this post was submitted on 23 Jan 2024
255 points (92.9% liked)

Technology

[–] demesisx@infosec.pub 4 points 9 months ago (13 children)

Anyone who says, “think of the corporations” before they think of the people being PERMANENTLY compromised is a lost soul indeed. You are blaming the inadequacy of standards rather than the demagogues working for the corporations that enabled these lax standards. Of course there are going to be 0-day exploits that no one could protect against, but that is a red herring. That’s something that could easily come out and be considered when that company is brought in front of a civil court to decide the fines, obviously!

I think we’re too dissimilar for this conversation to bear any fruit. Thanks for the well constructed devil’s advocate stance but you certainly haven’t convinced me.

[–] eltimablo@kbin.social 2 points 9 months ago (12 children)

When you say "corporations," it seems like you're exclusively counting companies like Google, Meta, etc., whereas I'm also including the mom-and-pop, 15-person operations that would be impacted by the same regulations you suggest. Those underdogs are the ones I want to protect, since they're the only chance the world has at dethroning the incumbents and ensuring that the big guys don't outlive their usefulness.

[–] demesisx@infosec.pub 1 points 9 months ago* (last edited 9 months ago) (5 children)

I’m not.

And what I proposed (see my revised original comment) actually protects those companies because it takes into account:

  • the number of users affected
  • the general standards that were or were not followed by that theoretical startup rag-tag team of hacks, which would help paint a picture for regulators of the severity of the violation and codify the ever-evolving concept of what is “reasonably secure”.
  • the market cap of said theoretical hacked corporation.

[–] eltimablo@kbin.social 2 points 9 months ago* (last edited 9 months ago) (1 children)

See, I figure all of those things would be accounted for in whatever civil suit gets brought against the company. Frankly, I think that's much more fair to companies both big and small because it involves a group of people working together to figure out how much of a fine to levy in each individual instance, rather than having a blanket policy that may or may not account for edge cases. If the company is huge and the fuckup egregious, then the jury is (theoretically) going to throw the book at them.

At the very least, I'd want a jury in between the company and whichever government body is fining them, because regulatory bodies are prime targets for corporate shills to take over and it's harder for that to run rampant if you have a bunch of regular jackoffs acting as gatekeepers.

There's also the issue of ongoing compliance for small companies. Cybersecurity engineers are not cheap, and being all but required by law to employ one could (1) drive small companies out of business (180k a year may be cheap for Facebook, but it's definitely not for Joe Buttsniffer and Sons Catering), and (2) cause market saturation so bad that the average salary makes nobody want to do the job anymore.

[–] demesisx@infosec.pub 1 points 9 months ago (1 children)

Agreed. Corporate regulatory capture was a 100% success in the United States. It has been that way since at least Reagan. It always comes back to government corruption and what I see in these kinds of civil suits against corporations that were breached is a gentle slap (actually more of a caress!) on the wrist (and a wink and a nod when the cameras turn off) between the demagogues and the corporations that own them.

[–] eltimablo@kbin.social 2 points 9 months ago (1 children)

Yeah, it really comes back to "fines are only for poor people." Google can just count the fines as the cost of doing business while simultaneously leveraging their dominance to force other companies to break regulations in order to work with them.

[–] demesisx@infosec.pub 1 points 9 months ago (1 children)

It’s VERY similar to how we (in the US) allow Congress to decide the rules that THEY THEMSELVES have to follow when you have the legalized bribery that is known as lobbying in the US.

[–] eltimablo@kbin.social 2 points 9 months ago

You know what I bet we both agree on? Limited liability in general being a shit idea.
