
Yahoo Triples Estimate of Breached Accounts to 3B

647 points | coloneltcb | 8 years ago | wsj.com

295 comments

[+] RcouF1uZ4gsC|8 years ago|reply
I think the issue right now is that private user information is viewed as an asset, not a liability. If we could find a way to make it more of a liability, companies would be less likely to collect it just for the sake of having it, and they would be more proactive in securing it.
[+] avivo|8 years ago|reply
Alternatively, if it's truly an asset, can it be taxed as an asset? If I give a company a car, that is taxed. If I give a company my data which is worth more than a car, it isn't.

Is it possible that current accounting/tax law can be interpreted so that these are viewed similarly?

[+] natural219|8 years ago|reply
I reached this same conclusion from a very different angle. If you're seriously worried about the unchecked power of monopolies, and understand the effects of Metcalfe's law, we should measure the degree of monopolization of tech companies differently than we do traditional industries. Businesses are locked in to Facebook and Google the same way that businesses were locked in to doing business with Standard Oil in the gilded age. The impossibility for regular users to leave the network makes competition de facto impossible, even if the company does not actively engage in anti-competitive behavior (in many cases, they do anyway).

A tax on social software companies proportional to their network size would be an interesting proposal to solve both of these issues. It would also greatly increase the ability for 100,000 - 1,000,000 person "decentralized" social networks (like Mastodon or other competing networks) to thrive.

[+] bparsons|8 years ago|reply
This is how the civil legal system is supposed to function. There needs to be some very large class action lawsuits brought against these companies, and huge awards need to be extracted in order to increase the financial risk of having shitty infosec.
[+] closeparen|8 years ago|reply
User accounts? Really? This is Yahoo we're talking about. You really do need user accounts to run an email service.
[+] specialist|8 years ago|reply
My personal data is an asset. And it belongs to me.

Anyone who has my data for any purpose owes me my cut.

Making this a property rights issue solves all the privacy & identity issues.

[+] mtgx|8 years ago|reply
I believe EU's GDPR made some efforts in that direction, but I'm not sure it went far enough.

We need laws that give companies incentive to store very little data on us outside of what's absolutely required for the functioning of the service. And if they do store additional info, and their servers are breached, then automatic hefty fines should be paid (right after the mandatory notification to authorities and the public).

That should encourage companies to either minimize data collection or use end-to-end encryption, where most of that additional data would be stored on the client's device. This would have to exempt them from liability, and it should since the data wouldn't be on their servers if breached.

[+] ctab|8 years ago|reply
This could be a voluntary insurance that companies purchase on behalf of their users. If the company suffers a breach, they will be bound to pay X amount to their users depending on the data lost.

Dress it up with a fancy badge to slap on the front of their site. Maybe a silver badge means user data is insured up to $10 each; a gold badge is up to $100; platinum up to $1000.

[+] bluetwo|8 years ago|reply
Sure, I like the thinking. In theory some of these costs will hit the errors and omissions insurance, which will drive up their costs in the long run (I know they are being absorbed by Verizon, but typically...). In turn, as part of the insurance evaluation, they would assess the collection of the data as a risk, as well as their track record in keeping it secure.
[+] kiernanmcgowan|8 years ago|reply
3 billion - we live in an age where half the population of the earth can exist on a service, and everyone is vulnerable.

Yes, a good chunk of these are probably duplicates for business / spam / anon accounts, but this is where the world is trending. How long is it until facebook or google have a massive breach?

[+] craftyguy|8 years ago|reply
If that's the case, I think the bigger news then is that yahoo actually had 3B users!
[+] chiefalchemist|8 years ago|reply
I'm not being snarky, but do you think they would tell us if they did? We have to assume they are prime targets. They might have slightly better personnel, but is that enough to outdo the nefarious and the determined? And can we discount a rogue employee?
[+] ktta|8 years ago|reply
Well I would say close to half of those accounts are duplicate - as in not 1 account per person.
[+] wmeredith|8 years ago|reply
Serious question: at what point do we reach the "everyone is vulnerable so no one is vulnerable"?

EDIT: Or maybe not "no one is vulnerable", but just that everyone's information is assumed compromised and our current societal infrastructure accounts for it.

[+] peterwwillis|8 years ago|reply
The NSA already breached both Google and Yahoo. I can't remember if they got Facebook too, but it wasn't that big back then.
[+] jsemrau|8 years ago|reply
For FB the breach might be the feature?
[+] hlmencken|8 years ago|reply
> A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.

Imagine the buyer's remorse.

[+] JBReefer|8 years ago|reply
Does anyone have insight on how this works? Do you just sue the pants off of the execs, or the lawyers who did due diligence, or the SREs maybe? Do they claw back the difference in goodwill + legal costs from the selling investors?

Is there recourse at all?

It'll probably be some poor schmuck SRE getting the blame, like always, right?

[+] empath75|8 years ago|reply
I used to work at AOL. Neither company trusted the other's networks or security processes. Integration planning meetings were like negotiating a prisoner exchange.
[+] rhizome|8 years ago|reply
No remorse, VZ got a discount on the purchase price based on this issue.
[+] garethsprice|8 years ago|reply
Looks like both Equifax (2.5m additional accounts) and Yahoo chose today as a good day to bury bad news (the papers being filled with Las Vegas, Puerto Rico, etc). Slimy moves from their PR teams.
[+] bluetwo|8 years ago|reply
As well as the grilling of Wells Fargo and Equifax executives in Congress.
[+] propman|8 years ago|reply
We need jail time... They knew security was compromised and hid it even from their own CTO; they knew accounts were hacked and they hid it for years.
[+] jmount|8 years ago|reply
There never is a break-in where they get 1/3 or 1/2 of the accounts. It has to be nearly all or some much smaller fraction. (My own presumption, based on the idea that nothing large does mere 2- to 3-way replication or partitioning.)
[+] kingnothing|8 years ago|reply
It depends. It's possible a company could catch a breach while the data is being dumped to s3/russia/wherever and cut it off before everything is extracted.

Another possibility is that only one particular system is breached, which wouldn't actually affect all users of a given company. If Facebook were hacked, it's possible that only the ad-buy system is compromised and not their entire user store, for example, thus exposing only people who have purchased ads and not all users.

[+] kylehotchkiss|8 years ago|reply
When I was on Facebook today, I saw an ad with a photo of a minivan, and some copy about finding a new vehicle. The ad was posted by Yahoo. When I clicked it, it took me to the search result for minivans. This company feels like an AI experiment.
[+] dcgudeman|8 years ago|reply
A spokesman for Oath, the new name of Verizon’s Yahoo unit, said the company determined last week that the break-in was much worse than thought, after it received new information from outside the company.

Can they claw back money from Yahoo shareholders because of this?

[+] empath75|8 years ago|reply
Possibly from the remnants of Yahoo, called Altaba.
[+] bogomipz|8 years ago|reply
On a related note Equifax stated yesterday that they identified an additional 2.5 million accounts that were breached:

https://www.nytimes.com/2017/10/02/business/equifax-breach.h...

Is proper audit capability just not seen as important at these companies?

[+] oeunht3nh|8 years ago|reply
I imagine that if it's not the type of audit required by the government then it's a liability. You can plausibly deny something you never audited.
[+] runesoerensen|8 years ago|reply
To be fair Equifax's adjustment was relatively minor, and they did disclose that they were still investigating the matter.
[+] chirau|8 years ago|reply
The biggest surprise here is that Yahoo has 3 billion accounts.

They are probably counting my 25+ Craigslist accounts I guess. And just maybe all the 'princes' I've been over the years. Lol

[+] danvoell|8 years ago|reply
Just an ancillary comment, but Yahoo has a whole bunch of password requirements. So much so that my passwords don't cut it and I can never remember my password. And/or I need to validate every new device. Is this all just for show? It's insult to injury that they force all these things and then they get broken into.
[+] snakeboy|8 years ago|reply
Hopefully your experience is characteristic of most yahoo users, and this breach is less effective because people are using a unique password for their breached account.
[+] throwaway613834|8 years ago|reply
Somewhat off-topic, but does anyone know what top-level domains are in practice "safe" to use for email addresses if we're going to migrate to our own domain?

I mean "safe" in the sense of being unlikely to cause confusion or problems with less-than-well-written software (or humans).

Obviously .com is okay, and I haven't heard of problems with .edu/.gov/.org/.net, but I'm a little afraid of getting a domain for email addresses that isn't a well-established 3-letter TLD, on the off chance that someone has hard-coded a requirement like this in their code. I'm not sure if I'm just being paranoid about this though. Any suggestions on what's considered safe?

[+] mxuribe|8 years ago|reply
For about 9 years or so, I've used the .CC TLD for my personal/family's email without any technical issues... though it is important to know that throughout the entire time, I've used G Suite as my email provider (used to be called Google Apps for your domain, etc.). So, one could speculate that perhaps my lack of technical issues was less due to the TLD that I used, and more because Google considers my domain name "not spammy".

HOWEVER, an annoying problem that I've had over the years - and while it has diminished slightly, it still persists - is that people (or at least people here in the U.S.) are not used to hearing domain names that don't end in the usual .COM, .ORG, .NET... so I ALWAYS have to clarify and explain that my email ends in .CC and not .COM, etc. I find myself still doing this even today - almost a decade later - with so many lay people "being online". I sort of expect that more often with lay people more explanation is needed, but you'd be surprised how many technical people also are not as used to hearing domain names that don't end in the usual top 3. I like the .CC TLD, I really do... but having lived these last 9 or so years with having to constantly explain to people (with whom I plan to correspond) that there are soooooo many other TLDs out there (beyond just .COM, .ORG, .NET) does get really tiring. If I had to do this all over again, I would have gone with .NET or .ORG (the .COM back then was already taken for my domain name). Oh well.

[+] oneweekwonder|8 years ago|reply
> I'm not sure if I'm just being paranoid about this though. Any suggestions on what's considered safe?

Maybe a bit, but I don't think it is based in paranoia; you have technical reasons. I just recently had to strip the TLD from URIs, and boy was that harder than expected!

That being said, domains like co.uk and co.jp have been around for a long time. I would stay away from "fancy .named" domains, but country-level names should work fine.

Would love to hear other opinions as well.
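An added illustration, not code from anyone in the thread, of the pattern throwaway613834 worries about: a validator that hard-codes a short list of TLDs, placed beside a purely structural check that accepts any well-formed domain, so .cc, .co.uk and the newer long TLDs pass. It also covers oneweekwonder's point that country-code second-level names such as co.uk are just ordinary labels. All addresses below are constructed for the example.

```python
import re

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Final label (the TLD): at least two letters, or an IDN label in xn-- form.
# Deliberately no fixed list: .cc, .co.uk and new gTLDs all pass this shape test.
_TLD = re.compile(r"^(?:[A-Za-z]{2,63}|[Xx][Nn]--[A-Za-z0-9-]{1,59})$")
# Local part: a conservative dot-atom subset of RFC 5322 (no quoted strings).
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")

# The hard-coded list the thread worries about (constructed for the example).
HARD_CODED_TLDS = {"com", "net", "org", "edu", "gov"}


def naive_is_valid(address):
    """Over-strict validator: only a fixed set of TLDs is accepted, so
    perfectly deliverable addresses on other TLDs are rejected."""
    m = re.fullmatch(r"[^@\s]+@[^@\s]+\.([A-Za-z]+)", address)
    return bool(m) and m.group(1).lower() in HARD_CODED_TLDS


def is_valid(address):
    """Structural check only: one '@', a sane local part, a dotted domain of
    well-formed labels, and a plausible TLD shape. Says nothing about which TLD."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not (1 <= len(local) <= 64 and _LOCAL.match(local)):
        return False
    if not (1 <= len(domain) <= 253):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return _TLD.match(labels[-1]) is not None


def compare(addresses):
    """Side by side: what each validator says about every address."""
    return {a: (naive_is_valid(a), is_valid(a)) for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr, (naive, proper) in compare([
        "alice@example.com", "bob@example.cc", "carol@example.co.uk",
        "dave@example.photography", "eve@xn--80ak6aa92e.com", "bad@localhost",
        "x@-example.com", "no-at-sign.example.org",
    ]).items():
        print(f"{addr:32} hard-coded list: {naive!s:5}  syntax check: {proper}")
```

Two things worth noticing in the output: the hard-coded list rejects a working .cc address but happily accepts a domain whose first label starts with a hyphen, so it is both too strict and too loose. Either way a syntax check only tells you the string is shaped like an address; whether mail arrives is settled by sending a confirmation message. Splitting the registrable domain off a host (the "strip the TLD" task mentioned above) cannot be done by counting labels, because of co.uk-style suffixes; the Public Suffix List is the usual reference for that.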

[+] chrisper|8 years ago|reply
Don't bother with any of the custom ones if you don't want to end up in spam at most companies. I went with .org and have had no issues so far.
[+] fitzroy|8 years ago|reply
On the bright side, the estimate is unlikely to triple again.
[+] devy|8 years ago|reply
Yeah, I doubt Yahoo! has 9 billion user accounts.
[+] nashashmi|8 years ago|reply
There is an unpatched server at some IP address long forgotten and no longer used by Yahoo but still nevertheless works. The page still shows the Yahoo portal with news on the front page from when Yasser Arafat was alive. I believe the page has not been updated since 2003.

The IP address is in the 200 range. I used to remember the IP address for many years due to photographic memory even though I had only seen it briefly once. But I just cannot dig up that memory anymore.

[+] AlwaysRock|8 years ago|reply
Does anyone have a good solution to deleting a Yahoo account? I've got one that is 99.9% spam mail now, but I've never deleted it because, if I remember correctly, someone else could open up that email in my name and continue to get my emails. They also don't support automatic email forwarding, if I remember correctly. It remains as the dark spot of my email accounts.
[+] graycat|8 years ago|reply
So, let's see: We have a server farm and it is working along. We want to know right along, in real time, if it is sick or healthy. So, we do some monitoring.

There are two kinds:

(1) The first kind looks for problems never seen before. Here we get to use data of two kinds, (i) when the system was healthy and (ii) when the system was sick and we detected the problem, understood it, found out why, and tried to prevent that problem in the future.

(2) The second kind looks for problems never seen before, that is, zero-day problems. Here we have no data on the problems but likely do have a lot of data on when the system was healthy or at least seemed to be, not just on the day of the data collection but also later.

In both cases we have two ways to be wrong:

(A) Say that the system is sick when it is healthy -- a false alarm.

(B) Say that the system is healthy when it is sick -- a missed detection.

So, from (A) and (B), we get two rates and want both to be low.

We can get data on many variables at high data rates.

Now, what do we do?

Okay, it's a problem in, say, data analysis, data science, statistics, AI/ML, right?

Hmm .... What do we do?

Uh, be warned: If the false alarm rate is too high, then the monitoring will be ignored.
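An added example, not the commenter's code, that makes the two error rates in (A) and (B) concrete. It fits a simple threshold detector on constructed healthy-only samples (the situation where no sick data exists) and then scores it against a constructed, labelled stream, sweeping the threshold to show that pushing the false alarm rate down pushes the missed detection rate up. The metric, the numbers and the detector are all invented for the illustration.

```python
import statistics

# Constructed baseline: response-time samples (ms) taken while the system was
# known to be healthy. These numbers are made up for the illustration.
BASELINE_MS = [100, 102, 98, 101, 99, 103, 97, 100, 102, 98]

# Constructed evaluation stream: (sample, truly_sick) pairs. The label is the
# after-the-fact truth used only to score the detector, never to decide.
EVAL_STREAM = [
    (100, False), (101, False), (99, False), (104, False), (98, False),
    (102, False), (103, False), (97, False), (100, False), (105, False),
    (106, True), (108, True), (115, True), (130, True), (104, True),
]


def fit_baseline(samples):
    """Learn what 'healthy' looks like from healthy-only data: with no examples
    of the sickness available, all we can model is normal."""
    return statistics.mean(samples), statistics.stdev(samples)


def is_alarm(value, mean, std, k):
    """Alarm when the sample sits more than k standard deviations above the
    healthy mean."""
    return value > mean + k * std


def evaluate(stream, mean, std, k):
    """Score a threshold k against labelled data, returning the two error rates
    the comment names: false alarms (A) and missed detections (B)."""
    healthy = [v for v, sick in stream if not sick]
    sick = [v for v, flagged in stream if flagged]
    false_alarms = sum(is_alarm(v, mean, std, k) for v in healthy)
    missed = sum(not is_alarm(v, mean, std, k) for v in sick)
    return {
        "k": k,
        "false_alarm_rate": false_alarms / len(healthy),
        "missed_detection_rate": missed / len(sick),
    }


def sweep(stream, mean, std, ks=(1.0, 2.0, 3.0)):
    """The trade-off: raising k lowers false alarms and raises missed detections."""
    return [evaluate(stream, mean, std, k) for k in ks]


if __name__ == "__main__":
    mean, std = fit_baseline(BASELINE_MS)
    for row in sweep(EVAL_STREAM, mean, std):
        print(f"k={row['k']:.0f}  false alarm rate={row['false_alarm_rate']:.2f}"
              f"  missed detection rate={row['missed_detection_rate']:.2f}")
```

On this data k=1 catches every sick sample but fires on 30% of healthy ones, k=3 never fires falsely but misses 40% of sick samples, and k=2 sits between. Which point on that curve is right is exactly the question the comment leaves open, and the closing warning applies: an operator who sees three false alarms in ten healthy readings will stop reading the alerts.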

[+] methodover|8 years ago|reply
This still is a huge concern for us web app developers. Most people re-use their email addresses and passwords across multiple sites. One breach at one internet company affects all the others.

IMO, password reuse is the #1 web application security problem in the world right now, and there's very little in the way of accepted industry standards to mitigate it.
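One mitigation that has since become common for the reuse problem described above is to refuse new passwords that already appear in known breach corpora, looked up with a k-anonymity range query so the service never sends the password or its full hash anywhere (the scheme used by Have I Been Pwned's Pwned Passwords API). The block below is an added example, not the commenter's code or HIBP's, and implements both sides of that exchange fully offline against a small constructed corpus with made-up counts.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: (plaintext, times_seen). Counts are made up for the
# example; a real index holds only hashes and counts, never plaintext.
CONSTRUCTED_CORPUS = [
    ("password", 3),
    ("123456", 5),
    ("letmein", 2),
    ("correct horse battery staple", 1),
]

PREFIX_LEN = 5  # hex chars the client reveals; the remaining 35 stay on the client


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form a Pwned-Passwords-style index keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket digests by their first PREFIX_LEN hex characters and
    keep only (suffix, count) pairs in each bucket."""
    index = defaultdict(list)
    for plaintext, count in corpus:
        digest = sha1_hex(plaintext)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


def hash_prefix(password):
    """Client side: the only thing that goes over the wire."""
    return sha1_hex(password)[:PREFIX_LEN]


def range_query(index, prefix):
    """Server side: return every suffix sharing the prefix. The server learns
    which bucket was asked about, not which password is being checked."""
    return list(index.get(prefix, []))


def breach_count(password, index):
    """Client side: match the never-transmitted suffix locally against the
    returned bucket. Returns how many times the password was seen (0 = not seen)."""
    digest = sha1_hex(password)
    suffix = digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, digest[:PREFIX_LEN]):
        if candidate_suffix == suffix:
            return count
    return 0


def acceptable_new_password(password, index):
    """Policy hook for signup or password change: refuse anything seen in a breach."""
    return breach_count(password, index) == 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_CORPUS)
    for pw in ("password", "letmein", "Tr0ub4dor&3-unique-to-me"):
        print(f"{pw!r}: seen {breach_count(pw, idx)} times, "
              f"accept={acceptable_new_password(pw, idx)}")
```

The privacy property is in the split between hash_prefix and breach_count: the server sees a five-character prefix shared by a large bucket of unrelated hashes and returns the whole bucket, and the final comparison happens on the client. Rejecting breached passwords at signup does not stop a user from reusing a password that has not leaked yet, so it complements rather than replaces a second factor.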

[+] kristopolous|8 years ago|reply
The statistical analysis on the password database here would be fantastic! You've likely got demographics, geolocation, age, when the password was made (going back maybe 20 years!) and more. It'd be a great research tool if it ever leaks.
[+] tamrix|8 years ago|reply
I swear if your company is about to go under, the executives are just selling off the data, calling it a breach, making some bank and giving an excuse to go close down which wouldn't be their fault.