10 votes

Topic deleted by author

18 comments

  1. [11]
    Adys

    The truth is, most companies don’t care about the privacy or security of your data

    I don't think that's true, tbh. The line isn't really a signal on whether or not they actually do, but a lot of companies do take privacy/security very seriously because of internal activism.

    Sometimes, a single employee in the right place is enough for the company to develop good internal security and privacy policies.

    Of course I do wish such companies could be hit with hard fines should they say that meaninglessly. PayPal comes to mind, a company that "takes security extremely seriously" and yet:

    • Has no proper TOTP 2FA flow (there's a hidden, awkward one)
    • Has an extremely dumb password policy (max 20 chars, among other things)
    • Is completely unable to tell you why a payment failed "for security reasons", even if it failed because of something on your bank's side (they'll tell you it was probably fraudulent).
    • Uses a bazillion scam-looking non-paypal.com domains for their emails and other very real communications.

    Did you know? All the following domain names are owned by PayPal and legitimately used by them (and yes, https doesn't even work on most of them):

    9 votes
    1. [9]
      Amarok

      Maintaining proper security is a herculean task. It's hard as hell, boring and monotonous work, complicated to the extreme, doing it right means inconveniencing everyone from internal developers to regular users, and the costs for it are ongoing, it's never ever 'done.' Basically, getting security done right is like having a constant headache for a business. The costs of data breaches are far less than the costs of security. Hopefully we'll see some fines that change that, and then perhaps businesses will start to take it seriously instead of giving up on it in frustration or ignoring it completely.

      There's an easy litmus test for this. When you use computers at the places you work, is it a colossal pain in the ass to access everything? Does your workflow involve 2-3 extra steps on a semi-hourly basis because of it? If the answer is no, then you haven't got good security. ;)

      5 votes
      1. [2]
        Adys

        If the answer is no, then you haven't got good security. ;)

        Boy do I disagree with that :)

        Security is always a tradeoff with convenience. Severely inconveniencing users and/or staff is a great way to ensure that security will become the user's opponent, and the user will actively attempt to defeat everything that protects them.

        Or to put it another way, it's in both the user's and Durex's best interests that sex with condoms remains pleasurable.

        5 votes
        1. Amarok

          Perhaps I've just not been lucky enough to deal with well written applications - but I doubt my experiences are atypical.

          Sure, you could in theory have a highly secure system that's easy to use. That's only easy to do if you develop it with those goals in mind from day one. If you try to add security after the fact, it's always a science project and it's like seven times the effort. Most large businesses are still using internal software that was written long before these security issues became a mainstream concern.

          Honestly that might be one of the reasons they are all so keen on cloud services, trying to outsource some of the risks and dump the old systems.

          2 votes
      2. [6]
        masochist

        I don't think you're depicting things accurately, here. It sounds like what you're actually describing is perfect security. Perfect security is indeed impossible. But there are some very simple best practices that any company can use (largely because they've been encapsulated in reusable tools expressly for the purpose of making it easier to do things right). When we see things like passwords stored in plain text, that's just irresponsible laziness. It's one function call to store a password in a secure way vs. insecurely, and one function call to do a secure lookup so that the plain text version never reaches the DB.

        What you're describing here is far more than most people need. There's a difference between the perfect model that you're talking about and the "good enough" model that most people need. Sure, if you work for the government, with sensitive data, the kind of security vs. convenience tradeoffs you're talking about are fine. But for most users, with most kinds of data, there are very simple changes to make which don't impact convenience that much. I usually hate this philosophy because it leads to awful code, but in this case perfect really is the enemy of the good.

        3 votes
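The "one call to store, one call to verify" point made above, as an added Python example that is not from the thread or any company it mentions. It assumes an in-memory dict standing in for the database, constructed sample accounts, and scrypt work factors chosen here for illustration; it also shows the plaintext-storage pattern beside the hashed one and an audit helper that finds accounts still holding a recoverable password.

```python
import hashlib
import hmac
import os

# Work factors are assumed for this example; tune them per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
_DUMMY_SALT = bytes(16)  # used to equalise timing for unknown accounts


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation; no length cap is needed on the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def store_password_insecurely(db: dict, user: str, password: str) -> None:
    """The 'plain text offender' pattern: the secret itself lands in the DB."""
    db[user] = {"scheme": "plain", "secret": password}


def store_password(db: dict, user: str, password: str) -> None:
    """One call: only a random salt and the derived key reach the DB."""
    salt = os.urandom(16)
    db[user] = {"scheme": "scrypt", "salt": salt, "key": _derive(password, salt)}


def verify_password(db: dict, user: str, password: str) -> bool:
    """One call: re-derive with the stored salt, compare in constant time."""
    rec = db.get(user)
    usable = rec is not None and rec.get("scheme") == "scrypt"
    # Burn the same work for unknown or legacy-plaintext accounts so the
    # response time does not reveal whether the account exists; fail closed.
    salt = rec["salt"] if usable else _DUMMY_SALT
    key = rec["key"] if usable else b""
    candidate = _derive(password, salt)
    return usable and hmac.compare_digest(candidate, key)


def plaintext_offenders(db: dict) -> list:
    """Audit helper: which accounts still hold a recoverable password?"""
    return sorted(u for u, rec in db.items() if rec.get("scheme") == "plain")


if __name__ == "__main__":
    users = {}  # constructed stand-in for a users table
    store_password(users, "alice", "correct horse battery staple")
    store_password_insecurely(users, "bob", "hunter2")
    print(verify_password(users, "alice", "correct horse battery staple"))
    print(plaintext_offenders(users))
```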
        1. [5]
          Amarok

          Depends on the threat model. If you're seriously trying to keep China out, as opposed to only worrying about script kiddies, you've got to take the big steps.

          Imagine how much work it'll take for any business to refactor existing systems just to implement the simple basics you're talking about - and no, most of them haven't even got the basics. How many internal applications and servers have to be checked? I worked for a small development company and for them it would have been around 50. Some of our corporate clients would have been well into the hundreds. Weeks of work per system, disruptions and deployments, millions of dollars at a minimum and years of time to get it all done.

          2 votes
          1. [4]
            masochist

            Sure, if you're trying to keep a government out, you need to do the stuff that you're describing. But I don't think most businesses or organizations need to worry about threats with a nation's resources. That's what we call an APT (advanced persistent threat) in the industry, and the accepted wisdom is basically that if you're up against an APT that you're going to be compromised and to just work to minimize the impact.

            Sure, it'll take effort, but it's still work that needs to be done. It sounds like you're taking something of a defeatist position here, where because "it's hard and will cost a lot" it can't be done. Maybe I'm misreading it, maybe I'm more optimistic, but "it's hard and will cost a lot" is not a reason for things not to be done. Now, of course, manglement will disagree, but that's independent of needing to do the work.

            I'm sorry if I misread your second paragraph; if I have, can you please clarify?

            2 votes
            1. [3]
              Amarok

              I'm kinda thinking about this in the context of Facebook/Twitter et al - the big companies that have the most data, the kind that make billions a year. Remember the train wreck that Sony got into with the PlayStation Network? That sort of thing.

              My criticism isn't of the technology. I know we're quite capable of doing it and doing it well, despite the work and the costs. I have no confidence at all that management will ever go for it. They'll whine and squirm until they find a way to avoid spending the money, just like they always have when it comes to any kind of substantial investment in their IT infrastructure... and probably even more so, because Mr. Manager will be personally impacted by having to remember a complex password or use a password manager. It's something they really, really do not want to do. Some take it seriously, but it's so few, so rare, and that makes me a bit depressed.

              This security problem is, to me, a strictly human failure. :)

              4 votes
              1. [2]
                masochist

                Right, in that kind of context, yes, you absolutely need to worry about things like state-backed actors. I absolutely do remember the PSN fiasco, yes. And I know that Sony's still making tons of cash because people just don't care.

                Yes, manglement are the ones who will ruin everything. Sadly, this isn't a new observation. :( It definitely leaves me a bit sad, too.

                Most security problems are strictly human failures. I don't mean that in the sense that code problems represent human failings (they do), but rather that the human making a bad decision about the use of technology causes the security problem. Things like not building a site intelligently or not updating their internet-facing Windows box.

                2 votes
                1. Amarok

                  How does that saying go? There is no patch for human stupidity.

                  It's a bit pessimistic but often true. Even saying we got our secured datacenters, how long until the bosses decide they can cut the security budget now that all the hard work is done? Security is a commitment, not a gadget you buy once and problem solved. What is it going to take to get everyone to make that honest commitment?

                  1 vote
    2. masochist

      If they took your privacy and security seriously, they wouldn't have such horrible policies regarding protecting user privacy and security. The claim just doesn't make sense when we look at how these companies behave. Plaintextoffenders is an archive of sites that store passwords in plain text. The third most recent post on the site at time of writing belongs to the Canadian government. This isn't a third world country that's just rolling out a website for the first time. This is a developed, first world nation.

      2 votes
  2. [8]
    Comment deleted by author
    1. [7]
      Amarok

      Here at Tildes, we take your privacy and security seriously. /ducks

      Hey, if nothing gets collected, then there's nothing for hackers to steal. Somehow I doubt the for-profit companies ever thought of that as a workable solution to the problem. :D

      6 votes
      1. [6]
        Kirisame
        (edited)

        Not hoarding something that's potentially monetizable? Unthinkable.

        I hope GDPR signals a real trend, and that we see something similar in the States. The requirements may be onerous for newcomers, but being small and new to a market shouldn't be an excuse for poor data collection/retention policies.

        5 votes
        1. [5]
          masochist

          With how pro-business the US is, I really don't see it happening in the US any time soon, and certainly not at the federal level. California has some state-level laws that are the very beginning of what the GDPR does, but it only applies to California and certainly won't be adopted by the more libertarian/republican states.

          3 votes
          1. [4]
            Amarok

            The good news with GDPR is that most major online companies do business in Europe somewhere. If any Europeans access those services, that means those companies are wide open for GDPR-related fines (and at 4% yearly net revenue per infraction, it's no joke). Perhaps rather than creating and maintaining two separate service silos (one for Europe that's compliant, one for everyone else that isn't) most of them will just keep the one service stack and actually do the work of securing it. Perhaps. I'm not optimistic. :/

            3 votes
            1. [3]
              masochist

              As two technically-inclined users that makes sense to us from a software design perspective. But from a "must satisfy the shareholders" perspective, it can't work. Business ruins everything. grmbl.

              2 votes
              1. [2]
                Amarok

                I think of it like a costs issue.

                It seems like it'll be cheaper to fix the one silo and maintain it, or build the second one and move to it, than to deal with the costs of having two different 'versions' of your application to deal with going forward. If that's the case when they run the numbers, they might make the right choice out of greed.

                2 votes
                1. masochist

                  I'm something of an act utilitarian and coming to the right design by greed is good enough for me given the alternatives--especially when tech manglement is involved. I really do think that's the best we can hope for given incompetent decision makers.

                  2 votes