Comment by chii
1 day ago
> nobody gets fired when there's a breach
This must mean the consequences of such a breach have either not produced any visible damage, or the entity being damaged is uncaring (or has no power to care).
If you fire people for stuff they didn't maliciously introduce, you will end up with no people to work with.
Imagine jailing doctors for every patient that died; you would be out of doctors quite soon.
The legal system already has a sufficient cop-out: for anything that you should have been aware of, or would have been informed about.
E.g. doctors do get sued and fired for malpractice, if they did something no other skilled doctor would reasonably do ("let's just use the instruments from the previous surgery").
Here are a bunch more things to make you even more scared.
- Oops! Mistakenly left some instrument inside and sewed up the patient.
- Junior begging to do a certain step of the surgery while the anesthesiologist is asking them to just get a move on.
- Administered a drug to a newborn baby which was supposed to be given to the mother. (My sister's colleague did this with no consequences.)
We don't get delivered to us 18-year-olds that happen to be in perfect health. And a lot of Americans don't believe in wellness visits. Although more and more it's the insurance companies that are practicing medicine. Sorry, it's a sore subject with me lol
If the doctor is criminally negligent they could be jailed.
My sister knows a doctor who botched a surgery due to an argument with a junior who wanted to do some step of the surgery. The senior one was not having it at all and just threw the scalpel directly at him. Nothing happened to him because if we start firing doctors for this, we would be missing out on all the surgeries he did successfully.
That's kind of obvious; I didn't think it had to be spelled out.
> this must mean the consequences of such a breach has either not produced any visible damage
Yeah, let's say you were carrying unencrypted frames for Bill's Burger Hut.
The largest extent of the damage might be sniffing some SMTP credentials or something. Bill sends some spam messages, never figures out how it was done, but their IP reputation is always in the toilet.
Let's then say instead of Bill's Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isn't a scammer, but a hostile nation state. The customer never realises, but there's a large, long-term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
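The "sniffed SMTP credentials" scenario above has a defender-side counterpart: checking your own mail server's protocol trace for clients that authenticate before the session has been upgraded with STARTTLS, since those credentials crossed the unencrypted link in the clear. The following is an added example, not code from anyone in this thread; the "<session> <C|S>: <line>" trace format and the two sessions it parses are constructed for illustration, and the credential blobs are generated in-code so the sample is self-consistent.

```python
import base64
from dataclasses import dataclass


def auth_plain_blob(user: str, password: str) -> str:
    """Encode an RFC 4616 AUTH PLAIN initial response (empty authzid)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


# Constructed sample protocol trace in a hypothetical "<session> <C|S>: <line>"
# format, as a mail server's own debug log might record it. Session S1 sends
# AUTH before STARTTLS (credentials crossed the wire in the clear); session S2
# upgrades to TLS first. Both use the same constructed username and password.
SAMPLE_TRACE = "\n".join([
    "S1 C: EHLO laptop.example",
    "S1 S: 250-mail.example",
    "S1 S: 250-STARTTLS",
    "S1 S: 250 AUTH PLAIN LOGIN",
    "S1 C: AUTH PLAIN " + auth_plain_blob("bill@burgerhut.example", "constructed-pw"),
    "S1 S: 235 2.7.0 Authentication successful",
    "S2 C: EHLO laptop.example",
    "S2 S: 250-mail.example",
    "S2 S: 250-STARTTLS",
    "S2 S: 250 AUTH PLAIN LOGIN",
    "S2 C: STARTTLS",
    "S2 S: 220 2.0.0 Ready to start TLS",
    "S2 C: EHLO laptop.example",
    "S2 S: 250 AUTH PLAIN LOGIN",
    "S2 C: AUTH PLAIN " + auth_plain_blob("bill@burgerhut.example", "constructed-pw"),
    "S2 S: 235 2.7.0 Authentication successful",
])


@dataclass
class Finding:
    session: str
    mechanism: str
    username: str  # login name only; the password is never surfaced


def username_from_plain(blob: str) -> str:
    """Extract the authcid from an AUTH PLAIN blob without returning the password."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<undecodable>"
    # Layout is authzid \0 authcid \0 password; authcid is the login name.
    return parts[1].decode(errors="replace") if len(parts) == 3 else "<malformed>"


def find_cleartext_auth(trace: str) -> list[Finding]:
    """Flag every AUTH command a client sent on a session not yet upgraded to TLS."""
    tls_up: dict[str, bool] = {}    # session -> has TLS been negotiated?
    awaiting_220: set[str] = set()  # sessions whose STARTTLS awaits the server's reply
    findings: list[Finding] = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        session, who, line = raw.split(" ", 2)
        words = line.split()
        if who == "C:":
            verb = words[0].upper()
            if verb == "STARTTLS":
                awaiting_220.add(session)
            elif verb == "AUTH" and not tls_up.get(session, False):
                mech = words[1].upper() if len(words) > 1 else "?"
                if mech == "PLAIN" and len(words) > 2:
                    user = username_from_plain(words[2])
                else:
                    user = "<not in initial response>"
                findings.append(Finding(session, mech, user))
        elif who == "S:" and session in awaiting_220:
            awaiting_220.discard(session)
            # A 220 reply means the server accepted STARTTLS; the TLS
            # handshake follows and later commands are protected.
            if words[0].startswith("220"):
                tls_up[session] = True
    return findings


if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_TRACE):
        print(f"session {f.session}: {f.mechanism} auth for {f.username!r} before TLS")
```

Only the login name is decoded from the AUTH PLAIN blob; the password stays inside the base64 and is never written out, so the report can be shared with the account owners without itself becoming a credential leak. Adapting this to a real server means only replacing the trace parser in `find_cleartext_auth` with one for that server's log format.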
End user license agreements are a huge part of the problem. Ideally users could sue if our data is leaked, and the threat of being sued would put pressure on companies to take security more seriously. I.e., it would become a business concern.
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there are no consequences. And not a thing any of us can do about it.
There is in at least California, the EU, and China. A lot of clauses in EULAs aren't actually legal.
On the other hand, you can't sue a company for losing your data in many EU countries. You can report them to whatever data protection agency your country has, and after an investigation they can fine them and/or, in more serious cases, turn the matter over to the police for a criminal investigation.
The disadvantage of this is that the local data protection agencies haven't been handing out very big fines. Sometimes that's due to company law. In my country you'd fine the owning company, which in many cases will be a holding company. Since fine sizes are linked to revenue and a holding company typically has no revenue, this means fines are often ridiculously small.
Or, the entity being damaged is not the decision maker and has no power to hold the decision maker responsible.
Or the damage is diffuse whereas the costs of preventing the breach would be concentrated. Or the connection between the damage and the breach is difficult to prove.