[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8=E1vCCy6fvjs=+0=-z3MFp=Or+87t1_DisM65bgaHN8g@mail.gmail.com>
Date: Sat, 7 Jan 2012 21:09:26 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response
On Sat, Jan 7, 2012 at 8:42 PM, <Valdis.Kletnieks@...edu> wrote:
> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
>> imo public shaming(ie. owned by kiddies, usually they get bigger media
>> attention) can force companies to take security more seriously, but imo
>> hiring the kiddies isn't the solution.
>
> It matters a lot less than you think. Go look at Sony's stock price while they
> were having their security issues - it was already sliding *before* PSN got hacked,
> but continued sliding at the *exact same rate* for several months, with no visible
> added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
(http://attrition.org/security/rant/sony_aka_sownage.html).
Adding insult to injury, Sony laid off security folks before the
spectacular breach
(http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/).
Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
privileges revoked.
> The hack at TJX didn't cripple that
> company either. Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforseen events than the
> hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the share holders.
> [SNIP]
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line. Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50 month in gas- but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
>> of course many of them will get owned, lose a good chunk of money, some of
>> them even will go out of business, but until most of them can get away with
>> those broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> [SNIP]
Sadly, you are right.
In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether its a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'lets spend 10 years in prison' because its
cheaper to do nothing.
Its probably a pipe dream, though (I know it is while corporate
america gets to participate in the oligarchy via bribes (err, PAC
contributions)).
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists