Hacker News | giantfrog's comments

This system introduces a fun question: What’s more likely, that you suffer total spontaneous memory loss or your best friends betray you?

I think you'd have to plot a curve based on the potential reward of betrayal... I suspect that many Americans* would have their 5th closest friends committed or worse for low 6 figures. If in ~dire straits, as about half of all Americans are, that number could get much lower.

* If my use of the word 'Americans' above is triggering, feel free to substitute it with 'people'.


Yea, this project gives less "my contract partners will benevolently read my diary after I die" than "enabling and incentivizing my closest friends to hold a vote to redistribute all my assets amongst themselves"

This is fanfic not science

RFK Jr: “Not so fast”

This cracked me up...

Because Firefox users have been clamoring for the ability to turn them off rather than the opposite.

I think you misunderstand. Firefox users have wanted this to be opt-in or explicit-choice rather than opt-out.

The implication is that all future AI features will be opt-out.


I think the parent comment is snark. They're saying that since many Firefox users are saying "Let me turn off AI features, please!" for features they don't want at all, and few to no Firefox users are saying "Let me turn on AI features!" because few to no Firefox users want AI features in the first place, Mozilla is making AI features opt-out to "satisfy" the "want" of turning off AI features.

I think they're asking why it has to be opt-out rather than opt-in.

The likely answer is an incentive structure that rewards someone for maximizing 'number of users using AI'.

Cool idea, bad AI slop execution


Still seems far, far more likely that the average user will have their account stolen via password theft/reuse than the more complicated scheme the author is describing. Links instead of codes also fixes the issue.


Links are not trustworthy and can leak to compromise.


*lead, oops!


Big loss for the web.


This will never, ever, ever stop happening until executives start going bankrupt and/or to jail for negligence. Even then it won’t stop, but it would at least decrease in frequency and severity.


Unless there is willful negligence (very difficult to prove) or malicious behavior I don't think putting people in jail will help. Most of this stuff happens by accident not by intent.

Financial consequences to the company might be a deterrent, of course then you're dealing with hundreds or thousands of people potentially unemployed because the company was bankrupted by something as simple as a mistake in a firewall somewhere or an employee falling victim to a social engineering trick.

I think the path is along the lines of admitting that cloud, SaaS and other internet-connected information systems cannot be made safe, and dramatically limiting their use.

Or, admitting that a lot of this information should be of no consequence if it is exposed. Imagine a world where knowing my name, SSN, DOB, address, mother's maiden name, and whatever else didn't mean anything.


Imagine using this defence with regards to airline crashes. "The crashes happen by accident not by intent" would be a clearly ludicrous defence, as it ought to be here as well.

If we were serious about preventing these kinds of things from happening, we could.


If we're OK with regulating SaaS companies (and anyone who connects their information systems to the internet) the way we do the airline industry, that may be an argument.

Bottom line though a good many folks here would loudly resist that kind of oversight on their work and their businesses, and for somewhat valid reasons. Data breaches hardly ever cause hundreds of deaths in a violent fireball.

If the consequences of an airline crash were just some embarrassment and some inconvenience for the passengers, they would happen a lot more.

Also people almost never go to jail for airline crashes, even when they cause hundreds of deaths. We investigate them, and maybe issue new regulations, not to punish mistakes, but to try to eliminate the possibility of them happening again.


> Data breaches hardly ever cause hundreds of deaths in a violent fireball.

Insurance people will be happy to tell you the price of the average citizen's life. Estimate the total cost to the economy, divide by the average citizen's life-value and you have the statistical deaths caused by this type of incident. Draw a fireball next to it for dramatic effect.

But generally, I don't think _every_ SaaS needs to be tightly regulated. But everyone that handles customer data needs to be. It would also very quickly make them stop hoovering up any data they can get their fingers on and instead would make them learn how to provide their services securely without even having access to the data, because having that data suddenly becomes a liability instead of an opportunity.


> We investigate them, and maybe issue new regulations, not to punish mistakes,

This is not quite accurate. In the US for example, the NTSB investigates the causes of an incident, and the FAA carries out any subsequent enforcement action. Whereas the NTSB may rule the cause as pilot error due to negligence for example, the FAA may revoke the pilot's license and/or prosecute them in a civil case to the tune of a hundred thousand dollars and/or refer them to the Department of Justice for criminal prosecution.


At some point, some US department figured that they can practically budget a human life to cost around 10 million dollars - I wonder if the total amount of lives lost in airline incidents would incur the same amount of money lost as all the fraud that takes place after data breaches like these.


> Most of this stuff happens by accident not by intent.

Consider the intent of not hiring enough security staff and supporting them appropriately. It looks a lot like an accident. You could even say it causes accidents.


Hiring more people does not prevent the chance of mistakes. It may even increase them. I know places that spend lavishly on security (and employee education w/r/t social engineering, etc.) and have still been breached.


Google and Apple spend lavishly on security and are probably the most heavily attacked companies in the world, often by nation-state adversaries. Yet as far as I can remember, neither has had a successful breach like this in well over a decade.

Clearly it's possible.


Remove limited liability. Have the stock holder bear full economic cost of the victims without any limit. They want to profit, they take full risk with all of their property.


This can't be done in the modern financial system, I'd recommend holding senior execs and the members of the board responsible instead.

Shareholders may well be based overseas so it'd be very difficult to actually enforce the fines. They might also use overseas limited liability investment corporations, so fines would just bankrupt those companies leaving the actual shareholders never falling below zero.

There are also the political issues that'd come from potentially giving fines to millions of people because their pension funds invested in a company that had a data breach.


Haha, I still vividly remember how they were trying to make me believe that GDPR is going to be a big hammer because it will finally make executives liable for breaches. I silently laughed back then. I am still laughing.

I should probably clarify: There are two types of people that claimed that back then. Those trying to gaslight us, and those naive enough to actually believe the gaslighting. Severe negligence has to be proven, and that is not easy, and there is a lot of wiggle room in court. Executives being liable for what they did during their term is just not coming, sorry kids.


The author was not only a longtime CIA employee, but staff historian. Not the most trustworthy source here.

https://nationalsecurity.gmu.edu/nicholas-dujmovic/


Well I assume the NSA is competent, not sure about CIA.


If you'd told me several years ago I'd be paying $10/month for a search engine, I'd say that's crazy talk. But it genuinely is worth it.

