by gkya 2803 days ago
I'm going to exploit this comment which is at the top of the thread and stands above another comment that argues against government regulation in the software industry to tell you guys this: hopefully this industry will be regulated from top to bottom before too long. GDPR came, hopefully more will come, w.r.t. security, privacy, and even UX standards (e.g. all companies should be required to accommodate all sorts of disabled people, probably by allowing assistive tech in the browser to work properly on their websites).

You guys will not and do not want to fix the status quo where shitty software is pushed onto us. You guys will not stop implementing unethical, "aggressive" software. So someone should be watching over you, entrepreneurs and devs, and that someone is the government.

Government regulation need not be perfect. But it needs to be there. That means companies will be more incentivised to keep their shit together. Surely your bank would be doing worse if nobody was watching over it. If more budget and worktime is devoted to such regulation, it will become better.

I understand that no regulation is a strong political position in the US, but I call bullshit on it. I wouldn't bother writing as I'm mostly at the user side of things these days but I wanted to write this given most of you are devs here. It is not about some silly social network or an irrelevant SaaS anymore. The world runs on this, software is as important as medicine and food to our livelihood, and the software industry needs to be regulated like medicine or food industries are. Something simple like Twitter and Facebook affects lives of the masses. You'll have to get your... act together.


Your argument is that banks don't have the will to fix security issues. The parent was arguing that security is hard and that the government is not particularly competent at it so is not in a position to define raised standards. You're not even having the same conversation.
Some complex CPU or encryption bugs are what make full security hard. But most security breaches are because of people doing stupid things. Unprotected public databases or S3 buckets, SQL injections, plain text / easy to guess passwords, out of date software, etc. I am ready to bet that those alone constitute more than 90% of the breaches. And this is the result of mere amateurism. If tech people do not care about security or aren't competent enough to take even the most basic steps, regulation is absolutely the right response.
So make banks liable for damages as a result of losses from security breaches. Presumably they already are. That solves the problem.
> The parent was arguing that security is hard [...]

It isn't though, at least not compared to the state of things. Pretty much any government would be competent enough to mandate some sort of two-factor authentication that would greatly improve security and make a lot of phishing and hijacking a thing of the past. Of course different governments would have different success rates, if not in terms of security at least in terms of elegance. But that is like everything else. People die every day from the lack of road safety and healthcare.

I used to work in the security industry, I've seen what government compliance looks like. Regulations usually sound logical and great from a shallow analysis but once you've seen some implemented you'll realise they're often atrocious at achieving their intent.
And what impedes their amelioration so much that they should be dismissed in their entirety?
I'm not trying to say that regulations can't and never work, just that most of the time they don't because they're extremely hard to get right. They suffer from the same problems as law - it's extremely difficult to codify intent. Couple that with the fact that lawmakers usually have very little awareness of technical details. Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones for example) can't access online banking any more. There are accessibility concerns. In the meantime, the security industry has finally cracked federated identity, but banks can't offer it because all access has to be through their 2FA solution.

Obviously that's a fairly bad-case (though not worst-case) example of how things could play out, but I think it serves to prove my point that "just force them to do X" is not always a sound approach. Well-designed regulation using sufficient consultation with experts (actual experts rather than snake-oil consultancies) and with a view to the future and how the state of the art might change can be effective (though still not flexible enough to accommodate exceptional circumstances) but that's the exception rather than the rule.

> Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones for example) can't access online banking any more. There are accessibility concerns.

I'm not qualified to speak on this subject, but these are excellent points. Could you expand on any other implementations that sound like a great idea on the surface, but would have limitations? It sounds like accessibility is just one of many concerns. I'm itching to hear more.

How to regulate this is up to each and every country, just like it is up to each country how to regulate things like pollution, traffic and infrastructure.

That a bank that can't handle security compromises its customers' user experience rather than its customers' security is a good thing.

The reason to regulate these things isn't because it is fun. It is because there are fundamental security problems that need to and will eventually be fixed. Companies like Apple have largely already, or at least potentially, fixed these problems, but only for themselves. If you want to fix it for everyone you very likely need some sort of mandate.

Oh yeah ... I see it now. Instead of the "do you accept cookies" in your face idiocies we now need to identify ourselves using 2 factor authentication on every website.

That sounds SO great.

Obviously there are no realistic security measures that are 100% effective. All this will amount to is further cementing the power of large internet companies. You know this, so why ask for it ?

"Do you accept cookies" is only relevant because there isn't a separate login mechanism in HTTP. Actually knowing whether you are sharing data with the website, and what website that is, would be a major improvement. Security measures don't have to be 100% effective. Just like road safety you should focus on removing the impact of flaws, not on preventing flaws as such. A separate authentication mechanism would remove a large amount of security issues, including potentially phishing and password leaks entirely. These common security issues of compromising the system of the user or the company would simply not have the same impact anymore.

A not insignificant part of the large Internet companies' power comes from the fact that they are the only ones who can handle, or whom people trust to handle, security. It isn't that hard today to create your own e-mail system or smart phone. But managing those systems, especially for a reasonable cost at scale, is just beyond what most new entrants in the market can handle.

Government mandated authentication mechanism. This question is almost a joke: what could go wrong ?

Everything can go wrong.

> A not insignificant part of the large Internet companies' power

So it's about breaking the power of large internet companies? Figures. Can we please do that WITHOUT destroying the web? The last regulation that tried to break the power of large internet companies was the GDPR, and that has significantly entrenched the position of the large internet companies instead, while creating a ridiculous amount of inconvenience for everybody. This ... will do the same.

People WANT to share that data. Or perhaps I should say, they want the things that happen when they do. Quick searches that get them the products they want, on Google, on Amazon, on clothing shops and on tons of small webshops. Even the obnoxious image ads. People want them.

That means that a login mechanism will just be an extra hurdle with zero of the effects you want.

Taking an argument to its extreme is bound to make it seem ridiculous. Certain websites require certain levels of security. Not every govt building has troops with war-grade guns guarding it.
Perhaps, but would you have said the same if I put a comment about "accept cookies" nonsense in a pre-GDPR discussion?

So ... perhaps not.

GDPR is a terrible law. The EU had one terrible law which forced cookie popups on every website and now GDPR forces even more meaningless popups nobody reads, and I'm not even in the EU.

> now GDPR forces even more meaningless popups

But it doesn't.

GDPR forces companies who are collecting user data to obtain explicit consent for that collection. The fact that companies decided to make your user experience shittier instead of fixing their approach to data collection is the problem there.

The problem is that people don't care, but governments are trying to force them to care. People don't care, because they don't bother to look for other websites without cookies, so companies don't care either.

If you enforce a rule on two parties minding their own business, you encourage turning this rule into some type of mindless ritual. Ok, we will do what you say in the letter of the law, but we won't try to follow the spirit because no one cares.

And this is exactly what is happening with cookies. Companies don't want legal risks (GDPR or not), consumers don't care, voilà! Mindless cookie banners, stupidly long and expansive Terms of Service, etc.

That's a very bad argument. Sure, people may not care enough now, but that's just because the threat is new and poorly understood. There was a time when people didn't care about getting lung cancer from smoking, but then it changed.
I would have become an EU citizen if I could the day GDPR went official. It is the second best thing to happen in this industry after the invention of the WWW itself. Hopefully more is to come and more countries adopt similar measures, and browsers start providing standardised UI for GDPR etc. related options so that those popups, if they exist, are rendered futile.
Browsers already offered standardised UI for accepting or rejecting cookies. The EU didn't care and now every website has its own totally non standard popup that can't be scripted or automated away. It's a disaster that shows how clueless governments can be about this stuff.
Governments move slowly. Security best practices are evolving quickly.

My team is working through FedRAMP/NIST compliance right now. We have sadly adopted the saying, "Security or compliance, choose one." We have literally rolled back a more secure implementation in order to be compliant. Regulations can't keep up.

I'm not ideologically against regulating the software industry, but I have doubts it can be done successfully.

> Surely your bank would be doing worse if nobody was watching over. If more budget and worktime is devoted to such regulation, it will become better.

Banks that got into trouble recently:

* Cypriot banks

* Greek banks

* Monte Dei Paschi

What has the government done? None of the savers still have 100% of their money. So no, I don't think my bank would be doing worse ...

Or perhaps you mean the expert government handling of the bank problems of 2008? Yeah ...

So what was the point again?

Wut? We write bugs all day every day, we should just quit coding entirely if we follow that sort of logic. Mistakes happen, they get fixed, those in good faith among us help them get fixed.
I tend to agree that there needs to be some regulation. Probably as simple as fines for breaches that are based on the volume and details of the data leaked. This will make business think twice about what they store. It also makes it easier for providers / devs to argue for increased security if it's legally required.

Users (the market) are a big part of the problem. I run a SaaS product, and I've chosen to enforce a Magic Link login (one-time token-based sign-in, like Slack) to mitigate the issue of horribly insecure user passwords (e.g. sn0w3d1n). I get a significant amount of pushback on this though, and it was probably a bad idea from a business perspective, but luckily I'm in a position to force it anyway.

It's a simple formula. When you increase security, you also decrease convenience. My hope has been that the market eventually demands security (it becomes a service differentiator people value), and maybe some day it will. But you're probably right in that we need big brother to enforce it on people's behalf because most care more about convenience than security and probably don't realize how much damage could be done to them by using the same terrible password for 10 different web sites (including email and banking). I generally take a libertarian point of view on most things, but not exclusively. I do think we benefit from government involvement in some issues, and this is probably one of them. I don't mean to say this from an elitist point of view either. Security is complex and people are busy. It's naive to expect everyone to grok it.

I'd love to enforce 2FA, but it's going to be a complete mutiny from my customers if I do.
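The comment above describes a magic-link login (a one-time, emailed token instead of a password), and an earlier comment warns about 2FA rollouts that hand out "codes that don't lock out". The sketch below is an added example, not code from the commenter's product or from Slack, showing the properties a one-time login token needs to have to actually deliver the benefit: enough entropy that it cannot be guessed, stored only as a hash so a leaked table is not a list of live logins, bound to an expiry, and consumed on first use. The TTL, token length and the in-memory store are assumptions for illustration; a real deployment would back the store with a database and send the link by email.

```python
import hashlib
import secrets
import time

# Assumed policy values (hypothetical, not from the thread).
TOKEN_TTL_SECONDS = 15 * 60   # a link stays valid for 15 minutes
TOKEN_BYTES = 32              # 256 bits of entropy per link, so no brute force


def hash_token(token: str) -> str:
    """Digest used as the storage key. Only the digest is persisted, so a
    dump of the pending-links table gives an attacker nothing to paste
    into a browser; the raw token exists only in the email that was sent."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """In-memory issuance and redemption of one-time login tokens.

    `now` is injectable so expiry can be exercised deterministically."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token digest -> (email, expires_at)

    def issue(self, email: str) -> str:
        """Create a fresh token for `email`. The caller puts it in a link
        and emails it; the token itself is never written to storage."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[hash_token(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email the token was issued for, or None if the token
        is unknown, already used, or expired. The entry is popped before
        the expiry check, so a token is consumed on its first presentation
        whether or not that presentation succeeds (single use)."""
        entry = self._pending.pop(hash_token(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email

    def revoke_all(self, email: str) -> int:
        """Invalidate every outstanding link for `email`, e.g. when the
        user reports their mailbox compromised. Returns how many were
        dropped."""
        dead = [h for h, (e, _) in self._pending.items() if e == email]
        for h in dead:
            del self._pending[h]
        return len(dead)


def build_link(base_url: str, token: str) -> str:
    """Assemble the URL that goes into the email (assumed path /login)."""
    return f"{base_url.rstrip('/')}/login?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com")       # constructed sample user
    print("emailed:", build_link("https://app.example", tok))
    print("first redeem:", store.redeem(tok))    # alice@example.com
    print("second redeem:", store.redeem(tok))   # None, link already spent
```

Two design points worth calling out: `redeem` takes only the token, because binding the token to the email at issue time (rather than trusting an email parameter on the callback) is what stops one user's link from being replayed against another account; and because the lookup key is a SHA-256 of a 256-bit random value, a timing difference in the dictionary lookup does not leak anything an attacker could use, which is why a constant-time compare is unnecessary here even though it would be mandatory for short numeric codes.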