
Parent comment is saying that the deterrent could be how difficult you make it to hack you.

A case where the best, and possibly only, offense is a good defence.




> But legally, we must hold accountable organizations who are breached

Parent comment is also insisting on the immature idea that we must generically hold organizations accountable when breached. I say immature because this idea keeps popping up once in a while from people who didn't yet realize that it's been debated repeatedly in the past and it didn't get applied so generically for good reason.

There are so many nuances OP has ignored, and so many ways this is not only impossible, it's also a bad way of dealing with the situation. When a private citizen gets breached due to an insecure ISP router, is it just the ISP to blame or also the user for not buying a better one even though the ISP allowed it? Who's responsible when a company user gets tricked by phishing even after the regulation training? Personally liable for the breach? When a company Linux server vulnerability is exploited, who gets the blame? The user? The admin? The distro maintainer? The developer who pushed the code? This would kick OSS software to the curb because most of it does not have an "organization" behind it to take the blame for every vulnerability.

Organizations will be breached. Most of them can't even afford the defenses that an averagely determined attacker can afford to penetrate. Where do you draw the line between who's to blame, attacker or victim? With real world crime we did a good job of fine tuning that threshold over centuries.

Best you can do (and we should do) is come up with a set of rules, regulations, and best practices that are enforced by law, and I think this is coming one way or another. For example "patch any CVSS 9 or higher within 14 days of publishing", "implement 2FA for x and y access". But even these rules will always be behind the times and never enough to thwart attacks. It raises the bar for a successful attack and creates a clearer (not clear) threshold for responsibility.

Sure, some cases are clear cut, you haven't patched for 2 years and have no leg to stand on. But the solution is certainly not blanket blaming the victim because you can fit it in an HN comment.


The crims have obviously worked out that it's much easier to subvert the "users" rather than have a head-to-head battle with IT. If a user (even a careful one) clicks on a link in an email, should they actually be held responsible for what follows, or is it the fault of IT/Security whose security setup allowed an email with a dubious attachment to make it through to the user?

I know many intelligent, conscientious, non-techy users who'd be mortified to think they enabled a ransomware attack - but is it their fault?



