
I don't see how that protects the people whose data was stolen.

"Here's the license plate number and home address of the guy who just ran over your grandma. Sorry for your loss."




It limits the corporate risks: they know exactly which passwords to change, accounts to lock, and other data loss to ameliorate.

And if the time window of exploitation is kept small, the exact same magnitude of data loss could have happened in a rapid-disclosure and patch scenario. (Two years ago, were practices for rapid response better or worse than now? Would the time window of public-knowledge-but-incomplete-protection have been any smaller - or maybe larger?)

So why not let it break later (and maybe never), rather than earlier? It's like any kind of "technical debt" analysis... oftentimes it makes sense to defer fixes, because by the time the issue becomes critical, it may have already been rendered moot, by larger changes.


That doesn't give me, as a user, much comfort. But I can see your point from a corporate standpoint.

This whole thing just sucks.



