Hacker News new | ask | show | jobs
by sandworm101 3408 days ago
And you think those other sites are more secure? The differences are slight. Giant public websites are tricky. It is very hard to deploy real security across such a large team/platform. Even if you make the effort, some security measures simply wont fly, especially in regards to change control or network segmentation. This sort of bug is only one level of the issue.

Open up any random NIST, ISO or even PCI doc to see what is involved above and beyond bug squashing.
1 comments
bogomipz 3408 days ago
I took the OPs comments as referring to the fact that management either:

a) didn't know the company was hacked.

b) claimed they didn't know they were hacked,

c) didn't bother to do proper discovery to quantify the extent of the hack until years later.

link
sandworm101 3408 days ago
And that would have been covered under nist or iso or any other resonable standard. My point is that once you look into these companieas, get beyond the tech stuff, virtually none implement proper security on such large deployments.
link
bogomipz 3408 days ago
>"virtually none implement proper security on such large deployments."

Can you provide a citation for this? Otherwise it seems you are suggesting because Yahoo was lacking that this means all SV tech giants are lacking.

link
sandworm101 3408 days ago
Well, without ndas make it hard to find actual reports, but take ashley-madison. Millions of users, talk of a billion-dollar ipo, and the post-hack report by the canadian and austrailian privacy ministers found they had no formal security plan.
link
bogomipz 3408 days ago
So you can't actually substantiate your claim that "virtually none implement proper security".

I am not sure why you think that mentioning a second incident makes your statement true for the majority of tech companies.

link
digler999 3408 days ago
so according to your logic, one massive hack means all sites are insecure ?
link
sandworm101 3408 days ago
No.. working as a compliance attorney, along with all the industry contacts that entails, allong with a steady stream of reports such as the OP (also target et al) gives me grounds to say that proper security is not an industry norm, that the opposite is more likely.

In doubt? Ask around for how many organizations have a dedicated ciso or privacy officer.

link