
So sue me: are lawyers really the key to computer security?

27 points | shawndumas | 14 years ago | arstechnica.com

22 comments

[+] pittsburgh|14 years ago|reply
I hold an unpopular opinion that lawyers and lawsuits are a great way to motivate companies to "do the right thing", where in this case the "right thing" we're talking about is protecting customer data.

Another great motivator for doing the right thing is knowing that customers will vote with their wallets. Unfortunately this isn't always a strong enough motivation because some markets don't have enough competition, or the cost and hassle of changing the companies you do business with is too high. (Don't you wish customers had left AT&T in droves over the NSA spying ordeal?)

That's where another force comes into play, which is government regulation. I lean libertarian, and although I think some regulation is an absolute necessity (especially on environmental issues) my preference is to have the least amount of regulation necessary. That brings us back to the attorneys. When a company like Sony screws up and exposes their customers' data, I'd rather see them get their pants sued off than have the government step in and regulate. Fear of being sued is a much more compelling reason to "do the right thing" than fear of breaking a law, which might only get you a slap on the wrist.

Do frivolous lawsuits exist? Yes, and they piss me off like the next person. Do scumball attorneys exist? Yes, and I hate them like you do. Ironically, I think some of this problem could be solved with new laws, but I haven't really thought about it enough to be more specific. (Maybe something along the lines of the loser having to pay the other side's legal fees, but I can also argue against that from ten angles. I really haven't spent enough time thinking about how to minimize frivolous lawsuits to feel like I can say anything intelligent about it, other than to say that I bet something can be done.)

Anyway, my point is that companies have different forces that can/should/do motivate them to provide data security, and the threat of lawsuit is an excellent one, right up there with fear of losing customers and fear of government regulation. Too much of any one of these forces is bad, but we wouldn't have a healthy mix without attorneys and their lawsuits.

[+] fleitz|14 years ago|reply
It's going to work for about a year, then when there is a security failure the company will turn around, run git/svn blame, and sue the individual employee. Hopefully the laws would be written so that when you post security best practices in your TOS and the customer does not follow them, the liability can be mitigated (e.g. don't reuse passwords on multiple sites).

Re: AT&T, where are they going to go? T-Mobile?

[+] ScottBurson|14 years ago|reply
Still, Halderman warned that too much litigation could cause companies to become excessively security-conscious. Software developers always face a trade-off between security and other priorities like cost and time to market. Forcing companies to devote too much effort to security can be as harmful as devoting too little.

While I suppose there is always some risk of obscure, exotic vulnerabilities that take substantial creativity to find, the breaches that have been making the news lately have not been of this kind; they've all involved "kindergarten security" as Bruce Schneier put it. Securing applications against these kinds of exploits is not difficult!

[+] tptacek|14 years ago|reply
Yes it is. Most devastating bugs are actually trivial. English or metric units? The security problem isn't how hard or simple any one bug is; it's how to eradicate them across entire immense codebases, while still shipping with the market.
[+] dangrossman|14 years ago|reply
The class action suit against Dropbox sounds frivolous... the claimant says she wasn't even aware of the possible security lapse until days later when she read about it from a news source. That's on top of not being notified by Dropbox, which means her account wasn't accessed during the problem window. What possible damages could she be claiming?
[+] tptacek|14 years ago|reply
1. That the unfair competitive practices Dropbox engaged in when they told people untruths about their security caused her and people like her to select suboptimal storage solutions, which is a claim that arises from a California unfair competition law.

2. That some people in the class had their privacy invaded, the precise number of whom might be found during discovery.

3. That the negligence involved in opening this hole in Dropbox incurred damages at customers, for instance by requiring them to take time off to move files off Dropbox.

4. That Dropbox breached its warranty and owes its customers a refund.

Happy to help.

[+] floppydisk|14 years ago|reply
Rather than drag the lawyers into this (just more paperwork), why don't we look at it from the perspective of the tools we are using? For SQL injection, what stops databases from building an input scrubber that sits between the database and user input and scrubs input to block SQL injection? Or for that matter, why don't we see languages and frameworks used for web development touting the fact they include robust security that's easy to use?

Part of it is culture, we actually have to care about security and part of it is ease of security. If we build tools that make it easier to create a (more) secure environment and push it by default, we can at least make improving security easier.

[+] tptacek|14 years ago|reply
Nothing stops them from doing that. But they don't. Now what? See, we're back at the premise of the article.
[+] dangrossman|14 years ago|reply
I think you just described PHP's old magic quotes feature, which automatically escaped all user input to, among other things, block SQL injection. It's universally reviled as one of PHP's worst design decisions and is no longer part of the default feature set.
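
Added example, not part of the thread or any commenter's code: a sketch of why a blanket input scrubber of the magic-quotes kind discussed above works poorly, next to bound parameters. The function names are hypothetical, `magic_quote` is an assumed model of addslashes-style escaping, and an in-memory SQLite database stands in for the application's database.

```python
import sqlite3

def magic_quote(value):
    # Assumption: models addslashes-style scrubbing, i.e. backslash-escape ' " \ and NUL.
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in value)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return db

def store_scrubbed(db, name):
    # Scrubbed at the input boundary, then stored via a bound parameter:
    # the escape character becomes part of the stored data.
    db.execute("INSERT INTO users (name) VALUES (?)", (magic_quote(name),))
    return db.execute("SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()[0]

def lookup_concatenated(db, name):
    # Scrubbed value spliced into SQL text. SQLite escapes a quote by doubling it,
    # not with a backslash, so the quote still ends the string literal.
    sql = "SELECT id FROM users WHERE name = '" + magic_quote(name) + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc

def lookup_bound(db, name):
    # Value travels separately from the SQL text; no escaping decision is needed.
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    sample = "O'Brien"  # constructed sample input
    db.execute("INSERT INTO users (name) VALUES (?)", (sample,))
    print(store_scrubbed(db, sample))        # stored name now carries a backslash
    print(lookup_concatenated(db, sample))   # scrubbed query fails to parse
    print(lookup_bound(db, sample))          # bound query finds the original row
```

The scrubber has no way to know which SQL dialect or context its output will land in, which is why the escaping decision belongs to the query layer rather than the input boundary.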
[+] robtoo|14 years ago|reply
I have always believed that it will ultimately be the insurers (through liability insurance conditions) who enforce server security, rather than courts and lawyers. I don't see this as a bad thing.
[+] tptacek|14 years ago|reply
You should. If insurance is going to solve this, wait 15 years and we'll all need certifications to commit code.
[+] Dylan16807|14 years ago|reply
The lede is rather disappointing on this. These lawsuits are for services being breached, not being the author of code that gets breached.
[+] GaryOlson|14 years ago|reply
Current computer security for companies is analogous to medieval castles: large crude systems with large support requirements and little concern for the security of small individual contributors. Once computer infrastructure effectively moves to less crude large scale centralized forms and provides effective minimal security for every small contributor will the key be available.

My home is my castle; my community infrastructure supports that implementation. Therefore the community does not require a castle. When personal computing equipment is equally robust, large computing systems will not be as necessary and neither will the legal implementations.

Laws and lawyers at the individual level are the key to computer security.