Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us, which also means threats we actually encounter will be recognized and fought more quickly and better in the future. Or houses - having lived in the US, those front doors are at least an order of magnitude less secure than any German front door, but even those are not really able to keep out any determined intruder.
Why should we mount a very expensive all-out defense against a lot of perceived threats? It's similar to "every child (programmer, etc.) MUST know this!". Making demands is easy. If people don't care there probably is a deeper reason. Yes, the heuristic gets it wrong, that's why it's a heuristic, but that it is one in the first place also has similar reasons.
It sure is possible to criticize a concrete company for concrete problems, but the blanket statement of the headline is not useful.
The problem is that this isn't about saving money overall. Users pay the primary costs of the company's security errors, so it's a moral hazard problem.
Right now, companies that lose data don't pay any costs at all until afterwards, and those costs are usually minimal. The reputational damage is reduced because no one knows until (well) after the breach, and any financial info lost is consumer credit cards rather than corporate accounts. Yes, users sometimes get free identity theft monitoring, but those services are quite cheap to account for the fact that they don't actually work.
More specifically, this is asymmetric information and therefore the market can't adjust for it. When Yahoo loses my data, will my passwords be salted and well-hashed? How could I possibly know in advance? Consumers aren't making privacy and risk choices, they're using the internet as best they can and getting repeatedly burned for it.
If you want a clear contrast, companies are enormously concerned about "whaling" attacks, and are working hard to prevent them. Those attacks take corporate money in real time, so the costs are properly factored in. Moral hazard is inherently about broken cost-benefit measurement.
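The "salted and well-hashed" question above is the one concrete technical check a user would want to know the answer to. This is an added example, not code from the original thread: it shows with the Python standard library what the difference looks like on disk, contrasting an unsalted SHA-256 record (two users with the same password get identical stored values) with a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation. The iteration count is an assumption chosen for a quick demonstration, not a production recommendation.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: work factor lowered so the demo runs quickly; production
# deployments should pick a cost their hardware can afford to make high.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical output for identical input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a fresh 16-byte random salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, stored_digest)


def salted_records_differ(password: str) -> bool:
    """Two users choosing the same password must not produce the same stored record."""
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return digest_a != digest_b


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    shared = "hunter2"
    print("unsalted records identical:", unsalted_sha256(shared) == unsalted_sha256(shared))
    print("salted records differ:", salted_records_differ(shared))
    salt, digest = hash_password(shared)
    print("verify correct:", verify_password(shared, salt, digest))
    print("verify wrong:", verify_password("hunter3", salt, digest))
```

The point the thread is circling is that a consumer cannot observe which of these two functions a service calls; only a breach reveals it, which is exactly the information asymmetry the comment describes.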
The real problem is most payments & identity are pull vs push and the username is the password. If they were push, then there wouldn't be customer payment information to steal in the first place. All that would be taken would be personal shipping addresses, and those are mostly public as it is already.
Same with social security numbers and identity in general.
To solve the root cause in this case although was decided to not be good by the infrastructural organizations. Eating the fraud is cheaper than putting up barriers to payments.
If fraud liability was moved 100% to banks, payment providers and governments, we would see the problem fixed pretty quickly.
> The problem is that this isn't about saving money _overall_.
It hasn't been shown to be otherwise either though.
> companies that lose data don't pay any costs at all until afterwards
Because we don't know what they should pay. We need reliable research that nails down how much a security breach costs society, and until we have it, it's impossible to provide companies with the right incentives.
Note that the cost should depend on the circumstances. For example, if Google or Facebook has a major breach, it would probably have a bigger impact (on a per-user basis) than a small service.
If you just impose a uniform per-user cost for data breaches, then you're essentially giving larger services an unfair competitive advantage.
When your front door isn't secure enough, you and/or your insurance company eat the loss. The point of this headline is that when Yahoo gets attacked their customers are going to eat the loss, yet it's Yahoo who screwed up.
That's IMO a clear example of mis-aligned incentives.
Has Yahoo acted grossly negligently? (I don't know the specifics in this case) If so then they are liable for resulting damages, if not then they didn't screw up.
See, no customer is entitled to a 100% guarantee that their private data will never leak. Why? Because it is not possible to guarantee such a thing.
The only thing you are entitled to is that the corporation handles your data following industry standards which usually is at least identical but most often even better than what the law requires.
If a 100% guarantee was somehow a legal requirement then the IT industry would cease to exist the following morning.
It's not possible to 100% guarantee that data will never leak, but it's entirely possible to 100% guarantee that the company will cover the full costs of a leak. If that was somehow a legal requirement, everyone would go out and buy insurance for it and then life would go on, probably with additional emphasis on security.
I have a different position on that. My perspective is that if a company doesn't act negligently, follows all legal procedures and industry standards regarding data security, then why should it be made to pay for damages caused by a third party?
It didn't cause the damage, it's been the criminals who did that. They should be held accountable for this.
That seems pretty reasonable too. I like the idea of making the business liable regardless because it more or less automatically optimizes the combined cost of security and losses. Companies will in theory spend money on security until each dollar spent mitigates less than a dollar in losses, then stop.
The trick, of course, is making sure companies estimate their risk properly and don't just screw everyone over by underspending on security and then going bankrupt when hacked. Mandatory liability insurance could help with that, since insurance companies basically exist to assess risk in something like a realistic fashion.
So you think that startups with hockey-stick growth should have to design systems which are impervious to extremely sophisticated criminals? That seems unlikely.
Edit: also, the main risk here is password reuse. How is Yahoo supposed to estimate that and why are they on the hook for user's bad security practices?
You're forced to spend money to mitigate losses. If you can do something to decrease the losses, or the likelihood of suffering one, then the insurance will cost less.
Right, so your spending will increase up to the point where your ROI is 1:1, then you'll stop. That point will be long before you reach imperviousness.
Companies seem to hold on to extra data because, "why not?" Previously, they were limited by sorting and storing physical documents. Let's say you changed your address. In the past I imagine most companies would update their file (discarding the old address, because that would cause confusion) and nowadays I can see companies keeping the old one around because it might be useful later.
I would like a scenario where companies choose not to store data not immediately useful to them. They already have incentives to store old data (it's cheap, audits, monetizing later, direct advertising, etc). The best tool I can think of is liability.
I don't think the balance between companies and individuals is always equal. If I want to sign up for cable TV I have to agree to their contract (I don't get to negotiate terms), which commonly includes: giving them your birthdate or social security number, giving up the ability to sue by agreeing to arbitration, agreeing to a 12 month contract, etc. Yes, I'm not forced to agree to that contract and can go without cable (and I can see why they need much of that info--at least upfront), but the limited alternatives (and less-than-diligent consumers) allow companies to add creepy data collection without much pushback.
Yes, we are lamenting the situation. There is no incentive for companies to go beyond the rather lame line of duty. So we're left with an industry full of holes.
Consider many other product markets, when there is a defect in someone's product there are legal remedies. These are in place to provide an incentive for companies to do something they otherwise would not.
Examples of this would be food safety legislation, fire safety legislation, building regulations etc. In all those cases it was considered a good thing (by society) to implement laws to make companies take these things into account.
IT in general lacks this kind of legislation, and as a result companies unsurprisingly make commercial decisions not to improve security where they feel it would cost a lot of money to do so.
The problem comes in the negative externality, the company with bad security isn't the company that takes the loss, similar to the negative externality that the person who made a weak bridge likely doesn't die when it collapses.
So a logical argument might be to use legislation to fix this externality and make it a better decision for companies to improve their security...
Because attacks in software are always getting better, not worse. If it's a smaller company it's a shame - many of them simply don't have the resources to dedicate to properly hardening themselves against attack, and it can destroy their company.
I ran an unsuccessful game service for a while, and due to the nature of our product (custom 3D characters) we suspected we would receive, and did receive, an incredible number of hack attempts for a pretty much unknown web service. Expecting the issue, we got a US $20K SonicWall hardware firewall of the class used by banks. Best investment ever. On four separate occasions we had DoS attacks that the SonicWall shrugged off without a sweat. Typically, we'd see 100-300 actual hack attempts per day for this unknown service. To handle this, it takes being serious, and listening to and following your security experts' guidance without cutting corners. They are aware security is expensive and have already mentally scaled their recommendations to a balance between what they think you can afford and the security you'll need. Go with their recommendation - they are the expert.
Are you conflating DoS (something a firewall can deal with) with the kind of hacking that can penetrate a system? I'm not sure a firewall can do anything about (for example) SQL injection.
I think the commenter is describing his company's operation, what attacks they were facing, and that listening to advice countered them. The commenter doesn't mention SQL injection or claim his case applies to anything else. Instead, he merely points out that listening to professionals who understand the risks of your technology and following their advice can prevent problems caused by those risks. That was my take.
...that a few, inexpensive practices stop almost all the common methods currently. There's also frameworks and stacks that immunize web applications against common ones for them with little to no effort by developers. These fit parent's claim where you just follow basic, security advice with available tools for each category to stop many attacks.
Now, that's not going to cover everything. A dedicated, professional attacker or team targeting your individual business might break past it all. Most breaches we see, though, are companies not doing the basics.
> Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APT's in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPN's by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely cost anything.
That's a lot more invasive ongoing work than "add piece of hardware", or "add this DNS record".
Add this whitelisting software with your main apps on the list. Install updates when available by clicking update. Done for 75% of it. Your admin using an OpenBSD or Linux install instead of something else for the backend is invisible to you. The developers writing apps with one framework or library use a different one. I'm not seeing this invasive nature of easy stuff. Straightforward.
Seems more do given the number of companies with 1-5 IT people that do stuff like this. They just care, Google tech X plus security/hardening guide, and follow the advice. Apply patches, check logs on occasion. A little less apathy goes a long way.
I'm not familiar with Sonicwall specifically, but a packet-inspecting web app firewall can indeed do something about SQL injections, obvious ones anyway.
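The comment above makes two claims worth seeing side by side: an inspecting firewall can flag obvious SQL injection attempts in request traffic, and it only catches the obvious ones. This is an added example, not code from the thread or from any SonicWall product: a small pattern-based inspector over a constructed set of HTTP request lines, paired with the parameterized query that actually removes the injection risk regardless of whether the firewall noticed anything. The request lines, parameter names and table are all constructed for the demonstration.

```python
import re
import sqlite3
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (not real logs). The second and fourth
# carry textbook injection strings; the last is a legitimate apostrophe.
SAMPLE_REQUESTS = [
    "GET /search?q=lamp HTTP/1.1",
    "GET /search?q=lamp%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /user?id=42 HTTP/1.1",
    "GET /user?id=42%3B%20DROP%20TABLE%20users HTTP/1.1",
    "GET /search?q=O%27Brien HTTP/1.1",
]

# Crude signatures of the kind a packet-inspecting WAF applies after decoding.
# They catch the obvious shapes and nothing more, which is the point.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.IGNORECASE),          # ' OR '
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),
    re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),
    re.compile(r"--\s*$"),                              # trailing comment
]


def extract_params(request_line: str) -> Dict[str, List[str]]:
    """Pull the percent-decoded query parameters out of a request line."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qs(urlsplit(target).query)


def looks_like_sqli(value: str) -> bool:
    return any(p.search(value) for p in SQLI_PATTERNS)


def inspect_request(request_line: str) -> List[str]:
    """Return the names of parameters whose values match a signature."""
    flagged = []
    for name, values in extract_params(request_line).items():
        if any(looks_like_sqli(v) for v in values):
            flagged.append(name)
    return flagged


def filter_requests(lines: List[str]) -> List[str]:
    """The WAF view: which request lines would be blocked or alerted on."""
    return [line for line in lines if inspect_request(line)]


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("lamp",), ("chair",)])
    return conn


def safe_search(conn: sqlite3.Connection, q: str) -> List[str]:
    """The application-side fix: the user value is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (q,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{inspect_request(line) or 'clean':>10}  {line}")
    conn = build_demo_db()
    print(safe_search(conn, "lamp"))             # ['lamp']
    print(safe_search(conn, "lamp' OR '1'='1"))  # [] - treated as a literal string
```

The signature list deliberately stays small: it flags the two injection lines and leaves "O'Brien" alone, but any inspection of this kind is a detection layer, and the parameterized query is what makes the outcome not depend on the detection succeeding.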
> Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us
While it's true that nature has taken the same path for the same reasons, I don't think I'd have to look very hard for people to agree that the fact that people fall ill, sometimes seriously so, is "sad".
Because there are significant external costs that the entities sloppily handling records don't have to pay but the rest of us do. Presumably that's the reference they had in mind when they referred to the "Ford Pinto formula," since it's unlikely customers would have agreed that it was better to have cars that had some risk of blowing up and killing them so Ford could make more money.
All products carry some risk, and all companies calculate the risk vs the cost of mitigation. It's impossible to make any product if safety trumps everything else.
OK, but if it costs you tens of thousands of dollars when some bad thing happens and it costs the vendor nothing they're likely not actually making a reasonable trade-off; they're just leaving you out to dry.