by MBCook 1262 days ago
Isn’t this an issue of mandating the means and not the ends?

If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue. That gives room for improvements and for problematic standards to be weeded out over time.

It sounds like the government instead said banks had to be secure by using (for example) SSL 1.0 with a 64-bit key. Because they specified the exact how, that’s what banks did. And when that how was broken the law wasn’t changed, so banks still do the old thing.

And when the old thing (Active-X) stopped working they invented new ways to do the old thing with local proxies. Because the law says they must and are safe if they do.

This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.


> This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.

> If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue.

Legislating the outcome is even worse than legislating the means.

American medical care is regulated in the exact manner you describe - a doctor is required to follow the local standard of care, whatever that may be.

This means that every time anyone takes a precaution, it becomes part of the standard of care and must be taken in every case from now until the end of time. If you stop doing it, perhaps because on a cost-benefit analysis it has wildly negative benefits, you're not following the local standard of care and you're wide open to a malpractice suit.

Your preferred legal phrasing is a ratchet; the only outcome it can ever have is insanity.

Legislating outcomes can be even worse than that: https://www.theonion.com/proposed-bill-would-bring-4-000-tro...

that just leaves the courts to decide what the best practices are, and what due care is or isn't, which i think is actually what happened in south korea

that would be great if judges were hackers and legislators weren't, but that isn't the current situation

In court, you bring in experts (usually professors from reputable universities) to state best practices. Judges don't act as experts in a trial.
That is also how the legislative process works, and is likely how the Koreans got into this mess in the first place. Experts at the time identified IE6 and ActiveX as dominating the market and standardised on them^. If the web had converged on IE and ActiveX it wouldn't look as stupid as it does now. Back at the time it was arguably clever, it only looked ill-advised if you were a free-market thinker.

^ The cynic in me cheerfully suggests the experts were probably endorsed by Microsoft, at the time a colossus on the net and world's most successful web browser purveyor. Hard to get better pedigree experts. All recommending that people commit hard to Microsoft technologies.

this is an excellent point

i had not thought of this

judges decide who counts as experts, and doing that correctly requires expertise

this is why so many people get convicted on the basis of pseudoscience like lie detector tests and tracy harpster's 911 call analysis https://www.propublica.org/article/911-call-analysis-fbi-pol...

it would not be especially difficult to find a professor from a reputable university who would explain that using dynamically typed languages was malpractice, or that using the waterfall model was, or that using threads was, or that running the servers on microsoft windows was just fine, or that running virus scanners was useless, or that running virus scanners was essential and therefore it's malpractice to not run on an os that can run them, or that using crypto that had lost a nist competition was malpractice, or that unauthenticated rce security holes were unavoidable and the best you can do is to patch them quickly, or that you need to prove all your security-relevant code correct with coq or something before you ship it and therefore any security hole is malpractice, etc.

That's why both sides get experts.

Your reasoning is extremely reductive – I can't tell if you're just trying to win an argument here. You could say people will be misleading about anything. Your doctor, the police, the DMV clerk. At some point, you have to recognize you live in a society, and society is built on some level of trust and fairness.

well, you could say a lot of random irrelevant things like that but you'd probably be better off thinking about what i said