

"If you’re outraged by accidental breaches, you’d better sit down" - sweis
http://benlog.com/articles/2010/05/14/if-youre-outraged-by-accidental-breaches-youd-better-sit-down/
Ben Adida on the recent privacy breach disclosures:<p>"If you’re shocked, outraged, writing lengthy TechCrunch posts about these developments, you probably don’t understand computer security very well, and you’d better sit down with a stiff drink, because these issues are the tip of the iceberg."
======
JacobAldridge
I hope we're really close to a Responsibility tipping point in regards to
online security, by which I mean a general acceptance by internet users that
they, not the site they visit, must take primary responsibility for their
online security.

This doesn't remove any responsibility from my bank, paypal, Facebook etc. But
until the average person hears about a potential breach of their privacy and
thinks "What can I do differently to prevent this happening again?" then
breaches are going to be fodder for sensational journalism and outraged
users... neither of which helps solve the problem.

I will make a division between some core security - like my credit card
details on Amazon - and peripheral security - like my photos on Facebook. This
latter type will tip over first, and I hope it's soon.

~~~
_delirium
But what _could_ I do differently to prevent my bank, or employer, or sites I
shop at, or anybody else, from leaking my data? Isn't it pretty much their
responsibility to make their site work properly? It's my responsibility to not
get taken in by phishing scams, sure, but what am I supposed to do about a
bank accidentally losing a CD with accounts on it, or getting their database
server compromised?

If anything, I'd suggest it should tip over into the other direction, with
much stricter liability and penalties for those sorts of information breaches.
If somebody promised something and failed to deliver it, that's a pretty
classic case of fault. Now if, on the other hand, they said up front that they
might make my data public if they felt like it, then that's another story.

In Facebook's case, it feels a bit like the flip-side of their recent proposal
to make TOS legally enforceable. Perhaps make 'em legally enforceable in both
directions, then, as a real contract with obligations on both parties?

~~~
motters
I agree. Other than trying to avoid phishing scams and using sensible
passwords there's not much that the user can do to improve their digital
security, especially in the era of cloud computing where much of what goes on
from a software perspective is not within the user's realm of responsibility.

------
simonw
The thing about the Yelp/Facebook bug is that it demonstrates how some of
these features have pretty fundamental problems. Facebook gave Yelp full
access to their API in a way that meant that any XSS holes in Yelp would
result in a breach for Facebook. Yelp had an XSS hole.

Keeping a large site free of XSS is really, really hard (especially if you
don't have an escape-by-default policy baked in to your template layer).
Ensuring your partners are free of XSS is even harder.

------
ThomPete
It seems to me that the major problem is that there is no gradients in
security.

With my online bank I am forced to go trough the same tedious process whether
I want to check my balance or transfer money.

I think that is part of the problem in getting users to care about these
matters.

My own thinking on this is "The Ghost Protocol" peer 2 peer negotiation where
trust is build over time rather than defined by a login. This wont be
happening anytime soon but the username/password approach isn't going to cut
it moving forward IMHO.

------
Silhouette
The world is not as black and white as this article suggests.

"We do not know how to write secure software."

100% secure? No, perhaps not. But we know a few things that could be done much
better than they are today.

For one thing, you can't leak information that you don't have. Companies today
tend to default to grabbing more information for their databases and keeping
it around indefinitely. We need much stronger data protection laws than most
countries have today to counteract this.

For another thing, "pushing the envelope and releasing features as quickly as
possible to outpace your competitors" is not an excuse for not running a
decent software development process. Seriously, Google was collecting that
data for _three years_ and no-one had looked at any of it and thought
something was wrong? The cost of phishing and identity theft even in purely
economic terms are already significant, and those costs are rising and don't
take into account the more important human suffering aspect. A statutory fine
of, say, $10,000 per individual per negligent breach should focus the
attention a little more on getting basic testing right and doing something
about problems before they happen, and a little less on trying to infringe
everyone's privacy faster than any competitor can.

As I have noted before, such a level of fines would be an unacceptable risk
for many businesses and they would probably have to stop collecting and
retaining personal information at all. I have no problem with this, as long as
the negligence criterion is applied sensibly. Most companies _don't_ need to
store a lot of data about us, and those for whom it is an important part of
their business model can learn to take reasonable steps to prevent abuse.

~~~
extension
As much as I would like to see this, without a stable industry consensus on
best practices, there is insufficient foundation for a legal definition of
negligence.

~~~
Silhouette
An alternative possibility is that evidence of "reasonable" behaviour would be
heard on a case by case basis in court, and case law would start to show the
minimum standards expected. Some practices may be more hype than substance,
and anyone alleging a problem because something was not done would presumably
have to justify why that action should have been taken. On the other hand, I
think you would find a lot of consensus and evidence-based argument in some
areas of security, and there is really no excuse for not following those
practices if you're in the business of managing sensitive data.

~~~
extension
If we are going to shift responsibility from attackers to the attacked, there
needs to be a clear and reasonable way for security non-experts to ensure that
they are doing their due diligence, and for non-experts in the legal system to
be confident that they aren't.

For now, any clown can come along and tell someone that they are secure, and
another clown can verify that the first clown is an official certified non-
clown. It may be perfectly obvious to you that these people are incompetent,
but to the non-expert it ultimately comes down to your word vs theirs. Even
the clowns may not have an objective way of knowing that they are clowns.

Without an authoritative standard that provides a root of trust to non-
experts, everything falls apart. That standard requires consensus, which
requires a critical mass of competent experts, which requires the state of the
art to keep up with demand and change, which is not going to happen in the
field of security any time soon because there is too much demand, too much
change, and it's just too damn hard.

~~~
Silhouette
> If we are going to shift responsibility from attackers to the attacked,
> there needs to be a clear and reasonable way for security non-experts to
> ensure that they are doing their due diligence, and for non-experts in the
> legal system to be confident that they aren't.

I'm sorry, but I don't entirely agree with that. I think if you deliberately
take on a role that is potentially damaging to others, such as collecting
large quantities of personal data, then to some extent the onus has to be on
you to be competent in how you protect that data.

The whole premise of using words like "reasonable" in statutes and then
developing case law over time is that you can't always predict every single
possibility in complete detail ahead of time, and sometimes you have to make a
judgement in the circumstances of a particular case about whether someone's
actions were reasonable.

This problem isn't specific to IT security, of course. After all, any time you
employ a new member of staff as a company, you are to some extent trusting
that they (and perhaps their references) have been honest in their
representations to you during the recruitment process. And yet, we still have
businesses with employees, even though it is an uncertain world, and for the
most part this works fine anyway.

> Without an authoritative standard that provides a root of trust to non-
> experts, everything falls apart.

I respectfully disagree. It doesn't take a big, formal spec to understand that
you should hold sensitive information behind a secure access mechanism, and
that sensitive data should be protected to avoid leaks in transit or on
disposal of hardware.

If someone doesn't understand and follow these basic principles, then perhaps
handling sensitive data is not a good career choice for them or their
business. I would have no problem with a legal action against an organisation
that compromised, say, many people's bank credentials, by leaving them on an
unencrypted USB stick on a train.

Arguing about whether a certain state-of-the-art or controversial security
process or tool was necessary and whether failing to use such a thing was
negligent is for courts to consider, based on the testimony and possibly
expert statements from both sides. If anything, this process and a reasonable
burden of proof on the prosecution seem more sensible to me than trying to
reduce a fast-moving field like IT security to a fixed checklist that might be
obsolete within days of completion.

~~~
extension
The things you describe are reasonable in general, but break down under the
extremes of present day security, software development too. The problem is
that _most_ people who think they can do it, can't. That is, most
professionals will take on more challenging problems than they are practically
qualified for. If the bulk of an industry can't judge its own competence,
customers and courts have no chance of doing so. And yet this is increasingly
a requirement for doing business at all. You can't simply tell people to stop
using computers.

If you can't define "reasonable" for the purposes of writing a law, it's a
good indication that people won't know what it means when they try to obey the
law. You can't make laws that nobody knows how to follow.

------
dutchbrit
The chat bug was pretty stupid, how on earth did they manage to create a bug
like that (seriously, it amazes me)! Seems like they have an awful
authentication system - these things should be checked over before going
online.

------
bruceboughton
This is right on the money.

