by jecxjo 2967 days ago
I'm on a homeowners' board with a woman who is a paralegal for her brother's law firm and it amazes me how much stuff they do that they think is either secure or provides some sort of authentication (in the meat world). Kind of annoying when they want to go through all sorts of rigmarole when it doesn't actually provide the features they think.
2 comments

I was recently meeting with the Head of Security for a large firm. He had a pretty decent explanation of the process of implementing security that I thought was very apt. The way he put it, there are two overarching milestones, “liability” and “actually secure”. “Liability” is where you have checked all the right boxes to be able to aptly defend yourself in court and is the achievable goal. “Actually secure” is the pipe dream you will always strive for, but never obtain.

In college I had a Prof who was a leader in network technology and was hired as an expert witness for the RIAA trials for people getting busted illegally downloading music and movies. I lost all respect for him when he was working a case where an elderly lady had an open wifi connection on her home router. He never brought up the fact that it's not possible to know what was going on behind the NAT wall and that because her wifi has no encryption anyone driving by could use it.

Now that I'm older it worries me that it is very possible to go to court and be on the right side and have a judge and jury who cannot comprehend these basic concepts. I've had bosses who work in the software/hardware industry not understand concepts; God forbid I ever have to defend myself in a public forum.

The legal world is not designed for security or to be efficient.

It is designed to be as convoluted as possible to

a) increase billable hours

b) create loopholes big enough to drive a truck through that the $$$$$ lawyers can exploit for their clients

Well, our issues are more about things like sending someone a letter, proving they got it and that the person receiving it is the person we wanted to send it to. Even with a certified letter none of those features are actually possible with the current USPS, at least not in any real meaningful way. And don't even get me started on their use of received receipts in email.

But like you said, it's all about screwing the system and I'm sure a judge would not understand any of these concepts regardless of how simple someone would make them.