Bruce Schneier's blog talks about the recent hack of CIA director John O. Brennan's AOL account (among others) and says when it comes to social engineering attacks:
The problem is a system that makes this possible, and companies that don't care because they don't suffer the losses. It's a classic market failure, and government intervention is how we have to fix the problem.
It's only when the costs of insecurity exceed the costs of doing it right that companies will invest properly in our security. Companies need to be responsible for the personal information they store about us. They need to secure it better, and they need to suffer penalties if they improperly release it. This means regulatory security standards.
Schneier goes on to suggest the government should establish minimum standards for results and let the market figure out the best way to do it. He also partly blames consumers because they demand any security solutions be easy to use, ending with:
It doesn't have to be this way. We should demand better and more usable security from the companies we do business with and whose services we use online. But because we don't have any real visibility into those companies' security, we should demand our government start regulating the security of these companies as a matter of public safety.
Related: WikiLeaks Publishes CIA Chief's Personal Info
(Score: 3, Interesting) by frojack on Thursday October 29 2015, @06:06PM
we should demand our government start regulating the security of these companies as a matter of public safety.
I think the death knell of the internet will sound out the instant you decide that the government gets to approve every internet offering, and regulate every security effort. Congress is right this minute hard at work mandating back doors, for Christ's sake!!!
This problem isn't anywhere near as intractable as Schneier seems to think it is. It certainly doesn't need an expansion of government to take care of it. The changes that are needed are rather small: fairly simple modifications to contract law and restrictions on the enforceability of disclaimers and damage limitations in TOS click-through agreements.
We already have such limitations in many areas of the law. There are all sorts of things you can't put in a contract or an agreement because they are declared by law to be unenforceable. Therefore, when you go to court, the company can't trot out the TOS and say "see here where you agreed that we have no liability? ... We move for dismissal your honor!". Every profession has some prohibitions like this, CPAs, auto-mechanics, housing, etc.
Judges and juries will handle the enforcement and penalties if we just declare, by law, some broad areas of non-disclaimable liability. Enforcement will be done by the insurance industry, court verdicts, class action suits, etc.
However, even after years in the field as a security specialist, Schneier still fails to recognize that he works in a one-sided world, where the bad guys have no limitations. He is held hostage to his own Maginot Line thinking [wikipedia.org]. It's pretty hard to hold every company in the world responsible for information leaks allowed by things such as Shellshock, POODLE, FREAK, and mandated government back doors.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @07:18PM
Nice straw man, but nobody's asking for or recommending that.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @08:26PM
You must be new here. That's frojack's MO.
(Score: 0) by Anonymous Coward on Friday October 30 2015, @05:03AM
frojack has an MO? I learn so much here on SoylentNews!