user-inactivated  ·  458 days ago  ·  post: Krack Attacks: Major vulnerability found in WPA2. "If your device supports Wi-Fi, it is most likely affected."

    To me, your argument sounds like the same argument that's been discussed here before - the user / company is dumb and should know better / protect themselves better.

That's not my argument at all, well, kind of. My first argument would be that it's the responsibility of organizations to do their best to secure their products (looking at you Equifax) and that they should be held to high standards of accountability as well as transparency.

What I'm trying to say is that

A) I don't think organizations are trying hard enough to be proactive, accountable, and transparent and I think that we're reaching a point where the public, and hopefully lawmakers, will really start to demand that.

B) Every time this kind of thing happens, there's someone new that reads these articles, and hopefully they discover how vulnerable they can be and start adjusting their behavior to protect themselves. I know I learn something new almost every time something like this comes up and I keep security an active part of my conversations when talking to other people, people who are savvy so I can learn more and people who aren't savvy so I can give them tips to protect themselves. For example, whenever banking comes up I always tell people to get mobile alerts and two-factor authentication activated whenever possible.

C) We're on the tech frontier here. We have to understand that, know that we're at risk, and realize we're really just starting out in finding ways to protect ourselves. We need backup plans, just in case the metaphorical bear spray we're given to protect ourselves turns out to be nothing more than compressed water in a can.

I mean, hardships in this area are all around right now, but literally every time something like this happens, it's in the news (even on local television news) and it gets people talking and aware and awareness is the first step in addressing a problem.

veen  ·  457 days ago

It is great that people are becoming more and more aware of this. But I genuinely don't think it's enough.

I mean, I agree with A). I'm right here with you hoping for a better world. And slowly but steadily, more people seem to care about privacy and security. Just a few days ago the 300,000 signature milestone was reached for initiating a referendum about a new mass surveillance law. Public awareness is growing and I love that.

But I don't think it is enough. Public awareness means that the low hanging fruit of insecurity is getting caught: I don't know anyone my age who isn't careful about their social media presence, and most people know not to connect to any WiFi network that looks free.

The main reason I linked to that discussion and the core of my argument is that we're now seeing fuckups so massive, so far-reaching that there is nothing you or I can do about it. Awareness is futile against an entire WPA protocol being insecure. Similarly, there will be companies that have your data, and they will at some point fuck up royally, and there is no researching or 'adjusting your behaviour' or bear spray that can stop it. Take Equifax: it's an oligopoly of three credit agencies, so there isn't enough pressure on any of those to get them to change their behaviour. Especially not since their real customers are the companies that buy their data. Maybe the government manages to break the market up or sets strict rules, and I really hope they do for the sake of everyone involved, but I highly doubt it.

I mean, it used to be just email / credit card data, like when Target or Adobe messed up. Now it's home addresses, SSNs, full names. Identity thieves are going to have a field day. What can normal people even do against that? Bear spray doesn't do shit against a tsunami.

kleinbl00  ·  457 days ago

    What can normal people even do against that? Bear spray doesn't do shit against a tsunami.

It's gonna be truly dope when the biometrics get out. You can change a password but if Google or Apple leak your fingerprint...

and I know that Google and Apple don't "have" your fingerprint. They have a hashed cipher of markers of your fingerprint. But nobody realized Sony was storing user data and passwords in plaintext until it got out and I've seen no reason to trust either organization implicitly.

Eventually, there will come laws for improper data hoarding and breaches of secure information. There will be civil and criminal penalties for mishandling sensitive data - I mean, if you forced anyone that works with credit card or social security numbers to be HIPAA-compliant you'd see an instant sea change. But this will not happen until it is too late and there has been substantial damage done, and our legislators will fight it tooth and claw, Democrat and Republican.

And the NSA will still get it, and the NSA will still leak it, and we'll be right back where we started except the lawyers will be rich.