On Multi-Thousand-Dollar Sony Smart TVs (arstechnica.com) · · Score: 1

    I don't see how that helps.

    Now your external box updates and serves you ads. But at least they're not coming from the TV!

    SBCs that run Kodi flawlessly cost like $50. You have a great number of choices.

  20. Not a company, but Snowden did quite a number on the NSA.

    This isn't responsive to my question. The information he gave to the press didn't directly endanger countless millions of people.

    Well sure. If you follow standards and/or procedures, you are covered. If all you are doing is checkbox security, someone will get in, but you can at least point to all of those checked boxes and absolve yourself from legal responsibility.

    I welcome any evidence of this ringing true WRT *ANY* major data breach.

  21. Re:It's not pointless on House Democrats Refuse To Weaken Net Neutrality Bill, Defeat GOP Amendments (arstechnica.com) · · Score: 5, Informative

    The point is to get the GOP on record supporting something that will likely raise your cable bill (or phone bill if you're on DSL). That's an issue that can resonate with voters. From there it becomes election fodder to win seats and push the presidency over the edge.

    The Democratic bill allows the FCC to impose regressive USF taxes on Internet access. They didn't have to do that. The Democrats could have done a clean NN bill. They elected not to.

  22. Why should monopolies like Twitter, Facebook and YouTube not be required to be common carriers?

    Because they are not carriers.

    It's much easier in terms of capital to build new ISP than one of those.

    It's also much easier to bake a cake.

  23. Re:Information service? on House Democrats Refuse To Weaken Net Neutrality Bill, Defeat GOP Amendments (arstechnica.com) · · Score: 3, Interesting

    If broadband is considered an "information service" which now prevents the FCC from imposing any regulations on ISP's, why does the US government give $$$$ away to broadband carriers to offer higher speeds such as the Connect America Fund (CAF) ? If the FCC is the government's form of regulating communications services in the United States how can they offer CAF funding to promote faster internet speeds but at same time the FCC claims it can't regulate it?

    The FCC maintains multiple contradictory definitions of the same terms used interchangeably to get away with whatever they please.

    For example, according to the FCC, broadband Internet is 200 kbit/s in either direction AND at least 25/3 Mbit/s. To a normal person it's plainly obvious both definitions can't concurrently be true, but hey, if you're the FCC anything goes.

  24. If a CEO of a bank decided that security was not important and failed to implement known-effective security measures, don't you think that CEO should be held responsible for their banks getting robbed?

    I would be curious if anyone is able to cite just one single solitary instance of a major data breach where the company holding data was deemed to have "sufficient" safeguards in place and therefore wasn't held responsible for the attack.

    A 9/11's worth of people die each and every DAY in car accidents adding up to well over a million deaths a year. Are automobile companies really doing everything they could possibly be doing to prevent all these deaths? Should executives be placed in death row?

    Every time someone dies in a car accident the response is crickets. No outrage, no calls for heads to roll, no prospect of jail time for auto execs. People seem to be hard-wired to care about single events that affect many and ignore many events that affect a small number of people.

    Show me an accident and I'll dream up some way it could have been avoided and point to technology that could have been used to do so.

    Show me a data breach and I'll dream up some way it could have been avoided and point to something that could have been done to prevent it.

    Show me a few lines of source code and I'll rattle off an endless array of problems.

    For some reason society seems willing to tolerate breathtaking numbers of people being constantly turned into road kill, yet there seems to be no example of even a single instance where responsibility for any major breach on earth was not assigned to the company that was the victim of the attack.

    You can think making people responsible for what happens to them is good or bad. You can believe it's great because it improves security or wrong to send people to jail for not doing enough to stop attacks.

    What I'm having trouble with is the existence of evidence to support the notion that a CEO who pressed for implementation of "reasonable" security measures still wouldn't be held responsible if they were bypassed anyway. There, as a practical matter, seems to be no standard that is "good enough" to withstand the public freak-out associated with events that adversely affect countless millions.

    Right now corporations can even be hacked by foreign governments (Marriott) and still face being fined to kingdom come for failing to defend against hostile actions by foreign nations.

    Is there in reality a standard anyone can follow that would absolve them of responsibility if an attack is successful anyway?

    A specific example: A company can be deemed to be in full compliance with all PCI requirements to the letter of the published standard. Yet if there is a breach, the company can be, and if big enough most certainly WILL be, held responsible and fined for the breach anyway.

    If the standard in reality is that people (corporations are people my friend) are held liable for every transgression against them no matter what that's not something I can support.

  25. Re:Can't we have someone who ... on Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com) · · Score: 1

    Negligence is whatever you can convince a judge and or jury negligence is.

    Nope, it has an actual legal definition.

    A legal definition whose outcome rests primarily on what a "reasonable person" would do.

    So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.

    In effect you are making fun of yourself. You were the one who originally asserted a relationship between revenue and operating budget when you said "such a company has sufficient resources to actually fix the security holes".

    The point I was making is clear to any reasonable person. You don't need to be making a billion dollars a year to have the resources to "actually fix security holes identified by their security team".

    The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.

    Yeah, well, this justification sucks. If the penalties are insufficient, petition to have them changed so they are sufficient. She could have done that. Instead she elected to turn the legal system into a game of Magic: The Gathering.

    I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.

    At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.

    Which means civil liability provides exactly zero disincentive to Equifax's executives.

    You've communicated what you see as a problem. I'm probably on board with the premise a problem exists. This piece of crap legislation sure as hell isn't the solution to anything.

    You can do any number of things legislatively that would be infinitely better than this piece of shit scheme.

    - Outlaw Equifax's business model of collecting shit on everyone without their knowledge or consent and selling it would be swell.

    - Adjust penalties so damage inflicted scales with company so there is no such thing as too big to pay fines.

    Sending people to jail for the fruits of criminal actions executed against them is immoral and outrageous in my view. So some tech goon didn't fix a vuln fast enough. What if the attackers had exploited a 0-day nobody knew about instead and got in that way? Would anything change? Would you be any less pissed? Would Equifax be any less liable? What if it was an insider who got divorced, wife got the house, and went crazy? Would it make any difference?

    And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.

    The central issue here is that problem and solution don't match up. If your issue is that fines are too damn low, petition to make them higher.

    Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardeli!)

    It's good to be king. Don't like it? Jealous? Vote for the one promising to send the king to jail!!