[fefe23]

This article proposes buzzword-level security theater. IDS! Rotate certificates and credentials! Have pentests!!

What it fails to mention is: Do not collect data you do not need. You do not need my email. Forcing me to give it to you is bad. You do not need to know my home address. Forcing me to give it to you is bad. You do not need to know my birthday. Forcing me to give it to you is bad. etc pp. The mind boggles why they thought they need to collect passport data!

IDS and certificate rotation are snake oil and security theater. Sure, they usually don't hurt. But here is some good advice:

1. Don't collect the data. If you don't have it, it can't be stolen.

2. Apply all the patches. Immediately. No you don't know better than the vendor. Install all of them. Always. Immediately.

3. No unnecessary dependencies. Yes that means don't go in the cloud.

4. Have an architecture that segregates stuff by security level. Don't put all your things in the same basket unless you are prepared to have the highest security level for all of them. No "this is just a chat server, it is less important than the database" unless those are properly isolated.

5. Minimize your TCB. The less things you have to trust, the better.

And THEN, after all this is done, can we talk about IDS and certificate rotation.

[ramses0]

The same way you can throw snark at a company for their (lack of) security knowledge, they can do the same for your lack of industry knowledge.

Generally, gathering passport data for hoteliers is a legal requirement (see here: https://www.quora.com/Why-do-some-countries-require-a-passpo... ).

Now. Agreed. Required to collect v. having available online and hackable for all guests ever is not a best practice, but it's easy to see how a hotel (quite physical-space-intensive, labor-intensive, capital-intensive business) may not have viewed or understood the risks of having this data around.

The last time I stayed in a hotel, there was a car whose window was broken in the parking lot (unfortunately). A crime was committed, on hotel property!

The question businesses are struggling with is: how can they focus on their business and either government or industry can focus on crime-prevention?

[fefe23]

I am aware of legal requirements for hotels.

Here's my technical view:

That does not mean you have to _have_ the data. Either forward the customer to a government system where they enter the data, then it's the government's fault. Or do escrow: For example, you could store the data encrypted with a public key of the government. Then only they could decrypt it. If someone stole it, there would be no problem. And the government could still view the data.

My political view is that the government has no business asking hotels to collect passport data, or indeed any data on their customers. This is a blatant privacy and data protection violation. The government does not need to know my location at all times. It's deplorable that things have deteriorated this far already.