Security quote of the week

Posted Jun 8, 2018 5:32 UTC (Fri) by marcH (subscriber, #57642)
In reply to: Security quote of the week by karkhaz
Parent article: Security quote of the week

> 2) does a class action suit actually force a change in the law, or does it merely entitle the damaged party to compensation? I thought it was the latter.

I think you're mixing up two unrelated things.

> https://en.wikipedia.org/wiki/Common_law
> Common law (also known as judicial precedent or judge-made law, or case law) is that body of law derived from judicial decisions of courts and similar tribunals.[1][2][3][4][5] The defining characteristic of “common law” is that it arises as precedent.

Precedent can come indifferently from both class actions and from non-class actions.

Not every court decision is made in a previously grey area, so not every court decision generates new precedent.

Security quote of the week

Posted Jun 8, 2018 15:59 UTC (Fri) by karkhaz (subscriber, #99844) [Link] (2 responses)

Fair enough. But even then, even if a class action suit resulted in a precedent being set, I imagine that the precedent would be something like "it is reasonable to claim compensation from a device manufacturer if their poorly-secured device was used in a botnet that caused you damage"---right? I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Although it might be nice to have that kind of precedent set, what I believe Schneier wants is for such devices to not be sold in the first place. After all, we already have regulations that prohibit devices from being sold if they emit interfering radio waves, or if they pose an unreasonable safety hazard to the consumer, etc. so that we don't even need to wait for the damage to be done before going after the manufacturer. If botnets become a big enough problem to society, then it makes sense to preemptively regulate against them in the same way as any other hazard, rather than playing whack-a-mole with lawsuits.

Security quote of the week

Posted Jun 8, 2018 17:17 UTC (Fri) by pizza (subscriber, #46) [Link] (1 responses)

> I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Not _governmental_ regulations, but if the insurance companies that pay those claims out (under the business' general E&O insurance policies) have to pay out too many claims due to class action suits, they will start requiring that their customers secure things properly as a requirement to getting insurance.

(Not unlike how the payment card industry requires point of sale terminals to adhere to certain standards in order to have the vendor not be liable for fraudulent activity...)

The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Security quote of the week

Posted Jun 8, 2018 18:01 UTC (Fri) by marcH (subscriber, #57642) [Link]

> The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Yes, no solution will ever work without this most basic requirement.
https://en.wikipedia.org/wiki/Externality

Customer (or even worse: consumer) pressure and the "invisible finger" of the market will never be enough with respect to security; security is something that is basically impossible to evaluate before the fact/breach.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds