Comment by brightball
5 years ago
I’ve always thought along similar lines. What bothers me is that, if someone were to break into your home there is risk to them because you are allowed to defend yourself by fighting back.
As far as I know, we aren’t allowed to counter attack cyber attackers so our only option is better defenses and then handing things off to authorities. I used to work for a smaller eBay-for-a-niche-market type site and dealing with fraud was our biggest issue.
We tracked fraud ourselves and even managed to send a delivery to a PO Box used by someone who had swindled customers out of thousands of dollars. We contacted the authorities, told them everything and exactly where the criminal would be.
They did nothing.
If we aren’t allowed to fight back and the authorities won’t do anything, what deterrent is there?
Parent comment is saying that the deterrent could be how difficult you make it to hack you.
A case where the best, and possibly only, offense is a good defence.
> But legally, we must hold accountable organizations who are breached
Parent comment is also insisting on the immature idea that we must generically hold organizations accountable when breached. I say immature because this idea keeps popping up once in a while from people who didn't yet realize that it's been debated repeatedly in the past and it didn't get applied so generically for good reason.
There are so many nuances OP has ignored, and so many ways this is not only impossible, it's also a bad way of dealing with the situation. When a private citizen gets breached due to an insecure ISP router, is it just the ISP to blame or also the user for not buying a better one even though the ISP allowed it? Who's responsible when a company user gets tricked by phishing even after the regulation training? Personally liable for the breach? When a company Linux server vulnerability is exploited who gets the blame? The user? The admin? The distro maintainer? The developer who pushed the code? This would kick OSS software to the curb because most of it does not have an "organization" behind it to take the blame for every vulnerability.
Organizations will be breached. Most of them can't even afford the defenses that an averagely determined attacker can afford to penetrate. Where do you draw the line between who's to blame, attacker or victim? With real world crime we did a good job of fine tuning that threshold over centuries.
Best you can do (and we should do) is come up with a set of rules, regulations, and best practices that are enforced by law, and I think this is coming one way or another. For example "patch any CVSS 9 or higher within 14 days of publishing", "implement 2FA for x and y access". But even these rules will always be behind the times and never enough to thwart attacks. It raises the bar for a successful attack and creates a clearer (not clear) threshold for responsibility.
Sure, some cases are clear cut, you haven't patched for 2 years and have no leg to stand on. But the solution is certainly not blanket blaming the victim because you can fit it in an HN comment.
The crims have obviously worked out that it's much easier to subvert the "users" rather than have a head-to-head battle with IT. If a user (even a careful one) clicks on a link in an email, should they actually be held responsible for what follows, or is it the fault of IT/Security whose security setup allowed an email with a dubious attachment to make it through to the user?
I know many intelligent, conscientious, non-techy users who'd be mortified to think they enabled a ransomware attack - but is it their fault?
“there is risk to them because you are allowed to defend yourself by fighting back”
This depends a lot on what jurisdiction you live in.