| ▲ | bawolff 5 days ago |
| Make company liable for damages when breached. If you want companies to care about security then you need to make it affect their bottom line. This wasn't the work of some super hacker. They literally just posted the info in public. |
| ▲ | standardUser 5 days ago | parent | next [-] |
| There has to be a better way than just adding another deterrent to starting a company. Could there be an industry standard for storage security? Certification (a known hurdle) is better than "don't fuck up or we'll fine you to death". |
| ▲ | sigseg1v 5 days ago | parent | next [-] | | Regulate software development. Other industries already do this. You could:
- make Software Engineer a protected title that requires formal engineering education and mentorship as well as membership to your country's professional engineering body (Canada already does this)
- make collecting and storing PII illegal unless done by a certified Software Engineer
- add legal responsibility to certified Software Engineers. If a breach like this happens they lose their license or go to jail. And you easily know who is responsible for it because it's the PEng's name on the project
- magically, nobody wants to collect PII insecurely anymore or hire vibe coders or give idiots access to push insecure stuff
- bonus: being a certified Software Engineer now boosts your salary by 5x and the only people that will do it actually know WTF they are doing instead of cowboys, and that company will never hire a cowboy because of liability. The entire Internet is now more secure, more profitable for professionals, and dumb AI junk goes in the trash | | |
| ▲ | aaronmdjones 5 days ago | parent | next [-] | For writing lists with one item per line, use two line breaks on HN to start a new line. Like this. |
| ▲ | jjmarr 4 days ago | parent | prev [-] | | Canada does this but it is barely enforced. Many non-certified people call themselves "software engineers" with no consequence. |
| ▲ | LPisGood 5 days ago | parent | prev | next [-] | I think fines are very reasonable. If you can’t safely do the thing, you should be punished for doing it. If you can safely do the thing, then there is no issue. |
| ▲ | bawolff 5 days ago | parent | prev | next [-] | Certification is essentially "don't fuck up or we'll fine you to death" with extra steps. Especially because it mostly comes down to the company self-verifying (auditors mostly just verify you are following whatever you say you are following, not that it's a good idea). It's not like anyone intentionally posts their entire DB to the internet. |
| ▲ | crx12 5 days ago | parent | prev [-] | | Professional Engineer (PE) certification for cyber security professionals would help. Without personal and professional consequences, the default 1 year of credit monitoring for weak security is just the cost of doing business. | | |
| ▲ | bawolff 2 days ago | parent [-] | How would that help? By all accounts this app has no security professionals involved with it. It's not like there was some incompetent cyber security expert saying it's ok to skip ACLs in firebase. |
| ▲ | ryandrake 5 days ago | parent | prev | next [-] |
| This is the only way to deter this. Negligence and incompetence need to cost companies big money, business-ruining amounts of money, or this is just going to keep happening. |
| ▲ | swat535 5 days ago | parent | prev | next [-] |
| > Make company liable for damages when breached. This won't be enough, you have to make PEOPLE liable for a breach. Making a corporation liable is useless; it's a legal Person and it can simply declare bankruptcy and move on. |
| ▲ | itake 5 days ago | parent | prev | next [-] |
| The problem is what are the damages? How much are those damages? My SSN / private information has been leaked 10+ times now. I had identity fraud once, resulting in ~8 hours of phone calls to various banks resulting in everything being removed. What are my damages? |
| ▲ | bawolff 5 days ago | parent [-] | I would suggest that damages should be punitive, not to make the victims whole. So I don't think it matters. |
| ▲ | admissionsguy 5 days ago | parent [-] | | Punitive damages are no-go in Europe given they would mostly result in money transfers from the ruling families to common people. | | |
| ▲ | bawolff 5 days ago | parent [-] | Have you seen the GDPR? It's basically the definition of punitive damages. |
| ▲ | tonymet 5 days ago | parent | prev | next [-] |
| I agree, but relying on lawsuits is far too slow and costly. We can reduce the latency of discovery and resolution by adding software protocols. |
| ▲ | bawolff 5 days ago | parent [-] | Having the threat of lawsuits is not really about the actual lawsuit, it's about scaring people into being more careful. If you actually get to the lawsuit stage, the strategy has failed. > We can reduce the latency of discovery and resolution by adding software protocols. Can we? What does this even mean? [Edit: I guess you mean the things in your parent comment about requiring including some sort of canary token in the DB. I'm skeptical about that as it assumes certain DB structure and is difficult to verify compliance. More importantly I don't really see how it would have stopped this specific situation. It seems like the leak was published to 4chan pretty immediately. More generally, how do you discover if the token is leaked, in general? It's not like the hackers are going to self-report.] |
| ▲ | tonymet 5 days ago | parent [-] | The signatures would appear in the drop. A primitive version would be file metadata or JFIF. Even the images themselves or steganography could be used. |
| ▲ | bawolff 5 days ago | parent [-] | | I guess, but it seems a bit like a solution that only works for this specific dump - most db breaches don't have photos in them. My bigger concern though is how you translate that into discovering such breaches. Are you just googling for your token once a day? This breach was fairly public but lots of breaches are either sold or shared privately. By the time its public enough to show up in a google search usually everyone already knows the who and what of the breach. I think it would be unusual for the contents of the breach to be publicly shared without identifying where the contents came from. | | |
| ▲ | tonymet 4 days ago | parent [-] | Dark web scanning is common. The developers would be notified when those signatures appear in dark web indexes. JFIF is just an example. Any file format or metadata could be used as a signature depending on the storage type. |
| ▲ | bawolff 2 days ago | parent [-] | | There is no indication that this particular breach was ever on the "dark web" before widely being discovered. Yes dark web scanners are a thing, but just because something exists does not mean it would work for a specific situation. I'm doubtful they would work most of the time. |
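A worked version of the canary/signature idea from the tonymet and bawolff exchange above, added here as an example; it is not code from this thread, from the Tea app, or from any real leak-monitoring product. It derives a per-dataset token with an HMAC over a hypothetical `CANARY_KEY`, stores it both as a fake user row and inside a JFIF COM segment (the "file metadata" variant), and then runs the scan a monitoring feed would have to run over each new drop to attribute it. All dataset names, the key, and the leaked rows are constructed for the example.

```python
"""Canary tokens for breach attribution: an added example, not code from
this thread or from any real product. Constructed data only."""
import hashlib
import hmac
import re
import struct

# Hypothetical per-deployment secret; a real deployment would load it from
# a secret store, never keep it in source.
CANARY_KEY = b"example-canary-key-change-me"

# Tokens are 'cn' + 24 hex chars: unusual enough to avoid false positives.
TOKEN_RE = re.compile(rb"cn[0-9a-f]{24}")


def canary_token(dataset_id: str) -> str:
    """Deterministic, unguessable token for one dataset (tenant, table, export)."""
    mac = hmac.new(CANARY_KEY, dataset_id.encode(), hashlib.sha256).hexdigest()
    return "cn" + mac[:24]


def canary_record(dataset_id: str) -> dict:
    """A fake user row stored alongside real ones; it matches no real person,
    so its presence in a dump proves the dump came from this dataset."""
    tok = canary_token(dataset_id)
    return {"user_id": tok, "email": f"{tok}@canary.invalid",
            "display_name": "Canary User"}


def jfif_with_comment(comment: bytes) -> bytes:
    """Minimal JFIF stream: SOI, APP0, a COM segment carrying the signature, EOI.
    Not a decodable picture, just enough structure for a segment parser; a real
    deployment would write the COM segment into genuine uploads."""
    app0_payload = (b"JFIF\x00" + bytes([1, 1, 0])               # version 1.01, no units
                    + struct.pack(">HH", 72, 72) + b"\x00\x00")  # density, no thumbnail
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


def jpeg_comments(data: bytes) -> list:
    """Walk the marker segments of a JPEG header and return all COM payloads."""
    out = []
    if data[:2] != b"\xff\xd8":
        return out
    i = 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):   # EOI, or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]   # includes the 2 length bytes
        if marker == 0xFE:
            out.append(data[i + 4:i + 2 + length])
        i += 2 + length
    return out


def scan_blob(blob: bytes, registry: dict) -> dict:
    """Attribute a leaked blob (text dump or image file) to datasets.
    registry maps token -> dataset_id. Returns {dataset_id: {evidence kinds}}.
    This is the check a leak-monitoring feed would run over each new drop."""
    hits = {}
    for tok in TOKEN_RE.findall(blob):
        ds = registry.get(tok.decode())
        if ds:
            hits.setdefault(ds, set()).add("raw")
    for payload in jpeg_comments(blob):
        for tok in TOKEN_RE.findall(payload):
            ds = registry.get(tok.decode())
            if ds:
                hits.setdefault(ds, set()).add("jpeg_com")
    return hits


def demo() -> dict:
    """Constructed leak: a CSV-style dump from tenant-a and a photo from tenant-b."""
    registry = {canary_token(d): d for d in ("tenant-a", "tenant-b")}
    rows = [canary_record("tenant-a"),
            {"user_id": "u1", "email": "alice@example.com", "display_name": "Alice"}]
    dump = "\n".join(",".join(r.values()) for r in rows).encode()
    photo = jfif_with_comment(canary_token("tenant-b").encode())
    return {"dump": scan_blob(dump, registry),
            "photo": scan_blob(photo, registry),
            "clean": scan_blob(b"no canaries here", registry)}


if __name__ == "__main__":
    print(demo())
```

The scanner side is the part the thread disagrees about: the tokens only help if the defender (or a monitoring service acting for them) actually gets to read the dump, so a drop that is sold or shared privately is never attributed, and a public 4chan post is attributed only as fast as someone feeds it to the scan.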
| ▲ | GoatInGrey 5 days ago | parent | prev | next [-] |
| That's a reactive measure. Certainly, it's worth pursuing. Though like the notion that you can't protect people from being murdered if you only focus on arresting murderers, there is a need for a preventative solution as well. |
| ▲ | TZubiri 5 days ago | parent | prev | next [-] |
| Maybe the idiot that published this didn't even form an llc, "waste of 200$" |
| ▲ | spixy 5 days ago | parent | prev [-] |
| GDPR makes companies liable for damages when breached. That is why Tea did not operate in Europe. |