Full Disclosure mailing list archives

Re: EE BrightBox router hacked - bares all if you ask nicely


From: Dan Ballance <tzewang.dorje () gmail com>
Date: Thu, 16 Jan 2014 18:09:57 +0000

Totally agree with the driving drunk analogy. I mean, we say that car
manufacturers and airplane companies have to run their systems to agreed
standards. And this is done in such a way that safety on the roads and in
the skies improves. So why can it not be done for the IT industry? Nobody talks
about the car industry collapsing because they're being asked to meet basic
safety standards. Maybe it's convenient for some security professionals to
see things carry on as they are? I don't know.
On 16 Jan 2014 18:03, "Jeffrey Walton" <noloader () gmail com> wrote:

> On Thu, Jan 16, 2014 at 12:44 PM,  <Valdis.Kletnieks () vt edu> wrote:
>> On Thu, 16 Jan 2014 11:30:18 +0000, Dan Ballance said:
>>
>>> So your point is that there should be legislation to require companies to
>>> adhere to certain security standards? I'd support that - particularly in an
>>> ISP market which is clearly defined by national boundaries and law.
>>
>> OK.. What standard do you want to hoist as a legal mandate?
> No standards are needed. Attach a nominal dollar amount to the data.
> That will unbalance the risk equations and the industry will act on
> its own.
>
> For example, if it takes 2 hours to reset all your passwords
> (password reuse is rampant), then allow a consumer to recover $250 for
> their time. If PII is lost allow them damages of 7 years of credit
> reporting (about $150) plus actual damages from any loss.
>
> Hell, I had to overnight a credit card last summer while on business
> that was cancelled due to a breach. That cost me $75.00. Perhaps
> triple damages are in order, too.
>
>> Bonus points for finding a standard that provides enough *actual* security
>> that it is worth doing...
> +1
>
>> ... but yet won't bankrupt the industry.
> Computing is a privilege, not a right.
>
> Should Sony continue to be allowed to compute when they suffered at
> least 50 incidents, including data loss
> (http://attrition.org/security/rants/sony_aka_sownage.html)? Hell,
> Sony suffered 7 different incidents in one month
> (http://www.thetechherald.com/article.php/201121/7185/Seven-security-incidents-in-two-months-Sony-s-nightmare-grows).
>
> How much time and aggravation have they caused to institutions and
> consumers?
>
> That's driving drunk on the information superhighway.
>
> Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
