| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 7 Jan 2012 21:09:26 -0500 From: Jeffrey Walton <noloader@...il.com> To: Valdis.Kletnieks@...edu Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Fwd: Rate Stratfor's Incident Response On Sat, Jan 7, 2012 at 8:42 PM, <Valdis.Kletnieks@...edu> wrote: > On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said: > >> imo public shaming(ie. owned by kiddies, usually they get bigger media >> attention) can force companies to take security more seriously, but imo >> hiring the kiddies isn't the solution. > > It matters a lot less than you think. Go look at Sony's stock price while they > were having their security issues - it was already sliding *before* PSN got hacked, > but continued sliding at the *exact same rate* for several months, with no visible > added dip due to the multiple hacks they had. Sony has a chronic, progressive problem with data security. Sony (or a child corporation operating under their name) had been hacked at least 43 times in the past (http://attrition.org/security/rant/sony_aka_sownage.html). Adding insult to injury, Sony laid off security folks before the spectacular breach (http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/). Sony is the poster child for driving drunk on the information super highway. Computing is a privilege, not a right. They should have their privileges revoked. > The hack at TJX didn't cripple that > company either. Cost them a bunch, but nothing they couldn't survive - most > companies that size already budget a lot more for unforseen events than the > hacks cost them. It cost TJX next to nothing, if I recall. It was less than 1% of one quarter's earnings. The executives were awarded bonuses for a job well done, and the loss was passed on to the share holders. > [SNIP] > > Remember that computer security is almost always a cost center, not a profit > center, and one of those "bad priorities" is usually "make more money". > > They aren't going to change the flawed process (which will cost money), unless > you can demonstrate how that will impact the bottom line. Just like I *could* > replace my already-paid-off car that gets 27 miles to the gallon with one that > gets 42, and save $50 month in gas- but then have a $250/month car payment to > make. That doesn't make fiscal sense, and often neither does fixing the flawed > process. > >> of course many of them will get owned, lose a good chunk of money, some of >> them even will go out of business, but until most of them can get away with >> those broken model, they won't try to fix the underlying problem. > > And you know what? *Every single decision* a business makes is like that. > > [SNIP] Sadly, you are right. In the US, we need a legislative change - broader, more encompassing laws and definitions which benefit the users (whether its a user with a credit card on file, or a user with PII on file). We need harsh penalties to act as a deterrent against corporate indifference, and board members to be held criminally accountable. With harsh penalties and board accountability, I would argue you could relax legislative oversight - give them enough rope to hang themselves, and see how many executives will opt for 'lets spend 10 years in prison' because its cheaper to do nothing. Its probably a pipe dream, though (I know it is while corporate america gets to participate in the oligarchy via bribes (err, PAC contributions)). Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists