by AnthonyMouse 2215 days ago
> many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).

If you keep your confidential research results on an unpatched server with weak passwords and exposed to the internet, what is the NSA supposed to do about that?

About the best thing they could do is to scan for and find the vulnerability before the attackers and notify you about it, which in general they don't. And it still wouldn't solve most of the problem because there would be objections if they did more than a cursory scan, which means they won't find most problems, but the attackers are under no such limitations.

> there are limits to the liabilities which would otherwise be enforceable in court

I don't think this is the kind of liability they're talking about. If your confidential research falls into the hands of economic spies, the problem isn't so much that someone is going to sue you as that your research and any relevant patents have now lost their economic value because a knockoff product will beat you to market.

> cyberinsurance

This is liable to be more of a grant hog than liability would. Not only do you have to pay the premiums -- which would be high unless researchers adopt good security practices, which having the insurance would give them the incentive to do the opposite of -- but you also then have the insurance company imposing some kind of bureaucratic best practices procedures that gives you even more compliance costs than you would get from having liability, because the insurance company has misaligned incentives with respect to the level of compliance burden to impose, since they don't pay any of it but get all the benefits.

The reality is, the researchers are the ones operating the systems their research is on. They're the ones who have to secure them. And they already largely have the right incentives to want to do that, but they also have a poor understanding of the necessity of it and the process for doing it.

What would help here are the things that would help in general. Fund vulnerability research in free software so that the software people are using (because it's what they can afford) is secure by default, and easy enough to use that people don't commonly make mistakes, and well-documented. Things like that. Make it easier to do the right thing so more people do.