Hacker News new | ask | show | jobs
by marshray 3727 days ago
> "I can just walk into a big box store, take something off the shelf and walk out"

Data security is where our intuition formed from real-world experience falls down.

Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack.

But digital systems are absurdly brittle. Most systems lack defense in depth and computers are just as good at scaling up the attacker's transactions as the legitimate ones. So once the attacker invalidates even the smallest-seeming assumption made by the developers it tends to lead to complete compromise of the system.

So when you hear "random web developer made the common mistake of relying on client side validation" it's kinda like finding a leak in your submarine's hull.
1 comments
criley2 3724 days ago
>"Data security is where our intuition formed from real-world experience falls down.

Very sad to see the closed-mindedness in this thread where users reject a very valid and apt comparison because it does not meet their preconceived notion of these models.

Ironically the only factor that "knocks down" our intuition is you, when you reject points without considering them. You knocked down my valid point not fairly, but unfairly, waiving it away without consideration.

>"Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack."

Very very sad that you cannot see the obvious and basic similarities.

Do you believe it is as simple to steal 1TB of data as it is 1MB? --- So you agree there are obvious "bounds" to digital that mirror real world?

How about content type? Do you think it's easier to steal data replicated on their general purpose CDN than say account data hosted internally at one of their data centers?

Do you believe that online services don't deploy additional security mechanisms on high-value data?

Do you not realize that digital data losses are bounded by the impracticality of stealing large amounts of data, too?

I hope that users reading this thread will read + think more than they reject + talk because it's very depressing seeing this response here.

link
marshray 3724 days ago
The recent 'Panama Papers' leak shows that it is indeed practical to steal 2.6 TB of data.
link
criley2 3724 days ago
And the fact that warehouses are robbed, eighteen wheelers are robbed, trains are robbed, etc shows that it is indeed practical to steal literal tons of goods.

Practical and common, however, are not the same...

(I'll also point out that in my comment I said: is it the same difficulty to steal 1TB as 1MB? I never said it was impossible, just drawing a distinction).

link
marshray 3724 days ago
"Sony Hackers Have Over 100 Terabytes Of Documents." https://en.wikipedia.org/wiki/Data_breach#cite_ref-17
link
criley2 3723 days ago
"Man steals $280,000 by cutting hole in roof of bank"

http://www.nytimes.com/2016/04/12/nyregion/thieves-take-2800...

We can point to outliers that I admitted exist in my original statement all day long.

Even more fun: my example is temporally relevant :)

link