- Companies should suffer massive fines / damages / criminal charges when they leak the personal data of millions of customers.
- I think EULAs are a ridiculous run-around the law. They should be non-enforceable. It's far from perfect, but case law is pretty clear that people and companies are liable for damages due to foreseeable harm that they cause. (Except EULAs dodge this.) (I am not a lawyer, this is not legal advice.)
Software engineers & security engineers can make just about anything secure. But we can only do so if we're given time and money to hire the expertise when needed. We need to make it incredibly expensive for companies to lose personal data like this. Management teams should be clamoring to hire the best security engineers. But they'll only do so if they're sufficiently motivated.
The risk of massive liability is the right incentive to convince companies to invest in getting information security right. The current status quo is ridiculous.
Apart from leaks harming the privacy of customers, paying ransoms does social harm by providing an income and incentive to criminals.
I found leaked details of Royal Mail's negotiations with their attackers fascinating [0].
I'm not sure it's practical to outlaw the payment of ransoms, but it should at least be heavily taxed (say, 100%). Naively, I would expect this to cut by half the amount that can be extorted through ransomware attacks, making countries that implement such a tax less attractive targets.
The analogy is closer to being: the state will prosecute the murder victim's family for failing to properly protect them AND won't be able to locate or punish the true murderer. So in this situation, what's the family going to do? Mourn in private and not report the crime, maybe try for vigilante justice if they think they've identified the murderer.
> laws against murder, makes murder no report them self
One of these is more universally repulsive than the other. Were it illegal, I'm not sure I could be bothered to blow a whistle on a company paying a cyberransom. That's obviously different for murder.
Then you toss the entire executive branch in prison when it inevitably leaks. The problem will solve itself soon enough. These criminal organizations should be treated as such.
Hah, the LockBit negotiator displays that childish "I'm going to make something up and be convinced it's true" mentality that's much too common nowadays.
> LockBit refused to accept the explanation and accused the company’s negotiator of “bluffing”, speculating that the company’s directors probably held £100m of cryptocurrency personally that could “finish this nightmare”.
"I have the ability to punish you for my fantasy not being true" isn't childish, it's common among adults, and, indeed, is a defining feature among the adults who abuse children and anyone else less powerful than them. It is, in fact, one of the most powerful tools a dictator has: "You failed to capture that objective? You are incompetent, and possibly traitorous, so you will be executed, your family will be executed, and I will continue this war with competent generals who execute my plans because my plans are viable."
If an organization pays a ransom, I consider that organization to be effectively in league with the criminals, and avoid doing any business with them in the future.
This. It would have been (relatively) easy for Ring to encrypt the video data so that they themselves can't access it. Obviously I don't wish it upon the individuals that use these cameras but I would probably smirk if data gets leaked and Amazon gets sued into the ground.
Definitely some tradeoffs there. I recall going back and forth in my head "I'm paranoid, I don't need to enable this" to "what if there was a breach..".
That's not what E2E encryption means. Encryption during transmission is called transport layer encryption (e.g. via TLS). E2E (end to end) encryption is encryption where the data is encrypted in transit and at rest. Generally E2E systems only have the keys to decrypt the data on the user's (endpoint) device.
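The distinction in the comment above, as an added example that is not part of the thread: a toy model in which a camera uploads a clip to a cloud service. In the transport-only flow the server terminates the encrypted channel and stores the clip in the clear; in the E2E flow the clip is first encrypted under a key that only the owner's devices hold, so the server (and anyone who breaches its storage) sees opaque bytes. The cipher is a constructed stdlib-only stand-in (HMAC-SHA256 in counter mode as keystream, encrypt-then-MAC tag) so the code runs offline; a real system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. All keys and the clip bytes are constructed sample values.

```python
"""Transport-only vs end-to-end encryption, as a toy model (added example)."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys from one root key (constructed KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF stream: a stdlib-only stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _server_tries_to_read(server_keys: list, stored: bytes) -> Optional[bytes]:
    # What the operator, or whoever breaches its storage, can recover using only
    # keys that live on the server. None means the stored data is opaque to them.
    for k in server_keys:
        try:
            return decrypt(k, stored)
        except ValueError:
            continue
    return None


def transport_only_flow(clip: bytes) -> dict:
    """TLS-style: the server terminates the channel and keeps the clip in the clear."""
    hop_key = os.urandom(32)            # session key shared by camera and server
    upload = encrypt(hop_key, clip)     # protected on the wire only
    stored = decrypt(hop_key, upload)   # server decrypts on arrival and stores plaintext
    return {
        "on_wire_is_clear": upload == clip,
        "at_rest_is_clear": stored == clip,
        "server_can_read": stored == clip,
    }


def e2e_flow(clip: bytes) -> dict:
    """E2E: the clip is encrypted under a device-only key before it enters the channel."""
    device_key = os.urandom(32)         # provisioned only to the owner's devices
    hop_key = os.urandom(32)            # transport layer is still used on top
    inner = encrypt(device_key, clip)
    upload = encrypt(hop_key, inner)
    stored = decrypt(hop_key, upload)   # server peels the transport layer only
    owner_view = decrypt(device_key, stored)
    return {
        "on_wire_is_clear": upload == clip,
        "at_rest_is_clear": stored == clip,
        "server_can_read": _server_tries_to_read([hop_key], stored) is not None,
        "owner_can_read": owner_view == clip,
    }


if __name__ == "__main__":
    sample = b"constructed doorbell clip bytes"
    print("transport-only:", transport_only_flow(sample))
    print("end-to-end:   ", e2e_flow(sample))
```

The point the flows make concrete: TLS protects the hop, not the storage. In the transport-only flow `at_rest_is_clear` is true, so a breach of the server's storage exposes the clip; in the E2E flow the server's only key (`hop_key`) fails authentication against the stored blob, and only the holder of `device_key` recovers it.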
That's a nice idea, but Blue Iris in particular, while being affordable and while not requiring a subscription, only runs on Windows. Keeping a Windows system running 24/7 is a whole chore in itself.
Got any suggestions for OSes that are easy to secure and easy to run 24/7?
MotionEyeOS isn’t as easy as a Windows installer and is probably only as secure as you make the rest of your network, but as a main Windows user and occasional *nix, the various guides weren’t too hard to follow and it’s been fairly reliable.
I rolled my own system, initially with MotionEye, and then rolled over to Frigate. I appreciate the extra object detection feature in MotionEye, whereas MotionEye really only records on, well, motion. Even with two 720P streams, I'm able to do motion detection and object recognition on an ancient Core2Duo Mac Mini, no TPU.
No data leaves my LAN unless I want it to.
The most painful part of the whole process was the YAML files for Frigate.
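A minimal Frigate configuration for the kind of LAN-only setup described in this post, as an added example and not the commenter's own file: one 720p RTSP camera, CPU-only object detection (no TPU), and recordings retained locally. The camera address, credentials and camera name are placeholders.

```yaml
# Added example, not the commenter's config. One 720p RTSP camera, CPU
# detector, recordings kept on the local box. Placeholders: USER, PASSWORD,
# the 192.0.2.10 camera address and the front_door camera name.
mqtt:
  enabled: false          # no broker needed unless you integrate with Home Assistant

detectors:
  cpu1:
    type: cpu             # no Coral/TPU; adequate for one or two low-resolution streams

cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp://USER:PASSWORD@192.0.2.10:554/stream1   # placeholder camera URL
          roles:
            - detect
            - record
    detect:
      width: 1280
      height: 720
      fps: 5              # low detect rate keeps CPU use manageable
    objects:
      track:
        - person          # only raise events for people, not every moving leaf
    record:
      enabled: true
      retain:
        days: 7
        mode: motion      # keep only segments that contained motion
      events:
        retain:
          default: 14     # clips around detected objects are kept longer
```

Nothing here points at a cloud endpoint: the stream is pulled over RTSP from the camera on the LAN, and both detection and storage happen on the machine running Frigate, so the camera itself can stay firewalled from the Internet.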
Don't tell us, tell your legislators. Ideally with some kind of narrative that ties to a financial incentive for the lawmaker and his or her constituents.
If the security industry got together and lobbied for this as both a jobs program (security companies offering services to tech companies) and as a means of protecting Americans/constituents, then it might get somewhere.
> never talk to a politician without remembering that if they don't get a cut
Most voters don't care about digital security. That means most politicians, reasonably, don't care either. Most voters do care about their economies. So linking what you're talking about to talking points the political can use is helpful. Not because they're going to get a cut.
Yes.
Also, this time it's a consumer grade surveillance, but the same goes for security cams in prisons or nuclear facilities: hoarding information (sensitive or not) does not translate 1:1 to increasing security. This should be obvious, still we feel more, not less, safe with our house surveilled with technology.
I kinda agree with you but it’s a tough one because what you’re describing is fining the victims of a crime. We don’t fine homeowners who fit cheap locks and get burgled, do we?
Pragmatically, it might be the right thing to do, but it feels wrong. Would you consider a due diligence to security threshold? That would certainly make it easier for the well resourced to weasel out of fines, but when a small startup comes up against well resourced nation state level hackers with a catalogue of 0days what are they supposed to do? Just go out of business?
We don't fine them, but homeowners usually don't have millions of records of private data at home.
Wouldn't you want your bank to get fined if they aren't secure enough and lose your money? Or your local government if they lose your tax records because they think they don't need to lock their door?
The hard part will be determining whether the company could have done something about it (like locking the doors or the windows). If they could, they for sure should get a fine if they didn't.
We absolutely do fine/convict homeowners if, in a burglary, their improperly secured gun is stolen. The fines aren't for being hacked, they're for not adequately securing user data; ownership of which is a conscious decision.
> We don’t fine homeowners who fit cheap locks and get burgled do we
This isn't an appropriate comparison. I'm not a lawyer but I would imagine this would fall under negligence. Businesses are liable for improperly securing dangerous materials in the physical world.
It would be like fining the victim of home burglary who stores data about their neighbors for profit. Mandatory business data leak should be exempt but everything else should be a liability. If they save cc info by default (opt-out) that should be a major liability.
Want cars not to explode when slightly rear-ended? Why are they so expensive now? Where did the car businesses go? Let's create car security companies! Why so expensive still? ...
I can't make a car company. I can make a webcam on doors company.
And you might say it is about raw materials. But I can buy enough materials for one car and one webcam door. I can't put the car on the road (as much as it makes sense) only because of the sheer amount of cost required to pass regulations.
So while regulation is something we want as customers, I think we'd prefer to not have it become an obstacle in the software sector to the point it exists elsewhere.
That is why I think the GDPR is great since it applies to companies with 250+ employees.
> So while regulation is something we want as customers, I think we'd prefer to not have it become an obstacle in the software sector to the point it exists elsewhere.
Alternatively looked in the metaphor, cars are dangerous things - for the passengers and civilians nearby. We as a society don't want any random vehicle to be on the road due to the risks involved. A webcam door doesn't have this type of risk associated, so it's fine to DIY and whatever. However there are still risks, like PII leaks, so these they need to be mitigated too.
> That is why I think the GDPR is great since it applies to companies with 250+ employees.
No it doesn't? It applies to any company that holds EU citizens' PII.
I am only glad that you aren't selling cars without safety tests.
I would also be glad that not anyone would make an air traffic control or a train signaling system.
While I like FOSS programs and having low barriers of entry in any field, there needs to be a minimal standard that everyone should adhere to where a system failure could affect someone's life beyond minor inconvenience.
I am very much with you on this but I think the biggest hurdle in this theory is that introducing such regulation would create a de-facto hostile innovation environment in that jurisdiction. And no regulator will lightheartedly put themselves into the position of being the guy that “drove away all the innovators/startups/research/business”
> I am very much with you on this but I think the biggest hurdle in this theory is that introducing such regulation would create a de-facto hostile innovation environment in that jurisdiction.
Personally I think that is a price worth paying. Laws like the parent are suggesting are about having a standard that companies need to meet if they want to operate in a given space, and currently it is clear that companies will not meet these standards unless they are legally obliged to do so.
Some would say the most fertile ground for "business innovation" is a country with no labor protection laws.
I think innovation will happen regardless and I'm kinda tired of fear mongering around "throttling innovation" whenever people talk about making our world better for people.
> companies should suffer massive fines / damages / criminal charges when they leak the personal data of millions of customers
This is zealous. If consumers don't care, and nobody can show tangible damages, "massive fines" and "criminal charges" are closer to moral outrage than prudent lawmaking.
No one cares about anything, unless they're the one affected by this.
I don't care if people around me don't have car insurance, but once one of them crashes into my car, I sure want them to have one, while the rest will continue not caring.
So yes, requiring companies to safeguard data, even if that means fines and criminal charges for responsible people is important.
I have a wifi webcam with no Internet access at my front door. It doesn't need Internet access (in fact, it's blocked from going outside the router). It's happily streaming video onto my home network. I just open the stream in VLC on any device to see the live video feed instantly. Easy to make a shortcut that opens the address in VLC.
Video is also being archived locally elsewhere on my home network, but no outside hosting is needed for either instant live access or home archiving. Just a minimum of research.
When shopping for a camera, only buy one that has ONVIF compatibility. Then you can use it with third party apps.
I've worked professionally with wifi equipment and my take on the whole deal is this: if it's on wifi, it will fail not frequently enough to be replaced by something better, but often enough to make you miserable.
Yes, $1000 phones work fine, but every other device? The standard must be a mess because every other wifi certified device is unreliable.
Everything in my house that can be wired, is wired.
Even my beloved Ubiquiti's doorbell cam suffers in much the same ways (and my nest had it too). There must be some difficulty here that is non-obvious for all the competitors to be falling into the same flaws.
I personally blame Unifi's SSO for a lot of the sluggishness. My old Reolink (1/3rd the price of Unifi's offerings) was instant when loaded and connected via IP+port.
Do you think the camera didn’t work because the parent company got ransomwared? Or is this anecdote related to the posted story in a different way that I’m missing?
We should change the URL to point to the Vice article instead. This is a tweet of a screenshot of the hacker's home page, and while we have no specific reason to disbelieve them, we also have no reason to believe they're telling the whole truth.
The Vice story has more context: Ring denies any compromise to their own systems (and if you can't find the ransomware it's not doing its job very well), but there is a third party vendor with no access to customer data who is currently affected.
I'm genuinely surprised we haven't had something like that happen... yet. All these "smart" appliances, fridges, & stoves gotta have the same vulnerability just waiting to make them bots. Considering they're all running some old Android instance.
It has happened. Lots of these devices ARE on botnets. I think it was Cloudflare who claimed a significant amount of DDoS traffic comes from hacked IoT devices.
I wonder what kind of data they had access to. It's usually much easier to reach AND dump, say, an invoicing system, than what I can only imagine is an extremely large set of user data.
Either way, bad look for a company that pitches itself as a home security company.
"Hey, we said your home would be secure, not our architecture."
Leaking user data isn't really penalized enough. First two incidents, high monetary penalty, third incident, company is closed permanently in the interest of public security.
>company is closed permanently in the interest of public security.
So there goes a janitor's job, secretaries etc.
Local cafes, bars, transport lose out. The dependents of all the company are now involved. There's a long chain of consequences after this.
Why not just target the guilty: maybe any punishment should make them suffer.
> So there goes a janitor's job, secretaries etc. Local cafes, bars, transport lose out. The dependents of all the company are now involved. There's a long chain of consequences after this. Why not just target the guilty: maybe any punishment should make them suffer.
I agree. It would be better to make execs personally criminally liable.
They'll find jobs with companies that fill the void but with improved security measures.
If anything, there will be more jobs created by the demand to shore up security. They'll be high quality jobs too, as management will be reluctant to outsource potential criminal liability to incompetent contractors in India.
That makes all of them vested in the outcome that that company was actually good in its security of sensitive information. If they are important to anyone actually involved in the company, the company will take care of things properly.
The same argument is made for why breadwinners shouldn't get jail time when they commit a felony.
Well, I'd argue if the first two high penalties did not have an effect, the company is likely rotten from within and can not really be fixed, so close it.
Also, I find your "but you have to think about the children^WJobs" argument pretty hollow. Nothing can be changed, because some gay lesbian from a foreign country might lose their already precarious job. Come on, is this really an argument for something?
This is interesting. I had an alert from an ID monitoring service I subscribe to today advising of a “mid severity breach” for an undisclosed service. The details leaked were my name, email address, and town of residence. The notification says the service is undisclosed as the provider is still working with law enforcement. I wonder if this is it.
But I would be pretty inclined to distrust a "security" company that has "Limited Liability" in their name when they store a lot of private data serverside. Doesn't exactly inspire confidence in their commitment to actual security and not merely convenient insecurity, which seems to be their actual product.
My personal trust of devices like this is low - and since it is capturing public side recordings (outside my front door) I'm less worried about the videos. I just prefer to treat them as untrusted devices and put them on my guest network isolated from the rest of my network.
> since it is capturing public side recordings (outside my front door) I'm less worried about the videos
Differences between countries are funny. For instance, in France Rings don't fly because you're filming a public place, and by default people have an expectation of privacy and the right not to be filmed. If you want to film a public place (like put a camera that covers the street), there's a specific process to follow that includes getting a permission from the privacy authority, putting up warnings, and having processes (who has access to the videos, when, why, etc.).
I agree with the sentiment. Technically I only trigger video on my property boundary to avoid the street and protect the public's reasonable right to privacy.
Apparently quite a few people have Ring cameras inside their homes as well.
And another point. You might not think video outside your home matters, but it could be invaluable to burglars who want to know when you're not home. I could imagine it being used to deanonymize ___location data as well because it would provide known locations and timestamps to filter data against.
Yes, but doing that is much more risky and time consuming. The burglar could find the basic pattern in a matter of hours rather than days of sitting on the house at the risk of being reported as suspicious. They would also be able to tell which entrances are surveilled and use that information for the burglary itself.
So you could make an argument that with their terrible security track record, numerous leaks etc. Ring is more of a help to potential burglars than it is useful as a security device.
I only trigger video on my property boundary to avoid the street and protect the public's reasonable right to privacy. There will always be the risk of coincidental videoing when someone is on my property - but I try my best to respect my neighbours.
If Twitter doesn't work (well), I recommend nitter.net (or other instances of Nitter, it's open source software). Addons are available for various browsers to automatically redirect.
Nitter is meant as a privacy-friendly Twitter front-end, but I mainly use it because Twitter takes literal seconds to load a 280 character post and Nitter works almost instantly. As an added bonus, it doesn't rely on Javascript to render.
Because often when you click on a link that goes to Twitter and start reading a thread they will pester you to make an account and won’t let you read the whole thread if you don’t.
For what it's worth, this behavior has always bothered me hugely (can't read a thread without registering), but disappeared shortly after the last point you cite. Now there is just a nag notification similar to a cookie acceptance bar, you can dismiss it and read the whole thread without interruption:
Because it very quickly became difficult to read a narrative without losing ones way into...
I don't even know, unrelated pointlessness that has no right to exist.
It's a gateway to somewhere I've never had any desire to visit: other people's drama.
Non partisan reasons to dislike Twitter as a tool of communication were posted before you made this comment.
Anyway, your experience of any social media depends on how you curate it. For example I only follow professional photographers on Instagram so that's the only kind of content I see there.
>Anyway, your experience of any social media depends on how you curate it.
That's not entirely true anymore. Many users of Twitter have recently mentioned the alarming number of violent videos being added to their "For You" suggestions. These users are largely self-siloed into the industry they operate in and self-describe as people that don't follow "fight video" accounts or people that consume that content.
It seems either the suggestion algo has been broken, is being gamed by users, or the platform owners are choosing to feed users toxic content that they didn't request for some reason.
On a tech forum one would expect the reasons to be more centered upon tech rather than (what I think you're referring to anyway) politics.
Twitter sucks because it's full of JavaScript and tracking that you don't need, so I would imagine that most on HN would find it burdensome to even view the content, since many in tech whittle the content down to only getting the packets necessary - which Twitter/Facebook make very difficult.
Nitter has a much better user interface and makes it much easier to see what is happening on your device.
Other than that, the content is mostly just low quality as well, so there's little reason to use it.