Share good ideas and conversation.   Login, Join Us, or Take a Tour!
comment by goobster

Ah. I see where I was unclear. Thanks for taking the time to explain how you read my post, because I did not mean what you read.

This isn't a problem for the USER to solve. My problem is with the BUSINESS.

It is the BUSINESS that washed their hands of the responsibility for your data, thereby endangering you in the first place.

To take my Target breach example; If Target had their own credit card that they underwrote, issued, and processed, they would be FAR more careful with your data. Because any breach hits them directly in the bottom line.

Instead, they offload the responsibility to a credit card issuer/processor (Visa, MasterCard, etc), who do not have as much skin in the game, and are therefore less interested in maintaining the highest level of security around YOUR data, because YOU are not their customer: Target is. And Target is paying them for TRANSACTIONS, not for fabulous security.

If you think about the tech used in a CC transaction, there are 5 companies handling your data, and only ONE of them has any real motivation to protect you, as an individual. To all 4 of the other intermediaries, you don't even exist: you are just a packet of data within gigabytes of data they transfer every day.

The parallel I tried to draw with email is that we choose offload the responsibility to someone else, when we choose to use a service (Gmail, Hotmail, Yahoo, etc.), instead of configuring our own server. Things were a lot more secure when you had to give a shit and actually understand how all the parts and pieces fit together, from hardware to software. Now it takes 10 seconds to set up an email account, and all you need to do is come up with a 4-letter password. Offloading all the responsibility for the infrastructure and security onto a disinterested third party is the risk we decide to take.

The key place where you took my words off in a new direction, is when you moved away from my conjecture - that services are the problem - and abstracted to armies, cable companies, etc. And yeah... libertarianism to me is the domain of 13-year old keyboard jockeys who have never had to pay rent. It is stupid to its core.

The bone I want to pick is with SaaS, which, incidentally, pays my considerable wages.

Everyone is so quick to invent a new middle-man service, that streamlines a process and takes a half-a-penny per transaction... but every middle-man "service provider" is one more incredibly weak link in the chain.

From the 1500s up to about the 1920s, a business took care of itself. Everyone from the janitor to the CEO worked for the company, and all customer processes were handled in-house.

But that is expensive. Having your own Credit Department that has to research every new application for a credit card is expensive. And it SHOULD be! It is a critical, important, and delicate function of the business.

But then Johnny McStartup shows up and says that he can do all that for you for 1/10th of the price, so you fire all your skilled people and pay McStartup to do all your credit accounts.

Why does McStartup cost less? Because they are less rigorous. Or hire junior-level researchers and analysts. Or whatever. They cut corners. That cuts costs.

But McStartup's customer is the Company, not the Individual. So they keep the Company happy by providing a service that Company used to do in-house, and they do it for a fraction of the price. And hey... if they fuck it up, who cares? It isn't Company that takes the blame! And McStartup is one-step removed from you, Mr Customer, so they are insulated from you as well.

THIS is my problem with the way businesses are structured today, and why it is so easy for hackers to ALWAYS get the data they want, with little effort. There are too many middle-men, with too little respect for the data they handle, and hackers always find a way through. Hell... they don't even need tech to do it... they can just call up Customer Service and social-engineer them, to get the info they want.

Yeah. So, fuck Libertarianism.

And security is ALWAYS going to be a problem, when you create choke-points in the data stream that are lucrative to hack. If every single retailer had to issue their own credit cards, instead of using Visa or MasterCard, there would be little to no reason for hackers to target that data.

And maybe now that we have sorta unlimited bandwidth, RAM, and disk space, maybe widening the choke points is a better way to reduce the tastiness of the data to hackers...




veen  ·  450 days ago  ·  link  ·  

    This isn't a problem for the USER to solve. My problem is with the BUSINESS.

I did understand that you were talking about businesses, but I don't think that's a useful or necessary distinction. Businesses and users are both facing the same security problems. Businesses try to protect their proprietary data, their passwords, their sensitive information, but so are you and I. There's B2B services, and there's B2C services, and security revolves around the same question for both: can I offload some difficult aspect of my work without jeopardizing that work?

My disagreement was mostly with your suggestion that businesses should tell services to GTFO and develop those services in-house instead. I don't think that's a reasonable think to ask of businesses: the ocean of sensitive data has become so incredibly wide (from passwords and pdf's to credit card info and blockchain keys) and deep (big data). It's not the 1920s anymore, which is why SaaS is such a vital part of modern business and why it is incredibly inefficient to have every company and user reinvent the wheel.

Just to give an example, my last gig and my current internship both run everything on Citrix thin clients. Is that safe enough? Maybe not.... Should hundreds if not thousands of companies develop their own OS-integrated remote client solutions just so they have their data back in control? I don't think so.

SaaS is pretty much unavoidable these days even though its incentives are misaligned. My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option.

goobster  ·  449 days ago  ·  link  ·  

    "My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option."

I hear ya, but this requires defensive security, which has been proven to be ineffective for centuries now.

I was hoping to open the conversation to radical new ways of thinking about data and security.

The only reason why CCs and personal data are under constant attack by hackers, is because they are broadly valuable.

A "simple" solution to that problem is to go back to having a Macy's card, and a Shell card, and an Amazon card - essentially a card-per-business - because then hacking your personal and CC data has no value to the hacker. They get ONE person's info, which can be used for ONE store, and is, in fact, already in use, so any attempt to use that data to establish a NEW account, would immediately be flagged. "That user already exists in the system."

I dunno.

It's just a different way to think about security. Remove the choke-points that hackers love to target, and suddenly hackers won't be cracking your system, because there is no big financial gain to be had.

It was just a thought experiment...