I thought the problem with Vastaamo was that the CEO was in charge of the MySQL database and he was basically a hobbyist that didn't care much for security. (yeah zero proper sources for that... my level of Finnish is terrible)
And then Murphy's law kicked in. A villain nabs the data for free and does his thing.
Liability for the whole software industry needs to be re-thought.
The problem with jailing CEOs is that even if it would work the first couple of times the other possible effect would be that people would do even more to brush their fuckups under the carpet...
The EU has got this right I think: massive fines in case of a breach to the point that the CEOs are starting to pay attention. That certainly isn't perfect but it is a step in the right direction.
Healthcare is particularly vulnerable and I'm always surprised that people in HC seem to think that they aren't a target. This is a huge mistake imo, there is massive blackmail potential in healthcare data.
The problem with the classic "burn the CEO" knee-jerk is that it only leads to security theater.
CEO hires CISO. CISO makes a big splash, and spends a ton of time getting the business certified in various ways, to prove to CEO stuff is being done.
In reality, security remains atrocious at the tactical level, and the company hemorrhages security talent because no one wants to work for clueless assholes.
Ultimately, eventually, breach still happens, CISO falls on their sword, but is fine because they and CEO always knew this is what they were really being hired to do and compensation was engineered around that expectation.
--
What actually works is a gentle, gradual pressure to move to a better security posture (e.g. vaulted credentials, separate security domains, etc.), implemented over time as opportunity allows, preventing new vulnerabilities from being introduced by targeting development processes, and financially incentivizing developers throughout the company to report issues when they find them.
If someone left a car door open with the car full of confidential documents and someone stole them, the person who left the door open would definitely be held responsible.