[radium3d]

The concept of "I doubt you'd hear any competent IT director ever say they won't experience data breaches in the future." should tell you why we don't send people to jail for this type of thing. 100% prevention of breaches cannot be guaranteed ever [due to the infinite number of failure points in software and hardware as we've seen with the recent CPU hardware bugs, etc] so jailing IT people for breaches would only stop once every IT person was in jail because they didn't notice a line of code in millions of lines of code.

There should be some level of competence of course, leaving things wide open doesn't seem safe, lol.

[komali2]

It's about taking a reasonable level of security practice, like you said "some level of competency required."

We require this of our bridges, and our roads, and our buildings. I'm not sure why we don't for our personal information assets. Arguably the Equifax hack will cause far greater economic loss than, say, a hole in the middle of mission street opening up due to lack of review by a civil engineer, so I don't get it.

Is it because politicians are uneducated technically? We didn't have good fire law in America until a room full of seamstresses burned to death when the single exit was blocked off, do we need something similar for infosec? Equifax SHOULD have been that but whoever breached it didn't release yet (as far as I know) so maybe nobody is feeling the pain yet.

[joe_the_user]

It would certainly be good to have some professionalism imposed at critical junctures.

I don't think criminal penalties are appropriate but civil penalties for data breaches should simply have no limit, the possibility of shareholders and debtors forfeiting all value should be included.

At the same time, the problem is "professionalization".

The problem of when one needs "real software engineering" is incredibly hard to solve. It's an incredibly fuzzy line and any organization would have a strong incentive to be on the cheaper, non-professional end of the line.

[thatjsguy]

Plenty of people feel the pain, but do you really think this Congress gives two shits about regular people?

[chkdsk]

Only when the outrage gets loud enough to affect their chances for reelection (which happens with a lot of issues, just not this one).

Unfortunately, Hackernews seems to be the only place where security is taken seriously. Probably because we understand the severe collective risks involved to everything from banking to healthcare whereas most people as individuals don't care if say, their credit card number is stolen, since they aren't liable for fraud. It's hard to see the bigger picture if you aren't technical.

[komali2]

I don't think it's fair to say only this website takes it seriously, though perhaps this website is a good cross-section of people that do seem to take it seriously. You can also find those people on reddit, twitter, lesswrong, IRC, etc.

The question is, who's failing to make the whole WORLD care about it? Or at the very least, the politicians? I can count on shitty lobbyists at least ensuring that, like, the economy doesn't fucking burn us alive, because they lose money when that happens. Why aren't the fatcats also getting that about netsec? If the NYSE gets hacked, they stand to lose a lot of money. If someone opens the hoover dam gates through a hack, that's a lot of money lost. We can ignore the morality and privacy issues, and just speak their $$$language$$$ here, and it still doesn't make a lick of sense that politicians aren't eviscerating Equifax right now.

So, are we supposed to like, lobby sense into their heads? I mean, why? Because we're patriots? I guess?

Then again I've got motorcycle riding friends in Houston that don't wear their helmets, and I still have to force people in my backseat to buckle up sometimes, so I don't even know. Why don't people take any kind of safety seriously?

[emodendroket]

There is a bare minimum of precaution some of these cases don't seem to be followed.

[ghostbrainalpha]

Exactly. Yes these issue can be somewhat hard to understand for non security folks, but everyone can get the basics.

1. Do you have sensitive information? 2. Is a Password required to access that information? 3. Is that password set to "password" or something else that would be trivially easy to guess.

It's like saying it's not your fault if a hacker takes extraordinary measures to tunnel into your house from below ground. But it is your responsibility to at least shut your front door.