by coldcode 1646 days ago
As usual people ignore messages that basically told them what was happening. Reminds me of the Target hack where they installed some anti hacking system which immediately tossed out warnings which seemed excessive so they turned it off for a few months.

But security is an expense and people don't like paying money.

A financial company I worked for in the mid-2000s decided the only thing they needed to do was buy some encryption for the disks their databases ran on, which of course would do nothing to keep someone from just using SQL to extract all our customers' credit card data.

1 comments
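The point in the comment above, that disk encryption is transparent to anyone who can already issue SQL, is easy to show side by side. The following is an added example, not code from the thread or from any company mentioned in it: it models the "encrypted disk" design as an ordinary SQLite table (the engine decrypts the file transparently, so the rows are plaintext to every session), and contrasts it with storing only a token plus last four digits while a separate vault holds the PAN. The vault class, table layout and card numbers are all constructed for illustration.

```python
import secrets
import sqlite3

# Constructed sample records. The numbers are well-known test PANs, not real cards.
SAMPLE_CUSTOMERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]
KNOWN_PANS = {pan for _, pan in SAMPLE_CUSTOMERS}


def build_plaintext_store(customers):
    """Model the 'encrypted disk' design.

    Full-disk or volume encryption protects the file if the disk is stolen, but
    the database engine decrypts transparently, so every SQL session (app bug,
    injected query, over-privileged DBA) reads the PAN in clear.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", customers)
    return db


class TokenVault:
    """Hypothetical stand-in for a separate tokenization service.

    In practice this would be an HSM-backed or separately-administered system;
    here it is an in-memory dict so the example runs offline. The application
    database never receives the PAN, only an opaque token.
    """

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def build_tokenized_store(customers, vault):
    """Same application table, but the 'card' column holds a vault token.

    last4 is kept for display/search so the app rarely needs to detokenize.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card TEXT, last4 TEXT)")
    for name, pan in customers:
        db.execute(
            "INSERT INTO customers VALUES (?, ?, ?)",
            (name, vault.tokenize(pan), pan[-4:]),
        )
    return db


def dump_card_column(db):
    """What a plain SELECT returns to whoever can run SQL against the database."""
    return [row[0] for row in db.execute("SELECT card FROM customers ORDER BY name")]


def leaked_pans(db, known_pans):
    """Number of real PANs recoverable from a SQL dump alone."""
    return sum(1 for value in dump_card_column(db) if value in known_pans)


if __name__ == "__main__":
    plain = build_plaintext_store(SAMPLE_CUSTOMERS)
    print("plaintext store, PANs exposed via SELECT:", leaked_pans(plain, KNOWN_PANS))

    vault = TokenVault()
    tokenized = build_tokenized_store(SAMPLE_CUSTOMERS, vault)
    print("tokenized store, PANs exposed via SELECT:", leaked_pans(tokenized, KNOWN_PANS))
    print("SELECT card output:", dump_card_column(tokenized))
```

The design choice worth noticing is where the trust boundary sits: with disk encryption alone, anyone past the authentication of the database is inside the boundary; with tokenization (or column-level encryption keyed outside the database), a SQL dump yields nothing useful, and detokenization can be restricted to the one code path that needs the full PAN.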

What is an acceptable signal to noise ratio for a security tool to be useful? Clearly some amount of false positives to any real threat ratio causes people to just ignore it completely. Cue me looking at my npm vulnerabilities when I install packages lol.
We’re not talking about thermal noise here. Each and every signal has a determinate source. You need to go through each and every one, but doing this effectively often involves paying lots of money to “some nerds” (rather than your own in-house supplicants) and that’s where this kind of thing usually falls down.