by kardashev 2998 days ago
Aaron Swartz faced 35 years in prison for leaking JSTOR articles.

Instead of fines, the Chief Security Officer should be fully responsible and face 35 years in jail if a breach happens.

You better believe they'll care about security then.

Many companies would also rethink whether they need to track and keep personal information at all.


I'd revise that from "if a breach happens" to "if a breach happens and the CSO demonstrated criminal negligence." The attack surface for security is too large, and it's not fair to hold a CSO of a cafe chain to such a standard when zero-days are also possible. Punish for being negligent, not for being attacked by a zero-day, or something else really obscure.
What if the CSO ignored bug reports about this for a full 8 months? Would that make it negligent?
What if the CSO informed engineering teams, got stonewalled, and, a few weeks later, escalated through the company's risk process (Panera is public, or was before it was bought by a public company, and will have a risk process). What do people here think a CSO does? If your mental model is: "decree that something is safe to deploy publicly, or else forbid its deployment", your model is broken. Most CSOs have an advisory role in the organization, and the real institutional power comes either from engineering or from the CIO.

This security director handled Dylan's bug report badly and deserves the reputation hit he's getting. But if we're going to suggest liability (let alone criminal liability) for security flaws, we should at least have some idea of what it is we're regulating.

Pull the plug.

The final "stick" and reason for a C in the title is the responsibility to shut down the data (and website) until such a point it can be secured.

It should be considered more of a fiduciary duty (protect shareholders, customers) to protect data, as much as making the right investment or HR decisions.

"Pulling the plug" is almost never a capability provided to a company security team.
What happens when the CIO plugs it back in?
The CIO then accepts full liability.
If we were running under the liability model the CSO's final option would be to resign which sucks. But he is basically in the same situation that any employee is who is being forced to do something that is clearly illegal. But, I guess that is a good argument for why liability might not work because you end up not having a security team or you put good people into legal dilemmas that they shouldn't have to deal with.
For example (issue may or may not have been legal, but point is the guy resigned): https://arstechnica.com/tech-policy/2016/10/report-fbi-andor...
Which is why we need jail time for execs.

It is very simple: with big $$ there should be a big risk.

Yes
Aaron Swartz faced 35 years in prison for breaking and entering and unauthorized access of a computer network / hacking amongst other things.

It's a shame it ended the way it did, but please don't downplay what he did and use his name to push an agenda.

> breaking and entering

Is that true? It was an unlocked closet. The walls were covered in graffiti.

>Is that true? It was an unlocked closet. The walls were covered in graffiti.

So, if your house has the door ajar, and the walls are "covered in graffiti" it's open for all?

It wouldn't be breaking and entering.

And a house is different than a school. MIT has an open campus. MIT has a long history of celebrating students who transgress boundaries and go where it is unexpected[1]. I don't have a history of celebrating people who enter my house uninvited.

> Swartz had connections to [MIT]: "He was a regular visitor to the MIT campus and interacted with MIT people and groups both on campus and off. … He was a member of MIT's Free Culture Group, a regular visitor at MIT's Student Information Processing Board (SIPB), and an active participant in the annual MIT International Puzzle Mystery Hunt Competition. Aaron Swartz's father, Robert Swartz, was (and is) a consultant at the MIT Media Lab. Aaron frequently visited his father there, and his two younger brothers had been Media Lab interns." [2]

If a good friend of mine sees my house has the door ajar, and the walls are "covered in graffiti" it would be perfectly reasonable for him to check inside.

[1] https://en.wikipedia.org/wiki/Hacks_at_the_Massachusetts_Ins...

[2] http://swartz-report.mit.edu/faq.html

>MIT has a long history of celebrating students who transgress boundaries and go where it is unexpected[1]

Only when it's conservative enough and doesn't break the law too much. And not officially. In fact the very wikipedia link says:

"Although the practice is unsanctioned by the university, and students have sometimes been arraigned on trespassing charges for hacking, hacks have substantial significance to MIT's history and student culture".

>If a good friend of mine sees my house has the door ajar, and the walls are "covered in graffiti" it would be perfectly reasonable for him to check inside.

Not really. Especially if they know they're not welcomed if found inside, and they have no business there.

MIT's official campus guide brags about the hacks as a way to try to attract students[1]. They are advertising the police car on the dome as a positive thing.

I don't see any reason to think they would be upset about him going in an unlocked closet. The previous quote mentions he was part of a puzzle hunt. If he was creating a part of that hunt and used that closet as a part of a puzzle I would think they would have been ok with it. The walls were covered with graffiti. How many years of prison were the students who drew the graffiti threatened with?

[1] https://institute-events.mit.edu/sites/default/files/documen...

> It wouldn't be breaking and entering.

I think it would qualify for the UK equivalent.

https://en.wikipedia.org/wiki/Burglary_in_English_law#Elemen...

35 years for any victimless crime is ridiculous.
That is a terrible idea. Imagine sentencing programmers to jail for security issues in their code.
Why is a software developer an engineer when it fluffs their ego, but not an engineer when regulation and consequences for failures are necessary?

Yes, if the security failure is grossly negligent, you should face criminal proceedings. As a C level executive, you are responsible for your chain of command.

Is there any evidence that software engineers are protected in some way from criminal negligence cases?

The reality is that it is vanishingly rare for any engineer to face criminal charges for their professional actions. It doesn’t seem to me that software is held to much lower a standard.

Not protected, simply not pursued, although it’s usually outright fraud that is the target of most prosecutions.

Watching the SEC closely to see how many ICOs they prosecute. Also was helpful to see someone involved with their breach response who attempted to profit from non-public material information prosecuted (although that's tangential to the breach itself).

Someone relatively important is going to have to get burned before more software professionals are pursued for grossly negligent security failings.

You misunderstand my point. Are there examples of other sorts of engineers being brought up on charges?

It only happens in the most egregious of negligence cases as it is and even then convictions are rare.

I'm saying your impression that software engineering is protected is wrong, because no engineers (to any normal approximation) are brought up on criminal charges.

Lawsuits are commonplace in civil/geotechnical engineering because faulty work has life and death consequences for the general public. To be a certified professional engineer and sign-off on design plans in California you need to pass an exam, after which could result in issues of liability. This law practice defends professionals that may be in a dispute [0]. Here's a breakdown of why engineers might get sued [1]. Here's a case where a company was held liable for damages associated with a construction project [2].

The title 'software engineer' without any notion of liability is an exercise in stroking one's ego.

[0] https://mylicenseattorney.com/california-board-for-professio...

[1] https://design.insureon.com/news/3-reasons-engineers-get-sue...

[2] http://caselaw.findlaw.com/ca-supreme-court/1671856.html

By that extension if a McDonald's drive thru employee accidentally spills hot coffee on a customer, the CEO is responsible and should be charged with assault?
If they create a work situation where by cutting corners on container safety, protocols, and employee attentiveness I think they are guilty.

And in the modern security context we're pushing deadlines just to race to the latest features with almost no regard for security in the process.

Something has to change. If this kind of negligence were causing similar problems in physical realms there would be regulations.

The tech companies behind these mistakes won't have that free roam forever. Every major screw-up is a step closer to regulations and everyone will cry about it when it happens... But so many companies today don't seem like they're ready to behave responsibly.

Is that grossly negligent? No. Is keeping the coffee excessively hot for cost reasons, thereby causing the customer to receive third degree burns on their genitals and winning in court? Yes.

https://en.m.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Rest...

Your culture is set by your leadership. Make good choices.

While I fully understand that without universal insurance in the US, it may be most expedient to go after someone like McDonald's with deep pockets, I am tired of hearing how shocking and unconscionable it is that coffee could be served at a near boiling temperature.

I make coffee nearly every morning by boiling water in a tea kettle and pouring it over coffee grounds in a Melitta filter. If I poured or spilled it on my genitals, that would be bad. Doesn't make an approximately 200F temperature incorrect though.[1]

[1] See the National Coffee Association on how to brew coffee at http://www.ncausa.org/About-Coffee/How-to-Brew-Coffee

I'm familiar with the case, that's why I mentioned it. My point was that although they lost the civil suit, there weren't any criminal proceedings against C-levels. I understand the argument of negligence being as guilty as malicious intent but it creates a sweeping blanket that's hardly fair or enforceable.

I agree with your principles in theory but it's just impractical.

The Department of Justice was able to dismantle Arthur Andersen after their fraudulent audits of Enron. Lots of things that are impractical are possible with sufficient effort. And the government has unlimited resources for those efforts.

You must hold systemic negligence and corruption accountable, or it perpetuates the cycle.

They keep the coffee that hot because customers like hot coffee. That's the main reason I get coffee at McDonald's, not because it's great coffee (though it's not bad) but because it's HOT. Half the time I get coffee at Starbucks it's only a little better than piss-warm.
I don't think forbidding hot coffee at drive-thrus is unambiguously in favor of safety, since not-so-hot coffee encourages people to drink while driving, which could cause an accident. Some people want to drink on their way to the office or home, and others want coffee that is still hot when they get there. The consequence of the litigation seems to be that the former group of customers is privileged, but I'm not certain that is an overall social good even if you prioritize safety - and some would of course be happy to trade off others' safety for their own hot coffee.

There seems to be an unlimited supply of people always popping up to "debunk" the "myths" about the Liebeck case who seem to deflect from the fact that it is normal for coffee to be brewed at near boiling temperatures[1] that cause the sort of damage that was at issue. I could burn myself severely while draining pasta too, if I pour hot water all over my pants and don't remove them; it doesn't mean boiling water is too hot for cooking nor that say, a manufacturer of a non-defective pot is to blame.

Added reference due to downvoting:

[1] http://www.ncausa.org/About-Coffee/How-to-Brew-Coffee

"Your brewer should maintain a water temperature between 195 to 205 degrees Fahrenheit for optimal extraction."

It's unfortunate, but leaks and breaches happen in programs (which a website is). It's coding, it isn't perfection, and no one should go to jail or be ridiculed because they unintentionally introduced a bug that caused whatever problem arose (WE HAVE ALL DONE IT). This is why it is ideally best to have some sort of peer review and/or buddies reviewing our code for things we don't see before they are pushed into production; however, unfortunately, this doesn't happen in all cases.

The only crime was not fixing the problem and keeping it a secret AFTER IT HAD BEEN DISCOVERED. In this case, it wasn't the mistake that was the crime, it was the cover-up.

Engineers in other disciplines are held liable for their mistakes. Imagine a civil engineer signing off on a building and then having it collapse. If it was found that the engineer was negligent then you can bet your ass there will be repercussions. As an engineer, you are the top of your field and with that comes a professional responsibility that is important to fully realize. Mistakes are mistakes sure, but if those mistakes end up being responsible for criminal activity then you're fully responsible. It's why the chain of command exists.
> imagine a civil engineer

But there isn’t an equally trained engineer dedicating his energy to taking down the bridge - it only has to not collapse under normal usage.

When a bridge is intentionally destroyed by enemy action, its engineer is not held liable.

> Engineers in other disciplines are held liable for their mistakes.

To be fair, they have several hundred (if not thousands of) years of trial and error, documentation, etc. behind them to (try and) help people avoid the mistakes.

Computer Science has barely 70 years of half-arsed fumbling about.

Italy jailed scientists for failing to predict an earthquake, despite the fact that it's not possible to predict an earthquake.

They were eventually acquitted, but the very fact that they were even charged in the first place is ridiculous.

Sounds like an excellent idea:

Jr. Developer - automatic pass. Low money

Sr. Developer - likely a pass, provided 'i' are dotted and 't's are crossed - decent money

Tech Lead - no pass unless tried very hard to get it resolved, big money

Exec - no pass, very big money

Didn't Iran put a developer in jail because some of his open source code was used on a porn site?
True but worth mentioning different forces were at stake there and here (although both very dark).

In Swartz's case, the prosecutor was trying to make an example of him because his public University made/is making tons of money for providing information that should be free (or already is).

In this case, I would imagine they want people's info to be leaked and exposed as much as possible, just to have a good reason to fine those for-profit private companies.

Edit: in other words - show me a priest who doesn't want you to sin, or a cop who doesn't want you to break the law, or a doctor who is not fine with people getting sick. Otherwise they would all be out of a job.