
Servers Seized at Ukrainian Firm Where Petya Attack Began, Charges Considered - jacquesm
http://gizmodo.com/servers-seized-at-ukrainian-firm-where-petya-attack-beg-1796622607
======
dmix
> Col. Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, has
> not accused anyone at MeDoc of being involved with the attack. He has said
> that the company was warned multiple times about potential security
> vulnerabilities in its systems. “They knew about it,” Demydiuk told the
> Associated Press. “They were told many times by various anti-virus firms...
> For this neglect, the people in this case will face criminal
> responsibility.”

Criminal charges for not fixing known vulnerabilities? That's a risky road to
travel down. Especially given the general state of infosec among various
governments around the world and the offensive first mindset of their security
agencies.

This sounds like the result of being pressured to appear to be doing something
about a very public problem rather than using the justice system to set a
meaningful precedent. Especially if enforcement is going to be arbitrarily
based on only exceptionally bad cases.

People love to use the courts as a knee jerk reaction to every problem without
considering more effective or efficient alternatives first.

~~~
ryanlol
> Criminal charges for not fixing known vulnerabilities?

Why not? Incompetent vehicle operators regularly face criminal charges too.

~~~
dmix
So you'd like to have agencies set up to fine every company that gets hacked
through 'known vulnerabilities'? Enforcing this arbitrarily after big hacks is
hardly an equivalent analogy to enforcing traffic violations. It'd have to be
consistent, well defined, and widely enforced to be at all effective.

To me this is an emotional reaction that has no regard for cause/effect.

~~~
ryanlol
> So you'd like to have agencies set up to fine every company that gets hacked
> through 'known vulnerabilities'?

Not exactly, but I do feel that entities recklessly handling PII or possibly
in this case their update servers should face consequences.

> Enforcing this arbitrarily after big hacks is hardly an equivalent analogy to
> enforcing traffic violations. It'd have to be consistent, well defined, and
> widely enforced to be at all effective.

We definitely agree on this.

> To me this is an emotional reaction that has no regard for cause/effect.

This particular raid? Undoubtedly.

~~~
dmix
The end result will likely be more companies wasting time on useless
theatrics like PCI compliance to protect themselves from legal liability
rather than meaningfully protecting users' data and preventing their systems
from being launch points for bigger attacks.

This is why I'm highly doubtful about the ROI of burdening companies, courts,
and law enforcement with this 'solution'.

Even though it feels good to punish a faceless corporation for making a
seemingly obvious mistake.

~~~
mh8h
What's wrong with a PCI-like compliance that ensures companies that affect
this many people have their servers patched on a regular basis?

Rubber stamps like PCI compliance might look like time wasters. Not all of
them are. Given the huge increase in the amount of online credit card
transactions, the number of cases where payment information is compromised is
very low. That is partly due to PCI compliance IMO.

