by sokoloff 1075 days ago
How would it work to be required to disclose the worst, though? In most instances, you literally can't describe the worst possible case in the first hours/days of the discovery.

You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.


That is pretty easy: “We have been breached. Everyone may be affected. Preliminary results of our investigation to come shortly at {URL}.”

Sucks to be them, but then they have a very strong incentive to quickly begin investigation and triage so that they can quickly identify who is actually at risk.

It is ridiculous to sacrifice the victims by keeping them ignorant of the risks they are facing so that the company can save face. They should not be allowed to blindly speculate that everything is perfectly fine, which is simply not knowable without an investigation.

How long until those become the security equivalent of Prop 65 "causes cancer" warnings? Or the shitshow that DMCA takedowns are today?

What's the burden of proof to confirm that the first sentence in your quote is correct? (Can I just claim to have breached some company and have the law compel them to issue that quote?)

You're frustrated that companies are issuing information-free notices today; your proposal appears to make them issue information-free notices tomorrow.

Establishing the presence of any data breach is far easier than establishing the exact scope. My proposal moves the burden of proof to just establishing the former and demanding the company prove the latter. This is a division of labor that is common in safety-critical industries, with decades of proven results supporting the effectiveness of such a regime.

Your complaint that the situation will just turn into everybody acknowledging that they are hopelessly insecure is a far better situation than now, where everybody lies by claiming that they are secure. It results in the acknowledgement of breaches and the acceptance of liability that would be helpful for future legislation that can actually apply penalties for delivering products that are defective with respect to security.

> Can I just claim to have breached some company and have the law compel them to issue that quote?

I don't think anyone would have to claim to have breached the company in question.

Just the act of asking the question would compel any company to have to respond "Yes, we have been breached."

> That is pretty easy: “We have been breached. Everyone may be affected.

So as a user, just assume this at all times, then. Just assume that all of your accounts are hacked or will be in 10 minutes and don't put anything in them that you would not be OK with others knowing. I don't see the difference between just assuming they're all compromised and waiting for a company to tell you that your account may be compromised and that they'll tell you more in 2 years once the investigation is fully completed and everything is known.