
posted by cmn32480 on Thursday October 29 2015, @03:21PM
from the need-a-penalty-box dept.

Bruce Schneier's blog talks about the recent hack of CIA director John O. Brennan's AOL account (among others) and says when it comes to social engineering attacks:

The problem is a system that makes this possible, and companies that don't care because they don't suffer the losses. It's a classic market failure, and government intervention is how we have to fix the problem.

It's only when the costs of insecurity exceed the costs of doing it right that companies will invest properly in our security. Companies need to be responsible for the personal information they store about us. They need to secure it better, and they need to suffer penalties if they improperly release it. This means regulatory security standards.

Schneier goes on to suggest the government should establish minimum standards for results and let the market figure out the best way to do it. He also partly blames consumers because they demand any security solutions be easy to use, ending with:

It doesn't have to be this way. We should demand better and more usable security from the companies we do business with and whose services we use online. But because we don't have any real visibility into those companies' security, we should demand our government start regulating the security of these companies as a matter of public safety.

Related: WikiLeaks Publishes CIA Chief's Personal Info

  • (Score: 4, Insightful) by Tramii (920) on Thursday October 29 2015, @11:30PM (#256270)

    You can't just create blanket penalties like that or everyone will leave the market screaming and your packets will need to go to another country for service.

    First of all, not everyone will leave the market. It will definitely discourage any company from collecting any information they absolutely do not require. This is a feature, not a bug. Lots of companies will stop asking for your personal data. Most companies will stop writing custom software to handle things like charging credit cards, and a few huge companies who have the expertise and know-how will end up handling most of our sensitive data. This all seems like a good thing to me.

    Second, I do not accept the excuse that it is impossible to secure information. (I mean, it literally is impossible to 100% guarantee that no one can steal something from you. But we've lived with this possibility for a long time and society hasn't collapsed yet.) It is certainly possible to eliminate 99% of the information leaks that have happened in the last few years. With proper security practices, you could get some hardened systems running in a few years. Let the companies buy insurance or whatever they need to mitigate the risk, but you don't let people off the hook because something is "hard".

  • (Score: 2) by mojo chan (266) on Friday October 30 2015, @11:02AM (#256410)

    Companies will just buy insurance to cover the cost. The question that business will ask is always "given a rate of x hacks/year, is it cheaper to pay the fines, get insurance to pay the fines or improve security?"

    I'd prefer a system where profits are garnished. If a company is hacked there is an investigation. If they failed to encrypt the data properly, if people lost money as a result the fine is higher. The fine is always a multiple of yearly profits, so it scales with the business. Profits are garnished until the fine is paid off.

    --
    const int one = 65536; (Silvermoon, Texture.cs)