> The issue is there is too little repercusions for companies making software in shitty ways.

The penalty should be massive enough to affect changes in the business model itself. If you do not store raw data it cannot be exfiltrated.

I’m all for companies to not ignore their responsibility for data management, but I’m concerned that type of punishment could be used as a weapon against competitors. I can imagine that certain classes of useful companies would just not be able to exist. Tricky balance to make companies actually care without crippling insurance.

I agree. When it becames penalized by law, project owners/managers won't be tempted to take shorcuts and will have the incentive to give developers more time to focus on security.

There is some incentive to leave 0days in customer software, as it creates a commodity to be sold on gray 0day markets. On the other hand, securing your own garden brings less value then covering and deneing that your 'secure' cloud platform was whacked.

Microsoft lost their root keys to Azure. ¯\_(ツ)_/¯

We need both. The allowance by law enforcement to do cyber security as well as engineers not writing shitty software and lax IAM permissions or exposing private keys or the myriad of ways they mess up.

> Did you see Google or facebook or Miceosoft customer databases breached ?

Are you being facetious? Yes, yes, yes, they have.

I’m curious. What do you think about legalizing “hack-back” ?

Didn't Sharepoint get hacked the other day? :S

Microsoft just compromised the National Nuclear Security Administration last week.

Facebook was breached what last month?

Google is an ad company. They can’t sell data that’s breached. They basically do email, and with phishing at epidemic levels, they’ve failed the consumer even at that simple task.

All are too big to fail so there is only congress to blame. While people like Rho Khana focus their congressional resources on the Epstein intrigue citizens are having their savings stolen by Indian scammers and there is clearly no interest and nothing on the horizon to change that.

I’ve still got time left on identify theft protection I’ve been given for free due to breaches

What about a white hat hacker license? Not sure what the criteria would be, but could it be done?

Then there would be some sort of evidence the guy was a "good guy". Like when a cop shoots your dog and suffers no consequences.

This is a horrifically bad take, I know you probably see it this way because you can't imagine how easy some of these mistakes are, however I can assure you that there are MANY TIMES that I've accidentally found issues with systems.

I do work in security, the average person would write this off as "oh just shitty software" and do nothing about it, however when one know what the error means and you know how the software works, errors are easy to turn into exploitable systems.

I once had a bank account that fucked up data validation because i had '; in the transfer description of 120 characters. Immediately abusable sql injection.

After my first time reporting this OBVIOUS flaw to a bank along with how it can be abused in both database modification and xss injection, I had to visit the local law enforcement with lawyers because they believe that 'hacking' had taken place.

I now report every vuln behind fake emails, on fake systems in non extradition countries accessed via proxy on vpn. Even then I have the legal system attempting to find my real name and location and threaten me with legal action.

Bad actors come from non extradition countries which wouldnt even TALK to you about the problem, You'd just have to accept you get hacked and that is the end of the situation.

Its people like yourself who can't see past the end of their nose to realise where the real threats are. You don't have "it straight".

If we did give bad actors an escape hatch, what harm would it do in a world already filled with untouchable bad actors?

If a security researcher knocks out the power grid of a town, we should consider ourselves lucky that the vulnerability was found before an opposing nation used it to knock out the power of many towns.

> How do we prove you just responsibly hacked into a system full of private information then didn't actually look at a bunch of it?

Pinky promise?

If we're strictly talking about software there should be some way to test in a staging environment. Production software that cannot be run this way should be made illegal.

But you would like to be notifiedby your neighbours if you have left your window open while away, right? Or are you going to sue them for attempted break-in?

The issue is not that its illegal to put on a white hat, break into the user database and steal 125 million accounts as proof of security issue.

The problem is people getting sued for saying "Hey, I stumbled upon the fact that you can log into any account by appending the account-number to the url of your website.".

There certainly is a line seperating ethical hacking (if you can even call it hacking in some cases) and prodding and probing at random targets in the name of mischief and chaos.

Adding "full stop" doesn't strengthen your case, it just makes it sound like you are boiling the world down to be simple enough for your case to make any sense.

There are a lot of shades of grey that you are ignoring.

You claim sole responsibility. Do you accept sole legal and financial liability?

I think allowing red-teams to run wild is a better solution, but I can agree with other solutions too.

If those who claim sole responsibility want to be responsible, I'm okay with that too. I really just want us to pick a lane.

So again, are you willing to accept sole legal and financial liability?

It seems like passing legislation that imposes harsher penalties for data breaches is the way to go.

username checks out

That sounds like a perspective from deep in the trenches. A software system has SO many parts, spanning your code, other people’s code, open source software, hardware appliances, SaaS tools, office software, email servers, and also humans reachable via social engineering. If someone makes a project manager click a link leading to a fake Jira login, and the attacker uses the credentials to issue a Jira access token, and uses that to impersonate the manager to create an innocuous ticket, and a low-tier developer introduces a subtle change in functionality that opens up a hole… then you have an insecure system.

This story spans a lot of different concerns, only few of which are related to coding skills. Building secure software means defending in breadth, always, not fucking up once, against an armada of bots and creative hackers that only need to get lucky once.

Take a broader view of what "building secure systems" means. It's not just about the code being written by ICs but about the business incentives, tech choices of leadership, the individual ways execs are rewarded, legacy realities, interactions with other companies, and a million other things. Our institutions are a complex result of all of these forces. Taken as a whole, and looking at the empirical evidence of companies and agencies frequently leaking data, the conclusion "we cannot build secure systems" is well founded.

> Building secure systems is trivial

I'd suggest you try and build a secure system for > 150k employees before you make sweeping statements like that.

Sometimes it is the management that doesn't understand anything. In their perspective, security doesn't improve the bottom line.

I worked for an SME that dealt with some sensitive customer data. I mentioned to the CEO that we should invest some time in improving our security. I got back that "what's the big deal, if anyone wants to look they can just look..."

Looking at the number of already discovered vulnerabilities in popular applications, I would say it's actually impossible to build secure systems right now. Even companies that are trying are failing. IMO it's still way too easy to introduce a vulnerability and then miss it in both review and pentests. We need big changes in all parts of the software buliding and maintaining process. Probably no one will like that, because we are still in "move fast and break things" software development age.

This is true, but what's even more interesting is all the things that had to fail long before you had a shop full of monkeys.

i used to agree with you but i feel its naive. incompetence is always guaranteed

You're saying that creating secure systems is easy.

I'm not sure which is worse:

1) Creating secure systems is hard, and we often fail at it.

2) Creating secure systems is easy, and we often fail at it.

I don't know which is worse, but I know for sure we often fail at it.

The great thing about analogies is that they're just analogies. We can have different laws for different things. Cybersecurity vs physical security.

That's a failed analogy I won't entertain.

You're trying to say companies should have sole responsibility over their systems. I say, let them have sole legal and financial liability as well then.

We do? People can go into any neighborhood they want. They can’t break laws, but the law allows them to walk around and look for open windows, knock on front doors, take photos, scan WiFi bssid, note cars and license plate info, etc…

The crime here is the tech. The companies aren’t to blame. Programmers and tech companies are. If there was no internet or “tech industry” we’d all be so much better off it’s painful to even contemplate.

That comment came straight from the 2001. Seriously the world has moved on from hackers == bad, but the legislation has not and it is time it changes.