When we have regulation that protects users against things like this? It seems like every week there is a new leak so whatever regulation is in place now is clearly not working.
It's hard to say. I think the public is desensitized at this point, it might require an event that is more catastrophic than I can think of at the moment.
How would you quantify the harm to a consumer for this (or any other) specific data breach?
We won't see this meaningfully acted upon until that can be fairly quantified.
For context, research the "value of human life" in the legal system. The numbers vary widely, but its often seen as somewhere between $1m-$10m USD. Is data about your workout routine worth 1% of your "enterprise value" (your life value)? Probably not. 0.0001%? Maybe, that would be $500 @ $5m "life value".
But then again 70% of the $500 you are "owed" goes to the lawyers who facilitate the class action suit to get the money from the company, so enjoy a meager $150 :)
I don't see any evidence that "regulation" has ever meaningfully improved the security of software. This is one of those exasperated utterances that people make when they see a hopeless situation - for example a big legacy codebase - the equivalent of "someone should do something!".
Yet software security is a hard problem, and throwing more bureaucrats at the problem is not how you make progress.
That's not to say that better solutions have no governmental component. For example, it would be nice if CS schools taught actual secure programming patterns and anti-patterns, and provided practical advice to developers to teach them to write secure software that is relevant to their work in production systems. I mean, it's nice to learn about the worklist algorithm in your compiler class, but I have never met anyone who graduated with a CS degree that learned how to write secure code in college. That's shocking. The principles of secure coding were developed in the 1970s, yet our CS graudates have never been taught what a security kernel is or why its important to design your software with a security kernel rather than sprinkling authorization logic throughout the codebase. Yet they can implement the worklist algorithm. Just a shocking lack of giving our college graduates the tools they need.
It would be nice if companies could not have EULAs that disclose all liability. Lots of things like that would be nice.
But that's not what's on offer. What's on offer is some bureacratic process where if companies adopt an expensive kabuki GRC ritual and hire lots of process people to do paperwork, then they are said to be "compliant" and so shielded from responsibility for their software architects designing insecure systems lacking proper authorization.
If we look at this history of attempts to legislate security, we can start with the orange book and end with common criteria, which are incredibly bureaucratic processes involving certifications by third party labs, yet I don't think the software libraries that have been certified are more secure than those which have not. Rather, Windows got EAL 4 certification because they could afford to get it, not because windows is a more secure OS than competing OSes that can't afford to get the certification. That's what happens when you point a lot of non-technical lawmakers at a hard engineering problem and hope that regulation will solve the problem.
4 comments
[ 3.5 ms ] story [ 19.3 ms ] threadWe won't see this meaningfully acted upon until that can be fairly quantified.
For context, research the "value of human life" in the legal system. The numbers vary widely, but its often seen as somewhere between $1m-$10m USD. Is data about your workout routine worth 1% of your "enterprise value" (your life value)? Probably not. 0.0001%? Maybe, that would be $500 @ $5m "life value".
But then again 70% of the $500 you are "owed" goes to the lawyers who facilitate the class action suit to get the money from the company, so enjoy a meager $150 :)
Yet software security is a hard problem, and throwing more bureaucrats at the problem is not how you make progress.
That's not to say that better solutions have no governmental component. For example, it would be nice if CS schools taught actual secure programming patterns and anti-patterns, and provided practical advice to developers to teach them to write secure software that is relevant to their work in production systems. I mean, it's nice to learn about the worklist algorithm in your compiler class, but I have never met anyone who graduated with a CS degree that learned how to write secure code in college. That's shocking. The principles of secure coding were developed in the 1970s, yet our CS graudates have never been taught what a security kernel is or why its important to design your software with a security kernel rather than sprinkling authorization logic throughout the codebase. Yet they can implement the worklist algorithm. Just a shocking lack of giving our college graduates the tools they need.
It would be nice if companies could not have EULAs that disclose all liability. Lots of things like that would be nice.
But that's not what's on offer. What's on offer is some bureacratic process where if companies adopt an expensive kabuki GRC ritual and hire lots of process people to do paperwork, then they are said to be "compliant" and so shielded from responsibility for their software architects designing insecure systems lacking proper authorization.
If we look at this history of attempts to legislate security, we can start with the orange book and end with common criteria, which are incredibly bureaucratic processes involving certifications by third party labs, yet I don't think the software libraries that have been certified are more secure than those which have not. Rather, Windows got EAL 4 certification because they could afford to get it, not because windows is a more secure OS than competing OSes that can't afford to get the certification. That's what happens when you point a lot of non-technical lawmakers at a hard engineering problem and hope that regulation will solve the problem.