pojzon 5 days ago

Did you see Google or Facebook or Microsoft customer databases breached?

The issue is there are too few repercussions for companies making software in shitty ways.

Each data breach should hurt the company approximately to the size of it.

Equifax breach should have collapsed the company. Fines should be in tens of billions of dollars.

Then under such a banhammer software would be built correctly, security would be cared about, internal audits would be made (real ones) and people would care.

Currently, as things stand, there is ZERO reason to care about security.

lr1970 4 days ago | parent | next [-]

> The issue is there are too few repercussions for companies making software in shitty ways.

The penalty should be massive enough to effect changes in the business model itself. If you do not store raw data it cannot be exfiltrated.

slivanes 5 days ago | parent | prev | next [-]

I’m all for companies to not ignore their responsibility for data management, but I’m concerned that type of punishment could be used as a weapon against competitors. I can imagine that certain classes of useful companies would just not be able to exist. Tricky balance to make companies actually care without crippling insurance.

arvinsim 4 days ago | parent | prev | next [-]

I agree. When it becomes penalized by law, project owners/managers won't be tempted to take shortcuts and will have the incentive to give developers more time to focus on security.

Xx_crazy420_xX 4 days ago | parent | prev | next [-]

There is some incentive to leave 0days in customer software, as it creates a commodity to be sold on gray 0day markets. On the other hand, securing your own garden brings less value than covering up and denying that your 'secure' cloud platform was whacked.

conception 5 days ago | parent | prev | next [-]

Microsoft lost their root keys to Azure. ¯\_(ツ)_/¯

baobun 4 days ago | parent [-]

And had the Russians reading their exec emails

reactordev 5 days ago | parent | prev | next [-]

We need both. The allowance by law enforcement to do cyber security as well as engineers not writing shitty software and lax IAM permissions or exposing private keys or the myriad of ways they mess up.

bobmcnamara 5 days ago | parent | prev | next [-]

> Did you see Google or Facebook or Microsoft customer databases breached?

Are you being facetious? Yes, yes, yes, they have.

abenga 4 days ago | parent | next [-]

Do you have concrete examples of incidents? Honestly asking.

bobmcnamara 4 days ago | parent [-]

This is the first notable, semi-reputable Google result for each "${COMPANY_NAME} data breach". Some of these are examples of an API being leveraged to exfiltrate database records rather than direct database breaches like getting the admin password to postgres.

If you want to see more for the same company, try appending "-{YEAR_OF_KNOWN_DATA_BREACH}" to skip the ones you've already read, though this will tend to exclude companies who have multiple data breaches in one year.

https://en.m.wikipedia.org/wiki/2018_Google_data_breach

https://www.npr.org/2021/04/09/986005820/after-data-breach-e...

https://support.microsoft.com/en-us/topic/national-public-da...

Den_VR 5 days ago | parent | prev | next [-]

I’m curious. What do you think about legalizing “hack-back” ?

red-iron-pine 4 days ago | parent | next [-]

not a solution

clown_strike 4 days ago | parent | prev [-]

Given how many attacks are false flags conducted through proxies this would be disastrous.

However, open intermediary victims up to contributory lawsuits and everyone will have to take security more seriously. Think twice before you connect that new piece of shit IoT device.

GlacierFox 5 days ago | parent | prev | next [-]

Didn't Sharepoint get hacked the other day? :S

jaynate 5 days ago | parent [-]

Yes, but those were on-prem deployments of Sharepoint, not Microsoft's infrastructure.

Spooky23 5 days ago | parent | next [-]

Many of those deployments were there because Microsoft can’t deliver the required assurance level!

samplatt 5 days ago | parent | prev | next [-]

It was for ALL on-prem deployments. This wasn't due to the user being insecure, this was Microsoft's fault.

If anything it's yet another point AGAINST them - if they can't guarantee secure software without the caveat of running on a closed hardware black box then it's not secure software.

sugarpimpdorsey 5 days ago | parent | prev [-]

Is the non-defective software only available in the SaaS version?

tempnew 5 days ago | parent | prev [-]

Microsoft just compromised the National Nuclear Security Administration last week.

Facebook was breached what last month?

Google is an ad company. They can’t sell data that’s breached. They basically do email, and with phishing at epidemic levels, they’ve failed the consumer even at that simple task.

All are too big to fail so there is only Congress to blame. While people like Ro Khanna focus their congressional resources on the Epstein intrigue, citizens are having their savings stolen by Indian scammers and there is clearly no interest and nothing on the horizon to change that.

gruez 5 days ago | parent | next [-]

>Facebook was breached what last month?

Source? A quick search suggests the "breach" is a bunch of credentials that got harvested/phished and leaked, not that Facebook themselves got breached.

>Google is an ad company. They can’t sell data that’s breached. They basically do email, and with phishing at epidemic levels, they’ve failed the consumer even at that simple task.

In other words, they haven't been breached, but you still think they're bad people.

tempnew 5 days ago | parent [-]

To me, Facebook's entire business model seems like spyware and selling personal info to third parties. Whether people at such companies are good or bad is not at issue. I assume most people everywhere are good people. But are the companies themselves "good"? Microsoft and Google maybe, certainly in the past (Google Wave was very innovative). But Facebook?

The context was privacy and people being victimized by Indian scammers. We know those scammers use Facebook to gather info and target victims, all without any actual breach taking place. To me, not having a breach does not make Facebook “good”.

gruez 4 days ago | parent [-]

>To me, Facebook's entire business model seems like spyware and selling personal info to third parties.

"seems like" is doing a lot of the heavy lifting here. I'm not aware of instances where Facebook was "selling personal info to third parties". It does use personal info to sell ads to third parties, but characterizing that as "selling personal info" is a stretch.

>We know those scammers use Facebook to gather info and target victims, all without any actual breach taking place.

This just sounds like "scammers are viewing public Facebook profiles and using Facebook Messenger to communicate with victims", in which case I'm not sure how Facebook deserves flak here.

reactordev 5 days ago | parent | prev [-]

Agree. Google is buying the data for ads and ad brokerages. Don’t kid yourself. They may use a 3rd party to distance themselves but they definitely buy the data.