Proposition: Cyberattacks that seriously affect life or safety, where the perpetrator can be positively identified, should be punished with life imprisonment with no possibility of parole. Discuss.
Lauren Weinstein (lauren@mastodon.laurenweinstein.org)'s status on Sunday, 04-May-2025 03:07:49 JST
Rich Felker (dalias@hachyderm.io)'s status on Sunday, 04-May-2025 03:07:47 JST
@lauren Punishment for the decision maker who put vulnerable systems in positions where their subversion can impact life or safety? Yes please!
Oh, you meant the shithead cybercrime hustlers who make convenient scapegoats? Not even the folks who enabled their whole thing by making up magic toy money and lobbying governments not to imprison anyone trying to sell it for real money for securities fraud??
Rich Felker (dalias@hachyderm.io)'s status on Sunday, 04-May-2025 03:09:02 JST
@lauren It's about as good an idea as getting mad at drug dealers rather than the CIA.
Rich Felker (dalias@hachyderm.io)'s status on Sunday, 04-May-2025 06:57:26 JST
@lauren @falcon This isn't blaming end users. This is blaming powerful decision makers who make a choice not to spend money on security and IT operations professionals, and to cut corners eliminating non-networked analog systems that could serve as backups in the event of outages caused by intentional attacks or natural or incompetence-induced outages.
Nobody should die or be unable to be treated when a hospital's IT systems go down, whatever the reason.
Lauren Weinstein (lauren@mastodon.laurenweinstein.org)'s status on Sunday, 04-May-2025 06:57:28 JST
@falcon Blaming the end user firms for security breaches will only take one so far. Increasingly, risks are complex and tied to cloud systems (and now, AI systems) that the Big Tech providers are disclaiming responsibility for. Already, generative AI systems are being used to massively leverage new forms of effective cyberattacks, and as usual Big Tech is disclaiming all responsibility for AI abuses. It is not surprising that so many firms are unable to stay ahead of the escalating threat surfaces, with Big Tech AI now actually enabling the attackers.
Falcon Darkstar (falcon@mastodon.falconk.rocks)'s status on Sunday, 04-May-2025 06:57:29 JST
@lauren it is pointless. We can continue to prosecute some of these attackers with varying success, but the more pressing and impactful thing is to compel organizations who hold a public trust (banks, hospitals, etc.) to do more than the bare minimum to defend.
These attacks are the wages of low-cost software development, a CYA approach to compliance, and an emphasis on generic bolt-on security products that mostly don't work (instead of better software engineering).
Falcon Darkstar (falcon@mastodon.falconk.rocks)'s status on Sunday, 04-May-2025 07:47:23 JST
@dalias @lauren or, like for example systems in airplanes and medical device firmware, everything in the critical path should be designed for high reliability.
Instead we build gigantic internet-accessible web apps with a thousand unnecessary parts and interfaces, and then occasionally it gets hacked or just goes down on its own, and people suffer.
The responsibility for that is mostly on vendors like Epic and on the hospitals that choose to use them, and on our field's lack of ethics.
Rich Felker (dalias@hachyderm.io)'s status on Sunday, 04-May-2025 09:03:40 JST
@lauren @falcon While all that is true, legacy communication links are not what we were talking about. Rather, there's already an unjustifiable critical gap in safety if keeping people alive depends on communication links.
Lauren Weinstein (lauren@mastodon.laurenweinstein.org)'s status on Sunday, 04-May-2025 09:03:41 JST
@falcon @dalias Maintaining legacy systems can become impossible even when you want to. Case in point, it has become literally impossible to maintain analog or even many older (actually more secure, dedicated) digital communications links. The carriers (e.g. AT&T) simply will not provide them, or in some cases even fix them when they fail (this goes far, far beyond landlines, which I've discussed many times and will probably be discussing again Monday on my national radio tech segment). And the reason the carriers no longer will provide those circuits and systems is that regulators have permitted them to do so -- a situation that will only accelerate now under the new MAGA FCC chairman. And the regulators have been largely bought and owned by politicians from both parties over the many years. Firms can't use what they can't obtain!
Falcon Darkstar (falcon@mastodon.falconk.rocks)'s status on Sunday, 04-May-2025 09:03:57 JST
@lauren @dalias I hazard it is in part a lack of demand because incompetent managers are rarely held to account for incurring risk. It has been only 20-30 years since we designed and engineered these systems for high reliability in at least some contexts, and we still remember how to pull cable and use terrestrial radios. We can get it back if we want to.
Folks in tech are way too easily swayed by trends and "inevitability" right now, also due to bad incentives.
Falcon Darkstar (falcon@mastodon.falconk.rocks)'s status on Sunday, 04-May-2025 09:38:37 JST
@lauren @dalias society exists thanks to communication. In the aeronautical world, safety depends in large part not only on communication, which was made as reliable as possible, but on good and tested procedures for what to do (as completely and predictably as possible) when communication fails. So the airspace system is engineered and I have a procedure to follow so that even in an opaque cloud with no radios or radars, my location and next action are predictable. We need more of that.
Lauren Weinstein (lauren@mastodon.laurenweinstein.org)'s status on Sunday, 04-May-2025 09:38:38 JST
@dalias @falcon If you're talking about hospital contexts specifically, they have always depended on comm links of one sort or another -- even if that was humans running from floor to floor. But again, the dependence on complicated IT systems in medical environments has been driven by a number of factors, including to a significant degree regulatory compliance. Which brings us back to the regulatory/political realm again. In the final analysis, it's always follow the money.