Message-ID: <CAMnEBtdNhMwyymFOgDbHofKUAX95vRvN2gTkBJ2Oy-6pLH7e=A@mail.gmail.com>
Date: Mon, 9 Jan 2012 10:34:40 -0800
From: Bob Dobbs <bobd10937@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Sat, Jan 7, 2012 at 5:42 PM, <Valdis.Kletnieks@...edu> wrote:

> It matters a lot less than you think.  Go look at Sony's stock price while they
> were having their security issues - it was already sliding *before* PSN got hacked,
> but continued sliding at the *exact same rate* for several months, with no visible
>

Indeed. It is surprising to me that customers don't care more about this
than they do. But the customer, in the end, doesn't seem particularly
concerned about their personal data. If they did they would stop buying,
revenue would fall, and stock price would fall.

> As high priority as the IT Sec people usually think it should be, or as high
> priority as a cold hard-line analysis of business cost/benefits says it should
> be?  IT people tend to be *really* bad at estimating actual bottom-line costs.
>

I can perfectly understand the cold rationalizing of ROI on issues of
security expense. I am much less forgiving of companies who constantly say
(and they all do) that they take great care with your data, won't share it
with anyone else, implement great security, etc. Then they are owned by
some stupid means such as a flawed and out of date Internet-facing webapp
and proven to be liars.

I wish there were far more punitive punishments for customers to pursue to
help shift the ROI towards providing more security.

Bob


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
