Message-ID: <CAH8yC8=E1vCCy6fvjs=+0=-z3MFp=Or+87t1_DisM65bgaHN8g@mail.gmail.com>
Date: Sat, 7 Jan 2012 21:09:26 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Sat, Jan 7, 2012 at 8:42 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
>> imo public shaming (i.e. owned by kiddies, usually they get bigger media
>> attention) can force companies to take security more seriously, but imo
>> hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while they
> were having their security issues - it was already sliding *before* PSN got hacked,
> but continued sliding at the *exact same rate* for several months, with no visible
> added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
(http://attrition.org/security/rant/sony_aka_sownage.html).

Adding insult to injury, Sony laid off security folks before the
spectacular breach
(http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/).

Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
privileges revoked.

> The hack at TJX didn't cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforeseen events than the
> hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the shareholders.

> [SNIP]
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line.  Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50/month in gas - but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
>> of course many of them will get owned, lose a good chunk of money, some of
>> them even will go out of business, but until most of them can get away with
>> those broken models, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> [SNIP]
Sadly, you are right.

In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether it's a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'let's spend 10 years in prison' because it's
cheaper to do nothing.

It's probably a pipe dream, though (I know it is while corporate
America gets to participate in the oligarchy via bribes (err, PAC
contributions)).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/