CA Law Demands Public Disclosure Of Break-Ins
AuntieMisha writes "BusinessWeek has an article about a new California law passed that
requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO, big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."
Yay, verily (Score:5, Insightful)
Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.
Re:Yay, verily (Score:1, Informative)
Re:Yay, verily (Score:3, Insightful)
That is more damaging to their reputation than any hack attack.
Re:Yay, verily (Score:2)
as not secure enough for someone to trust them
with sensitive info. Sensible enough; and even
if it weren't, the public will hype themselves
into believing it is.
Would you want them to keep it quiet if your
bank got broken into?
Re:Yay, verily (Score:3, Funny)
Heck, even some spammers do it. Look at this choice piece from buystainlessonline, it's hilarious:
Seems like some net vigilante typed 'or 1=1-- or something of that ilk into the spammer's remove link, or whatever...
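The `' or 1=1--` trick the post above refers to, as an added example that is not code from the original post or from any real mailing-list software: a constructed in-memory subscriber table with a remove-link handler that pastes the link's parameter straight into the SQL text, beside the same handler using a bound parameter. The table, the addresses and the handler names are made up for the demonstration.

```python
import sqlite3

# Constructed sample data; not a real mailing list.
SUBSCRIBERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def make_db():
    """Fresh in-memory table so each call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (email TEXT PRIMARY KEY, active INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO subscribers VALUES (?, 1)", [(e,) for e in SUBSCRIBERS])
    conn.commit()
    return conn


def active_count(conn):
    """Number of subscribers still marked active."""
    return conn.execute("SELECT COUNT(*) FROM subscribers WHERE active = 1").fetchone()[0]


def unsubscribe_vulnerable(conn, email):
    """Remove-link handler that concatenates the address into the SQL text.

    With email = "' or 1=1--" the statement sent to the database becomes
        UPDATE subscribers SET active = 0 WHERE email = '' or 1=1--'
    The closing quote is swallowed by the -- comment, the WHERE clause is
    always true, and every subscriber is deactivated in one request.
    """
    sql = "UPDATE subscribers SET active = 0 WHERE email = '" + email + "'"
    conn.execute(sql)
    conn.commit()
    return active_count(conn)


def unsubscribe_safe(conn, email):
    """Same handler with a bound parameter: the address is data, never SQL."""
    conn.execute("UPDATE subscribers SET active = 0 WHERE email = ?", (email,))
    conn.commit()
    return active_count(conn)


if __name__ == "__main__":
    payload = "' or 1=1--"
    print("vulnerable, payload :", unsubscribe_vulnerable(make_db(), payload), "still active")
    print("safe, payload       :", unsubscribe_safe(make_db(), payload), "still active")
    print("safe, real address  :", unsubscribe_safe(make_db(), "bob@example.com"), "still active")
```

The parameterized version does not reject the payload; it simply looks for a subscriber literally named `' or 1=1--`, finds none, and changes nothing. That is the point: escaping is not the fix, keeping user input out of the query text is.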
Re:Yay, verily (Score:2)
Did anyone else read this and think the author had Turrets?
Re:Yay, verily (Score:2)
Re:Yay, verily (Score:2, Funny)
Computer security breaches are hardly similar to other issues of public safety. Announcing that a breach has occurred when there is no viable solution to keep it from happening again (either to the same company or other companies using the same software) would put the public's safety at an even greater risk.
If it involves any of my personal data, then I would rather them keep their mouths shut for damage control until there is a solution to the original problem.
It is sort of a catch-22 though. Other companies using the same software would be unaware of the vulnerability until a solution to the problem is found by that one company (which could potentially be slower than if many companies were looking for a fix). Maybe what we need is a *trusted* network (not in the ether sense of the word) where vulnerabilities could be posted without getting the word out to the people that would use this information maliciously.
Re:Yay, verily (Score:2)
Would you really prefer that they don't tell you that your credit card details have been stolen until they have patched their web server?
Re:Yay, verily (Score:2, Insightful)
Not to mention the healthy effect of getting companies to actually pay some attention to security, or face at least some bad publicity if they don't.
You want the truth? (Score:2, Insightful)
Every day I stand on my wall watching for intruders and protecting my web servers. Web logs indicate that my servers survive a constant barrage of attacks.
Most attacks fail; however, every once in a while some lucky script kiddy or spammer finds a chink in the armour.
Where do you draw the line on what needs to be reported? Last week a spammer found a poorly configured formmail.pl script on one of my servers and used it to send their spam.
If the law allows judgement calls where a company is only required to report serious breaches then a company would try to have everything classified as trivial.
On the other hand if a company is required to report every possible breach then the company might try to flood the public with a bunch of trivial information like a formmail script that was abused for a few hours, and then try to bury a serious problem inside the noise.
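The formmail.pl abuse and the "constant barrage" in the web logs described above, as an added example that is not code from the original post: a small scanner over constructed Apache combined-format log lines that flags FormMail requests whose recipient is outside the site's own domain (the open-relay pattern the poster describes) and the usual probe paths, then tallies them per source IP so the handful of real compromises can be told apart from the noise the poster worries about. The log lines, IP addresses, status codes and the allowed-domain set are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: this server's form handler should only ever mail local addresses.
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}

# Constructed lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jul/2002:03:14:07 +0000] "GET /index.html HTTP/1.0" 200 2301 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2002:03:14:09 +0000] "GET /cgi-bin/formmail.pl?recipient=bulk1%40mail.invalid&subject=Hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2002:03:14:10 +0000] "GET /cgi-bin/formmail.pl?recipient=bulk2%40mail.invalid&subject=Hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Jul/2002:03:15:00 +0000] "GET /cgi-bin/formmail.pl?recipient=sales%40example.com&subject=Quote HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.99 - - [10/Jul/2002:03:16:22 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.99 - - [10/Jul/2002:03:16:23 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 210 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths no legitimate visitor asks for: directory traversal, cmd.exe, /etc/passwd.
PROBE_RE = re.compile(r"cmd\.exe|/etc/passwd|\.\./", re.IGNORECASE)

CATEGORIES = ("formmail-relay", "probe-success", "probe-attempt", "normal")


def classify(line):
    """Return (ip, category, detail) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, status = m.group("ip"), int(m.group("status"))
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    if path.lower().endswith("formmail.pl"):
        # FormMail takes the destination from the request itself; any recipient
        # outside our own domain means the script is being used as a spam relay.
        for addr in parse_qs(parts.query).get("recipient", []):
            domain = addr.rpartition("@")[2].lower()
            if domain not in ALLOWED_RECIPIENT_DOMAINS:
                return ip, "formmail-relay", addr
    if PROBE_RE.search(path):
        # A probe that got a 2xx/3xx answer deserves a look; a 404 is just noise.
        return ip, "probe-success" if status < 400 else "probe-attempt", path
    return ip, "normal", path


def scan(lines):
    """Count hits per source IP in each category."""
    report = {c: Counter() for c in CATEGORIES}
    for line in lines:
        hit = classify(line)
        if hit:
            ip, category, _ = hit
            report[category][ip] += 1
    return report


if __name__ == "__main__":
    for category, ips in scan(SAMPLE_LOG.splitlines()).items():
        for ip, n in ips.most_common():
            print(f"{category:15} {ip:15} {n}")
```

Access logs do not record POST bodies, so a relay abuser who POSTs the recipient field shows up only as a burst of formmail.pl hits from one address; the per-IP tally still surfaces that. The split between "probe-attempt" and "probe-success" is the poster's reporting line drawn in code: hundreds of 404s against cmd.exe are background noise, a 200 against the same path is the thing that needs investigating.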
Sure, scare the bejezus out of the llama cash cows (Score:3, Funny)
I find out that my #1 favorite stock I dumped thousands into on the advice of my dentist has recently fallen victim to an 11-year-old IRC junkie.
Do I:
a. invest more money in my company, showing appreciation for the company's candor.
b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noting the fact that no real damage was done.
c. put a humming bird to shame frantically clicking the refresh button on IE6, neurotically waiting for the stock to move a tick up or down.
d. scream "SELL SELL SELL" into my cellphone while barely avoiding a head-on collision in my SUV.
e. dump all of my money into precious metals and move to an obscure island nation in preparation for the inevitable global economic collapse.
and.... pencils down.
Re:Sure, scare the bejezus out of the llama cash c (Score:2)
2. Exploit MS security holes
3. Disclose information about the break-in
4. ???
5. Profit!
May I be excused, now?
Re:Sure, scare the bejezus out of the llama cash c (Score:2, Funny)
2. Exploit MS security holes
3. Short MSFT
4. Disclose information about the break-in
5. Profit!
Loophole (Score:1, Interesting)
Wouldn't want those wacky hackers to know that people were on to them and actually investigating the crime! Who makes that decision? Chief Moose?
Re:Loophole (Score:3, Funny)
"I'd rather let a thousand criminals go than chase after them..."
There will be no more break-ins (Score:1, Insightful)
But how do you enforce this? (Score:5, Interesting)
Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)
Re:But how do you enforce this? (Score:3, Insightful)
Re:But how do you enforce this? (Score:2)
Actually, I've got all three. What does that mean?
Re:But how do you enforce this? (Score:2)
Pay me 1 million not release your new product specs to your competition. Or you could pay me 1.5 mill to not anonymously report the break in. For the low low price of 2 mill, you get to keep your trade secrets AND the fact that they were stolen. Act now! Crackers are standing by!
Re:But how do you enforce this? (Score:5, Funny)
From the article...
They (the CA government) don't need to audit or enforce anything. It is self-enforcing for those businesses that feel they may be sued and have to pay monetary payments for NOT reporting the incident. If a given company doesn't feel it can be successfully sued due to the incident then there probably wouldn't be a public reporting of it.
It's just a CYA that would have to be handled on a case by case basis for each company and wouldn't be enforced by auditors and the like.
Re:But how do you enforce this? (Score:2)
Maybe because the hacker himself might have reported it to zone-h [zone-h.org]?
Sounds good to me... (Score:3, Funny)
Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.
Re:Sounds good to me... (Score:3, Funny)
The bigger picture (Score:4, Insightful)
All in all, they have an obligation to tell the world, not just for their current customers, but to let potential future customers aware of the situation so that they can make sound, informed financial decisions.
Re:The bigger picture (Score:5, Funny)
that won't help me if Bob Hacker over here can make it look like I never invested in the first place
For some of us, this could be a very good thing!
Re:The bigger picture (Score:2)
Why? (Score:2, Interesting)
Re:Why? (Score:2)
Because. (Score:2)
If the video store is broken into, and someone steals some tapes, I don't care.
If their database of customers and credit card info, identification, lending habits, etcetera, is stolen, I want to know about it.
How is this not good. (Score:5, Insightful)
Oh thats really useful (Score:3, Insightful)
So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.
Why is it that when people go into politics they suddenly become stupid?
Stupid... (Score:2, Insightful)
So, it sails through committee, the floor, the other house because John and Joe Legislator want to be on record (and show in their newsletters) that they are doing something(tm) about that internet id theft.
After it's on the books, people look at it and realize that it is unclear, misguided, and not enforceable, but that wasn't the ultimate purpose was it? Plus fixing it or adding more practical legislation gives Joe, John, and Jane something to do next year.
Misread (Score:4, Funny)
oh, right, California...
CA is far more influential than MS (Score:2)
Con game (Score:1)
why not ? It is a good idea (Score:2, Interesting)
Special clauses must mention that when sensitive information is compromised (trade secrets, credit card numbers, etc) customers should be notified IMMEDIATELY, barring a judge authorizing a delay of that to protect an investigation for justified, specific reasons - ie no blank checks should be given for non-disclosure.
Re:why not ? It is a good idea (Score:2)
It's about time (Score:5, Insightful)
It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.
In fact, why is it that Slashdot seems to think of any attempt to introduce order through legislation as a bad thing? Get a grip already. This isn't your 'internet', it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
Re:It's about time (Score:2, Insightful)
1) You know publicity about your break-ins will cost you reputation.
2) You know that there really isn't any way to 100% secure your site from every niggling little security hole, no matter how much money you spend.
What's stopping you from dumping your ENTIRE network security department and never actually going out and looking for breakins ever.
If you never SEE a break-in, you can't be obliged to report it, right?
There's no accounting for taste, (Score:2)
This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
I say, bullshit. The net is mostly built on public right of way. That makes it mine, yours too unfortunately. The order of slavery is enforced by brute repression. In any case, the net will be worthless without mass participation or it becomes a one way push fest like TV or something. Oh yeah, we own the airwaves too, I keep forgetting that.
Eggplant man, does that mean "eat me"?
On the contrary, this is a Good Thing(tm) (Score:3, Insightful)
Re:On the contrary, this is a Good Thing(tm) (Score:2, Insightful)
IIS has the biggest market share on web servers? Since when? According to every statistic I've seen, Apache has the biggest market share.
Also, your line of events ending in everyone adopting Linux and ditching NT is highly unlikely. Most of the NT boxes I've seen are run by morons - morons work cheap(er).
Re:On the contrary, this is a Good Thing(tm) (Score:2)
Re:On the contrary, this is a Good Thing(tm) (Score:2)
Points 1, 3, and 5 are all good. Points 2 and 4, however, weaken your argument substantially. Since when do laws exist to arbitrarily punish Microsoft and benefit Debian?
Could have the opposite effect.. (Score:4, Interesting)
Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.
Re:On the contrary, this is a Good Thing(tm) (Score:2)
I like your thinking, but your logic is screwed up. Since everyone, everyone intelligent enough to consider switching to Linux, knows that IIS is the market leader, they'll just chalk up the large number of break-ins on IIS to their market share. At least that's how your logic makes it sound. Plus with that logic, Apache would be reporting the most break-ins of all!
Re:On the contrary, this is a Good Thing(tm) (Score:3, Insightful)
Agreed. If a program is a security liability, they need to either fix it or replace it. Electronic deadwood does no-one any good, no matter how pretty it is.
This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.
It depends on how smart and flexible MS is. They've finally been catching onto doing networking the smart way and if they start getting revealed as insecure as they actually are, they may just fix themselves, and rake in the public attention, while the open source community whacks themselves on the forehead saying, "BUT WE'VE BEEN DOING IT THAT WAY, FOR FREE FOR YEARS!" Never underestimate MS's spin doctors or the public's gullibility.
This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).
I like the concept of IT staff's importance about to take a big step up. Maybe I'll actually be able to get a job when I stop doing this shit for the Army, instead of fighting some kid for a tech support job or some crap like that.
Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
Speaking as an Army Sys-Admin, I can tell you that most of our users are too tech-stupid to use Linux, no matter how ridiculously easy the distro is. Windows will stay entrenched in the military. Other government sections may be smart enough to swap out to Linux, but the Army won't. We just don't have enough people that can find the "any" key.
all in all, the IT crowd and the public at large wins with this new law. slap an S or HR on it with a couple of numbers and I'll vote for whoever in Congress sponsors it.
Get your facts straight (Score:2, Interesting)
What? Since when did IIS overtake Apache in web server market share?
This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).
Never opened a small business, eh? Let me enlighten you. Most small businesses (under 50 employees) are sole proprietorships or partnerships started by either a single person or a small group of individuals with limited resources.
These shops use MS Windows and IIS for the following reasons:
1: It is similar to the machine used at home. For someone who has used Win9x or NTx Workstation, Windows Servers are pretty easy to get started with.
2: Most of the services (file sharing, email, web) are free as in beer with Windows.
3: It is pretty easy to set up a decent site with Front Page.
Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
Only in Linux Land. Since when did apt become easier than Windows Update?
Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
Wrong again. I have contracted for the Fed and much of their critical stuff not only runs on MS, it is secure as all hell. In fact, the biggest vulnerability in the gov't systems I have seen has been the fact that several different platforms and apps are in use - a network admin's nightmare. (e.g. MS Windows of all vintages, SOLARIS, AS/400, OS/390, a dozen different databases, etc.)
Please, not everything in the world that takes place is related to Linux. Give it a rest.
Re:Get your facts straight (Score:2)
It really can be. It is very easy to hit Windows Update, watch it download and install a few things and think you're OK. At least, this is true for nontechnical users. For a new install of Windows 2000 or 98, it will be necessary to hit Update several times. Once to get the current service pack (reboot), then it's time to get the Critical security patches. Ooops, one of them has a run-time dependency so we have to reboot again to get the last critical update. Now we have to get IE's service pack (reboot) and the fixes since the update came out (reboot). One can count on at least four reboots for 98 and probably three for 2000. I wouldn't be surprised if XP takes at least two visit-Update-and-reboot cycles. What's so fricken easy about that? On Debian machines it's apt-get update, apt-get upgrade, answer some easy questions, and done. Only kernel updates necessitate rebooting. Any admin who thinks that is difficult is too dangerous to expose machines to the net.
"Please, not everything in the world that takes place is related to Linux. Give it a rest."
Agreed, but admit Windows ease-of-use isn't what it's cracked up to be. Many Windows cheerleaders trumpet how "easy" Windows is but when issues are pointed out say "but that doesn't happen if you know what you're doing", thus kicking the legs out from under their "easy" argument. A properly adminned Windows is no easier or harder to deal with than Linux or one of the BSDs. It IS much easier to mismanage Windows since it papers over necessary details with pretty buttons and wizards.
Re: (Score:2)
Re:On the contrary, this is a Good Thing(tm) (Score:2)
I thought that was the percentage of statistics that are made up on the spot.
Quite a coincidence, really.
I don't see how this would be enforceable (Score:2, Interesting)
How about for break-ins that the admin didn't know happened? I can't imagine that this law would require reporting of something you don't know about. Any admin could feign ignorance of something to avoid reporting.
Who is going to care if stuff isn't reported? If you don't report something, who is going to sue you? I can see a new type of hacker: "I broke in but you didn't report it, so now you owe me One Million Dollars (bwah hah hah)."
What would the purpose of this law be anyway? For law enforcement to gather data? I didn't read the article or text of the law, so maybe some of my concerns are addressed. I don't see how it would ever work given the Slashdot writeup.
Re:I don't see how this would be enforceable (Score:2)
You have to notify those whose information may have been leaked. If you don't and they find out later, they will be the ones that care and can sue you.
Be very careful, i.e. slippery slope (Score:3, Insightful)
A break-in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, then someone publicly accesses it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of today's prima donna admins don't grasp.
Re:Be very careful, i.e. slippery slope (Score:2)
Re:Be very careful, i.e. slippery slope (Score:2)
Hello? It's only when confidential info is leaked. (Score:5, Insightful)
From the article:
California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.
This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.
A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.
Seems like a good law to me.
Re:Hello? It's only when confidential info is leak (Score:2)
If applied correctly, this could be a good thing. (Score:4, Insightful)
Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.
But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.
Not all cyber break ins (Score:3, Informative)
So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.
I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.
Re:Not all cyber break ins (Score:2)
The problem is with public disclosure rather than notification of those affected. If I have five customers for my consulting service (a sole proprietorship) and a break-in exposes the confidential data of one of them why do I have to tell the world?
This is a good thing (Score:2)
Up until now many companies don't seem to care that they use insecure MS products to store information since it didn't really matter to them if their customer's privacy was being violated. If this now affects the company's reputation, you bet they will care!
Some crucial missing words... (Score:5, Informative)
Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.
Re:Some crucial missing words... (Score:2)
I can think of better laws than this, but they are vastly outnumbered by those which are worse.
I can see it now... (Score:3, Funny)
Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.
According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker referred to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.
In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"
New business opportunity (Score:4, Funny)
I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.
Small vs. Large (Score:1)
IMHO this is a good law. Businesses have a responsibility to keep confidential information confidential and failing to do so may be considered negligence. Obviously, "negligence" is subjective.
Your point about the law not requiring specific details about the type of breach is well taken.
Mom and Pop (Score:3, Insightful)
I agree with it to an extent. I have a feeling break-ins are far more common than any of us truly know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.
On the upside this law will help the IT industry since it'll create more IT jobs for network/security auditing etc.
I hate to see government meddle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.
How about security auditing? (Score:3, Interesting)
Re:How about security auditing? (Score:2, Informative)
Re:How about security auditing? (Score:2)
Given that such auditing is either done by authorized internal personnel (I do this for my company), or by authorized external personnel (generally under a pretty draconian NDA), I don't think any confidential material is accessed without authorization. Whether the admin authorized it is beside the point; the directors of the corporation did, and that's what matters.
Whatever!!! (Score:1)
Hacker Trophy (Score:1)
A good start, but flawed (Score:3, Interesting)
Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.
However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?
Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.
Of course, if the government really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.
Need an investigation done? (Score:1)
Minimum length of investigation: 20 years
No more than 1 byte processed per day.
Results cost extra.
How about it? For a little over $3000 a year, you'll never have your reputation damaged by a hacker again.
What constitutes an investigation? (Score:3, Interesting)
Sounds like I could have an 'ongoing investigation' for the rest of my life.
Why is their reputation that important? (Score:2, Interesting)
<Quote>
Small businesses that don't have the resources to maintain an investigation will have their reputations ruined
</Quote>
I'm sorry, but if the choice is between their reputation and not knowing that some joker out there can steal my hard-earned cash at a moment's notice because he has my credit card information, I think I'd choose wrecking their reputation.
Kind of slanted viewpoint, isn't it? (Score:5, Insightful)
First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.
Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.
The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.
And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.
See No Evil (Score:2)
And ``see no evil, hear no evil, speak no evil'' is?
Break-ins are a reality. It happens. IMO it's better to be open about it. If I were a customer of a company whose network got cracked, I would rather know that it happened and what measures are being taken to prevent this in the future than to be told nothing and later find out by different means (possibly painful).
Openness could also result in a better understanding of what software/people/practices lead to lower or higher risks of break-in, and improve security across the board.
I also disagree that this law favors large businesses. Small businesses can carry out investigations just as well, and even investigations carried out by large companies come to an end, after which the break-in has to be disclosed. Bogus investigations aren't harmed by disclosure, so that's not a real option. Wealthy corporations _do_ mess with laws to the detriment of small businesses in Real Life, but I don't see this law making it much worse.
Lawmaker Cluelessness and Double-Standard (Score:4, Funny)
NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?
Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.
Re:Lawmaker Cluelessness and Double-Standard (Score:2)
> notify the public. Is telling the world about a
> security breach irresponsible or isn't it?
But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this:
"There was a break-in at Amazon some time in the
last two weeks. Some customer data may have
been compromised."
Re:Lawmaker Cluelessness and Double-Standard (Score:2)
But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this: "There was a break-in at Amazon some time in the last two weeks. Some customer data may have been compromised."
If it is that vague, what is the difference between forcing the people running the software to admit there was a break-in and forcing those who created the software to admit there was a breach in their product? Why not require software manufacturers to release known security holes? That's closer to the root than this initiative is.
If you take the position that the admin should have secured the software, how do you know that? The information is sufficiently vague as to leave the culpability an unknown variable.
The end-result is "Some Company, Inc. was broken into and data was compromised," which looks terrible for Some Company, but you won't hear "...because of an unpatched and unacknowledged bug in Win2k that the admin couldn't either know or do anything about" because revealing the exploit is illegal, or at least professionally dangerous.
Look, I'm not flaming you and I'm VERY big on letting people know when their data has been compromised but why does the fan poop only get as far as the victim? That just seems inherently unfair unless the blame does turn out to be theirs.
Re:Lawmaker Cluelessness and Double-Standard (Score:2)
> between forcing the people running the software
> to admit there was a break-in and forcing those
> who created the software from admitting there
> was a breach in their product?
None. Neither would do a damn thing but complicate the lives of those required to comply. That's why I oppose such laws.
> That just seems inherently unfair unless the
> blame does turn out to be theirs.
The blame _is_ theirs. They selected the software, they put up the site, they administered it, and they put the confidential data on it. They may have a claim against their software supplier if he misled them, but that does not lessen their liability for their own actions.
Trolling for Karma (Score:3, Funny)
0 break-ins reported, 7,435 break-ins currently being investigated.
These should be reported. (Score:2)
So companies/whatever which can't be bothered to patch their holes get a bye? I don't think so.
Re:These should be reported. (Score:2)
I was referring to the case where the maker of the software goes weeks or months before producing a patch or even acknowledging the problem. These should be disclosed, as people should not be using this software, long term.
Even the first occurrence should be disclosed. How many "first times" will we permit before expunging wu-ftpd from the planet?
The point this raises is that not all cracks are the admin's fault for not patching - but software choice also is a factor.
Why aren't you at the beach right now? (Score:2)
even when you're not there. More Info [slashdot.org]
Why the complaints? (Score:2)
Loopholes (Score:2)
No, because
> The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.
Emphasis added.
Interactions with Berman cyber-vigilante bill? (Score:4, Funny)
I was hacked by... (Score:2)
Take that, US Gov!
The consequence is simple... (Score:2, Funny)
Small corporations will simply classify the event as "computer malfunction" and reinstall all the software and document the event as such...
In the end, California will be the only place in the world where there isn't any break-in at all... at least reported publicly...
Cheers...
Better than you think (Score:2)
It's almost never in the public's best interest to hide vulnerabilities from them, even if there's no solution. If one person has exploited one system, there are almost certainly other victims and the numbers will almost certainly continue to grow. Most are probably undetected.
Even if there is no fix out there, it gives people the option to reevaluate the need to run the system, and also consider switching solutions/vendors. The "bad guys" are going to know if you say something or not, while telling all of the innocent bystanders lets at least some of them protect themselves.
Misleading (Score:4, Informative)
individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
As for this "investigation" loophole, this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a law enforcement agency determines that the notification will impede a criminal investigation." So I'm not sure how big of a "loophole" this is.
As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people whose information was compromised to be notified. Here is the section on notification:
(g) For purposes of this section, "notice" may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the agency has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the agency's Web site page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people whose info got out, which seems reasonable to me.
DCMA and EULA conflicts??? (Score:4, Insightful)
There IS _Always_ A Technical Solution (Score:2)
> where a break-in occurs because of a
> software/hardware issue for which there is no
> released technical solution (i.e. anyone else who
> has software X would be susceptible to the same
> type of break-in). This is not good."
If "software X" (e.g., IIS) is broken, quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customers' confidential information.
What sets the Jurisdiction? (Score:2)
Please engage mind before putting mouth in gear. (Score:2)