Security quote of the week

Posted Jun 7, 2018 13:32 UTC (Thu) by karkhaz (subscriber, #99844)
In reply to: Security quote of the week by mjthayer
Parent article: Security quote of the week

1) A lot of what Schneier is complaining about is vulnerabilities that affect IoT and embedded devices worldwide, and where a botnet powered by non-US devices can cripple people and companies in the US. Who are you going to sue for damages in that case, the whole world and all of their CCTV cameras? Better to ensure that the vulnerable devices don't end up in consumers' hands in the first place. I agree with you that this is not something that is likely to be enacted in US law. So my suggestion is to lobby for it to be enacted in EU law, so that US consumers (and everybody else) also end up with safer devices from manufacturers who want to sell in both markets.

2) does a class action suit actually force a change in the law, or does it merely entitle the damaged party to compensation? I thought it was the latter. This doesn't stop companies from selling their devices, it just gives them an incentive to hire expensive lawyers to demonstrate that it wasn't their fault in court. I realise that taking everything to court so that everybody apart from the lawyers ends up worse off is the American Way, but I'm more concerned with preventing the problem than retroactively seeking damages for its effects.


to post comments

Security quote of the week

Posted Jun 8, 2018 5:32 UTC (Fri) by marcH (subscriber, #57642) (3 responses)

> 2) does a class action suit actually force a change in the law, or does it merely entitle the damaged party to compensation? I thought it was the latter.

I think you're mixing up two unrelated things.

> https://en.wikipedia.org/wiki/Common_law
> Common law (also known as judicial precedent or judge-made law, or case law) is that body of law derived from judicial decisions of courts and similar tribunals. The defining characteristic of "common law" is that it arises as precedent.

Precedent can come indifferently from both class actions and from non-class actions.

Not every court decision is made in a previously grey area, so not every court decision generates new precedent.

Security quote of the week

Posted Jun 8, 2018 15:59 UTC (Fri) by karkhaz (subscriber, #99844) (2 responses)

Fair enough. But even then, even if a class action suit resulted in a precedent being set, I imagine that the precedent would be something like "it is reasonable to claim compensation from a device manufacturer if their poorly-secured device was used in a botnet that caused you damage"---right? I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Although it might be nice to have that kind of precedent set, what I believe Schneier wants is for such devices to not be sold in the first place. After all, we already have regulations that prohibit devices from being sold if they emit interfering radio waves, or if they pose an unreasonable safety hazard to the consumer, etc., so that we don't even need to wait for the damage to be done before going after the manufacturer. If botnets become a big enough problem to society, then it makes sense to preemptively regulate against them in the same way as any other hazard, rather than playing whack-a-mole with lawsuits.

Security quote of the week

Posted Jun 8, 2018 17:17 UTC (Fri) by pizza (subscriber, #46) (1 response)

> I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Not _governmental_ regulations, but if the insurance companies that pay those claims out (under the business' general E&O insurance policies) have to pay out too many claims due to class action suits, they will start requiring that their customers secure things properly as a requirement to getting insurance.

(Not unlike how the payment card industry requires point of sale terminals to adhere to certain standards in order to have the vendor not be liable for fraudulent activity...)

The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Security quote of the week

Posted Jun 8, 2018 18:01 UTC (Fri) by marcH (subscriber, #57642)

> The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Yes, no solution will ever work without this most basic requirement.
https://en.wikipedia.org/wiki/Externality

Customer (or even worse: consumer) pressure and the "invisible finger" of the market will never be enough with respect to security, security is something that is basically impossible to evaluate before the fact/breach.

Security quote of the week

Posted Jun 8, 2018 12:16 UTC (Fri) by mjthayer (guest, #39183)

Admittedly not what I originally had in mind (other comments suggest that class actions are no longer current anyway), but I could imagine people affected by DDoS attacks suing the makers of specific insecure IoT devices involved in the attack.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds