
US DOJ Lays Out Cybersecurity Basics Every Company Should Practice

samzenpus posted about a year ago | from the protect-ya-neck dept.

Government 58

coondoggie writes "The mantra is old, grant you, but worth repeating since it's obvious from the amount of cybersecurity breaches that not everyone is listening. Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, to combat cyber threats through better prevention, preparedness, and incident response."


58 comments

Step 1: Close your tags (0)

Anonymous Coward | about a year ago | (#43827889)

Valid HTML is secure HTML. Well, not really, but it's a start.

Security and DoJ (0)

Anonymous Coward | about a year ago | (#43827947)

The US DoJ is corrupt and untrustworthy.

Use any advice with great caution.

Re:Security and DoJ (1)

craigminah (1885846) | about a year ago | (#43827967)

Right, their "advise" are things that allow DOJ to investigate you without a warrant to see if you're a threat that needs to be added to the "disposition matrix."

In other news... (1)

wbr1 (2538558) | about a year ago | (#43827975)

John Brennan says there are tons of things companies can do to help spy on the populace^H^H^H^H^H^H^H^H terrorists.

Not working well? Do it EVEN MORE! (5, Interesting)

Anonymous Coward | about a year ago | (#43828067)

The article advocates more passwords, and stronger passwords, saying it is less of a pain than having everything stolen by hackers.

But....

When your password rules are too onerous, people start rebelling against them out of practical necessity. People write them down on post-its or store them in files on the hard drive because there are too many to remember (and they are too hard to remember). The few people who don't do this suffer frequent lock-outs, costing the company time and money (over and over again) in password resets. And, invariably, your CEOs exclude themselves from the policies. These same CEOs tend to have way more access than they actually need, and as such are the primary targets for hackers.

So, rather than requiring a few more special characters in the min of 20 character passwords that lock out after the second failed attempt, must be changed every 10 days, have an infinite history to prevent re-use, and each of which grants you access to between five and ten percent of the subsystems you use on a daily basis...perhaps we should work smarter instead of harder.

Use two factor authentication for the core systems (everyone has a cell phone these days, and good systems can work on the employee's office landline anyway). Passwords lock out after 10 attempts (seriously, those extra 7 attempts are NOT what will give a dictionary attack its edge). Require long passwords with a minimum "variety factor" in the letters rather than specific number and special character minimums (the variety factor and length are far more cryptographically strong than adding a 123 at the end). Train employees to recognize phish. And, of course, don't give people access to stuff they don't need.
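The comment above contrasts two kinds of password policy (character-class minimums versus length plus a "variety factor") and argues that a lockout at 10 attempts is no weaker in practice than one at 3. The following is an added illustration of that argument, not code from the article or the commenter; the 16-character length floor, the 10-distinct-character variety minimum, and the 1M-word guess list are constructed values, and "variety factor" is read here simply as the number of distinct characters.

```python
import math

# Constructed policy parameters; the comment gives only the lockout threshold.
LOCKOUT_THRESHOLD = 10          # the commenter's suggested limit
MIN_LENGTH = 16                 # a "long password" floor (assumed value)
MIN_DISTINCT_CHARS = 10         # the "variety factor" minimum (assumed value)


def composition_rule(pw: str, min_len: int = 8) -> bool:
    """The policy the commenter argues against: a short length floor plus
    'at least one digit and one special character' minimums."""
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() and not c.isspace() for c in pw)
    return len(pw) >= min_len and has_digit and has_special


def variety_factor(pw: str) -> int:
    """Variety factor, read here as the number of distinct characters.
    Appending '123' to a reused base adds almost nothing to it."""
    return len(set(pw))


def variety_rule(pw: str, min_len: int = MIN_LENGTH,
                 min_distinct: int = MIN_DISTINCT_CHARS) -> bool:
    """The commenter's alternative: require length and variety rather than
    specific character classes."""
    return len(pw) >= min_len and variety_factor(pw) >= min_distinct


def online_guess_coverage(attempts_before_lockout: int, dictionary_size: int) -> float:
    """Fraction of a guess list an online attacker can try before lockout.
    3 versus 10 attempts against a million-word list is 0.0003% versus 0.001%."""
    return attempts_before_lockout / dictionary_size


class LockoutTracker:
    """Per-account failed-attempt counter: locks at the threshold and
    resets on a successful login."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures = {}          # user -> consecutive failed attempts

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold

    def record_failure(self, user: str) -> bool:
        """Count one failed attempt; return True once the account is locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ["Passw0rd123!", "correct horse battery staple", "a" * 20]:
        print(f"{pw!r:34} composition={composition_rule(pw)!s:5} "
              f"variety={variety_rule(pw)!s:5} distinct={variety_factor(pw)}")
    for n in (3, 10):
        print(f"{n} attempts cover {online_guess_coverage(n, 10**6):.6%} of a 1M-word list")
    tracker = LockoutTracker()
    locked = False
    for _ in range(LOCKOUT_THRESHOLD):
        locked = tracker.record_failure("alice")
    print("alice locked:", locked)
```

Running it shows the two policies disagreeing in both directions: "Passw0rd123!" satisfies the composition rule but not the variety rule, while a long lower-case passphrase satisfies the variety rule and fails the composition rule.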

Re:Not working well? Do it EVEN MORE! (0)

gmuslera (3436) | about a year ago | (#43828285)

Key passwords (maybe mail, the password managers' ones, places where you must type your password frequently) should be easy to remember and hard to crack (hint [xkcd.com]); the rest (there are always a lot of them) should be in one or more password managers (i.e. your browser, with a master password, but also more portable ones like KeePassX [keepassx.org]), where, as they are not meant to be remembered, they are easier to change, to give the hardest complexity, and of course to have all different. And try to avoid automated password trying, especially at fast speed, like using fail2ban or similar when possible or having a keyphrase in your private ssh certificate with PKCS #8 [kleppmann.com] to slow down cracking.

But passwords are just a part of the equation: what runs as your user usually has access to the same resources as you (i.e. it could read your files, your clipboard, your keyboard input, so it could capture passwords, no matter how complex they are), and can access sites where you are identified (i.e. single sign-on systems that enable the IP you are on mean that a trojan running in your PC has your privileges; same for VPNs, or internal systems not safe from XSS attacks). And antivirus isn't as good a protection as it claims to be (Red October was active 5 years before being detected [securelist.com], and they can be forced to contain backdoors [pcpro.co.uk]). Use more secure OSs and browsers (at least, ones with no such overabundance of malware), and security practices (only install from official repositories, stop at mail server level things that don't come from where they claim to come, etc).

And of course, educate people. In real life you know things that are risky and dangerous (i.e. don't walk alone at night in high criminality rate neighbourhoods, drink and drive, touch electric wires, etc); people should be able to understand what is dangerous or risky on the internet too, including their private use at home (even if privacy is a lost cause [theregister.co.uk], there are far more risks).

Re:Not working well? Do it EVEN MORE! (1)

Decker-Mage (782424) | about a year ago | (#43828653)

Not everyone has a cellphone, nor wants/needs one. OTOH, I tend to use passwords (passphrases where possible) from Hell except where id10ts creates policies that are ummm... not to put too fine a point on it, idiotic. Like my banks and credit agencies, the government (multiple agencies no less all with fucked up policies), &c. ad nauseum. You want good policies? Get people who actually know the realities of security, people, and especially security theater.

Meantime, I'll keep my passwords in encrypted passwordsafe files, available via multiple pathways, and even on multiple tablets which are also thoroughly, and I do mean thoroughly, encrypted. Synching everyone is about my only complaint left.

And yes, I define paranoia.

Re:Not working well? Do it EVEN MORE! (1)

Salgak1 (20136) | about a year ago | (#43829093)

Sounds about right. I also keep an offline copy, the encrypted password/passphrase list on a DVD-R, the decrypting software on the original CD, both of which live in my safe deposit box at the bank AND the fire-proof in the house. The decryption passphrase and instructions are in a tamper-noticeable "Cookie" (heat-sealed plastic around paper). One copy of which is elsewhere in the house, and two more which are... somewhere else.

Re:Not working well? Do it EVEN MORE! (2)

chrismcb (983081) | about a year ago | (#43831587)

The article advocates more passwords, and stronger passwords,

Why do companies have archaic password limitations? Must be less than 12 characters (or 16 or some other arbitrary short length) Must NOT be the following characters... Why is there a limit on the characters I use? Whenever I see boneheaded rules like this, I assume someone is incompetent, and I wonder what other security holes there are.

Re:Not working well? Do it EVEN MORE! (1)

hobarrera (2008506) | about a year ago | (#43883495)

One of my banks has "eight digits, numbers only, cannot repeat numbers", and each time I change it, no digit may be placed in the same position as in the last password. No three digits may be consecutive numbers, or consecutive in reverse order. Amongst other conditions.

Generating a memorable password is extremely hard. Even random numbers are of little use, since they tend to be rejected as well.

This results in me having to use keepassx (instead of MY BRAIN) to store my passwords.

Meanwhile, I can easily remember passwords for sites with free-form strings as password. I can even use unique ones everywhere. It would also take several centuries to brute force any of those.

Incentives (4, Insightful)

Okian Warrior (537106) | about a year ago | (#43828019)

Making a book of "best practices" is a good first step, but incentives are also needed.

For example, suppose the government set penalties for security breaches which result from not following best practices. The penalties would not trigger until an actual breach, but if one *does* happen then the company is fined for breach of trust.

The fines should be structured to encourage businesses to reduce risk, by artificially creating proportional risk.

If someone steals CC numbers because the company kept them in the clear, and kept them beyond the time necessary to complete a transaction, the company is fined $5 each number. If passwords are not encrypted and salted, $1 for each stolen password. If web form data is not sanitized and customer information is stolen, $3 for each record. If the power station control computers are on the net with default passwords - half a mil.

The government could also set up incentives and rewards for white-hat hackers who find vulnerabilities. If 1/10 of the potential fine goes to the white-hat hacker who discovers it, security practices would come into line very quickly. Perhaps with a cap of $50,000: enough for incentive to the hacker and the company, but not enough to affect the business.

(... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)

Government can tweak and tune things for the betterment of society, but it has to be structured in the manner of game theory. People have to want to follow procedures.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43828069)

Many of the things you suggest with regards to CC info are already in place due to PCI-DSS compliance specs, but I don't disagree in general.

Re:Incentives (3)

gl4ss (559668) | about a year ago | (#43828467)

Many of the things you suggest with regards to CC info are already in place due to PCI-DSS compliance specs, but I don't disagree in general.

yeah.. but you know what? BIG COMPANIES ARE NOT PENALIZED AS THEY SHOULD BE FOR BREACHING THOSE TERMS/CONTRACTS! was stratfor put into its place for hoarding the numbers? fuck no. ..and well, we get just vague "your information may be compromised" messages from companies instead of them fessing up that they stored the information in plain text.

Re:Incentives (3, Interesting)

Decker-Mage (782424) | about a year ago | (#43828793)

Sadly PCI-DSS is an example of security theater. VISA/Mastercard set up the standard to protect themselves, not the 'stakeholders': credit card users, processing firms, banks.... They've held that up as the Standard by which all things are measured and when their practices are questioned they blame everyone else but themselves.

There have been firms who have suffered breaches directly after audits demonstrating compliance that have been fined for non-compliance. Why? Because they were breached, so they can't have been in compliance. Nice example of ex post facto there. Then there have been firms undergoing an audit that have been breached and therefore fined, even when the breach was discovered after the audit was completed and compliance was assured. Pure and simple, if you are breached, you must not be in compliance.

If I were the only one dealing with security saying this, it might be personal. I'm not. It's just one of those meaningless standards that exist solely to provide butt-cover. As for government doing the job, I used to ensure compliance with all the various safety regulations (military, environmental, OSHA,... that list is almost endless) and I literally lost count. Counting is something I do real good. That and an eidetic memory. It was simply impossible to comply with them all, not from the standpoint of time and money; it was impossible as they often contradicted themselves. If you fed them all to an expert system it would have a seizure. Me? I used to laugh out loud, a lot, and everyone thought I was weird for laughing at the regs.

The only way to get things right is to vote with our wallets but that's damn hard to do when dealing with a duopoly. And impossible when you're dealing with government. Corps have much bigger wallets than ours. They ought to since any costs they incur come out of our wallet.

Re:Incentives (2)

kermidge (2221646) | about a year ago | (#43830209)

As I was reading the article I saw many references to companies and shareholders; the only reference to customers was regarding their perception of the company. Nice priorities. There was a time when a company understood that with no customers there was no company. Now they presume the presence of plenty of unthinking consumers.

Re:Incentives (2, Insightful)

Anonymous Coward | about a year ago | (#43828107)

Oh, I see. You want to monetize security breaches and have the government provide price supports, sort of like the DEA does with drugs.

Then a whole army of bureaucrats and police will be created to make sure security breaches remain a profit center for their continued existence.

That will solve the problem!

Re:Incentives (1)

Anonymous Coward | about a year ago | (#43828269)

You need to live in the States to understand this, it's unlike any other country. In America Time is Money - seriously, every waking minute is either spent making or spending Money.

A few years ago I read an article in a Canadian paper that compared media regulations in Canada and the States. It basically said that if a Canadian tv or radio station broadcasts something offensive they not only get their hands slapped but also risk not getting their license renewed, not a good thing. If an American station does the same, they pay a fine and move on, so it's a matter of "does the increased revenue justify the fine?"

There was a TV series in the 90s called Sliders [wikipedia.org] where the characters kept jumping from one alternate Earth to another. In one alternate Earth nobody ever apologized (not even for bumping into someone else) because that meant admission of guilt which entailed punishment...

That's pretty much where America is headed, every wrong has a culprit and the culprit must pay with dollars, cause it's all about Money and the Bottom Line.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43828437)

You need to live in the States to understand this, it's unlike any other country. In America Time is Money - seriously, every waking minute is either spent making or spending Money.

Clearly you're only mailing it in. I make and spend money in my sleep. At night I'm a guinea pig for new drugs used in sleep studies, which is a like earning an extra paycheck. The down side is that I seem to play a lot of video poker when I sleepwalk (or at least that's what the sleep study technicians tell me). Why they put a video poker room in a hospital is beyond me.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43828317)

Incentives to be secure, or incentives to sweep breaches under the rug?

With passwords you might even have some chance to prove they leaked it - this email was only used for this site, so I know who leaked it. Now just to prove it's true and I'm not making it up to hurt your site...

Your CC doesn't change like that. Which sites did you leave it on? Did somebody with physical access abuse it to spite you?

Re:Incentives (1)

gmuslera (3436) | about a year ago | (#43828327)

Yes, a "best practices" book is a good step, especially if they are agnostic about the solutions used (it is something that could be easily exploited by their "rulers" to force some particular providers or patented technologies).

The penalties should go hand in hand with consumer protection. If a company or government office stores passwords in plain text [slashdot.org] and is breached, then the users should be able to sue them. And the government maybe should be proactive in finding vulnerabilities and bad practices and reporting them to the responsible people (after all, they are scanning the entire internet right now, why not use it for something positive?), but first they must warn and give the opportunity to fix it.

Regarding rewarding white hats and people who report vulnerabilities, that would be the reasonable thing to do, but they are too far into the dark side to do that; they already punished a lot of people for doing that, they won't go back so easily on that policy.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43828361)

(... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)

So only big companies can afford security? Cripes, that's all we need is lawyers defining 'best practices'. Before you know it you won't be able to plug in your personal PC without paying a lawyer to whip you up a legal contract first.

The common sense is that companies should be responsible when they fuck up. In today's society, they aren't.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43828615)

Having worked for a USA Federal Government site, my opinion is that the USA Federal Government has no authority or right to tell others how to secure networks or to penalize those networks when a fault is exploited or found. Federal Government networks are sieves--they filter out only the honest people some of the time. The Federal Government accepts the flimsiest of excuses when their own networks are insecure and operating outside the "best practices" of the industry. When Federal Government auditors come to inspect and test, they miss the easiest failures on the part of their contractors--it seems that "crony capitalism" has undermined the Federal Government network security realm to the point of corruption.

By the way, layoffs, which the Federal Government and their contractors excel at, are the gosh-darn best way to build morale and motivate their people to strive for excellence. /sarcasm
In the area of network security, it breeds incompetence--the greatest of Federal Government qualities. ("Close enough for government work" has its basis in truth.)

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43829551)

Unfortunately, the natural and rational response to that is for companies to keep security breaches secret, even more so than they do now.

OK, there are plenty of publicised ones - usually, those where the perps are (basically) politically motivated and trying to embarrass their targets, so they're the ones to make the announcement. But in general, there's nothing that forces companies to publicise when they've been breached, and every incentive for them to keep it quiet. Changing that situation would be a real 'first step', but it would require changes pretty much the opposite of what you're suggesting.

Re:Incentives (1)

CodeBuster (516420) | about a year ago | (#43830873)

Why do we need the government to tell us this? They're incompetent so why should we listen to them when they tell us how we should be running our businesses? WTF do they know about running a business? Almost nothing. I don't need some paper pusher bureaucrat in Washington telling me how to secure my networks and I sure as hell don't need them to give me advice on passwords. From my perspective all the government ever does is take my tax money and waste it on God knows who and for God knows what, but it sure as hell doesn't help me that's for damn sure because if I don't make something happen for myself, it doesn't happen.

Re:Incentives (0)

Anonymous Coward | about a year ago | (#43832543)

one correction, NO FUCKING CAPS.

The company will just weight the cost of the fix against the cap. No we will not buy that $60,000 since we only have to pay $50,000 IF we get hacked.

How about $100 in cash payable to each account holder whose account is compromised. And the company is not allowed to go bankrupt until after all debts are paid.

Companies should fear going out of business for having bad security.

Make up their damned mind. (4, Insightful)

Anonymous Coward | about a year ago | (#43828091)

Do I secure my network or backdoor it to comply with the demands of the Surveillance State?

Re:Make up their damned mind. (1)

Decker-Mage (782424) | about a year ago | (#43828809)

Direct hit!!! As a policy I never give AC's +mods. In your case, I'd give it all five positives!

Re:Make up their damned mind. (0)

Anonymous Coward | about a year ago | (#43831797)

Funny, as a policy I never give non-AC's +mods. We probably balance each other out then :)

Re:Make up their damned mind. (0)

Anonymous Coward | about a year ago | (#43831147)

From another article, "Holder was able to obtain a normal search warrant that allowed federal agents to secretly obtain up to six years of email correspondence between Fox News correspondent James Rosen and his alleged sources."

I'd say the DOJ has done a remarkably thorough job of demonstrating that something that every corporation should do is mandate that all of their email be encrypted. Well done, Mr. Holder!

Very lame (1)

gagol (583737) | about a year ago | (#43828101)

Kinda like you should brush your teeth before going to bed. You don't see articles written about that! Well, it's because you don't brush your teeth ON A COMPUTER!!!! Move along nothing to see here (That slashdot crowd don't already know!).

Re:Very lame (1)

Sesostris III (730910) | about a year ago | (#43828367)

Kinda like you should brush your teeth before going to bed. You don't see articles written about that! Well, it's because you don't brush your teeth ON A COMPUTER!!!! Move along nothing to see here (That slashdot crowd don't already know!).

http://www.nhs.uk/Livewell/dentalhealth/Pages/Teethcleaningguide.aspx [www.nhs.uk]

Re:Very lame (0)

Anonymous Coward | about a year ago | (#43828549)

Nice try but that's in the UK. My country has similar material, in fact every self-respecting country has some. But this article's related to the States:

1) The Association of Dental Care Providers will lobby the government to NOT tell the people to brush their teeth.
2) If the government does so anyways, the People will sue the government (and win) for taking away their right to choose between brushing their teeth or not.
3) Reacting to a decline in sales of toothpaste, Crest will sponsor a "scientific research" proving that American kids who brush their teeth with Crest Ultra-Whitening Sparkling Toothpaste will have a much higher IQ than average. Colgate in turn will sponsor American Idol where the judges are seen brushing their teeth between each song.
4) The People will therefore start to brush their teeth again, not because the evil government told them so, but because they freely chose to do it after seeing the tv adds (sic).

Re:Very lame (1)

ShanghaiBill (739463) | about a year ago | (#43828651)

1) The Association of Dental Care Providers will lobby the government to NOT tell the people to brush their teeth.

This is very close to the truth. The ADA (American Dental Association) did lobby the government to try to stop them from promoting dental sealants [wikipedia.org]. They were partially successful, and the CDC only promoted sealants for low income children. The dentists that worked on the low income children on behalf of the government recommended sealants at four times the rate that they used on their paying customers, where extra cavities mean extra income.

Number one rule... (1)

Mashiki (184564) | about a year ago | (#43828245)

Don't trust the DOJ on what it states as "best rules."

Re:Number one rule... (1)

gl4ss (559668) | about a year ago | (#43828737)

Don't trust the DOJ on what it states as "best rules."

there wasn't an actual rules list in the article.

it just said that there's going to be an inevitable cyber incident sooner or later and you better get ready! oh and build firewalls because that's how you keep cyber incidents at bay, since hackers can't go through firewalls (no mention of actually putting sensitive information off-network.. or defining what's a firewall in this case).

and that government has some cyber security help program you can ask help from.

CYBER! LAYER EIGHT!!!!! fucking fat bastard should just stop writing articles.

Becomes the law (1)

petes_PoV (912422) | about a year ago | (#43828301)

So will these "minimum standards" now become a de-facto definition of "good" and (in law) "negligent" behaviour. I.e. if you don't meet these standards, you will be held accountable for security breaches, maybe even have any insurance cover withheld.

How does 4 == ton (0)

Anonymous Coward | about a year ago | (#43828753)

The article basically says firewall firewalls firewalls, passwords passwords passwords, hire less gullible employees and trust the government. Four things that are not going to help any company.

I work in IT and while I will admit to turning any and all firewalls on, I know in the back of my mind that they don't do a whole lotta good. They do what they do which is to basically close down network access to all those extra services that we all run but don't really secure. That's not going to stop an attacker just give them a bit less to work with which is great but not a whole lot in the long run because....

Some employee (usually the company owner) is just going to give that attacker all his passwords because he was stupid enough to install the pr0n browser 2013 toolbar in IE 8 which he's still using because the government mandates its use so they don't have to re-factor their online services to eliminate stupid Active X controls.

Which brings us to trust the government? No really half the unpatched vulnerabilities on the systems I care for (which would be all the known vulnerabilities) are there because government can't be bothered to fix its stuff.

So my best rules for security... Don't trust the government. Eliminate Active X, Flash and Java. Turn off things you don't need. Regularly audit PCs and uninstall the junkware. Try to use fewer closed (Adobe, Apple, Google, Microsoft...) products whenever possible. Use wired networking if possible for important stuff and wireless as sparingly as possible. Use a keychain.

PS Microsoft, Apple has had the keychain for what 14-15yrs now what is taking you so long to copy it?
PPS Mozilla folks mainstream use of the Mac Keychain. Keychain Services Integration needs some work but also needs to be part of the Mac application.
PPPS If your service does not accept passwords longer than 8 characters you are part of the problem
PPPPS Google/Apple keychain sync to mobile devices needs to happen

Thanks for suggesting I go bankrupt (1)

holophrastic (221104) | about a year ago | (#43828911)

It'd probably cost the equivalent of $50,000 per year for my small business to implement all of those. Thanks for the suggestions. I can't do any of them and remain profitable at all. So I'm going to do none of them.

Instead, I've got a suggestion for you. How about making it illegal to hack into my property; and then why don't you go about arresting and prosecuting criminals? In other words, how about you, my government, go about doing your job, instead of making me into a security task force unto myself.

Sure, it sucks getting hacked. It CAN mean losing money, losing clients, and losing my business. It sucks more to spend so much time and money securing against getting hacked that I WILL lose money, clients, and my business.

Welcome to laws. You don't want me to protect myself against criminals. That's not what we call a civilized society. I don't keep a suit of armour in the garage. I don't have a shield on-hand. I don't have chain-mail shirts -- ok, I do have one, but it's a halloween costume, and it's heavy.

Re:Thanks for suggesting I go bankrupt (2)

chrismcb (983081) | about a year ago | (#43831573)

How about making it illegal to hack into my property; and then why don't you go about arresting and prosecuting criminals?

It is, and they do... But there is also only so much they can do to arrest and prosecute foreigners.
Do you have locks on your doors at home? Do you use them, or do you expect the government to make trespassing illegal and to arrest and prosecute criminals?

Re:Thanks for suggesting I go bankrupt (1)

holophrastic (221104) | about a year ago | (#43832695)

Yeah, I live in a neighbourhood where I don't need to use the locks on my doors, the alarm system, bars on the windows, neighbourhood watch, guard house, nor a private security company.

And how dangerous is your neighbourhood? Ever thought of living somewhere safer?

Re:Thanks for suggesting I go bankrupt (1)

cwsumner (1303261) | about a year ago | (#43836207)

Yeah, I live in a neighbourhood where I don't need to use the locks on my doors, the alarm system, bars on the windows, neighbourhood watch, guard house, nor a private security company.

And how dangerous is your neighbourhood? Ever thought of living somewhere safer?

I live in a similar town. People often leave their cars unlocked and their doors unlocked. Most of them also own guns. Very quiet.

Re:Thanks for suggesting I go bankrupt (1)

cwsumner (1303261) | about a year ago | (#43836189)

... Welcome to laws. You don't want me to protect myself against criminals. That's not what we call a civilized society. I don't keep a suit of armour in the garage. I don't have a shield on-hand. I don't have chain-mail shirts -- ok, I do have one, but it's a halloween costume, and it's heavy.

The government and the police have no legal requirement to protect any individual. (Much as most want to, and do the best they can.) The police are tasked to apprehend criminals. That's different. The citizens are expected to protect themselves, at least as long as it takes for the police to get there. Be warned...

A place where the police are tasked with protecting all citizens, individually, is called a "police state". It is generally agreed that no one really wants to live there.

Re:Thanks for suggesting I go bankrupt (1)

holophrastic (221104) | about a year ago | (#43836939)

and what would you call individuals who hack into and steal from multiple systems routinely? Last I checked, someone who commits crimes is a criminal. English is funny that way.

Re:Thanks for suggesting I go bankrupt (1)

cwsumner (1303261) | about a year ago | (#43842919)

and what would you call individuals who hack into and steal from multiple systems routinely? Last I checked, someone who commits crimes is a criminal. English is funny that way.

True. But the police only go get them after the crime has occurred, and that is often too late for the individual victim. All citizens need to take at least some precautions for themselves. How much, is a personal choice...

Re:Thanks for suggesting I go bankrupt (1)

holophrastic (221104) | about a year ago | (#43843315)

you're talking about detective work. "go get them". It's the penalty afterwards that's supposed to act as a deterrent to others in advance of those crimes. As an individual, I can't really deter future criminals. That's what the judicial system is for -- long after police are done with the man-hunt.

But it's not a personal choice. I don't get the choice to spend $50K / year on security and still stay in business.

The fact that I'm small means that I'm difficult to see, difficult to target, and not worth targeting. Those that really want to target me, and have a reason to do so, I can't secure against. Welcome to Ethan Hunt.

Re:Thanks for suggesting I go bankrupt (1)

cwsumner (1303261) | about a year ago | (#43851609)

Secure what you can, leave what you can't. Every little bit helps, nothing is ever perfect protection. Hope the police can catch them after other crimes, before they get around to you. That's how it is.

And, hope that the government doesn't decide that not following all of the recommendations is grounds for some penalty... Yikes!

Re:Thanks for suggesting I go bankrupt (1)

holophrastic (221104) | about a year ago | (#43851719)

every little bit doesn't help. there's no use in having a rubber padlock. in this case, there's no use in resisting the amateur hacker who won't be able to find me in the first place.

and the government does have those penalties, that's why we're complaining now. things like making it illegal to NOT lock your car doors when it's parked on the street. what the hell?

Oh Dear (0)

Anonymous Coward | about a year ago | (#43829875)

It's the 'don the condom' mentality.

The DOJ (2)

Kirth (183) | about a year ago | (#43831037)

The DOJ, which illegally seizes domains from foreign holders? The DOJ which orchestrates illegal raids in New Zealand? The DOJ which is the bully of the Content Mafia?

It seems that these are not really the most technical-minded people, and you expect them to advise on Computer Security?

I'd rather follow the NSA Guidelines http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml [nsa.gov]

Re:The DOJ (0)

Anonymous Coward | about a year ago | (#43832711)

Just the other day, my pet fox handed me a note ..

"Dear tk, I've been thinking about your design for your forthcoming chicken-coop
and I have some ideas I'd love to share with you ... "
- Red

I'm now pondering my reply ..
