Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
MrDresden 3 days ago

But the crucial bit to know here would be if that data was readable in anyway in case it was accessed?

Personally it doesn't matter if there are auditing systems in place, if the data is readable in any way, shape or form.

dijit 3 days ago | parent [-]

is that really true?

I haven’t touched a lot of these cyber security parts of industry: especially policies for awhile…

… but I do recall that auditing was a stronger motivator than preventing. There were policies around checking the audit logs, not being able to alter audit logs and ensuring that nobody really knew exactly what was audited. (Except for a handful of individuals of course.)

I could be wrong, but “observe and report” felt like it was the strongest possible security guarantee available inside the policies we followed (PCI-DSS Tier 1). and that prevention was a nice to have on top.

dns_snek 3 days ago | parent | next [-]

As a customer I'm angry that businesses get to use "hope and pray" as their primary data protection measure without being forced to disclose it. "Motivators" only work on people who value their job more than the data they can access and I don't believe there's any organization on this planet where this is true for 100% of the employees, 100% of the time.

That strategy doesn't help a victim who's being stalked by an employee, who can use your system to find their new home address. They often don't care if they get fired (or worse), so the motivator doesn't work because they aren't behaving rationally to begin with.

blululu 3 days ago | parent [-]

This really isn’t fair. It is not simply hope and pray: it is a clearly stated/enforced deterrent that anyone who violates the policy will be terminated. You lose your income and seriously harm your future career prospects. This is more or less the same policy that governments hold to bad actors (crime happens but perpetrators will be punished). I get that it is best to avoid the possibility of such incidents but it is not always practical and a strong punishment mechanism is a reasonable policy in these cases.

dns_snek 3 days ago | parent [-]

You don't think it's fair to expect a trillion-dollar business to implement effective technical measures to stop rogue (or hacked!) employees from accessing personal information about their users?

I'm not talking about small businesses here, but large corporations that have more than enough resources to do better than just auditing.

> crime happens but perpetrators will be punished

Societies can't prevent crime without draconian measures that stifle all of our freedoms to an extreme degree. Corporations can easily put barriers in place that make it much more difficult (or impossible) to gain unauthorized access to customer information. The entire system is under their control.

MrDresden 3 days ago | parent | prev [-]

Facebook/Meta has shown time and time again that it can't be trusted with data privacy, full stop.

No amount of internal auditing, externally verified and stamped with approval for following ISO standards theater will change the fact that as a company it has firebombed each and every bridge that was ever available to it, in my book.

If the data has the potential to be misused, that is enough for me to equate it as not secure for use.