Comments on: By their fruits, ye shall know them

By: Adam

Adam — Mon, 18 Feb 2008 21:05:40 +0000

PHB,
I think that attention to the reasons for bad security and breach notice are intertwined. As we start talking about what’s going wrong and why, we can start to address it better.

By: PHB

PHB — Mon, 18 Feb 2008 19:44:49 +0000

Perhaps before we go into breach notification in even more depth, perhaps a bit of attention to the reasons for bad security.
Yes I know that some companies are just lazy, but many are not and many of them have breaches as well.
I have been looking at the usability of some well known security applications and the picture is not at all pretty.
I can set ACLs to set up a database, but when I tried to use them to stop the kids from watching random stuff on the media vault I quickly realized that the whole system is broken.
Protecting information according to where it is stored does not work once data starts to move about.
We need to completely rethink some core approaches here. The security usability just sucks, and it is no better on the Mac and much worse on Unix.

By: Chris

Chris — Mon, 18 Feb 2008 16:43:31 +0000

Benjamin:
What specific guidance in the bill I wrote about is improper? Issues with AB 779 are irrelevant: that isn’t the bill under discussion.
How is a requirement for “clear language” a technical topic, for example?
It’s not like the CA legislature is providing prescriptive guidance to the people who design or operate the infrastructure used to hold or transmit PII; they’re just saying what you need to do if it is revealed, despite whatever technical measures you’ve used (save encryption) to protect it.

By: Benjamin Wright

Benjamin Wright — Mon, 18 Feb 2008 15:33:56 +0000

Adam: When a legislature wades into a technical topic that it really does not understand, it makes a fool of itself. The California legislature made a fool of itself when it enacted Assembly Bill 779 in September. Even though the spirit behind 779 was pure, the legislation was technical mess and the governor vetoed it. See http://hack-igations.blogspot.com/2007/10/i-am-no-fan-of-part-of-californias.html

By: Adam

Adam — Mon, 18 Feb 2008 12:16:35 +0000

Benjamin,
So you think we need more laws with bits like SarBox 404? I think a lack of detail can be less wise than detail.

By: Benjamin Wright

Benjamin Wright — Mon, 18 Feb 2008 09:20:02 +0000

A legislature is unwise to get into technical details like encryption.

By: Iang

Iang — Mon, 18 Feb 2008 06:08:27 +0000

Calling on the government to solve some problem is almost always a mistake. SB1386 may be the rare exception.
Calling on the government to improve on this … has to be treated with some degree of skepticism. I find it very unlikely that any government decree can cause reliable breach reporting and reliable information gathering. This mission is unachievable. There are always methods by which companies will find ways to confuse the data delivery. If you can’t see how to do that, then … you’re probably not in the security world!
At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.