Post AJ88dGF7REHfaLEujQ by kedislav@freeradical.zone
Post #AJ7z0RjrrbLSMG2Tr6 by adam@hax0rbana.social
2022-05-05T02:19:13Z
0 likes, 0 repeats
If you are a major corporation in the US (and likely other jurisdictions too), you can have absolutely negligent computer security and, according to the law, it's not your fault if you get compromised. It's the fault of those who "gained unauthorized access to a computer system".

The only thing that matters, criminally, is whether or not you authorized that access. So your password was solarwinds123? That's fine. It's not your fault. It's the fault of the criminal.

Maybe it is time for reform?
Post #AJ80Cg0ejNCa2zHrwO by June@kitty.town
2022-05-05T02:32:36Z
0 likes, 0 repeats
@adam the colonial pipeline shutdown is instructive here
Post #AJ832r9sizpxaibyJU by adam@hax0rbana.social
2022-05-05T03:04:26Z
0 likes, 0 repeats
To be explicit, the first question is whether essentially hanging up a sign that says "please don't hack me" is sufficient, or whether the bar should be higher.

A reasonable parallel might be trespassing. It is considered sufficient to hang a sign. The law doesn't require putting up a fence, let alone dictating how high that fence should be.

That doesn't necessarily make it the right balance, but it does provide some perspective.

To continue our thought experiment, we'll answer: raise the bar.
Post #AJ83WWBvFDAfFai4JM by adam@hax0rbana.social
2022-05-05T03:09:50Z
0 likes, 0 repeats
The next question is, if the bar is going to be raised, how high? And to whom would these obligations apply?

Quantifying cybersecurity has been something the industry has struggled with. There's an undefined "industry standard" which varies wildly between, for example, finance/military on the high side and IoT/ICS on the low side. Even if it's "your own industry", it's not well defined, and in the case of ICS the standard is basically posting a sign up, so we've still failed to raise the bar.
Post #AJ843niX6W3TA8pk3c by adam@hax0rbana.social
2022-05-05T03:15:50Z
0 likes, 0 repeats
Setting aside the quantification problem, there is the question of who the requirement to secure one's own stuff should be applied to.

Requiring everyday citizens to become cybersecurity experts seems like a terrible idea to me. Just corporations? LLCs too? Do non-profits get a pass, or should they be forced to spend some of the donated money on security?

I haven't heard good answers to any of these questions from proponents of regulations to solve cybersecurity problems.
Post #AJ84VahN6Ju0tUXdxY by adam@hax0rbana.social
2022-05-05T03:20:52Z
0 likes, 0 repeats
What if we flip it around? Let's imagine unauthorized access to a computer system were not a crime. How would that change incentives?

After all, this is effectively the situation we have now in countries with no extradition to the US. They can hack anyone with impunity, either to help them secure their systems, or for malicious purposes.

But what if it weren't just people located in countries with poor relations with the US? What would that look like?
Post #AJ856ewkGndCmdPMxs by adam@hax0rbana.social
2022-05-05T03:27:34Z
0 likes, 0 repeats
First, those who can't afford better security would get taken advantage of due to there being more attackers. Short of volunteers helping secure them (and them spending time and cooperating with said volunteers), this goes poorly for small firms and they get swallowed up by large companies (who may have been the ones breaking into the small companies' computers in the first place).

Large companies would have a mixed bag. On one hand, there's the aforementioned opportunity, but there's also risk.
Post #AJ85g4oW5VsF92Ro1I by adam@hax0rbana.social
2022-05-05T03:33:58Z
0 likes, 0 repeats
Another group of people currently sitting on the sidelines are law-abiding activists. This legal change would bring them into the game.

If there are laws against unauthorized public disclosure, with a loophole for things that are "in the public interest", it might mean big companies who are running an honest business would benefit, while those doing things like secretly dumping toxic waste illegally would be exposed and hopefully punished (either legally, or by consumers abandoning them).
Post #AJ86CABfe3Dx4pZski by adam@hax0rbana.social
2022-05-05T03:39:45Z
0 likes, 0 repeats
I guess whether it'd potentially be a positive move boils down to what you believe.

Would those with the money and the power be able to take advantage of this more than the ragtag group of hackers and activists?

What do you think the collateral damage would be? Does harming big companies covertly doing illegal/objectionable things hurt the average person (i.e. the megacorp's customers)?

I'd like to hear some other people's perspectives. Boosts welcome.
Post #AJ87kes2AhVi2VPBIG by kedislav@freeradical.zone
2022-05-05T03:57:11Z
0 likes, 0 repeats
@adam I do believe something like this happens already, not necessarily through hacking though, since the legal system is such a huge joke that copyright loopholes and straight theft is often more affordable than hiring hackers that are tightlipped and will steal the intellectual property you want (1/?)
Post #AJ88dGF7REHfaLEujQ by kedislav@freeradical.zone
2022-05-05T03:58:00Z
0 likes, 0 repeats
@adam Take Disney, for example. They do just that; literally the case with Lucasfilms and the OG author of Star Wars is exactly this case, and this is one of many. (2/?)
Post #AJ88dH0yZIZ5yld8KG by kedislav@freeradical.zone
2022-05-05T04:00:01Z
0 likes, 0 repeats
@adam Bigger, smarter companies that do not always have the luxury to buy another company, even through a proxy company in the case of overseas companies, do hack into each other with stealing intellectual property in mind. A book called "This is how they told me the world ends" goes in depth into this market of 0-days and how it relates to both governments and companies hacking for the upper hand. (3/?)
Post #AJ88dIcEcFxkwc4P2W by kedislav@freeradical.zone
2022-05-05T04:03:11Z
0 likes, 0 repeats
@adam The whole Pegasus spyware, and the organized cyberattacks on Russia from around the world, are both huge cases of exactly this dystopia you're pointing at. I think what you write about might not be the exact present, but instead a very near future. Security, owning your data, and principles like that were already important, and are now becoming a matter of life/death in some cases. (4/?)
Post #AJ88dK4dCAGtSyMawK by kedislav@freeradical.zone
2022-05-05T04:06:25Z
0 likes, 0 repeats
@adam Laws rn point more towards those with money, as they can easily hire malware-as-a-service and/or spec-ops to take care of some ragtag group of hackers, or a legal team to tank and bankrupt a small to medium company. Harming the big companies, even if it brings collateral damage (which should be kept to a minimum, but 0 is an idealistic view, not a realistic one), is great. Public disclosure of wrongdoings and public pressure is our only way to bring attention to things that matter.
Post #AJ89cE5w2UwoaU0xDE by sj@social.scriptjunkie.us
2022-05-05T04:18:04Z
0 likes, 0 repeats
@adam you can absolutely still be civilly liable and many companies do get held responsible for lax security.
Post #AJ89hI6qXYFYUEr7E8 by brotherjay@blackjackandhookers.net
2022-05-05T04:19:00Z
0 likes, 0 repeats
@adam Long thread but post 1 alone is already some hardcore fuckery, man. Bigass tech website can't be expected to cover their own ass, but a woman r*ped prompts worry about her wardrobe? Bullshit. Absolute. Fucking. Bullshit. (Damn I was gonna hashtag "RIPAdrianLamo" but wikipikipedia claims he was kind of an asshole? Doesn't change that The Man fucking wronged him, though)
Post #AJ8D1xkDke0RGmoyzQ by adam@hax0rbana.social
2022-05-05T04:56:21Z
0 likes, 0 repeats
@bill Fascinating. I saw her name on a paper when I was researching some policy thing a few years ago. I knew she was involved in cyber, and I knew she was the Attorney General, but I didn't put those together and think that she was criminal prosecuting people for cybercrimes. Thanks for the pointer. 🙂