Regulate software development. Other industries already do this.

You could: - make Software Engineer a protected title that requires formal engineering education and mentorship as well as membership to your country's professional engineering body (Canada already does this) - make collecting and storing PII illegal unless done by a certified Software Engineer - add legal responsibility to certified Software Engineers. If a beach like this happens they lose their license or go to jail. And you easily know who is responsible for it because it's the PEng's name on the project - magically, nobody wants to collect PII insecurely anymore or hire vibe coders or give idiots access to push insecure stuff - bonus: being a certified Software Engineer now boosts your salary by 5x and the only people that will do it actually know WTF they are doing instead of cowboys, and that company will never hire a cowboy because of liability. The entire Internet is now more secure, more profitable for professionals, and dumb AI junk goes in the trash

I think fines are very reasonable. If you can’t safely do the thing, you should be punished for doing it. If you can’t safely safely do the thing then there is no issue.

Certification is essentially "don't fuck up or we'll fine you to death" with extra steps. Especially because it mostly comes down to the company self-verifying (auditors mostly just verify you are following whatever you say you are following, not that its a good idea).

Its not like anyone intentionally posts their entire DB to the internet.

Professional Engineer (PE) certification for cyber security professionals would help.

Without personal and professional consequences, the default 1 year of credit monitoring for weak security is just the cost of doing business.

I would suggest that damages should be punative, not to make the victims whole. So i dont think it matters.

Having the threat of lawsuits is not really about the actual lawsuit, its about scaring people into being more careful. If you actually get to the lawsuit stage, the strategy has failed.

> We can reduce the latency of discovery and resolution by adding software protocols.

Can we? What does this even mean?

[Edit: i guess you mean the things in your parent comment about requiring including some sort of canary token in the DB. I'm skeptical about that as it assumes certain db structure and is difficult to verify compliance.

More importantly i don't really see how it would have stopped this specific situation. It seems like the leak was published to 4chan pretty immediately. More generally how do you discover if the token is leaked, in general? Its not like the hackers are going to self-report.]

The fact that UK politicians cannot use their brains is a separate issue. May I interest you in a VPN?

You only require ID verification for NSFW subreddits, right?

[flagged]

education is helpful, but it's also inadequate. we need good drivers, and good driver safety systems. they go hand in hand.

even the most savvy consumers slip up, or are in a hurry. it's impossible to make a perfect security decision every time

I think iOS and Android already holds the threat of app store removal over developers' heads.

Presumably the risk/reward still favors risky practices.

This is the kind of thing government regulation is useful for, when it works.

also i remember maybe Facebook trying to do this when they acquired Parse. For a while they were promoting developers host their backends on Parse / FB .

The idea has merit. You have to relinquish some control to establish security. Look at App Store, Microsoft Store , MacOS App store -- they all sandbox and reduce API scope in order to improve security for consumers.

I'm more on the side of autonomy and trust, but then we have reckless developers doing stuff like this, putting the whole industry on watch.

thanks. Yeah I think there are a lot of ways to decouple App store from publisher and auditor . That way the publisher can retain autonomy / control , while still developing trust with the consumer.

We could do better in our trade at encouraging best practices in this space. Every time there's a breach , the community shames the publisher . But the real shame is on us for not establishing better auditing protocols. Security best practices are just the start. You have to have transparent, ongoing auditing and pen-testing to sustain it.

So like those EV certs that turn the address bar green.

Linux is up to 5% of the desktop. Gog and Itch.io are DRM-free, and are slowly gaining ground against Steam. Fediverse networks are slowly gaining ground against traditional social media. Signal is more popular then ever.

There will always be lowest-common-denominator users, but there is clearly some demand for an alternative to the biggest 5 websites...

It's perfectly possible to point out a flaw without suggesting a replacement.

That still doesn't make sense. How does the ACL work? What prevents the usual shenanigans like cloaking to prevent legitimate detection from working? Moreover what secrets are you even trying to detect? The app API token?