[kragen]

this is a cautionary tale for people who hope that government regulation will solve the current computer security disaster outside korea

you cannot solve problems by giving authority to people who are motivated to solve them, but do not understand what the problem is, so that they can tell the people who do understand the problem what to do

anyone who has dealt with pci-dss presumably knows this but that is a much smaller group than all south koreans

think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system

[MBCook]

Isn’t this an issue of mandating the means and not the ends?

If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue. That gives room for improvements and for problematic standards to be weeded out over time.

It sounds like the government instead said banks had to be secure by using (for example) SSL 1.0 with a 64-bit key. Because the specified the exact how, that’s what banks did. And when that how was broken the law wasn’t changed, so banks still do the old thing.

And when the old thing (Active-X) stopped working they invented new ways to do the old thing with local proxies. Because the law says they must and are safe if they do.

This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.

[thaumasiotes]

> This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.

> If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue.

Legislating the outcome is even worse than legislating the means.

American medical care is regulated in the exact manner you describe - a doctor is required to follow the local standard of care, whatever that may be.

This means that every time anyone takes a precaution, it becomes part of the standard of care and must be taken in every case from now until the end of time. If you stop doing it, perhaps because on a cost-benefit analysis it has wildly negative benefits, you're not following the local standard of care and you're wide open to a malpractice suit.

Your preferred legal phrasing is a ratchet; the only outcome it can ever have is insanity.

Legislating outcomes can be even worse than that: https://www.theonion.com/proposed-bill-would-bring-4-000-tro...

[kragen]

that just leaves the courts to decide what the best practices are, and what due care is or isn't, which i think is actually what happened in south korea

that would be great if judges were hackers and legislators weren't, but that isn't the current situation

[likecarter]

In court, you bring in experts (usually professors from reputable universities) to state best practices. Judges don't act as experts in a trial.

[roenxi]

That is also how the legislative process works, and is likely how the Koreans got in to this mess in the first place. Experts at the time identified IE6 and ActiveX as dominating the market and standardised on them^. If the web had converged on IE and ActiveX it wouldn't look as stupid as it does now. Back at the time it was arguably clever, it only looked ill-advised if you were a free-market thinker.

^ The cynic in me cheerfully suggests the experts were probably endorsed by Microsoft, at the time a colossus on the net and world's most successful web browser purveyor. Hard to get better pedigree experts. All recommending that people commit hard to Microsoft technologies.

[kragen]

this is an excellent point

i had not thought of this

[kragen]

judges decide who counts as experts, and doing that correctly requires expertise

this is why so many people get convicted on the basis of pseudoscience like lie detector tests and tracy harpster's 911 call analysis https://www.propublica.org/article/911-call-analysis-fbi-pol...

it would not be especially difficult to find a professor from a reputable university who would explain that using dynamically typed languages was malpractice, or that using the waterfall model was, or that using threads was, or that running the servers on microsoft windows was just fine, or that running virus scanners was useless, or that running virus scanners was essential and therefore it's malpractice to not run on an os that can run them, or that using crypto that had lost a nist competition was malpractice, or that unauthenticated rce security holes were unavoidable and the best you can do is to patch them quickly, or that you need to prove all your security-relevant code correct with coq or something before you ship it and therefore any security hole is malpractice, etc.

[likecarter]

That's why both sides get experts.

Your reasoning is extremely reductive – I can't tell if you're just trying to win an argument here. You could say people will be misleading about anything. Your doctor, the police, the DMV clerk. At some point, you have to recognize you live in a society, and society is built on some level of trust and fairness.

[kragen]

well, you could say a lot of random irrelevant things like that but you'd probably be better off thinking about what i said

[JAlexoid]

This comment is hard to understand.

PCI-DSS is not a government body, nor is legally mandated by the government. It's not the government.

[kragen]

clueless regulation is equally harmful regardless of how it's imposed

both governments and visa are in a position to impose it

[chunsj]

Neither, this should not be an example/a cautionary tale against government regulation. This is an example of wrong/invalid kind of regulation which other countries should not follow. We, SK, could not fixed this problem because the private sector (companies who pursuit their private interest and against public interest) depending on the wrong/invalid regulation has lobbied and prevented several attempts to fix the regulation. So, this is not a problem of regulation or motivation or even knowledge; this is more of the problem of capitalism.

[kragen]

the clueless regulation is the problem, not capitalism

once you're competing by lobbying for regulation what you're doing isn't capitalism anymore

[franga2000]

So the US isn't doing capitalism anymore? If your system is based on the idea that "those with more money have more power", then those people using that power to stop competitors sounds like an entirely logical outcome to me. "Doing capitalism" means running your company with profit as your goal, and if the best way to profit is lying, bribing, preventing competition, exploiting workers and destroying the environment, that's what a capitalist will do.

That's not to say that capitalism can't be, to some extent, prevented from doing those harms by strong regulation. But as long as those writing the regulation live in and benefit from that same system, that regulation will never be particularly strong - and that's by design.

[kragen]

nobody has ever done pure capitalism; social systems are always a messy mix of modalities

but some societies are more capitalist than others, like those where markets rather than regulators make collective choices, and those tend to be the more prosperous and competent societies

'running your company with profit as your goal' predates capitalism by several millennia, and for that reason among others it is totally inadequate as a definition of capitalism

quoting wikipedia:

Capitalism is an economic system based on the private ownership of the means of production and their operation for profit.[1][2][3][4] Central characteristics of capitalism include capital accumulation, competitive markets, price system, private property, property rights recognition, voluntary exchange, and wage labor.[5][6] In a market economy, decision-making and investments are determined by owners of wealth, property, or ability to maneuver capital or production ability in capital and financial markets—whereas prices and the distribution of goods and services are mainly determined by competition in goods and services markets.

market competition is fundamental to capitalism. calling a competition-prohibiting government decree like this 'capitalist' because private companies presumably lobbied for it last millennium is like calling iran or venezuela today 'democratic' because their dictatorships were voted in by their citizens many years ago

you say, 'capitalism [can] be, to some extent, prevented from doing those harms by strong regulation' but in fact in this case the strong regulation is what is doing the harm, not whatever vestiges of capitalism remain after the regulators removed competitive markets, voluntary exchange, price signals, and private-sector decision-making

[pjc50]

> think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system

Just watching the largest fraud trial in history unfold over at FTX.

Bitcoin deals with any and all questions of fraud by dumping them on the victim. No help and no recourse. Very libertarian, but of course routinely results in people losing life changing amounts of money.

[kragen]

there have been plenty of larger frauds and outright thefts in history (i'd point at our own sovereign default and mass confiscation of dollar bank accounts, respectively, in 02001), but the culprits were never brought to trial because they were the government

[pjc50]

> mass confiscation of dollar bank accounts, respectively, in 2001

Argentina?

[kragen]

yup

[beebmam]

Isn't that exactly the position that tech executives are in?