Hacker News | PatientTrader's comments

> I'd also note that these companies are barely (if ever) held liable for life-compromising hacks on their platforms.

You do know it is impossible to stop all cyber attacks? It's always a matter of when, not if. Zero-day attacks are developed every day, with not even the best-funded cyber security systems able to thwart them. The geniuses are on the offensive side; if they want in, they will get in.


The industry is held to no standards at all. You can keep plain-text passwords in your databases, do no tests at all, and be incompetent in a million other ways. I usually get downvotes when I say this, but by now there needs to exist certain regulation on commercial software and software-based services. It should be ensured that certain practices are followed in security and ethics (do you take the basic, well-known precautions against the well-known attacks? Do you respect your users' privacy at least as much as the law requires you to? Do you follow the terms and conditions you declare?). What we need is CE for software, and it's sad that I can ensure my cheese comes from a certain town and is produced from the milk of cows eating according to a certain diet, but not whether Twitter (or any other commercial website) hashes and salts my password, and actually uses basic precautions against CSRF or whatnot. These companies should be obliged to get their stuff audited by third parties, and there should be a way to tell if they are really approved to maintain a certain standard in producing their software. I do understand and share the hacker culture, and appreciate how it's possible to spin off a start-up website business on the internet, but business is business. You don't become exempt from regulations when all you do is run a tiny B&B with 2 rooms. Similarly, as soon as you're a company selling online services, regulations and standards should kick in. Because by now those online services are no less important than the food business. You say it's impossible to stop all cyber attacks. Then, as it is impossible to stop all burglary attempts, should banks just deposit their money in some apartments, or in some random rooms where all the security is a wooden door? Fire all the security guards because it's impossible they survive all the guns out there? These companies like LinkedIn are no different from banks inasmuch as they deposit not our money, but our personas.
They should actually be more cautious because while money can be replaced, nobody can have a new self.


> It should be ensured that certain practices are followed in security

Let's not legislate specific practices.

Imagine if we had security legislation from 1995 to follow when programming today. Imagine trying to explain to senators why last year's XSS protection rules need updating. Imagine Oracle lobbying to get their database enshrined as the "security-compliant" one.

The law should focus on outcomes: if a site gets hacked and people are harmed, the site should be penalized.


"Security compliance" is about how you use a given database, not which one you happen to use. You can securely (but inefficiently) store credentials in a plain text file.

WRT some defences becoming outdated over time, well, it probably would not be two decades behind, but a couple of years or so at most. Even then, ensuring that is better than nothing.

People need tools to judge if they can safely use some product, and that's why standards exist. Otherwise companies are going to continue to screw us until they drop the balls.


> WRT some defences becoming outdated over time, well, it probably would not be two decades behind, but a couple of years or so at most. Even then, ensuring that is better than nothing.

Not necessarily. What if the law mandates use of, say, an encryption algorithm that has been cracked? You can't move to a new one without breaking the law.


Larger organizations use ISO-27001 and SOC-2 to audit this kind of stuff. But even so, sometimes the devil is in the details and it's possible to comply with the letter of the regulation while still being unprepared for the kinds of attacks that your service attracts.


Thanks, I'll look into them, but are there any compulsory standards anywhere? AFAIK this is entirely optional, i.e. left to the good will of the company.


The EU is right now implementing a directive on how private information must be stored, AFAIK


Oh thanks. I guess you're referring to GDPR. I'll take note to research this in the future and have found some resources after seeing your comment, but I'd fancy some links if anybody has them that elaborate on this topic.


Certain industries are regulated, although the regulations are not consistent. It is not uncommon for jurisdictions to require by law protections on electric grid control equipment. For example, in some places in the US, servers that can ultimately affect a large scale change in power generation equipment (such as switching the configuration of a power plant) must have anti-virus installed on them (NERC-CIP).


>You do know it is impossible to stop all cyber attacks?

This is a fallacious argument, specifically the Nirvana Fallacy. Perfection not being achievable in no way means that there can't be standard best practices that are a minimum requirement, nor that liability cannot still exist. Certain types of cyberattacks are in fact possible to stop perfectly merely by virtue of not holding onto information at all. As a trivial example, there should be no plaintext password leaks (or even easily brute-forced password leaks) at all, ever. Adaptive hashes/key stretching have been a thing since the dawn of security; Robert Morris described CRYPT for Unix password usage in 1978. bcrypt is from 1999. There has been no reasonable basis at all for plain text or even raw fast hash primitives to be utilized, ever, yet they have been. In no other industry dealing with these kinds of privacy and safety concerns is that sort of practice considered acceptable, nor should it be.

Holding personal private information at all long term should fundamentally be considered a liability situation, because it's not necessary; it's a commercial choice. Can't be hacked if it doesn't exist. If businesses choose to hold it, they should also be taking reasonable steps to protect it, and accept liability for failures. That's the natural balancing flip side to them getting profit from using it. If they're allowed to turn any costs of holding it into externalities, that distorts the market.


From my random perusal of the various reports of compromises over the last few years, my impression is not that organisations tend to get hacked using the latest zero-day vulnerability, but rather that organisations get hacked because they have glaring security holes that you could drive a double-decker bus through.

For example, bcrypt has been around for how long now? And don't almost all the reports of hacks report that a database was lifted with usernames and passwords either in plaintext (for the love of all that is holy) or hashed with unsalted SHA1, or similar?
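As an added illustration of the point made in this comment and the one above it (this is example code written for this page, not something posted in the thread), here is the difference between the "unsalted SHA1" scheme the commenters criticise and a salted, iterated hash. Python's standard library is used so it runs offline: hashlib.pbkdf2_hmac stands in for bcrypt, and the iteration count, record format and sample passwords are assumptions for the example. The max_shared_digest helper shows one thing a dump leaks immediately when the hash is unsalted: every account with the same password has the same stored value.

```python
import hashlib
import hmac
import os
from collections import Counter

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; raise it over time).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def legacy_sha1(password: str) -> str:
    """The unsalted-SHA1 scheme the comment criticises: one fast hash, no salt.
    Every account with the same password gets the same digest, and a precomputed
    table of common passwords can be checked against the whole dump at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: a fresh random salt per account plus a tunable work
    factor. Scheme, iterations and salt are stored with the digest so the work
    factor can be raised later without breaking existing logins."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Any malformed record fails closed."""
    try:
        scheme, iterations_str, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record uses an older scheme or a weaker work factor than current
    policy. Call after a successful login and rewrite the record with hash_password,
    which is how a deployment migrates away from a weakened algorithm over time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < current_iterations
    except ValueError:
        return True


def max_shared_digest(records: list[str]) -> int:
    """Largest number of accounts sharing one stored value. For unsalted hashes this
    is how many accounts fall to a single correct guess; with per-account salts
    it is always 1, even when users reuse passwords."""
    return max(Counter(records).values()) if records else 0


if __name__ == "__main__":
    # Constructed sample: four accounts, three of which reuse the same weak password.
    passwords = ["hunter2", "hunter2", "hunter2", "correct horse battery staple"]
    print("unsalted sha1, largest group:", max_shared_digest([legacy_sha1(p) for p in passwords]))
    print("salted pbkdf2, largest group:", max_shared_digest([hash_password(p) for p in passwords]))
    rec = hash_password("hunter2")
    print("verify correct:", verify_password("hunter2", rec), "wrong:", verify_password("hunter3", rec))
    print("needs rehash under stricter policy:", needs_rehash(rec, PBKDF2_ITERATIONS * 2))
```

The needs_rehash step is the answer to the worry elsewhere in this thread about being locked into an algorithm that later turns out to be weak: because each record carries its own parameters, a site can verify old records, then immediately rewrite them under the current policy, without any flag day.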


I wish there was a "web security checklist" where if you ticked all the boxes, you can be pretty sure you have the well-known holes covered. This is why web frameworks are really useful, the decent ones get you way ahead in securing your application from the most common attacks. But if you self-bake, then you have to manage the entire complexity of the web platform.



This doesn't cover everything, but it's a pretty good starting point:

https://stackoverflow.com/questions/549/the-definitive-guide...


OWASP top 10 is as close as it gets to a checklist: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...


I think most "hacks" have been the results of social engineering and misconfigurations rather than software/hardware vulnerabilities.


I keep plaintext passwords, but I reverse the string to prevent the hackers.


While I agree, as a CTO I would be terrified if a data breach could hold me personally liable. It'd be like a Director of Security at a bank being liable for their bank being robbed with a tank.

But at the same time there is a line. I would be for holding companies liable if, for instance, the data gets out there and you find it is entirely unencrypted and the passwords are MD5 hashed or plain text. There has to be a baseline.

Mistakes should not be punished as long as there is not also negligence.


The Director of Security at a bank should at least be fired if their bank is robbed by a guy brandishing a banana. I'd speculate that that's the nature of most data breaches: amateur attackers taking advantage of grossly incompetent security.


Well, I think bank tellers where I live are instructed to comply with robbers' demands for money even if they are not visibly brandishing any weapon.


No one said anything about holding the CTO personally liable. The idea is to hold the company liable. This makes sense because the company is in the best position to prevent the bad outcome. If the company is always liable, it can find an optimal balance between the costs of security and the costs of breaches.

If the company is only liable when negligent, it is incentivized to minimize the cost of security to the bare non-negligent minimum. This pushes all the costs onto the people whose data are compromised. These people are not in a position to spend small amounts of money to dramatically lower the expected costs of breaches, so they just end up paying huge costs that cannot be mitigated.


> While I agree, as a CTO I would be terrified if a data breach could hold me personally liable.

Personal liability is going too far, IMO.

> Mistakes should not be punished as long as there is not also negligence.

The problem with this is that you'd have to enshrine, in law, what "negligence" is. Technology changes too fast to put that into law.

"How many people got hurt and how badly?" is a question attorneys can reasonably address. "Was there sufficient input sanitization?" is not.


You didn't really address the point you quoted.

The problem isn't that someone is getting IN; it's that the company throws up their hands and says "tough sht."

Or in a worse case, when Equifax puts up a compromised site to find if you were hacked that requires a significant amount of your SSN and personal details.

(edit: format)


> it's that the company throws up their hands and says "tough sht."

What exactly is your solution to the problem? You are more or less complaining without providing any insights into addressing the issue or without knowledge of the threat landscape.


Spending money on security architecture/engineering/pen testing/etc in concert with government regulation/oversight.

Full disclosure: I work in security architecture/risk management in the financial services industry.


You also can't stop all failures of infrastructure, but outside of computing, anyone calling themselves an engineer is generally required to hold to various ethical and professional standards or have their work signed off by someone who is.


It's not impossible to stop most, though, and hacks like Sony, Equifax, LinkedIn and many others are the result of what should be criminal negligence, i.e. not encrypting sensitive personally-identifiable information.

Instead of investing in securing their customer data, these companies pad their bottom line. So yes, they should be held accountable for failing to follow basic industry-standard data protection practices.


It's impossible to build a house that can't be burglarized. Does that mean you shouldn't lock your door when you leave in the morning?


Silly; it's impossible to stop all murders, therefore we shouldn't bother with making it a legal liability.

If the criterion is that it must be possible to stop all instances of an action to make it a legal issue, then we should just shut down all the prisons.


Hopefully this deal is killed. It's really bad for consumers, content creators, and actors. A monopoly on too much media all under one roof is bad all around...


Monopoly in any market is bad.


Crashes are actually great for the middle class. The value of the dollar increases as prices come down. Homes, land, property, etc. all become cheaper during crashes. This "bull market" is the actual "crash." All it's doing is depleting the value of your money.


The middle class just needs to draw on its sizable reserves of capital to purchase homes at fire-sale prices.


This is only partially true. It ignores the job losses that result from the fall in capital available to firms. Additionally, anyone owning equities, which should be most of the middle class although I'm aware this isn't the case, will see their wealth decrease. I'd argue that the only people who benefit from crashes are those with large amounts of cash assets, which is generally not how you should be holding your wealth. Holding cash, after all, is just withholding wealth from being productive.


> Holding cash, after all, is just withholding wealth from being productive.

Not true. Cash in hand or cash in the bank is actually an asset, not a liability. Every diversified portfolio should have cash in it. Some say as much as 30% of your wealth should be in cash or in assets that can be quickly converted into cash. If all of your wealth is tied to real estate or illiquid assets, then that is a problem.


> Holding cash, after all, is just withholding wealth from being productive.

Unless you're literally storing notes under your bed, your bank is lending out your money to someone.


"Unless you're literally storing notes under your bed, your bank is lending out your money to someone."

Banks don't lend deposits. It seems that it's one of those fallacies that never die. Maybe, because it's in the textbooks.

"[..]reserve requirement does not act as a binding constraint on banks’ ability to lend and consequently their ability to create money. The reality is that banks first extend loans and then look for the required reserves later."

From: http://www.investopedia.com/articles/investing/022416/why-ba...


From your quote: "..and then look for the required reserves later."

Banks are required to have certain reserves. It's true that they can already lend money while they are still looking for the required money to refill their reserve. But they will have to fill up their reserve at some point, and for that they need money, otherwise they will have to stop lending.

So it is not a fallacy that banks are lending deposits and it's not so strange that this is in the textbooks.


Banks can get reserves three ways:

- From deposits.
- In the interbank market, where banks with excess reserves lend to banks that need reserves.
- From the Central Bank.

The Central Bank always lends the necessary reserves. A different issue is whether that would be a good business for the bank.

The point is that the quantity a bank can lend is not limited by deposits as the normal narrative implies.


That might have been true long ago but with fractional reserve lending this linkage is effectively severed. The bank usually isn't lending out your money. The total amount a bank can lend out is constrained more by regulatory requirements and its invested capital than by the balance of customer savings/checking/CD accounts.


It's true that the lending amount of a bank is heavily constrained by regulatory requirements. But that doesn't mean that banks are not lending your deposited money to someone else.

Consider two banks in the same country, so having to comply with the same reserve requirements. The reserve requirements are defined as a percentage of the amount on the bank's deposit account at the central bank. So the bank which can transfer an extra deposit to this account is the one which is able to lend more money.


And what, would you say, is the current legally mandated "reserve requirement" in the US?



Even putting your money under the mattress doesn't make a difference: as long as it's a stable amount economy-wide, the central bank can just print enough cash to make up for that amount under mattresses. Cash is free to make.


Sure, the bank benefits, but with near-zero interest rates on savings accounts (in the US at least) the wealth isn't productive for you. You are actually losing money to inflation, so it's not a good idea to keep all of your wealth in cash.


True in the larger economic sense. But on an individual level, even the best savings accounts which typically get a bit above 1% interest will not keep up with the 2-3% inflation that we see (and the fed targets).


Nah, for an individual cash is an asset, but from an economy-wide perspective cash is free: the government literally prints the stuff for pennies on the hundred-dollar.

Any stable demand for cash by the general public can be accommodated without any real economic costs.

(But there are real economic costs when that demand is changing and the central bank doesn't adjust properly. Interestingly, that's mostly a problem of monopolized note issue. Free banking systems with competing note issuers adapt more easily to changes in demand for notes.)


> Crashes are actually great for the middle class

In perhaps one narrow sense. The middle class people who lose their jobs and savings, or whose welfare depends on economic activity (i.e., almost everyone) such as others buying, selling and investing in things don't do so well.

Perhaps there is some data on how well the middle class did in 1929, 1988, 2008, etc.


It's also ignoring the amount of middle-class savings that are destroyed during the crash...

The ONLY middle class individuals that benefit from a crash are those with the cash to buy in at the depreciated prices.


> It's also ignoring the amount of middle-class savings that are destroyed during the crash

Cash savings actually increase in value during crashes. Crashes provide the middle class with opportunities to purchase assets that they otherwise would not be able to afford.


> Cash savings actually increase in value during crashes.

I get that, but you have to have cash savings before you can purchase assets. MOST middle class individuals can't afford to keep their savings in cash. MAYBE they keep 6 months of salary in cash in the event of a loss of work, but every other saved dollar is put to work.

You'd have to destroy their life savings to give them a decent opportunity to buy assets on the cheap.


I don't see how they're great for the "middle class". A crash is generally bad for anyone who's invested. I could only see it being good for people who have cash on hand after the crash.


> A crash is generally bad for anyone who's invested

You are forgetting that cash in hand or in a bank is an asset/investment. Cash should be 20-30% of any investment portfolio.


Fair enough... I'm not much of an experienced investor. I had always heard you should invest, invest, invest, and forget about what the market is doing or will do.


Correlation does not equal causation. This is Yellow Journalism at its finest. The researchers even stated that their "results are preliminary" and not final, but of course the media runs with everything.


This business model will fail horribly. Unlike Uber where you provide rides from random people at random locations each time. Dog sitting/walking is a pretty consistent endeavor. Walkers/Sitters will just build up a clientele of about 5-10 consistent dog owners and go to them directly. They bypass the app, removing the fees that they otherwise would have to pay to the company.




Reducing sodium intake. You will instantly lose weight, feel less sluggish, have more energy, etc. By simply reducing the amount of sodium in your diet you are increasing your chances of living longer. Over 500,000 deaths each year are from complications with high sodium levels causing health problems.


I don't doubt that you might have benefited from a reduction in sodium intake but most people won't. The majority of people are not hypersensitive to sodium[1]. Limiting salt to some arbitrarily low number can have negative side effects, for example, my vegetable consumption went up dramatically when I let go of my anxiety over putting salt on them.

[1] https://www.scientificamerican.com/article/its-time-to-end-t...


Keep in mind that fast food companies and a large share of food manufacturers thrive on using high amounts of sodium in their processed foods to increase shelf life and improve margins (i.e. from factory until bought by the consumer). I don't doubt the validity of that research, but I would be interested to see who funded it. And of course all humans need sodium to maintain a healthy balance, but many foods we eat today unexpectedly have excessive amounts of sodium in them.


Deferring decisions until the last moment possible is one of the best things to do when making a tough decision. It's weird how we praise "quick decision makers." They are more or less simply gambling. Information tends to grow exponentially over time. By waiting, your chances of making a sound decision increase.


"Information tends to grow exponentially over time." Maybe true. However, the opportunity cost of playing the waiting game also tends to follow a similar path.


That's true. But any investor/CEO/Business owner will tell you: It's better to be late and right, than to be early and wrong.


What happened to fail fast? ;)


This has nothing to do with punishment. This is the result of a broken system. Most fortune 500 companies pay the ransomware price and the public is never aware of any breach. The idea of storing information on a connected network is the problem. We need to return to the brick and mortar way of storing data, i.e. Tightly guarded central facilities. Nobody should be able to steal 148 million accounts with the click of a button.

