this post was submitted on 11 Apr 2024
104 points (100.0% liked)
Cybersecurity
5745 readers
397 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Eh, I honestly don't see much value in that "protection," it's a cop-out for companies to get away with really bad behavior with a slap on the wrist. I don't think it actually protects anyone in any meaningful sense.
Instead, we should be fining companies heavily for improper security practices. If they would've avoided it if they practiced industry-standard security, big fine. If they had a reasonable amount of time to deploy a patch but didn't, big fine. If they don't respond quickly to a breach with industry-standard procedures (forcing users to change passwords, key rotation, etc), big fine. And the fine should get bigger very fast the longer they take to address it.
And yeah, we should absolutely have a more secure system. It's ridiculous that big tech companies are moving toward passkeys when the federal government literally relies one one 9-digit number that's static for life for pretty much everything. So if there's one breach that includes your SSN, you're screwed. These problems aren't hard to solve, the tech around passkeys has been around for decades. There's no reason we can't have a system like that where companies only get the data they need, such as:
The only group that really needs your SSN is the Social Security Administration, and they could just keep that internal and do authentication w/ a passkey or similar. The #1 rule of security is to only have the access you need, whereas companies just grab everything "just in case." Even lawsuits could be filed without actually knowing your personal details, as long as they have a token that uniquely refers to you, they could initiate legal proceedings to the court.