a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment

I'm mostly with you on this, @veen. @rd95 and @kleinbl00 make excellent points, but I think they are trying to put the worms back in the can, at this point.

Defensive security doesn't work. We have proved this since castle sieges in the 15th century. No matter what defenses you build, the baddies will innovate a way around, and get in.

The thing is, that these security breaches happen with services.

Every single one of these data breaches have one thing in common: The user of the data has abdicated responsibility for the data to a disinterested third party.

1. Equifax. This is just an intermediary who tells you data about a person, that you are too lazy to look up yourself. You want a loan? OK. Show me what you own. Show me your bank statement and pay stubs. Ok, sure. You look like a safe bet, here is your loan/credit card.

Instead, people pay Equifax for a "rating", which is just elementary-school level math applied to the data points above. This provides the lender with plausible deniability in the event you default on your loan. "But Equifax said they were a 720!"

2. Deloitte. Covering your ass is Deloitte's entire business. You hire Deloitte to investigate data, or build a system for you. They are a consulting firm, and their entire reason for existence is that you won't spend the money to have in-house experts to do the data analysis. So you hire Deloitte (or PWC, or The Heritage Foundation, or ,or, or...) to do the analysis FOR you, so that - if it is wrong - then you can blame someone else for it.

3. Yahoo/Hotmail/Gmail. Instead of saving your email on your computer, and having to sort it, back it up, recover it if your computer dies, etc., you go to a cloud service for your email. It is YOU washing your hands of the responsibility for doing software updates, defragging your hard disks, updating your RAM, managing server loads, etc., and "paying" someone else to do it for you.

4. Target. Target's credit card data was hacked, because Target knew they were protected by the CC companies, and didn't actually issue the CCs themselves, or protect the data themselves. If they had issued their own CCs, instead of purchasing the service from a third party, they would have been much more careful.

Anyway, this premise can be extrapolated to just about any "service" out there. They are monetizing the transaction, and therefore interested solely in transmission. WHAT they are transmitting in immaterial, and of no real interest or value to them. And that's why the hackers target service providers, because it is a choke point, where the orgs are not motivated to protect the data, only enable the transaction.

What's the alternative?

Figure it out. Go back to base principles: Do it in-house. Hire the skills and talent you need to deliver your product, rather than outsourcing to the lowest bidder.

We KNOW that defending from attackers doesn't work in the long run.

So maybe we need some radical new thinking about the entire system.

If your Target data is only useful for getting you a Target credit card, then it has no value to a hacker. Because you already have a Target credit card, and if another one gets created, then flags go off. Or the creation of a second one is simply impossible.

If a bank uses their own internal logic to determine who is worthy of a home loan, then all the data can be public. It has no value to a hacker, because they can't use that data for other systems. (Broadly speaking.)

Remove the service providers, and suddenly security looks very very different.