Of course, it would have reduced damaged, such as pointing out that unhashed or unsalted MD5 passwords in a database is... what we've stopped doing 20 years ago for good reasons? :)
But well, if you're a big hosting provider tailoring to white supremacist content, you usually don't need so much security, since apart from anonymous-adjacent antifascists pretty much everyone is licking your boots, including law enforcement. The biggest neonazi forums have been around for decades, and their biggest proponents are well hidden behind the walls of our police stations, banks and parliaments.
Love the reference to Woody Guthrie, too https://en.wikipedia.org/wiki/This_machine_kills_fascists
Yeah exactly. It's a huge cost upfront and zero immediate benefits. The investment is worth it to prevent losing value due to a breach, but unfortunately it seems pretty OK for for-profit companies to "loose" data from millions of their customers without facing any sort of consequences.
I'm not exactly saying it should be entirely okay for non-profits, but these generally don't have the resources/budget to ensure any form of security so i don't have the same standards. In my book, a for-profit business leaking user data due to preventable mistakes should be dissolved instantly by law for endangering uselessly their customers.
> we had a speaker from northrup-grunman
Uh. Sorry for you. These military industrial complex people have the best security advice, but they're the worst kind of humans.
As for the for-profit companies. For some reason there is not enough value placed on security in the eyes of the public. Sony is still a major player in the gaming industry, even though the massive hack years ago. Not saying Sony should not be in business, but I don't think it made any major impact on their ability to sell consoles. Security compromises don't seem to have nearly the same impact as other kinds of compromises.
That's the opportunity cost of defending. It's like walking through treacle at times, but you have to visualize the worst case scenario in your head and act as if you're gonna get breached. You need to essentially enact the situation in your head so that it gives you the momentum you need to keep defending.
I can't speak for all of them. But I worked at a very large company known on a global scale. They thought they had proper security experts, but the people that hired them didn't know security very well. When issues were brought up, instead of them asking "how do we resolve this?" they would ask "why would someone do that?" This raised so many red flags in my head the first time I heard this, I didn't even know how to respond.
I came to them with various issues, one of them could've had very serious consequences. I proposed step by step solutions that were simple and would've patched up issues behind the scenes and only impacted people that were violating security policies. They never seemed to care about protecting what they had. It was very sad.
I'll give two examples of the issues they faced:
1. They left doors unlocked and open to the building during working hours, anyone could enter and witness highly classified work on someone's machine, or use someone's machine if they had left their desk without locking it, which happened frequently.
2. Their shared document service, which contained many classified, and highly classified documents had an authz vulnerability which would allow any logged in user to view (and in some cases edit) any document in the company that was stored on their document storage service.
I think my conclusion is that a lot of companies don't even know what their issues are, don't know what experts they need (or if they need them at all), and don't care because nothing bad has happened yet.