
It's amazing that (approximately) no one cares about stuff like this.

GoDaddy was severely breached several times over several years, yet they still rake in billions of revenue from their millions of customers. Now they have to pay someone to fill out a biennial checklist and... promise to not lie. Awesome.

If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)



> If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)

As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"


> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"

Depends on the industry. I'm in healthcare, and our legal department is always reminding the devs that even a small breach can be financially catastrophic for the company, as the fines are totaled at $xx,000 per person affected.

We get training on it every six months.


Except Change Healthcare got hacked, lost a ton of records, and they are still operating. So those fines could be up to $xx,000 per person affected, but in actuality those affected will get an Arby's coupon and the C-suite will lose a week of yacht time.


I didn’t even get an Arby’s coupon.

I got a letter telling me they gave away my information with a link to an "identity monitoring" site that looks like the CEO's nephew built it in a weekend and just errors out when I sign up.


Not even that. You always have insurance for this stuff.


But then the insurance company has to pay, and they'll work hard to make sure it doesn't happen. This doesn't sound like an explanation to me.


You don't really have a choice, you have to have insurance for breaches (HIPAA term, not strictly the typical cybersec term, means any loss of control of information that results in potential of dissemination of PII).


I'd honestly prefer an Arby's coupon or perhaps a crisp $1 note over "1 year subscription to our credit monitoring service"


So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data. If it can't hit the bottom line bigcorps don't care; liability is the only language they understand.


> So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data

Then you get people on HN shouting "regulatory capture!" and "stifling innovation!"


You have to provide your email to sign up for HN, however, it is not publicly visible. If YCombinator had to pay $10,000 for leaking a user email, this site isn't going to exist since it's not their core business and represents a huge liability.

It's also disproportionate. If my email is leaked in the context of receiving treatment for a stigmatized disease, that's a lot worse than an MMORPG leaking my real name.

Maybe some penalty is necessary, but $10k or above per user is disproportionate for the vast majority of people. A $50/person penalty with gradations for sensitivity of the information is going to work better in practice. If leaking an SSN is more expensive than an email or site-specific ID, corporations might stop using SSNs to identify people to reduce their exposure.


Have the C-suite hand back their compensation above minimum wage for the last 3 years. Fine the company, all profits, or a percentage of global revenue (and pay that back to customers).

If the outcome of ignoring data security is to not make any money then companies will actually do something about it.

Penalties should push the company to the point of failing.


> Then you get people on HN shouting "regulatory capture!" and "stifling innovation!"

Your phrasing it like this is not a substitute for explaining why it wouldn't be those things.

Also, the most obvious thing is: if you're a healthcare provider, you would probably hire some hackers to go after your competition, and let heavy-handed fines take them down. Much easier than providing better value.


Wouldn't that strongly incentivize companies to secure their data better, thereby achieving the goal?


It might achieve that goal, at the too-high expense of other things.


Yeah it sucks, but what can you do when you have titanic amoral agents stomping through society? You gotta speak their language. Maybe scale the penalty with the size of the company.


Then I (a normal user) find myself in the position of my data being stolen/mishandled AND having to either pay for it via increased fees, or my healthcare provider goes belly-up and I have to find a new one.


I'd like to hear more about this training -

I have started to put together some resources to teach the C-suite, maybe new-to-the-field lawyers, and other interested stakeholders about website compliance issues.

Looking to mimic other good training / learning materials, extra info to consider, maybe collab and send business I can't take on, etc.


Not the person you are replying to, but I work in security and have spent ~5 years of my career helping various companies set up and maintain security awareness programs.

There are some out-of-the-box solutions that can start you on your way to creating a security awareness training program, such as KnowBe4 and ProofPoint (there are others as well, but these are some of the big names). If you don't have in-house security staff, these types of offerings can be quite helpful.

For a more grounds-up approach, there are guidelines such as the NIST SP 800-50 "Building a Cybersecurity and Privacy Learning Program" guidance. (https://csrc.nist.gov/pubs/sp/800/50/r1/final)

If you have specific questions, I can try to answer them.


As a technically-minded person, I've found both KnowBe4 and ProofPoint trainings to be very lacking/boring/superficial.


While I agree with you, that's why they are a starting point for someone looking to stand up a program, not an end point.

And, from my experience, many of the trainings that seem almost offensively easy to me (e.g. "How to read a URL") have been some of the ones that received the most positive feedback from non-technical departments.

The real key with security awareness training is ensuring the training is at the appropriate level of complexity for the trainee.


Very glad to hear about these options and how they can be perceived by people. This should mean there are paths, and that if they can be made better / different for different audiences, they may be well received.

Appreciate you and @ziddoap offering insight!

Looking at a starting deck for FTC issues, HIPAA issues, and Google's policies, all for websites and apps specifically, very soon, and letting the videos / webinars / interactive / discussions grow from there.


KnowBe4 is awesome. It trains everyone to be on the lookout. The penalty for barely screwing up is another boring training session that no one has time for. Very painful. Pain is a great teacher.


One way to relieve the boredom is to count the number of times you see the people in videos typing away on desktops/monitors with no cables plugged into them.


It turns out HIPAA is a pretty good incentive to do the right thing, and the key difference is that there are actual consequences for violating HIPAA.

Even better, the consequences are stronger in the event that the company obviously wasn't giving a fuck about security.

I wish we had HIPAA for all PII.


But it does slow things down. Startups don't want to deal with that stuff. So they'd have to outsource it. I'm not sure how.


Yeah I got those trainings when I was merely healthcare adjacent adjacent adjacent.


> As SRE, I've heard executives say this "There is no penalty for breaches, why care?"

Honestly, I'm more afraid of reputational loss than government fines. Our customers don't have to use our product. They do because they trust us. Lose that trust and it's awfully hard to get it back.


The whole thread is related to GoDaddy's numerous breaches not affecting their bottom line or market position. So it seems lots and lots and lots of people really don't care.


I can take my business elsewhere and do.

but do I blame the average person for not caring? The kind of person who would use GoDaddy for hosting? I find it really hard to blame them.


Also your data will probably just be leaked somewhere else sometime anyway. Punishing a single company once unfortunately does next to nothing at this point.


Crowdstrike took down all Windows boxes that had their software installed, and it didn't really affect them.


I think customers feel, rightly or wrongly, there's no alternative to CrowdStrike.

There are so many alternatives to what GoDaddy provides, it is quite commoditized.

But also... true, their customers don't seem to care anyway? Or it's "cost of switch", even just mentally? If you were starting fresh it really wouldn't be any harder at all to go with any of numerous alternatives, but if you already have godaddy...


I've actually not worked anywhere that has used CrowdStrike. It's usually ruled out as too expensive (I've mostly worked in public sector). I've had very good experiences with Sentinel One and Microsoft Defender. I've had terrible experiences with Trellix and Sophos. "Oopsy" aside, is CrowdStrike really that much better than the competition?


I only worked at one shop that used CrowdStrike, but TBH, compared to the others I've had to deal with, it is definitely the 'least' shitty of the competitors...


The big four (CRWD, S1, Prisma, and MDE) are all mostly comparable tbh.

EDR (especially Windows EDR) is heavily commodified.


A commodified market with no good product? Something is wrong here.


It's enterprise software. The people using the software and the people choosing the software are not the same people. In many cases they only buy it to satisfy a contractual or regulatory requirement and then the primary criterion is which one costs less or which one's sales reps give the best kickbacks, with considerations like "is it any good" not really playing a major role.


Race to the bottom.


I always feel dumb and like I'm missing some fundamental principle thinking about companies like GoDaddy. They provide a pretty undifferentiated commodity with a relatively low bar to switching, don't seem particularly well run or trustworthy based among other things on events like this, and their brand and marketing give off a vaguely skeezy low-rent vibe. Is it just a perpetual motion machine of market sharing affording good marketing which then drives continued market share?


> Is it just a perpetual motion machine of market sharing affording good marketing which then drives continued market share?

Worse. It's a market where most of the customers are unsophisticated but price sensitive, so they tend to prefer the provider with the lowest apparent price, and then the big providers compete on the basis of who can present the lowest apparent price through the use of dark patterns, misleading claims, bait and switch tactics and hidden fees.

Example: GoDaddy provides a "free" site builder but if you use it the resulting site can't easily be extricated from their service and now you're locked in if you don't want to recreate your site. Meanwhile the price you were quoted for various services was an onboarding price and now that you've sunk a lot of time creating and improving the site you can't move, the price is going up.

This is, incidentally, a major reason WordPress is so popular despite being fairly miserable. It makes it easy for unsophisticated users to get started and your site isn't tied to a particular host.


Are banks not fairly commodified too?

Did you move to a new bank after yours had a security breach?

There are so many breaches these days, companies don’t even have liability — any damages can be blamed on another breach.


Not commodified as much as regulated. The personal data that banks collect is probably mandated by the government, so switching banks doesn't really change the risk someone faces. And probably a bunch of other things that would otherwise be competitive advantages for customers too. The lack of full reserve banks (or close enough to it), despite what would be a reasonable level of customer demand, for example.


Yet.

It takes time; there are plenty of lawsuits flying around that incident.

Even if they win all the suits without settling or losing, customers will negotiate far stiffer penalties and controls on next renewal, or get steep discounts, or just straight up switch vendors.

Sooner or later their ability to be competitive will get affected and they will likely become a target for acquisition and rebranding.

Organizations of that magnitude do not collapse overnight like startups.


I’ve been around long enough to see this not happen. Crowdstrike ticks a lot of boxes and no one buys them for anything else.


Crowdstrike's security reputation matters a lot more. I'll bet the customers assume the competitors have the same reliability problems, they can tolerate a little downtime, and going with nobody is even worse.


> they can tolerate a little downtime

A couple of days of production stopped can cost a lot of money.


I feel this is more important for a younger or smaller company, and less so when stopping a product from one company to switch to another is a pain in the ass or has other problems / risks.

Switching from GoDaddy to another registrar is not super hard, but there are hurdles, and sometimes problems occur that even people with experience run into.

I think (some?) people also hope a place that suffers a breach learns from it and makes it near impossible for similar to happen again.


That reputational loss is almost exclusively among those who understand how the crowdstrike products work, but the Venn diagram with those folks and “people at companies who can approve large expenses” is nearly empty.

Yes, the CRWD ticker took a hard hit, dropping about 50% over the course of 2 weeks last July. But... it recently topped its previous high, only 7 months later (which is like 1/2 or 1/3 of an enterprise sales cycle!).


Most customers use your product because it was on the first page of their Google search results.

The only people whose reputation gets ruined are the D-level directors and managers who run this stuff and regularly run into budget or resource shortfalls that prevent them from doing all that they are capable of doing.


Creating lock-in which prevents customers from having an alternative is a more effective use of money, because it "solves" not just the threat of reputation loss due to security failures, but many others at the same time.


Many people consider building a business on customer trust to be a strategic mistake.


We’Ve eVaLuaTeD the RisKs




> And people wonder why Luigi is seen by some as "the good guy".

There are many reasons to explain why people wonder. No one single reason is enough to explain it.

Luckily, no penalty for breaches can be resolved with laws and/or regulations. I suggest you take this matter up with your lawmakers instead of making comments which incite those very same people you describe.


It's a bit exhausting that every time anyone says anything about executives in any context, we have to make sure to bring up the cold-blooded murder of one of them and make sure to remind everyone that some people on the internet think that that murder was justified.

It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.


> It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.

What makes you think it's not constructive?!

I think it's worth discussing why a large number (possibly even a majority!) of people want to murder executives. Telling those people to shut up removes yet another way for them to express their opinions. I think taking notice of the room is very constructive. I think having a point to discuss (even if it's violence) is constructive. Talk is cheap, after all; and talk is way cheaper than murder.

Moreover, I've heard many many many people insist that violence is never the answer. Alas, they forget that violence is how most countries were founded; ignore that many laws and regulations are written in blood; and rarely consider the situations where all other solutions have been explored and exhausted. Further, if business is so worried about costs, and violence can be cheaper than exploring all alternative options, then there's definitely a business mindset to that. And business is what you want to discuss anyway, right?

If you really think violence is never the answer then you should do everything in your power to prevent it. So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead. You might discover a new/unique point of view, or you might even be able to change their mind.


> What makes you think it's not constructive?!

Because it's completely and totally irrelevant to the topic at hand, the only connection is the general strata of the position that the people held—not even the same title, just the same class of title!

I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.

> So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead.

They didn't express an opinion, they casually referenced a mostly unrelated sensational story while intentionally avoiding expressing an opinion.


> Because it's completely and totally irrelevant to the topic at hand

Fun fact: topics can change while discussion continues.

> I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.

To be clear, neither am I. But I do think it's important to discuss with people who think it is okay because, as I said earlier, telling them to shut up will result in worse situations.

> They didn't express an opinion

Perhaps the mere fact that you don't recognize their comment as an opinion is partly why people feel unheard.


> Fun fact: topics can change while discussion continues.

That doesn't make it reasonable to insert a casual call for murder into every loosely related conversation [0].

[0] https://news.ycombinator.com/item?id=42860778


You're right, it doesn't.


It's the time we live in.


They are also the worst hosting provider I have ever worked with, multiple times. Awful customer support and high prices. The only reason I work with them anymore is to migrate new customers to a different provider.


GoDaddy had really good marketing at one point and as of the last time I used it, which was years ago, they make it very difficult (I'm pretty sure by design) to leave. Their UX was one of the worst I've ever experienced in my life and they were consistently moving things around to make it worse. They essentially trap you, and someone without either the savvy or diligence will just give up.


If you don't make the fines or whatever substantially more than the profit of the illicit or negligent conduct, it isn't a consequence. It's a budget line-item.

Every regulatory agency in America has been stripped to the bones by decades of budget cuts and never ending accusations of "stifling innovation" and we're shocked now that companies get away with both metaphorical and actual murder.


The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at Wordpress maintenance, for example.

It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time, effort and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.


So basically like Microsoft?


They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider, footing their businesses on shaky foundations.


> They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider

If it wasn't for those old Super Bowl ads, GoDaddy wouldn't exist today.

Sex sells.


Yeah - selection bias and apathy is the root of it, IMO.

GoDaddy attracts the unwashed masses who don't care about security, and who remain unfazed after learning about breaches. Meanwhile, the tech-savvy crowd who would care about breaches already know to avoid GoDaddy and view the inevitable breaches as the plebs reaping what they've sown.

Ergo, no one getting breached by GoDaddy cares, and nobody informed watching it happen feels a need to intervene.


I'd be less amazed if people could articulate why this matters. What is the harm being done here and why is it more costly than GoDaddy raising their prices by a few dollars?


One example: They're selling domain registration privacy, but don't sufficiently secure the private data. The entire Domains by Proxy dataset is available on the dark web.


Most companies are way too incompetent to even know how to secure their own data because it is just too expensive to actually hire someone that knows what they're doing - so most of the "cybersecurity" industry is just grifters talking about buzzwords and building dashboards to show how good they are at patching CVEs.

I have had to tell multiple cybersecurity vendors that brag about working with huge companies and governments that we cannot work with them because of how poor their own cybersecurity practices are (i.e. not using secure compute/hardware crypto when dealing with our private keys).

These are companies that should know better; I have had to stop ADP professional services more than once from disabling certificate validation on critical pipelines pertaining to confidential employee and customer information. I do not want to imagine what happens at the 99% of companies with cybersecurity teams that don't even know what certificate validation is.


True story.

I worked for a medium sized company. They had a very large commercial e-commerce site for their customers. They used Wordpress sites that were hosted on GoDaddy. I worked there for two years. They never updated any of their passwords for GoDaddy or their Wordpress sites.

It's been almost ten years since I've worked there, and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.

I mean, someone gets access to their GoDaddy account and within minutes will have full control of a major bit of their business. Talk about playing with fire.


> It's been almost ten years since I've worked there, and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.

... but.. why?

Why let them live rent-free in your mind? Why admit to that in even a pseudonymous space?


The elephant in the room may be GoDaddy's historical total disregard for security, but hey, those pesky elephants won't shoot themselves!

GoDaddy CEO's graphic elephant hunt video sends his clients flocking to competitors, and helps raise $20,000 for elephant charity:

https://www.dailymail.co.uk/news/article-1374679/GoDaddy-CEO...

GoDaddy CEO Kills Elephant:

https://www.youtube.com/watch?v=YnM5yTW2B3g


Bob hasn't been CEO of GoDaddy since 2011.


I know, that's exactly why I wrote "historic", but the current owners gave him an enormous amount of money, didn't clean up their act, and GoDaddy CONTINUES to be terrible.

The security breach we're discussing didn't happen 14 years ago, as you well know. They have a long and infamous track record and toxic corporate culture and unethical business practices and willfully misleading negligence of security that show no signs of improving.

So charming that you're on such a familiar first name basis with a piece of shit like Bob Parsons. Are you friends? Are you actually carrying the water for GoDaddy, or think it's ok to murder elephants and run incredibly sexist commercials while never giving a shit about security or customers? Yuck.


I've had a dim view of them ever since my first interaction with Domains by Proxy. (At the time, I recall finding that many 'Windows support' scam sites and other malware distribution were showing up under their domains, and every attempt to uncover who was behind them would only lead to an 'oh that account is now banned but we won't tell you thx'.)

... Honestly it reminds me of how some Internet VOIP providers won't tell the name of the business who actually bought the number (Which, of course, complicates the ability to collect on TCPA when it's a number used for spam.)

