Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Your Rights Online

CA Law Demands Public Disclosure Of Break-Ins 188

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."
This discussion has been archived. No new comments can be posted.

CA Law Demands Public Disclosure Of Break-Ins

Comments Filter:
  • Yay, verily (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 13, 2002 @03:54PM (#4662994)
    I think the California law is long overdue. In far too many instances, companies and governments have kept mum after they were hacked, seeking to preserve their reputations and avoid public outcry while their customers face risk of identity theft. Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

    Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.

    • Re:Yay, verily (Score:1, Informative)

      by Anonymous Coward
    • Re:Yay, verily (Score:3, Insightful)

      Is it that hurtful to their reputations? What is the shame at getting hacked? It has happened to the biggest of them (ebay, CNN). I think more damage would be done if the consumers found out that they were withholding the information from them.

      That is more damaging to their reputation than any hack attack.

      • The shame is that they will be perceived
        as not secure enough for someone to trust them
        with sensitive info. Sensible enough; and even
        if it weren't, the public will hype themselves
        into believing it is.

        Would you want them to keep it quiet if your
        bank got broken into?
    • Most businesses that get hacked surely do the right thing and inform customers.

      Heck, even some spammers do it. Look at this choice piece from buystainlessonline, it's hilarous:

      From sales@buystainlessonline.com Tue Oct 22 15:46:16 2002
      Return-Path: <sales@buystainlessonline.com>
      Received: from xxxxxx.xxxxxxxx.xx (xxxxxx.xxxxxxxx.xx [xxx.xxx.xx.xxx])
      by xxxxxx.xxx.xx (8.12.3/8.12.3/SuSE Linux 0.6) with ESMTP id g9MDkJVR020365
      for <xxxxxx@xxxxxxxxxx.xxx.xx>; Tue, 22 Oct 2002 15:46:24 +0200
      Received: from linuxpow.com (IDENT:qmailr@linuxpow.com [12.149.2.10])
      by xxxxxx.xxxxxxxx.xx (8.11.6/8.11.6) with SMTP id g9MDkFQ16222
      for <xxxxx@xxxxx.xx>; Tue, 22 Oct 2002 15:46:16 +0200
      Date: Tue, 22 Oct 2002 15:46:16 +0200
      Message-Id: <200210221346.g9MDkFQ16222@xxxxxx.xxxxxxxx.xx&g t;
      Received: (qmail 13748 invoked from network); 22 Oct 2002 12:08:48 -0000
      Received: from buystainlessonline.com (HELO ) (nobody@12.149.2.55)
      by mail.buystainlessonline.com with SMTP; 22 Oct 2002 12:08:48 -0000
      Subject: HACKERS ATTACKED...E-MAILS TO RESUME... PLEASE READ
      To: xxxxx@xxxxx.xx
      From: "BuyStainlessOnline.com" <sales@buystainlessonline.com>
      Content-Type:
      X-UID: 468

      ATTENTION! This email will be sent twice before we resume our weekly newsletter.

      Over the course of the last year, our E-mail system was attacked by HACKERS twice, resulting in the corruption of our marketing system. If you are on this E-mail list and did not request to be, please be ADVISED that this is your opportunity to be REMOVED. We have been going through our E-mail database for the last 3 months to fix errors, this has stopped us from sending our regular e-mail THE STAINLESS STEEL NETWORK. We have done our best to "CLEAN" our list. If you are getting this and wish to be removed, this is your chance. Effective 10/28/02, we will resume sending this email weekly. If you wish to be removed, click the LINK below. If you use AOL, you must COPY and PASTE the link into the browser (http://). This will remove you immediately.


      Thank you for your time!
      Mgmt

      www.BuyStainlessOnline.com
      Your Place for Stainless Today.


      International 215.604.5922
      Fax 215.638.4960

      Click Here to REGISTER!
      https://www.buystainlessonline.com/registration/re gistration.php

      Unsubscribe By clicking below:
      http://www.buystainlessonline.com/email/mail.php?a ction=delete&eval=125410&email=xxxxx@xxxxx.xx

      Seems like some net vigilante typed 'or 1=1-- or something of that ilk into the spammer's remove link, or whatever...

      • ...was attacked by HACKERS twice...please be ADVISED that this is your opportunity to be REMOVED...sending our regular e-mail THE STAINLESS STEEL NETWORK...done our best to "CLEAN" our list...click the LINK below...you must COPY and PASTE the link

        Did anyone else read this and think the author had Turrets?
    • Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

      Computer security breaches are hardly similar to other issues of public safety. Announcing that a breach has occurred when there is no viable solution to keep it from happening again (either to the same company or other companies using the same software) would put the public's safety at an even greater risk.
      If it involves any of my personal data, then I would rather them keep their mouths shut for damage control until there is a solution to the original problem.
      It is sort of a catch-22 though. Other companies using the same software would be unaware of the vulnerability until a solution to the problem is found by that one company (which could potentially be slower than if many companies were looking for a fix). Maybe what we need is a *trusted* network (not in the ether sense of the word) where vulnerabilities could be posted without getting the word out to the people that would use this information maliciously.

      • If it involves any of my personal data, then I would rather them keep their mouths shut for damage control until there is a solution to the original problem.

        Would you really prefer that they don't tell you that your credit card details have been stolen until they have patched their web server?

      • Re:Yay, verily (Score:2, Insightful)

        by V.P. ( 140368 )
        No. If they can't protect my data, they have no business storing them in the first place. If they do, it's their responsibility to keep them safe, and, at the very least, let me know when they're compromised.

        Not to mention the healthy effect of getting companies to actually pay some attention to security, or face at least some bad publicity if they don't.

    • by Anonymous Coward
      You can't handle the truth!

      Every day I stand on my wall watching for intruders and protecting my web servers. Web logs indicate that my servers survive a constant barrage of attacks.

      Most attacks fail however every once in a while some lucky script kiddy, or spammer finds a chink in the armour.

      Where do you draw the line on what needs to be reported? Last week a spammer found that a poorly configured formmail.pl script on one of my servers and used it to send their spam.

      If the law allows judgement calls where a company is only required to report serious breaches then a company would try to have everything classified as trivial.

      On the other hand if a company is required to report every possible breach then the company might try to flood the public with a bunch of trivial information like a formmail script that was abused for a few hours, and then try to bury a serious problem inside the noise.
    • I'm Mr. Average Invester.
      I find out that my #1 favorite stock i dumped thousands into on the advice of my dentist has recently fallen victim to a 11 year old IRC junkie.

      Do I:
      a. invest more money in my company, showing appreciation for the companies candor.
      b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noteing the fact that no real damage was done.
      c. put a humming bird to shame franticly clicking the refresh button on IE6, neuroticly waiting for the stock to move a tick up or down.
      d. scream "SELL SELL SELL" into my cellphone while barely avoiding a headon collision in my SUV.
      e. dump all of my money into precious metals and move to an obscure island nation in preperation for the inevitable global ecconomic collapse.


      and.... pencils down.
  • Loophole (Score:1, Interesting)

    The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.

    Wouldn't want those wacky hackers to know that people were on to them and actually investigating the crime! Who makes that decision? Chief Moose?

  • by Anonymous Coward
    Companies will stop paying any attention to security logs, or will at least make sure that nobody ever speaks of anything as a "break in" or a "security problem".... There will only be "network configuration issues".
  • by Halo- ( 175936 ) on Wednesday November 13, 2002 @03:56PM (#4663021)
    If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)

    Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)
    • Because the truth has an unforunate tendancy to come out, eventually, Today's most tightly guarded secrets are the stuff tomorrow's headlines are made of.
    • I suppose it would make a pretty good piece of info to be used as blackmail. There -are- ways to prove that you broke into a system or network. I can see it now...

      Pay me 1 million not release your new product specs to your competition. Or you could pay me 1.5 mill to not anonymously report the break in. For the low low price of 2 mill, you get to keep your trade secrets AND the fact that they were stolen. Act now! Crackers are standing by!
    • by bovilexics ( 572096 ) on Wednesday November 13, 2002 @04:04PM (#4663115) Homepage

      From the article...

      • Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions.

      They (the CA government) don't need to audit or enforce anything. It is self-enforcing for those businesses that feel they may be sued and have to pay monetary payments for NOT reporting the incident. If a given company doesn't feel it can be successfully sued due to the incident then there probably wouldn't be a public reporting of it.

      It's just a CYA that would have to be handled on a case by case basis for each company and wouldn't be enforced by auditors and the like.

    • If you don't report a break-in, how is anyone gonna know it happened?

      Maybe because the hacker himself might have reported it to zone-h [zone-h.org]?

  • by dfn5 ( 524972 ) on Wednesday November 13, 2002 @03:56PM (#4663025) Journal
    Small businesses that don't have the resources to maintain an investigation will have their reputations ruined.

    Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.

    • Small businesses that don't have the resources to maintain an investigation will have their reputations ruined.
      Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.

      Day 1: Begain Searching "Google" for perpetrators (Known hangout for 'haXors').

      Day 5: Still Searching Google. Found many people distributing doctored pics of Natalie Portman, but no perps.

      Day 12: No information found at Google. Now searching internationally, trying AltaVista (personal note, penis +1/4").

      Day 17: Perps deface Nasa site. Personal note:
      1. add more fake entries until Feds nab Nasa perps
      2. Blame break-in on Nasa perps
      3. Profit!

  • The bigger picture (Score:4, Insightful)

    by unicron ( 20286 ) <unicron@@@thcnet...net> on Wednesday November 13, 2002 @03:57PM (#4663034) Homepage
    What does this law have to do with sticking up for the little guy? If a company that I have a stake in, ESPECIALLY if that stake is a good amount of money, I want to know if they're getting owned. If my investments aren't safe, I have a right to know. Granted, most financial institutions are federally insured, but that won't help me if Bob Hacker over here can make it look like I never invested in the first place. The matter is A LOT more of problem if I'm highly wealthy, in which case I'm SOL on any amount higher than 100k.

    All in all, they have an obligation to tell the world, not just for their current customers, but to let potential future customers aware of the situation so that they can make sound, informed financial decisions.
  • Why? (Score:2, Interesting)

    by websurf.net ( 621915 )
    How can California insist that anyone make it public when they are hacked? Do they insist it is made public when a company is physically broken into? I doubt it. This will just cause companies to not even call the police in order to save their reputation.
    • Yeah, but if you were storing bundles of cash at some guys house you'd like to know if his house got broken into, right? Your example is flawed because most homes don't contain high amounts of money from the neighbors under the supposed protection of the homeowner, do they?
    • I believe the assumption is that if there is any kind of personal/private information on customers stored there, people should have a right to know that it has been potentially stolen.

      If the video store is broken into, and someone steals some tapes, I don't care.

      If their database of customers and credit card info, identification, lending habits, etcetera, is stolen, I want to know about it.

  • by glrotate ( 300695 ) on Wednesday November 13, 2002 @03:58PM (#4663039) Homepage
    Information asymmetry leads to inefficency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups becasue it is good for consumers.
  • by jcrb ( 187104 ) <[jcrb] [at] [yahoo.com]> on Wednesday November 13, 2002 @03:58PM (#4663040) Homepage
    So you only have to disclose the break in if you don't have the ablity to investigate it and find out how to stop it from happening again?

    So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.

    Why is it that when people go into politics they suddenly become stupid?
    • Stupid... (Score:2, Insightful)

      by DannyO152 ( 544940 )
      Like a fox. Jane Legislator has to show the constituents that she's getting things done and preferably things that look good in the newsletter (because there is no significant news coverage of state legislative affairs.) Constituents are worried about their credit cards being stolen over the internet, so what to do? Make it against the law to steal the info? Been done. Make it against the law to enter into the servers? Been done. Make it against the law to not report that you've had a break-in? Bingo!!

      So, it sails through committee, the floor, the other house because John and Joe Legislator want to be on record (and show in their newsletters) that they are doing something(tm) about that internet id theft.

      After it's on the books, people look at it and realize that it is unclear, misguided, and not enforceable, but that wasn't the ultimate purpose was it? Plus fixing it or adding more practical legislation gives Joe, John, and Jane something to do next year.
  • Misread (Score:4, Funny)

    by verloren ( 523497 ) on Wednesday November 13, 2002 @03:59PM (#4663052)
    Computer Associates is writing laws now? And I thought Microsoft had influence with the gov..

    oh, right, California...
  • I don't trust the expedience with which the law was passed, nor do I trust its conveniently broad sweep. No mention was made of any actual damages or improprieties, nor was it made mention why they didn't disclose about the attacks for two weeks after they were aware of them. So, my conclusion is that if I were wanting to pass another security bill, I would fake an attack on myself and then go bawling to the legislators. They've been waiting, bill in hand, for me to take my cue and play my part. Curtain close. Next act, Orwell-capades!
  • I second the point on smaller businesses not having the cash to maintain bogus investigations just to delay the release of information, but this can be easily fixed by establishing a deadline that cannot be easily stretched (something akin to "even with an investigation running, you must notify your customers within one month").

    Special clauses must mention that when sensitive information is compromised (trade secrets, credit card numbers, etc) customers should be notified IMMEDIATELY, barring a judge authorizing a delay of that to protect an investigation for justified, specific reasons - ie no blank checks should be given for non-disclosure.

  • It's about time (Score:5, Insightful)

    by EggplantMan ( 549708 ) on Wednesday November 13, 2002 @04:01PM (#4663084) Homepage
    I'm sorry but I do not side with the submitter on this one. Any sort of forced disclosure in this arena is a step forward. If I am going to be trusting my personal info with a business I would like to know their security record. Just consider the recent scandals with Bell, and AOL for instance.

    It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.

    In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation as a bad thing? Get a grip already. This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.

    • Re:It's about time (Score:2, Insightful)

      by gnovos ( 447128 )
      Look at it this way...

      1) You know publicity about your break-ins will cost you reputation.

      2) You know that there really isn't any way to 100% secure your site from every niggling little security hole, no matter how much money you spend.

      What's stopping you from dumping your ENTIRE network security department and never actually going out and looking for breakins ever.

      If you never SEE a break-in, you can't be obliged to report it, right?
    • but IQ is heriditary. You say:

      This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.

      I say, bullshit. The net is mostly built on public right of way. That makes it mine, yours too unfortunately. The order of slavery is enforced by brute repression. In any case, the net will be worthless without mass participation or it becomes a one way push fest like TV or something. Oh yeah, we own the airwaves too, I keep forgeting that.

      Eggplant man, does that mean "eat me"?

  • by b.foster ( 543648 ) on Wednesday November 13, 2002 @04:02PM (#4663089)
    This bill is exactly what we need, and it should be adopted by all 50 states. Why? Accountability. Let's look at the facts before we jump to conclusions:
    • 99.4% of all breakins are caused by known, unpatched vulnerabilities. Businesses that cannot take simple steps to keep their systems up to date should be shunned by privacy-conscious consumers. After all, when you hire a business, you are trusting them and their network to keep your data safe and operate reliably.
    • This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.
    • This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).
    • Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
    • Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
    • *cough*

      IIS has the biggest market share on web servers? Since when? According to every statistic I've seen, Apache has the biggest market share.

      Also, your line of events ending in everyone adopting Linux and ditching NT is highly unlikely. Most of the NT boxes I've seen are run by morons - morons work cheap(er).
    • Remind me where you got your numbers for point 2. This [netcraft.com] seems to say differently, and has for quite some time. Apache is ahead of all other competetion, nearly 2 to 1.

    • Points 1, 3, and 5 are all good. Points 2 and 4, however, weaken your argument substantially. Since when do laws exist to arbitrarily punish Microsoft and benefit Debian?

    • by EvilStein ( 414640 ) <spam@BALDWINpbp.net minus author> on Wednesday November 13, 2002 @04:15PM (#4663225)
      Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.

      Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.
    • This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.

      I like your thinking, but your logic is screwed up. Since everyone, everyone intelligent to consider switching to Linux, knows that IIS is the market leader, they'll just chalk up the large number of break ins on IIS to their market share. At least that's how your logic makes it sound. Plus with that logic, Apache would be reporting the most breakins of all!
    • 99.4% of all breakins are caused by known, unpatched vulnerabilities. Businesses that cannot take simple steps to keep their systems up to date should be shunned by privacy-conscious consumers. After all, when you hire a business, you are trusting them and their network to keep your data safe and operate reliably.

      Agreed. If a program is a security liability, they need to either fix it or replace it. Electronic deadwood does no-one any good, no matter how pretty it is.

      This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.

      It depends on how smart and flexible MS is. They've finally been catching onto doing networking the smart way and if they start getting revealed as unsecure as they actually are, they may just fix themselves, and rake in the public attention, while the open source community whacks themselves on the forehead saying, "BUT WE'VE BEEN DOING IT THAT WAY, FOR FREE FOR YEARS!" Never underestimate MS's spin doctors or the public's gulibility.

      This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).

      I like the concept of IT staff's importance about to take a big step up. Maybe I'll actually be able to get a job when I stop doing this shit for the Army, instead of fighting some kid for a tech support job or some crap like that.

      Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.

      Speaking as an Army Sys-Admin, I can tell you that most of our users are too tech-stupid to use Linux, no matter how ridiculously easy the distro is. Windows will stay entrenched in the military. Other government sections may be smart enough to swap out to Linux, but the Army won't. We just don't have enough people that can find the "any" key.

      all in all, the IT crowd and the public at large wins with this new law. slap an S or HR on it with a couple of numbers and I'll vote for whoever in Congress sponsors it.
    • This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.

      What? Since when did IIS overtake Apache in web server market share?

      This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm). Never opened a small business, eh? Let me enlighten you. Most small business (under 50 employees) are sole proprietorships or partnerships started by either a single person or a small group of individuals with limited resources.

      These shops use MS Windows and IIS for the following reasons:
      1: It is similar to the machine used at home. For someone who has used Win9x or NTx Workstation, Windows Servers are pretty easy to get started with.
      2: Most of the services (file sharing, email, web) are free as in beer with Windows.
      3: It is prety easy to set up a decent site with Front Page.

      Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.

      Only in Linux Land. Since when did apt become easier than Windows Update?

      Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.

      Wrong again. I have contracted for the Fed and much of their critical stuff not only runs on MS, it is secure as all hell. In fact, the biggest vulnerabilty in the gov't systems I have seen has been the fact that several different platforms and apps are in use - a network admin's nightmare. (e.g. MS Windows of all vintages, SOLARIS, AS/400, OS/390, a dozen different databases, etc.)

      Please, not everything in the world that takes place is related to Linux. Give it a rest.

      • "Only in Linux Land. Since when did apt become easier than Windows Update? "

        It really can be. It is very easy to hit Windows Update watch it download and install a few things and think you're OK. At least, this is true for nontechnical users. For a new install of Windows 2000 or 98, it will be necessary to hit Update several times. Once to get the current service pack (reboot) then it's time to get the Critical security patches. Ooops, one of them has a run-time dependency so we have reboot again to get the last critical update. Now we have to get IE's service pack (reboot) and the fixes since the update came out (reboot). One can count on at least four reboots for 98 and probably three for 2000. I wouldn't be surprised if XP takes at least two visit Update and reboot cycles. What's so fricken easy about that? On Debian machines it apt-get update, apt-get upgrade, answer some easy questions, and done. Only kernel updates necessitate rebooting. Any admin who thinks that is difficult is too dangerous to expose machines to the net.

        "Please, not everything in the world that takes place is related to Linux. Give it a rest."

        Agreed, but admit Windows ease-of-use isn't what it's cracked up to be. Many Windows cheerleaders trumpet how "easy" Windows is but when issues are pointed out say "but that doesn't happen if you know what you're doing" thus kicking the legs out from under their "easy" argument. A properly adminned Windows no easier or harder to deal than Linux or one of the BSDs. It IS much easier to mismange Windows since it papers over necessary details with pretty buttons and wizards.
    • Comment removed based on user account deletion
    • 99.4% of all breakins are caused by known, unpatched vulnerabilities

      I thought that was the percentage of statistics that are made up on the spot.
      Quite a coincidence, really.
  • First of all, who decides what a break-in is? If somebody can access the data who is to say that the admin didn't want it that way? If the admin wanted it accessable, he shouldn't have to report every access to it.

    How about for break-ins that the admin didn't know happened? I can't imagine that this law would require reporting of something you don't know about. Any admin could feign ignorance of something to avoid reporting.

    Who is going to care if stuff isn't reported? If you don't report something, who is going to sue you? I can see a new type of hacker: "I broke in but you didn't report it, so now you owe me One Million Dollars (bwah hah hah)."

    What would the purpose of this law be anyway? For law enforcement to gather data? I didn't read the article or text of the law, so maybe some of my concerns are addressed. I don't see how it would ever work given the Slashdot writeup.

    • Ah, I read the article, it is for computer-security breaches in which confidential information may have been compromised. That makes a bit more sense. Now I know who you have to notify and why.

      You have to notify those who's information may have been leaked. If you don't and they find out later, they will be the ones that care and can sue you.

    • Playing ignorant with law enforcment and the legal eagles is a dangerous path to take. I wouldn't advise anyone on it. They have much more time to screw with you than you do with them, and they play hardball. Not to mention they have the final word.

      A break in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, then someone publicly access it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of todays prima donna admins don't grasp.
  • by island_earth ( 468577 ) on Wednesday November 13, 2002 @04:02PM (#4663099)

    From the article:

    California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.

    This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.

    A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.

    Seems like a good law to me.

  • by nystul555 ( 579614 ) on Wednesday November 13, 2002 @04:03PM (#4663102)
    I would have to say that this COULD be a good thing. It could provide incentive for companies to tighten security. And most importantly, in my mind, I would want to know as soon as possible if an information with my SSN, credit card numbers, etc had been hacked, so that I could keep a closer eye on my accounts and be ready to provide information to law enforcement and the credit agencies should my identity be stolen.

    Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.

    But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.
  • by sdowney ( 447548 ) on Wednesday November 13, 2002 @04:03PM (#4663103)
    "[The law] mandates public disclosure of computer-security breaches
    in which confidential information may have been compromised."

    So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.

    I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.

    • > I don't see the problem with this.

      The problem is with public disclosure rather than notification of those affected. If I have five customers for my consulting service (a sole proprietorship) and a break-in exposes the confidential data of one of them why do I have to tell the world?
  • Excellent. Since companies will now fear losing their reputation, perhaps they will put more thought into the operating systems they choose for keeping customer information.

    Up until now many companies don't seem to care that they use insecure MS products to store information since it didn't really matter to them if their customer's privacy was being violated. If this now affects the company's reputation, you bet they will care!
  • by Otter ( 3800 ) on Wednesday November 13, 2002 @04:04PM (#4663118) Journal
    Note that this legislation "mandates public disclosure of computer-security breaches in which confidential information may have been compromised". It doesn't mean that any web server that gets owned has to be publically reported.

    Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.

  • by Waab ( 620192 ) on Wednesday November 13, 2002 @04:05PM (#4663121) Homepage

    Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.

    According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker refered to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.

    In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"

  • by kawika ( 87069 ) on Wednesday November 13, 2002 @04:05PM (#4663123)
    >> The only loophole is if there is an ongoing investigation

    I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.
  • IMHO small businesses can be just as shady, if not MORE shady than large businesses. There are fewer chefs in the kitchen, so to speak.

    IMHO this is a good law. Businesses have a responsibility to keep confidential information confidential and failing to do so may be considered negligence. Obviously, "negligence" is subjective.

    Your point about the law not requireing specific details about the type of breach is well taken.

  • Mom and Pop (Score:3, Insightful)

    by geek ( 5680 ) on Wednesday November 13, 2002 @04:05PM (#4663127)
    Mom and Pop shops will be hurt by this. Notice this targets small busniess who probably run free software to reduce costs. Large companies can handle this, even find ways around it.

    I agree with it to an extent. I have a feeling breakins are far more common than any of us truely know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.

    On the upside this law will help the IT industry since it'll create more IT jobs for network/security auiditing etc.

    I hate to see goverment medle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.
  • by gnovos ( 447128 ) <gnovos@nospAm.chipped.net> on Wednesday November 13, 2002 @04:05PM (#4663130) Homepage Journal
    "Breaking in" is an inherant part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, becuase technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security all together becuase the less they "know" about the break ins on thier own site, the less they have to report?
    • It would be a stretch to claim that confidential materials are compromised when the "break-in" was performed by staff (consultants, whatever) who are authorized to do so.
    • Would this law require that network security companies announce when they find a client's systems vulnerable, becuase technically it is a "break in"?

      Given that such auditing is either done by authorized internal personnel (I do this for my company), or by authorized external personnel (generally under a pretty draconian NDA), I don't think any confidential material is accessed without authorization. Whether the admin authorized it is besides the point; the directors of the corporation did, and that's what matters.

  • If this was a law requiring companies to keep break-ins confidential you'd be bitching about that saying that these things should be made public knowledge!
  • So now the hackers have a new trophy to go for. Their bragging rites will be "How many investigations failed to find you" Seems to offer the same kind of trophy for virus writers in regards to the virus rating schemes that some anti-virus vendor use.
  • by Duderstadt ( 549997 ) on Wednesday November 13, 2002 @04:08PM (#4663164)
    I support the general idea of informing people theat their supposedly confidential or private information has been leaked or stolen.

    Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.

    However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?

    Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.

    Of course, if the goverment really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.

  • I'll investigate any break in or security breach for ten bucks a day. The following terms and conditions may apply:

    Minimum length of investigation: 20 years
    No more than 1 byte processed per day.
    Results cost extra.

    How about it? For a little over $3000 a year, you'll never have your reputation damaged by a hacker again.

  • by teamhasnoi ( 554944 ) <teamhasnoi@yahoo. c o m> on Wednesday November 13, 2002 @04:14PM (#4663214) Journal
    If I look at logs every other day? If I run Zone Alarm? Look at the screen with a magnifying glass? If I hang out on IRC and talk to script kiddies? An email to Steve Gibson? Call Encyclopedia Brown? Invite the Hardy Boys over (or Nancy Drew...grrrrr;)? Ask the kids? Call the cops weekly? Write my congressman? Watch Mystery Science Theatre 3000? Type 'Hacker +"My Computer"' in Google? Dust for prints? Listen to Prince? Buy a fedora? Tape the X-Files? Eat a unidentified mushroom? Hang out near the computer books at Barnes & Noble? Watch '20/20'? Puzzle over a "Where's Waldo" Sunday comic? Post to alt.are.you.hacking.me? Hide some X10 cameras in my floppy drive? Respond to "FIND OUT ANYTHING ABOUT ANYONE!!!!!!!" spam? Read the label? Check behind me occasionally? Smelling my shirt to see if it's clean? Submit an Ask Slashdot?

    Sounds like I could have an 'ongoing investigation' for the rest of my life.

  • <Quote>

    Small businesses that don't have the resources to maintain an investigation will have their reputations ruined

    </Quote>

    I'm sorry, but if the choice is between their reputation and not knowing that some joker out there can steal my hard-earned cash at a moment's notice because he has my credit card information, I think I'd choose wrecking their reputation.

  • by ethereal ( 13958 ) on Wednesday November 13, 2002 @04:16PM (#4663238) Journal

    First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.

    Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.

    The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.

    And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.

  • ``This is not good''
    And ``see no evil, hear no evil, speak no evil'' is?

    Break-ins are a reality. It happens. IMO it's better to be open about it. If I were a customer of a company whose network got cracked, I would rather know that it happened and what measures are being taken to prevent this in the future than to be told nothing and later find out by different means (possibly painful).

    Openness could also result in a better understanding of what software/people/practices lead to lower or higher risks of break-in, and improve security accross the board.

    I also disagree that this law favors large businesses. Small businesses can carry out investigations just as well, and even investigations carried out by large companies come to an end, after which the break-in has to be disclosed. Bogus investigations aren't harmed by disclosure, so that's not a real option. Wealthy corporations _do_ mess with laws to the detriment of small businesses in Real Life, but I don't see this law making it much worse.
  • by limekiller4 ( 451497 ) on Wednesday November 13, 2002 @04:24PM (#4663304) Homepage
    On one hand you have lawmakers calling hackers 'thugs' and 'criminals' because -- and this is generally after months of reporting the problem to, say, Microsoft -- they notify the public that there is a security hole.

    NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?

    Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.
    • > NOW they're going to make it illegal to not
      > notify the public. Is telling the world about a
      > security breach irresponsible or isn't it?

      But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this:

      "There was a break-in at Amazon some time in the
      last two weeks. Some customer data may have
      been compromised."

      • John Hasler writes:
        But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this: "There was a break-in at Amazon some time in the last two weeks. Some customer data may have been compromised."

        If it is that vague, what is the difference between forcing the people running the software to admit there was a break-in and forcing those who created the software from admitting there was a breach in their product? Why not require software manufacturers to release known security holes? That's closer to the root than this initiative is.

        If you take the position that the admin should have secured the software, how do you know that? The information is sufficiently vague as to leave the culpability an unknown variable.

        The end-result is "Some Company, Inc. was broken into and data was compromised," which looks terrible for Some Company, but you won't hear "...because of an unpatched and unacknowledged bug in Win2k that the admin couldn't either know or do anything about" because revealing the exploit is illegal, or at least professionally dangerous.

        Look, I'm not flaming you and I'm VERY big on letting people know when their data has been compromised but why does the fan poop only get as far as the victim? That just seems inherently unfair unless the blame does turn out to be theirs.
        • > If it is that vague, what is the difference
          > between forcing the people running the software
          > to admit there was a break-in and forcing those
          > who created the software from admitting there
          > was a breach in their product?

          None. Neither would do a damn thing but complicate the lives of those required to comply. That's why I oppose such laws.

          > That just seems inherently unfair unless the
          > blame does turn out to be theirs.

          The blame _is_ theirs. They selected the software, they put up the site, they administered it, and they put the confidential data on it. They may have a claim against their software supplier if he misled them, but that does not lessen their liability for their own actions.
  • by nege ( 263655 ) on Wednesday November 13, 2002 @04:25PM (#4663311) Journal
    Microsoft.

    0 break-ins reported, 7,435 break-ins currently being investigated.
  • the article doesn't mention ...where a break-in occurs because of a(n) ... issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible...).

    So companies/whatever which can't be bpthered to patch their holes get a buy? I don't think so.
  • AppAssure lets you watch your data center 24 x 7,
    even when you're not there. More Info [slashdot.org]
  • Laws like these will force companies away from overly insecure Microsoft products and force them to actually care about security. With a more concerted effort towards IT security, our personal data will become safer, and alot of high paying security and Linux related jobs should open up. Why would anyone here complain?
  • Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them.

    No, because

    The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.

    Emphasis added.

  • by extremecenter ( 620934 ) on Wednesday November 13, 2002 @05:17PM (#4663815)
    So if Ca. Congresscritter Berman's cyber vigilante bill passes, there will be a surefire method of dealing with pesky business competitors: attack their systems on the pretext that they might have some of your copyrighted data. If they report the breakin, they'll get bad publicity. If they don't report it, have your lawyers point out that fact to the appropriate authorites and they get busted for not reporting the breakin, also generating bad publicity for them. On the upside, this looks like a full-employment bill for security types.


  • Take that, US Gov!
  • Big corporations will have an internal investigation department and thrus never reveal nothing...

    Small corporations will simply classify the event as "computer malfunction" and reinstall all the software and document the event as such...

    In the end, California will be the only place in the world where there isn't any break in at all... at least reported publicly...

    Cheers...
  • Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

    It's almost never in the public's best interest to hide vulnerabilities from them, even if there's no solution. If one person has exploited one system, there are almost certainly other victims and the numbers will almost certainly continue to grow. Most are probably undetected.

    Even if there is no fix out there, it gives people the option to reevaluate the need to run the system, and also consider switching solutions/vendors. The "bad guys" are going to know if you say somethign or not, while telling all of the innocent bystanders lets at least some of them protect themselves.

  • Misleading (Score:4, Informative)

    by krangomatik ( 535373 ) <rfujikawa@@@yahoo...com> on Wednesday November 13, 2002 @06:14PM (#4664302)
    After reading the text of SB1386 (the Bill referenced in this article) I think the Slashdot blurb on this was a bit misleading. California isn't demanding "Public Disclosure Of Break-Ins." This makes it sound like whenever there is a break in it must be disclosed. This isn't really the case. Notifications only have to take place when the following criteria is met: "personal information" means an
    individual's first name or first initial and last name in combination
    with any one or more of the following data elements, when either the
    name or the data elements are not encrypted:
    (1) Social security number.
    (2) Driver's license number or California Identification Card
    number.
    (3) Account number, credit or debit card number, in combination
    with any required security code, access code, or password that would
    permit access to an individual's financial account.
    (f) For purposes of this section, "personal information" does not
    include publicly available information that is lawfully made
    available to the general public from federal, state, or local
    government records.


    As for this "investigation" loophole this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a
    law enforcement agency determines that the notification will impede a
    criminal investigation."
    So I'm not sure how big of a "loophole" this is.

    As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people who's information was compromised to be notified. Here is the section on notification:
    (g) For purposes of this section, "notice" may be provided by one
    of the following methods:
    (1) Written notice.
    (2) Electronic notice, if the notice provided is consistent with
    the provisions regarding electronic records and signatures set forth
    in Section 7001 of Title 15 of the United States Code.
    (3) Substitute notice, if the agency demonstrates that the cost of
    providing notice would exceed two hundred fifty thousand dollars
    ($250,000), or that the affected class of subject persons to be
    notified exceeds 500,000, or the agency does not have sufficient
    contact information. Substitute notice shall consist of all of the
    following:
    (A) E-mail notice when the agency has an e-mail address for the
    subject persons.
    (B) Conspicuous posting of the notice on the agency's Web site
    page, if the agency maintains one.
    (C) Notification to major statewide media.
    (h) Notwithstanding subdivision (g), an agency that maintains its
    own notification procedures as part of an information security policy
    for the treatment of personal information and is otherwise
    consistent with the timing requirements of this part shall be deemed
    to be in compliance with the notification requirements of this
    section if it notifies subject persons in accordance with its
    policies in the event of a breach of security of the system.

    So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people who's info got out, which seems reasonable to me.
  • by djfatbody ( 140917 ) on Wednesday November 13, 2002 @06:31PM (#4664452)
    Consider the recent RedHat patch that boiled down to "you should run this patch but we can't tell you why" and the lawsuits where large software giants have threatened lawsuits because possible exploits were released before they the company was notified and allowed to investigate internally. Is it possible that a company may disclose the details of its incident and end up in violation of the DCMA or their EULA's?
  • > Also, the article doesn't mention the contingency
    > where a break-in occurs because of a
    > software/hardware issue for which there is no
    > released technical solution (i.e. anyone else who
    > has software X would be susceptible to the same
    > type of break-in). This is not good."

    If "software X" (e.g., IIS) is broken quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customer's confidential information.
  • Does the company have to be incorporated in CA, have offices there, or just their servers? Also, does the break in have to happen in California, or do they have to report it if the CA companies datacenter in New York gets hacked?
  • It may be too much to ask that people submitting items that reference published articles read the articles first. But, as often seems to happen, the Slashdot "editors" didn't read the article either. This isn't going to improve their job prospects after VA Linux/Software/Burgers/whatever finally tanks..

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...