Liability, Hackers, Security and losing faith in the System: What’s The Answer?

In the wake of LulzSec, Anonymous, AntiSec, botnets, phishing and malware, etc., etc., etc., I’m really feeling that the system has let everyone down.

I don’t mean I need someone to make the playground a safe place to be in. I’m the first to acknowledge that I am responsible for my computer and browsing habits.

I mean that I expect companies, agencies, corporations and IT professionals to take things seriously. They need to protect what we trust them with.

Instead, we get a “disclaimer”, which absolves everyone from the software writer to the CEO, company, agency, etc. and leaves you without recourse.

Well, that’s not good enough when some criminal makes off with your life’s savings and identity.

You might be taking every step you can or can afford to take and be completely responsible, yet at some point you’re dependent on others to do their jobs.

I’m saying this is not an “Act of G-d” which no one could anticipate and prepare for. IT professionals can, do and are capable of making tremendous contributions to Information Security. They do more than fix computers and keep networks up and running.

More: They deserve respect. Their jobs require CEOs and others (co-workers) to take them seriously. I don’t think they receive it, and I don’t see the attitude “I can’t be bothered to understand, know, do and be responsible for security” as being helpful or useful. Further: Everyone in a company, agency or corporation is responsible for keeping security policy.

So what’s the answer? How do we get out of this mess? I don’t say there is one, and I don’t claim we can. I do say we can try a lot harder.

I’ve just read in PCWorld that 90% of companies in a recent survey say they’ve been hacked. Worse, 50% said they’d been hacked twice or more.

That’s insane!

I believe someone has to establish, set and require the standard. I also believe that's part of the IT professional's job. Also, nothing less should be accepted nor required for those who decide to require sensitive numbers and data from others. You see, there’s an ethical and moral responsibility (as well as legal) which no “Disclaimer” should be allowed to invalidate except in the case where the company, corporation or agency has met or exceeded the required standard.

I believe in the IT people. They should be able to do their work and be heeded.

There also need to be really significant “deterrents” for criminals.

No claims of the victim causing it should be tolerated. If there is negligence, there’s liability. Yes, liability.

It’s laughable, but liability attorneys might be the very solution we need. That’s because said agencies, etc. have one thing in common: Enlightened self interest.

They don’t want to have to explain to the shareholders why they screwed up and lost them money. Sony and Dropbox are finding out about that now. There are suits in progress.

Also, it can be made abundantly clear by serious CEOs that either you learn and do correctly or you’re gone.

Sources:

http://www.juniper.net/us/en/local/pdf/additional-resources/ponemon-perceptions-network-security.pdf

http://www.pcworld.com/article/230937/survey_90_of_companies_say_theyve_been_hacked.html

http://arstechnica.com/tech-policy/news/2011/07/will-your-employer-get-sued-for-your-security-screw-ups.ars

44,137 views 22 replies

Reply #1

So what’s the answer? How do we get out of this mess?
End of quote

I say we dust off and nuke them from space. It's the only way to be sure.....;p

Reply #2

http://www.zeropaid.com/news/94099/abhaxas-dumps-details-of-the-internal-florida-voting-database-online/?from_rss

Sometimes I wonder why some things are even accessible from the internet. Learn to pull the plug.

Reply #3

You do a fantastic job Doc keeping us informed about all this nonsense with IT security, posting it in the forums where everybody can see and put voice to their opinions. The only problem I see is that they need broader coverage so that this information is disseminated across a wider spectrum. I wonder if local newspapers and/or magazines that reach many more people would be possible. Putting it out there blatantly, sort of up front and in your face type thing, might get a lot more people involved in this issue. We have a ton of members and probably by word of mouth most of this gets spread around, but what if it hit the local media, not just online but everywhere.

People read newspapers every day, some religiously. A vast majority listens to the radio and some even pay attention to commercial breaks. If there were commercials on the radio telling people about this, and on TV where it can be seen as well as heard, it just might raise social consciousness to the point where not just IT pros pay attention but 'so-called' politicos with a need to keep their constituents, read people who voted for them, in the know. Sound promising? Sure. Will it work? It can if it's out there. Will it be done? Probably not. Most public officials, term used loosely, are more interested in how much of your money they put in their purses rather than doing the right thing. Perhaps one day....IMO

Reply #4

Very thought provoking post. It's difficult to think about getting cyber malware spreaders and cyber hackers reined in because of national boundaries, etc. It's more difficult to get, as you suggested, the entities (CEOs on down) to do anything truly awesome related to cyber security, IF they are not responsible for breaches. The hold harmless type clauses that are ubiquitous on the web guarantee they are 'not responsible.' Yes, pull your plug, don't leave your PC on line when you are idling, etc. - all good suggestions.

And Doc expressed, very well, the need for many corporate cultures to take more seriously the tasks, role, etc., of IT professionals. However, a rather large missing piece of the 'new corporate culture' is largely responsible for this. Many other more egregious (I believe evil) behaviors are also predicated on the hierarchical structure of uber corporations. Corporate culture, in large corps, is generally very stratified, with a class structure that includes privilege. The upper classes in this structure, many times, have a sense of entitlement, a sense that the entire enterprise serves them. While this is most apparent among uber banksters - who have 'stolen' retirement monies from a multitude of small fry - little has been done to prosecute these 'persons.' I mention, in passing, the massive sense of entitlement the massively large giants in the so-called 'free market' act on way too often.

So, it is not surprising the cyber hackers, mal-ware doers, etc., are not getting the 'attention' we small fry feel they should get. Because, until this cyber activity really hurts the bottom line of the corporations, these corps will consider it a nuisance, and a 'cost of doing business.' It's minor damage to them, even if it destroys the lives of many people. It's a 'feature' (I would say systemic evil) inherent in massive, class stratified, hierarchical fiefdoms (err corporations) to not care much for the peasants - even if you are marketing to them, unless too many small fry get hurt - and that hurt starts to affect the top levels, and the bottom line. Anything else is just a 'cost of doing business' and mere 'collateral damage.' It's not personal, it's just business. Bottom line: until there is a vastly different corporate culture, small fry will continue to get cyber attacked, etc. and the top will not give sufficient concern to the IT folks.

Reply #5

I too imagine it is mainly a matter of money. One thing to remember - When companies pour money into anything, either by choice or as the result of a lawsuit, they build those costs into their product and the consumer pays for it. So when we all say "Companies should put more money into xxxx", what we're really saying is "We want companies to put more money into xxxx and we want to pay for it". (Same thing when we talk about what the governments should be doing.)

I honestly don't know what the answer is; clearly some different approach would be helpful. Just remember - We're going to pay for it.

Reply #6

Quoting DaveRI, reply 5
Just remember - We're going to pay for it.
End of DaveRI's quote

Either way. At least my way your info has a chance of being more secure.

The other way you're paying more to pay off their unnecessary law suit, subsequent to the loss of your info as well. So you pay double, and lose as well.

Reply #7

Just want people to remember that companies don't run down to the basement and print off a bunch of cash to pay for these things ;) Governments do sometimes I suppose, and that usually doesn't turn out so well 8O

Reply #8

I do IT and specifically networking and security for a living. The problem with bringing "security" to the internet is that the internet was designed with a "barn-door open" concept. When the stalls were built all over the field how does one now build a barn over top to protect them all?

I see absolutely nothing in the internet-security landscape changing at all until we start to control (at a router/network level) what and where individuals are allowed to go/do. Anything short of that (keeping in mind we're already doing a lot of that within corporate networks and restricting usage when individuals are using company assets) will have little to no effect.

Of course getting the world to come together in deciding what is and what isn't "off limits" would be a monumental task in the first place. So do I really think things can/will change? No.

Holding companies more responsible is only one part of the problem. Once companies realise that they can't really guarantee client data safety, they will be faced with removing certain services. Is that something society will be happy with? Fewer services? For that reason I predict there will come a time where society will have to decide: less individual freedom (meaning someone somewhere will exercise some control over "your internet") or companies beginning to offer less because the job of fighting off the cyber-criminals will have become too large.

Reply #9

Quoting the_Monk, reply 8
The problem with bringing "security" to the internet is that the internet was designed with a "barn-door open" concept. When the stalls were built all over the field how does one now build a barn over top to protect them all?
End of the_Monk's quote

Was not the topic of the OP.

I mean that I expect companies, agencies, corporations and IT professionals to take things seriously. They need to protect what we trust them with... I believe someone has to establish, set and require the standard. I also believe that's part of the IT professional's job. Also, nothing less should be accepted nor required for those who decide to require sensitive numbers and data from others. You see, there’s an ethical and moral responsibility (as well as legal) which no “Disclaimer” should be allowed to invalidate except in the case where the company, corporation or agency has met or exceeded the required standard.
End of quote

Was. I believe IT specialists, if heeded and allowed to make data secure, can do it. Government IT and private can collaborate to create the standard practices which should yield the best results.... not necessarily perfect, and that lawsuits and liability attorneys are doing that instead of IT at present, which is less than optimal.

Reply #10

My quote below addressed same.

Quoting the_Monk, reply 8
Holding companies more responsible is only one part of the problem. Once companies realise that they can't really guarantee client data safety, they will be faced with removing certain services. Is that something society will be happy with? Fewer services? For that reason I predict there will come a time where society will have to decide: less individual freedom (meaning someone somewhere will exercise some control over "your internet") or companies beginning to offer less because the job of fighting off the cyber-criminals will have become too large.
End of the_Monk's quote

You seem to feel more legal responsibility is the answer to your thread question. Obviously I think there is more to it than that, since even your OP suggests the current system (the system you alluded to in your last reply to me with regard to lawyers and lawsuits doing the job of the law/standards makers) is "broken" (i.e. you've lost faith in it).

ISPs could do so much more:

- Log everything a person does using their connection. (Something being discussed in Canada, although who knows how serious this discussion really is.)

- Scan for and block certain types of traffic (malicious traffic can in many cases be identified) and be even more aggressive world-wide with internet traffic shaping/allowances.

- ISPs create an "acceptable use" policy that actually dictates and holds the individual liable for how their connection is used.

- Remove an individual from the ISP connection if their traffic logs show multiple "infractions".

- Have ISPs share global ban/block lists of domains and even individuals who are "known" to be causing mischief.

etc. etc. There are plenty more things the ISPs could be ordered to do.

Reply #11

Conversations and/or discussions like this remind me of that old saying 'Locks are for honest people'. No matter to what degree security is increased..........

Reply #12

Anyone that has an extra hour will find this interesting. Talks about Corporate Social Responsibility.

Reply #13

The Internet swings one way and another... towards more or less open. It looks like it's in a swing towards less open at present.

Perhaps the answer lies in more powerful or sophisticated tools to root them out and deal with them independent of the national states in which they reside.

I was looking at just the organizations which have and are supposed to guard our information and over which we have (as individuals) no recourse except litigation (not a real option for most of us), and the governmental ones which through "sovereignty" are not concerned with litigation. There really should be a way besides "Them doing it on their own" to address this situation.

Not sure how enforcing a demand for tighter security on the part of companies would work except through collaboration with people with expertise. As for simple things, why should companies be allowed to hold unencrypted data, or be allowed to work in unsafe ways? If there are safe/safer ways to work, why shouldn't they have to work that way? Why shouldn't https become the standard? How does that infringe on 'rights'? I maintain it doesn't.

Freedom doesn't mean the right to behave in unsafe ways with other peoples' information and be able to escape from consequences by a tricky TOS or "sovereignty". While I believe most people would be willing to give up never used 'rights/freedoms' for more security (viz. responses to 9/11), I don't think it's been proven they would have to.

As for the ISPs, I'm not opposed. http://arstechnica.com/web/news/2011/02/isps-the-off-duty-cops-of-the-world.ars certainly explains it well, but that really doesn't address ISPs in countries less legally oriented than ours... i.e. the place where many cyber attacks seem to originate.

ISPs are certainly one layer. The targets themselves are another. The people in these companies and government agencies also have to learn responsible conduct, and there really has to be an updated and applicable policy across government agencies and for public companies. Who better than IT to determine them?

How the heck to get people to take things seriously and do their work responsibly (take a look at the arstechnica article)? There has to be a way to do this in a serious manner.

Reply #14

I like Jafo's idea.

:fox:

Reply #15

Quoting Kitkun, reply 14
I like Jafo's idea.
End of Kitkun's quote

'twas Ripley's .....and she was right all along ....;)

Reply #16

Quoting DrJBHL, reply 9
Was. I believe IT specialists, if heeded and allowed to make data secure, can do it.
End of DrJBHL's quote

I do not believe they can. Many hacks are through social engineering, and as long as you have people with access to data, you are going to have hacks. I think more care can be given towards securing the data, but you are not going to eliminate data breaches no matter the security. The only way to make it 100% secure is to deny all access, but then the data is worthless.

Reply #17

The hacks can be prevented for the greatest part by people following rules. I think OSes have weaknesses that need addressing; part of that is by establishing rules like no Facebook/private non-business related email/IM'ing on company computers. Is that perfect? No. But if people are allowed to do those things on company computers, then breaches are very likely to happen. If people conduct their private business on private devices, then the company/agency will be safer. You'll agree with that, I'm sure.

I also agree with you that nothing is perfect, but things can be a heck of a lot better than they are at present, and I think IT Pros can really make huge improvements to the current state of affairs if they are listened to.

Reply #19

The IT professionals, well, are the professionals. Reading this thread has enlightened me. I really thought IT supervisors and officers had a lot more influence in corp life than they apparently do. That's a sad state of affairs.

Reply #20

Quoting DrJBHL, reply 17
The hacks can be prevented for the greatest part by people following rules.
End of DrJBHL's quote

Agreed, but social engineering relies on the fact that people are not machines and not perfect.

Quoting DrJBHL, reply 17
I think IT Pros can really make huge improvements to the current state of affairs if they are listened to.
End of DrJBHL's quote

Ok, Dilbert. ;) (Like that is going to happen in our lifetimes).

Reply #21

Quoting ElanaAhova, reply 19
The IT professionals, well, are the professionals. Reading this thread has enlightened me. I really thought IT supervisors and officers had a lot more influence in corp life than they apparently do. That's a sad state of affairs.
End of ElanaAhova's quote

The IT dept where I work seems to call all the shots when it comes to how data is collected and stored.

Reply #22

Quoting Dr, reply 20
Ok, Dilbert.
End of Dr's quote

That's 'Doc'-bert, Dr Guy. ;)