by jessaustin 3725 days ago
I'll further stipulate that the costs of investigating vulnerabilities at tiny two-engineer firms far exceed the costs of investigating vulnerabilities at giant conglomerates like Tribune Media. When those vulnerabilities amount to "don't turn off credentials for fired employees", I still say they should pay for their own damn security work, and no criminal statute should say otherwise.

That's not what they're paying for. They're paying for the cost, in employee hours and outsourced contractor hours, of ensuring that all that happened was that a page got modified. Rest assured, their CMS is surely as crappy as it was before Keys laid his stubby little fingers on it.
"Stubby little fingers"? Ouch. He's probably going to get hassled enough for his appearance in FPMITAP. It makes sense that one would need to demonize him, though. That's the same maneuver we've seen with drug users, undocumented immigrants, etc.

Why denigrate a CMS when it's well established that Tribune Media weren't removing the passwords of fired employees? If you're sure they're still not doing that, it will be grimly hilarious the next time this happens.

It's super weird of you to try to position me alongside drug prohibitionists and deporters of immigrants. I take offense. Thankfully, this thread was long enough already.