upvote

points

by jasode10 hours ago |
comments
upvoteby SoftTalker6 hours ago|
next
[-]
Katherine Archuleta and Donna Seymour aren't writing code or administering online systems. I'm sure their organizations have security policies and standards, why not put the devs and sysadmins in prison if they didn't follow them?

I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.

Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?

reply
upvoteby pixl974 hours ago|
parent|
next
[-]
>why not put the devs and sysadmins in prison if they didn't follow them

So we should start treating them like licensed engineers... Actually I agree with this.

reply
upvoteby sandeepkd2 hours ago|
parent|
next
[-]
This is bit too far to put onus on devs for security and the comparison is more like apples to oranges with other regular licensed engineers. It hard to justify ROI on Security, if anything it makes it harder to roll out features with more traction.

In the absence of any fine, most companies are comfortable with bit of reputation damage.

reply
upvoteby nightski3 hours ago|
parent|
prev|
[-]
When the Minneapolis bridge collapsed there were no criminal charges involved. HN has this obsession with "licensed engineers" as if it completely prevents catastrophe and holds people to the highest standards. It's just a dog and pony show.
reply
upvoteby pixl973 hours ago|
parent|
[-]
I mean, 40 years is a bit longer than the garbage we're making lasts.

And software holds people to exactly zero standards and it shows.

reply
upvoteby saltcured1 hours ago|
parent|
prev|
next
[-]
Accountability needs to start at the top. To allow a system where some underling is a liability blind for the top is to set up a system ripe for abuses of power.
reply
upvoteby jtbayly4 hours ago|
parent|
prev|
[-]
No problem. We can have AI do it.

And the side benefit is that we could summarily execute one every once in a while for failing to write secure code.

reply
upvoteby paulddraper1 hours ago|
prev|
next
[-]
> As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour could have been put in prison as punishment instead of just resigning.

If they committed a crime.

Law enforcement failing to prevent a robbery is not treated on the same order as someone committing a robbery.

As a practical matter, I just assume that the data I provide to anyone will get leaked, because there's a pretty good chance it will.

reply
upvoteby markdown7 hours ago|
prev|
[-]
> The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.

Let's not forget the largest data breach in US history by Elon Musk and his DOGE kids.

reply