zlacker

[parent] [thread] 4 comments
1. southe+(OP)[view] [source] 2021-09-15 07:26:04
Implementing security guidelines is not as easy as paying a security expert. You then have to follow their advice, which means security practice for all employees. It can be costly and cumbersome.

Of course, it would have reduced damage, such as pointing out that unhashed or unsalted MD5 passwords in a database are... what we stopped doing 20 years ago for good reasons? :)

But well, if you're a big hosting provider catering to white supremacist content, you usually don't need so much security, since apart from anonymous-adjacent antifascists pretty much everyone is licking your boots, including law enforcement. The biggest neonazi forums have been around for decades, and their biggest proponents are well hidden behind the walls of our police stations, banks and parliaments.

Love the reference to Woody Guthrie, too https://en.wikipedia.org/wiki/This_machine_kills_fascists

replies(2): >>tcmart+w >>vmoore+cK
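The OP's remark about unsalted MD5 password columns, as an added example that is not part of any comment in this thread: it contrasts a legacy table of unsalted MD5 digests with a per-user-salted, memory-hard scrypt scheme from the Python standard library. All users, passwords and the tiny wordlist are constructed for the demonstration, and the scrypt parameters are illustrative choices, not a recommendation from the thread.

```python
"""Added example (not from the thread): why an unsalted MD5 password column
is weak, beside a salted, slow KDF built only from the standard library.
Every user, password and wordlist entry below is constructed sample data."""
import hashlib
import hmac
import os

# Constructed "legacy" table: user -> unsalted MD5 hex digest, as a breached
# database from the early 2000s might look.
SAMPLE_PASSWORDS = {"alice": "password123", "bob": "password123", "carol": "letmein"}
LEGACY_ROWS = {u: hashlib.md5(p.encode()).hexdigest() for u, p in SAMPLE_PASSWORDS.items()}

# Constructed mini wordlist; a real attacker brings billions of entries.
WORDLIST = [b"123456", b"password", b"letmein", b"password123", b"qwerty"]


def build_md5_lookup(words):
    """Precompute digest -> plaintext once. Because nothing per-user goes
    into an unsalted hash, this one table works against every row of every
    database ever leaked; the hashing cost is paid once, not per user."""
    return {hashlib.md5(w).hexdigest(): w for w in words}


def crack_legacy(rows, lookup):
    """Reverse every legacy row present in the precomputed table: one dict
    lookup per user, zero hash computations at attack time."""
    return {user: lookup[d] for user, d in rows.items() if d in lookup}


def duplicate_hashes(rows):
    """Unsalted hashing also leaks which users share a password: equal
    passwords give equal digests, so groups are visible without cracking."""
    seen = {}
    for user, d in rows.items():
        seen.setdefault(d, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


# --- hardened scheme: random per-user salt + memory-hard scrypt ---
# Parameters are illustrative (16 MiB, fast enough for a demo); tune upward
# for production and store them alongside the hash so they can be raised later.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt per user means
    identical passwords yield different digests and no table can be shared."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hardened_rows():
    """The same constructed users stored under the salted scheme."""
    return {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}


def crack_hardened(rows, words):
    """Weak passwords still fall, but each (user, guess) pair now costs a
    full KDF call and nothing is shared between users: the attacker pays
    users x guesses instead of a single precomputed lookup."""
    found, kdf_calls = {}, 0
    for user, (salt, digest) in rows.items():
        for w in words:
            kdf_calls += 1
            if verify_password(w.decode(), salt, digest):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    table = build_md5_lookup(WORDLIST)
    print("legacy cracked:", crack_legacy(LEGACY_ROWS, table))
    print("shared passwords:", duplicate_hashes(LEGACY_ROWS))
    print("hardened cracked:", crack_hardened(hardened_rows(), WORDLIST))
```

Run it and the legacy table gives up all three accounts with no hashing at all, plus the fact that alice and bob share a password. The hardened rows still lose the weak passwords to the wordlist, which is why a slow KDF is a cost multiplier rather than a substitute for password policy, but every guess now costs one scrypt evaluation per user and the precomputed table is useless.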
2. tcmart+w[view] [source] 2021-09-15 07:30:42
>>southe+(OP)
Yup. Security is a lot of the time an afterthought and a burden to quite a few companies, since security is something that is not of immediate value. Last spring we had a speaker from Northrop Grumman who talked about the need to push for a DevSecOps strategy.
replies(1): >>southe+n2
3. southe+n2[view] [source] [discussion] 2021-09-15 07:47:26
>>tcmart+w
> security is something that is not of immediate value

Yeah exactly. It's a huge cost upfront and zero immediate benefits. The investment is worth it to prevent losing value due to a breach, but unfortunately it seems pretty OK for for-profit companies to "lose" data from millions of their customers without facing any sort of consequences.

I'm not exactly saying it should be entirely okay for non-profits, but these generally don't have the resources/budget to ensure any form of security, so I don't hold them to the same standards. In my book, a for-profit business leaking user data due to preventable mistakes should be dissolved instantly by law for needlessly endangering its customers.

> we had a speaker from Northrop Grumman

Uh. Sorry for you. These military industrial complex people have the best security advice, but they're the worst kind of humans.

replies(1): >>tcmart+88
4. tcmart+88[view] [source] [discussion] 2021-09-15 08:48:49
>>southe+n2
As for the Northrop Grumman speaker, his advice made sense, but as a vet I agree with you on the characterization.

As for the for-profit companies: for some reason there is not enough value placed on security in the eyes of the public. Sony is still a major player in the gaming industry despite the massive hack years ago. I'm not saying Sony should not be in business, but I don't think it made any major impact on their ability to sell consoles. Security compromises don't seem to have nearly the same impact as other kinds of compromises.

5. vmoore+cK[view] [source] 2021-09-15 14:00:42
>>southe+(OP)
> It can be costly and cumbersome

That's the opportunity cost of defending. It's like walking through treacle at times, but you have to visualize the worst case scenario in your head and act as if you're gonna get breached. You need to essentially enact the situation in your head so that it gives you the momentum you need to keep defending.
